Charges brought against former FinFisher group CEOs
As a result of a criminal complaint by Reporters Without Borders (RSF) and three other organisations, prosecutors in Munich have charged four former senior representatives of the Munich-based FinFisher group with illegally selling surveillance software to authoritarian governments for years – software often used to undermine press freedom.
Brought by the Munich I public prosecutor’s office on 3 May, the charges accuse persons who were CEOs of limited companies (GmbH) in the FinFisher group at the time of intentionally violating authorisation requirements for dual-use items by selling surveillance technology to countries outside the EU, thereby committing criminal offences.
The criminal complaint that RSF Germany, the Society for Civil Rights (Gesellschaft für Freiheitsrechte, GFF), the European Centre for Constitutional and Human Rights (ECCHR) and netzpolitik.org filed on 5 July 2019 alleged that the CEOs of FinFisher GmbH, FinFisher Labs GmbH, and Elaman GmbH sold the spyware FinSpy to Turkey without the German federal government’s authorisation.
“This is the second direct success of our criminal complaint,” RSF Germany executive board spokesperson Katja Gloger said, referring to the FinFisher group, which had to discontinue its business operations in spring 2022.
“Today, press freedom violations often involve the use of surveillance software,” she said. “For those affected, every individual case means a massive infringement of their privacy rights. And in authoritarian states, in particular, this can have dramatic consequences for journalists and their sources, for activists and opponents of the government.”
GFF lawyer and lawsuit coordinator Sarah Lincoln said FinFisher apparently sold surveillance software to authoritarian governments illegally for years. “It thereby contributed globally to the surveillance and oppression of human rights defenders, journalists, and government opponents,” she said. “The fact that those responsible are being prosecuted at last is a long-overdue signal that such violations must not remain unpunished.”
ECCHR Legal Director Miriam Saage-Maaß said: “Firms like FinFisher have been able to export worldwide practically unhindered to date. Today’s indictment is long overdue. Hopefully, it will result in prompt conviction of the responsible CEOs. But above and beyond that, the EU and its member states must take much more decisive action against the massive abuse of surveillance technology.”
Throughout the EU, exporting such surveillance software to countries outside the union has required authorisation since 2015, and violations are liable to prosecution. The German federal government has not authorised any exports of surveillance software since 2015.
Nonetheless, up-to-date versions of the FinSpy trojan have been found time and again in countries with oppressive governments such as Egypt, Myanmar and Turkey. Under President Recep Tayyip Erdoğan, who has just won a new mandate in the second round of elections held on 28 May,, the Turkish authorities have been using a wide range of methods to harass Turkish journalists both in Turkey and abroad.
In summer 2017, FinSpy was detected on a Turkish website designed to lure members of the Turkish opposition movement headed by then presidential candidate Kemal Kılıçdaroğlu. It may have enabled the surveillance of many political activists and journalists. The Turkish intelligence agency MIT can use the spyware to locate individuals, record their telephone calls and chats and see all the data on mobile phones and computers.
RSF Germany began working on FinFisher in 2013, when RSF, the ECCHR, Privacy International, the Bahrain Centre for Human Rights (BCHR) and Bahrain Watch (BW) jointly filed OECD complaints against Munich-based Trovicor GmbH and the British-German Gamma Group, of which FinFisher was a part. RSF has listed FinFisher as an “Enemy of the Internet” since 2013.
A broad coalition of human rights and press freedom organisations has for years been advocating for a moratorium on the sale, transfer and use of surveillance technology. Such a moratorium should remain in place until an appropriate legal framework is in force throughout the world.
In response to the use of increasingly sophisticated surveillance tools – such as Pegasus, a trojan used by governments that is sold by NSO Group, an Israeli firm – RSF created its Digital Security Lab (DSL) in summer 2022.
Journalists who suspect that their online communications are being spied on may consult the experts at RSF’s Berlin office, where the DSL analyses digital attacks against journalists and advises media and journalists on IT security in relation to investigative journalism.