Lawsuit alleges that Addis Ababa used private technology to monitor Internet communications of dissident-linked American
A first-of-its kind lawsuit that resumes in a U.S. District Court on Tuesday has drawn attention to the private surveillance-technology industry as a potential enabler of spying on Americans. The case involves a U.S. citizen who alleges that “clandestine computer programs” assumed “what amounts to complete control” over his personal computer and relayed copies of his electronic activity — including Skype calls, Internet searches and emails — to the Ethiopian government.
Kidane — the pseudonym under which the complainant is known in the case to protect his family from retribution — says his computer was monitored by spyware placed on his computer while he was living in the United States. He is an Ethiopian-born naturalized U.S. citizen who sought asylum in the U.S., where he has lived for more than two decades. His case is being closely watched by activists and civil liberties campaigners because of its potential implications for domestic cybersurveillance by security agencies such as the National Security Agency (NSA).
A victory for Kidane “would be a clear statement from a U.S court to say that wiretapping without court authorization is illegal, no matter who does it. And yes, absolutely that would have implications for the NSA,” said his legal counsel, Nate Cardozo, a staff attorney at the Electronic Frontier Foundation.
“We know that the NSA engages in full content wiretapping … without a court order authorizing it,” he added. “That conduct is simply illegal, and I think a U.S. court order holding Ethiopia responsible for doing the same thing but on a much smaller scale here hopefully would at least raise some eyebrows at the NSA.”
The suit alleges that FinSpy, an intrusion and surveillance program, was transmitted by a Microsoft Word document attachment sent to Kidane’s computer via email by or on behalf of the Ethiopian government. It began targeting Kidane’s machine in late October 2012.
Ethiopia was accused of deploying FinSpy in a March 2013 report by Citizen Lab, an organization that studies surveillance, on the basis of the IP address from which the software was transmitted. The attack on Kidane’s computer was found to have originated from the same server. Days after the Citizen Lab report appeared, the Ethiopian government tried to shut down FinSpy on Kidane’s computer, Cardozo alleged. However, there was a malfunction, and traces of the software remained on his client’s machine.
“We caught the Ethiopian government red-handed,” Cardozo said.
Kidane is seeking damages and an acknowledgment from the Ethiopian government that it acted outside the law. Ethiopia has stated in court documents that “computer addresses can be and are easily [faked],” but it has not denied the allegations. It has argued that because it is a foreign sovereign power, a U.S. court lacks jurisdiction to hear the case.
Freedom House reported last year that the Ethiopian government has upped its efforts to target dissidents with surveillance malware. U.K.-based Ethiopian opposition figure Tadesse Kersmo also alleges his computer was infected with FinSpy, in a criminal complaint filed on his behalf by Privacy International, a U.K.-based nonprofit.
FinSpy’s capabilities
FinSpy can pull users’ passwords from Internet browsers and emails. It can record telephone calls and audio from a computer microphone, turn on a webcam and save keystrokes and text messages, according to company documents released via WikiLeaks. The software can extract files from a hard disk, poach deleted files and take screen shots of a computer screen.
It is designed to evade detection and can bypass 40 anti-virus systems, according to the leaked company files.
The spyware tool is a part of the FinFisher product suite formerly under the umbrella of the U.K.-based Gamma Group, which, according to its website, provides “advanced technical surveillance, monitoring solutions and advanced government training.”
The FinFisher company, based in Munich, maintains that the products are sold to “government agencies only” and that the spyware is designed to target individuals and is not to intended for mass surveillance.
But the British government has criticized the group. Gamma lacks “due diligence processes that would protect against abusive use of its products,” according a U.K. government report.
Gamma does not say to which countries it has sent products, and it did not respond to an Al Jazeera query.
Even if the manufacturer’s intent is that FinSpy be used lawfully, human rights groups say the technology has been used to facilitate abuses. FinFisher command and control servers are said to be active in some three dozen countries, including Brunei, Nigeria, Pakistan, Qatar, Romania, Turkey, Turkmenistan and the United Arab Emirates, according to 2013 report by Citizen Lab.
Some of those countries have come under fire for suppressing political dissent. A document appearing to show a contract with FinFisher was allegedly found in the offices of Egypt’s secret police in 2011.
Bahraini authorities have been accused of using it to target three Bahraini activists who have been granted asylum in the United Kingdom. And the Lahore High Court is set to hear a case about the use of the spyware in Pakistan. The suit alleges that the government indiscriminately spied on its citizens with the help of the FinFisher technology.
But for many experts, the issue goes beyond just one company, as the surveillance industry has swelled to a sector worth some $5 billion a year. Earlier this year, the European Union implemented export controls on spyware technology.
But laws in many other countries governing the use of surveillance have not kept up with its rapid development and global reach. “The lawful interception of communications must be performed with proper legal authorization, but what this authorization looks like varies across jurisdictions,” said Privacy International.
“Often, laws are vague and broadly interpreted, courts authorize and review surveillance in secret, and individuals are monitored surreptitiously and are not notified that they were placed under surveillance,” the group said.