Spy Trojan Seller on Ethics, Authoritarians, & 'Bad Guys' vs. 'Good Guys'

Monday 11 March 2013

Headquartered out of a modern industrial estate in Andover, England, Gamma Group sells controversial advanced surveillance technologies to intelligence and law enforcement agencies in countries across the world. The company has been the source of widespread news coverage over the last couple of years due to its spy trojan tools — designed to secretly infiltrate computers, monitor communications and siphon data from hard drives — which security researchers say they believe are being used by authorities in a host of countries with poor human rights records, including: Bahrain, Brunei, Ethiopia, Indonesia, Mongolia, Singapore, Turkmenistan, and the United Arab Emirates.

Recently, I had an interesting and at times revealing back-and-forth email exchange with Gamma's Germany-based spokesman, Martin J. Muench. It is significant enough that I feel it is worth reproducing here, mainly because it offers an unusual level of insight into Muench's — and ultimately Gamma's — thinking.

The exchange began when I sent Muench a query regarding a prospective story I was working on — a follow-up to a Netzpolitik article detailing documents showing German federal police's plans to use Gamma's "Finfisher" (a.k.a "FinSpy") computer surveillance software. I also wanted to ask Muench about a "code of conduct" his company is apparently looking to implement in response to concerns about complicity in human rights violations.

However, the exchange, all on the record, eventually became a broader discussion about selling surveillance technologies, with Muench telling me that "we don’t necessarily agree with each other as far as the definition of what is ethical" and adding that he thought journalists had kicked up a "fuss" about Finfisher because they themselves were "guilty of the most appalling breaches."

It makes for quite a thought-provoking read, I think, especially toward the end. The content of the correspondence has not been edited, though I have removed email signatures and greetings ("Hi Ryan," "best regards," etc.) to cut out unnecessary repetition.

*****

From: Ryan Gallagher
To: Martin J. Muench

22 January 2013 12:52

I was reading this report on netzpolitik.org about the German Bundeskriminalamt acquiring Finspy: https://netzpolitik.org/2013/secret-government-document-reveals-german-federal-police-plans-to-use-gamma-finfisher-spyware/

I wanted to confirm with you:

1. is this an accurate report? Have the Bundeskriminalamt purchased Finspy or are they just testing it?

2. I note that the Netzpolitik report says you are in talks with NGOs with regards introducing a code of conduct for companies like yours. Which organizations are involved in the discussions? Can you share any information about what the code of conduct might include? And are any other companies involved?

*****

From: Martin J. Muench
To: Ryan Gallagher

22 January 2013 13:15

1. is this an accurate report? Have the Bundeskriminalamt purchased Finspy or are they just testing it?

As you can imagine this article and others relating to it have stimulated a great deal of interest...

However, I am afraid I have to tell you that Gamma simply does not discuss its client base, its exports, or any of the operations which its clients may or may not be undertaking. This is because there is usually a contractual term of confidentiality, and because naming a client can prejudice criminal or counter terror investigations and compromise the security of the members of the police or security services involved. Neither will Gamma name any countries which have not purchased its products thereby enabling customer countries to be identified by a process of elimination.

2. I note that the Netzpolitik report says you are in talks with NGOs with regards introducing a code of conduct for companies like yours. Which organizations are involved in the discussions? Can you share any information about what the code of conduct might include? And are any other companies involved?

We are currently having discussions with several groups. I don’t wish to elaborate further at the moment as some of these groups are our most vociferous public critics but who are quite prepared to discuss our ideas with us in private. In fact we have drafted a proposed Code of Conduct for the industry which goes far beyond the current ECAs.

*****

From: Ryan Gallagher
To: Martin J. Muench

22 January 2013 14:04

Regarding the code of conduct: is there any way you can send me a copy of the draft so I can get an idea of what it includes? Will it be made available publicly?

I note that Privacy International were previously reported to have turned down an invitation to discuss the code of conduct: http://www.guardian.co.uk/technology/2012/dec/26/british-company-gamma-international

Why did Privacy International refuse to engage? Do you think the code will have credibility if groups like Privacy International say they won't meet you to discuss it?

