The rights group Privacy International has filed a criminal complaint in the U.K. regarding the surveillance of three Bahraini activists on British soil by the Bahraini authorities, which apparently took place using the FinFisher spy tool.
FinFisher is a notorious piece of spyware that was produced by a British firm called Gamma International, but is these days sold out of Germany. It can be deployed in many ways, most notably by masquerading as software such as Firefox and iTunes updates.
The software allows the attacker to access the target’s device – documents, cameras, microphones, and so on. Last month Wikileaks published not only a summary of documents indicating who has bought FinFisher – a line-up ranging from Italian agencies to Australian police – but the code of FinFisher itself, so that security experts can figure out how to spot it more easily.
Bahrain, long been known to be a FinFisher customer, has a restrictive and rather nasty regime. The activists named in Privacy International’s complaint all took asylum in the U.K., and an investigation by human rights group Bahrain Watch has demonstrated that they were all spied upon, using FinFisher, while in the U.K.
In one case – that of Jaafar Al Hasabi – the victim was captured and extensively tortured while on a family trip back to Bahrain in 2010. The authorities there told him they had been watching him for 5 years in the U.K., through which they claimed to have gathered evidence that he was aiding opposition groups in Bahrain.
Privacy International’s complaint to the National Cyber Crime Unit of the National Crime Agency (NCA) – the U.K.’s answer to the FBI – follows a previous plea for the agency to investigate the case of Ethiopian refugee Tadesse Biru Kersmo, who was also targeted by FinFisher while in the U.K. It seems the organization and Kersmo’s solicitor aren’t having much luck getting updates out of the British authorities on the investigation into that case.
In both cases, the surveillance seems to be a clear-cut contravention of the U.K. Regulation of Investigatory Powers Act (RIPA). Privacy International said in its letter to the NCA that Gamma should be held liable as an accessory to the Bahraini authorities’ offence under RIPA, or for encouraging or assisting an offence under the Serious Crime Act.