*****

From: Martin J. Muench
To: Ryan Gallagher

22 January 2013 14:16

I would honestly appreciate not putting too much focus on it at this point as I firstly would like to finish it and most of all also implement everything that has been and will be defined in there before promoting it publicly. Once it's done and we began the implementation we will definately make it public.

PI was offered numerous times a visit to our offices, a full product demonstration and open discussions about various topics. They mentioned that they're discussing internally a few month ago but did not respond to any follow-up emails. No reasons were given on why the offer was ignored.

I can only guess or better wonder why Eric King of PI does not want a personal meeting and also see the other side of the stories especially as he is spending so much time and energy on them without having the full picture; but I don't think that one organisation like PI not being interested in also giving constructive criticism will affect the credibility of such a code on a global level.

*****

From: Ryan Gallagher
To: Martin J. Muench

22 January 2013 15:05

If you have not yet implemented the code of conduct, doesn't that mean you are acknowledging that thus far you have not been adhering to appropriate ethical standards? What exactly is it that you need to implement? It would be great if you could show me a draft of the code, even on a background basis, to help me understand the context of the thing.

*****

From: Martin J. Muench
To: Ryan Gallagher

22 January 2013 21:56

Firstly, let me correct you. I am not acknowledging that Gamma has not adhered to ethical standards at all. One problem with ethical standards is that we all have them and we don’t necessarily agree with each other as far as the definition of what is ethical. Who decides? You have your views, I have mine and others have theirs’. That’s not to say we all disagree on everything. It simply means that we don’t all have the same views and for very different reasons.

Our position is this; we believe in the right to privacy but we don’t believe it takes precedence over or supersedes the right to life. We believe that nation states have the right to defend themselves against terrorists and we believe in the right to fight organised crime. We sell FinFisher to governments and law enforcement agencies to do this. We don’t sell a mass-monitoring tool. We sell a highly sophisticated piece of target specific software capable of providing evidential quality reports.

Another problem, of course, is that today’s ‘good guy’ may be tomorrow’s ‘bad guy’ and vice versa. If we imposed a moral code based on our intuition as to who might become a bad guy in the future we could end up spending a lot of time thinking about it and doing very little else. So, until we can get a code of conduct up and running that will actually work, rather than pay lip service to ‘ethics’, we have decided to let the export controls authorities act as our ‘moral compass’, for want of a better expression. After all, they are best placed to know who the ‘bad guys’ are and who the likely future ‘bad guys’ will be. We follow their lead and comply with the law.

Of course one of the reasons that some of the media have picked up on FinFisher products and make such a fuss is that some of them have become the subject of law enforcement inquiries themselves by electronic means and have been shown in the past to be by their own admission guilty of the most appalling breaches. The Leveson Inquiry shows a good example of this.

*****

From: Ryan Gallagher
To: Martin J. Muench

23 January 2013 03:30

Your last email raises many questions for me.

One problem with ethical standards is that we all have them and we don’t necessarily agree with each other as far as the definition of what is ethical.

Ethical standards can sometimes be highly subjective but they are often also relative to basic standards of right and wrong. Would it be ethical for me to sell a gun to a man I knew had a history of violence and might subsequently use it to murder an innocent person? I think the answer to that question is obvious. And I think the same kind of hypotheticals can be used in the realm of surveillance technologies. Would it be ethical for me to sell a sophisticated spy technology to a notoriously brutal state security agency operating in a country ruled by a despot with a well documented record of cracking down on, beating and jailing people engaging in legitimate democratic activities?

So, until we can get a code of conduct up and running that will actually work, rather than pay lip service to ‘ethics’, we have decided to let the export controls authorities act as our ‘moral compass’, for want of a better expression.

By this I assume you mean European export controls? Or are you also including United Nations and United States sanctions?

I should point out that just because a company is not on an export control list doesn't mean it is a place where human rights violations are not rife. For instance, countries such as Turkmenistan, Kazakhstan, Uzbekistan, Morocco and Thailand are ruled by authoritarian regimes with little (if any) limitations on the use of sophisticated spy technologies to monitor innocent individuals participating in legitimate democratic activities (journalism, activism, etc.). It is a given that these countries also have serious criminals whom they wish to monitor. But they may also have a disposition towards abusing surveillance technology to stifle dissent, track dissidents, target journalists, etc.

Have you never considered conducting an analysis of each country's respective social and polititical conditions before you do business with it? This is in line with the "know your customer" program recommended by the United States and the UN Guiding Principles on Business and Human Rights, which outlines how companies should "act with due diligence to avoid infringing on human rights and address adverse impacts."

It doesn't strike me as due diligence for you to say that you will sell to any country so long as they are not on a sanctions list.

Of course one of the reasons that some of the media have picked up on FinFisher products and make such a fuss is that some of them have become the subject of law enforcement inquiries themselves by electronic means have been shown in the past to be by their own admission guilty of the most appalling breaches. The Leveson Inquiry shows a good example of this.

I find this to be a bit of an inaccurate comparison. The "phone hacking" scandal involved (unethical) tabloid journalists listening to the voicemails of individuals by entering a default PIN code into their mailbox to gain access. I don't think that it is comparable to providing authoritarian regimes with a sophisticated spy trojan that can be used to secretly take over targeted computers, intercept communications and steal data from hard disks. The scale is different, the technology is different, and, perhaps most crucially, the potential harms are different.

*****

From: Martin J. Muench
To: Ryan Gallagher

23 January 2013 08:51

Thanks for your email. It’s a fascinating debate and one in which we could engage for some time. I see you have strong views and clearly have made your own judgments but I am afraid that I am going to have to end it here.

Would it be ethical for me to sell a sophisticated spy technology to a notoriously brutal state security agency operating in a country ruled by a despot with a well documented record of cracking down on, beating and jailing people engaging in legitimate democratic activities?

This may well be a view held by some of; the UK (Northern Ireland), the USA (Guantanamo Bay) or Germany – and we are a little sensitive of our past. However, many people in the West might not view those counties that way…..

Debate aside and let’s be clear, we co-operate with the export controls agencies of Germany, the UK and the USA. Gamma simply does not discuss its client base, its exports, or any of the operations which its clients may or may not be undertaking. This is because there is usually a contractual term of confidentiality, and because naming a client can prejudice criminal or counter terror investigations and compromise the security of the members of the police or security services involved. Neither will Gamma name any countries which have not purchased its products thereby enabling customer countries to be identified by a process of elimination.

Lastly, may I suggest you have a closer look at the Leveson Inquiry — you may find it illuminating — at least in the definition of a tabloid (David Leigh of The Guardian admits to hacking an arms dealer?)

*****

From: Ryan Gallagher
To: Martin J. Muench

23 January 2013 13:33

Yes, it's an interesting discussion. I was particularly keen to hear your response to my question about due diligence and the UN Guiding Principles on Business and Human Rights, which I note that you did not answer directly.

we are a little sensitive of our past. However, many people in the West might not view those counties that way…..

What do you mean?

may I suggest you have a closer look at the Leveson Inquiry – you may find it illuminating — at least in the definition of a tabloid (David Leigh of The Guardian admits to hacking an arms dealer?)

Yes, that's right. There were a few cases included in the Leveson inquiry that focused on journalists outside the tabloids, though it was certainly a tabloid-orientated inquiry. The Leigh case is interesting because it reveals the extent to which investigative journalists will sometimes break the law in order to expose corruption — which can be deemed permissible under UK law if there is a substantial "public interest" defence. In 2006, well before Leveson, Leigh admitted to listening to voicemails of an arms dealer in order to help reveal corrupt payments. If you followed the case you would know that the UK's Crown Prosecution Service looked into Leigh's activities and advised that he not be prosecuted because on balance it was decided his actions were in the public interest: http://www.guardian.co.uk/media/2012/jun/14/police-guardian-journalist-phone-hacking

I understand why you raise the example. But ultimately it is unrelated to what we are discussing — that is, export controls and surveillance technologies. It's false equivalence for you to bring up Leveson in the context of selling spy trojans to authoritarian regimes. As I wrote in my previous message, the scale is different, the technology is different, and, perhaps most crucially, the potential harms are different.

*****

From: Martin J. Muench
To: Ryan Gallagher

23 January 2013 14:37

Thank you for your email. I do not wish to add anything at this point. You have my answers.

No comments:

Post a Comment