A privacy group has announced that an Ethiopian political refugee living in the UK was illegally targeted from overseas using British-made spy software. It has brought the claim to the attention of the National Crime Agency for investigation.
This is not the first time London-based group Privacy International has honed in on the potential for harm caused by FinFisher spy software, made by UK firm Gamma International. In the past it has appealed to HMRC and foreign governments to carry out investigations into the potential misuse of a UK export it says is used to supress anti-goverment movements. This is the first case, however, that relates to a refugee in the UK being targeted from abroad — something Privacy International and refugee Tadesse Biru Kersmo say breaches UK law. It’s believed Kersmo is being targeted for being part of opposition group Ginbot 7, which operates largely among Ethiopian expats and was deemed a terrorist organisation by the Ethiopian government in 2011.
Kersmo left his home country in 2009 after enduring four years of “continuous harassment and intimidation”. He was a lecturer, working in Unity University, Addis Ababa when his wife was elected as a member of the capital’s city council for the opposition party, Coalition for Unity and Democracy. The government promptly reversed the outcome and declared itself the winner.
“People protested as expected against the decision,” Kersmo said at a press conference today. “More than 200 people were killed on the streets and something like 40,000 people were arrested and deported to desert areas infected by malaria. These kind of atrocities we may have seen in fascist Germany… we have that type of government.” The opposition party leader was put under house arrest, and many were imprisoned and are still awaiting trial. Kersmo was never prosecuted, but he and his wife were harassed by the authorities until the day they left.
“At every possible moment someone could call me and tell me where I’m located, my telephone was continually tapped,” he said. Having escaped this kind of surveillance and fled to the UK, Kersmo was understandably angry to find his computer had been infected with a trojan, he says because of his affiliation with Ginbot 7.
He read a report by the Citizen Lab in Toronto that revealed a FinSpy campaign in Ethiopia had used pictures of members of Ginbot 7 (including Kersmo) to get people to click on links and infect their systems. “This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting,” concluded the report. Once the target system is infected, the operator can use it to take over the computer to search documents and email, but also turn the webcam or microphone on or listen in to Skype conversations.
Citizen Lab’s Bill Marczak helped Privacy International scan Kersmo’s computer, and they found traces that showed FinSpy had been operating in June 2012 over two days while he was in the UK.
“I felt now I’m living in a safe country, I shall try to forget about what happened in Ethiopia,” said Kersmo. “I felt very disappointed and angry when I learned about this — I’m still angry. Because even in this country there is a barbaric government, a facist government, pursuing me. This has infringed not only my personal privacy but the UK’s national interest because they are spying on somebody in somebody else’s country.
“I hope that the UK government will investigate this issue… I’ve always tried to contribute to the betterment of Ethiopia and freedom of speech, I’ve tried to defend human rights in Ethiopia and its for this activity I have been intimidated for so long and it continues.”
Kersmo says he’s identified evidence of his private correspondence or documentation being reappropriated by the Ethiopian government for propaganda purposes. For instance, words from his computer were published on a pro-government website, but edited “in such a way it will serve their own purpose”. Elsewhere a piece of audio was published that cherry-picked soundbites and added in voices. “It pasted and twisted it in certain ways to imply we had relations with the Egyptian government. The conversation happened on Skype among seven community members — two in UK and one in Belgium… The main purpose was to create suspicion among community members — and it did create suspicion to some extent.” There were also suggestions taken from that same call that Ginbot 7 receives money from Eritrea, a story that later made headlines.
Gamma International maintains it only sells the software to law enforcement and intelligence agencies, so the assumption is it’s been used by Ethiopian authorities. The legality around this issue will be tricky though, mainly because a case like this has never been pursued before. Privacy International has taken similar complaints forward before, but either to foreign governments about foreign surveillance, or to HMRC about the legality of exporting such software. In 2012 it t hreatened the UK government with legal action if it did not explain why it allowed exports of the FinFisher software to repressive regimes such as Iran, Egypt and Syria, where it could be used against government opposition groups.
Privacy International’s legal officer said that its prior complaints to HMRC did end up with the Department for Business, Information and Skills informing it that Gamma International would have needed a licence to export it. It turned out Gamma did not have the relevant licence up until September 2012, says Privacy International, so the campaign group wants an investigation to be carried out for any exports prior to that time. This seems reasonable, seeing as HMRC (which could not comment on this particular case) delivered this statement to Wired.co.uk: “If goods requiring an export licence are brought to a place of export in the UK without having such a licence, then a criminal offence has been committed. HMRC is the department with responsibility for investigating breaches of the UK’s strategic export controls.”
This time around, though, Privacy International has gone straight to the National Cyber Crime Unit, alleging there has been a breach of section 1 of the Regulation of Investigatory Powers Act (“RIPA”), section 45 of the Serious Crime Act 2007 (SCA) and section 8 of the Accessories and Abettors Act 1861. They argue that under RIPA it constitutes an “unlawful interception” via a “public telecommunications” system, as Kersmo was using the UK’s telecommunications system. RIPA is related to surveillance by UK public bodies, however, so it’s unclear how the law could be applied here. It seems Privacy International is implying Gamma International will share some culpability for the unlawful surveillance because it provided its software to a nation with a bad human rights record.
The problem is an assumption has been made that the act is being carried out by the Ethiopian government. There is no direct proof, and the authorities could potentially argue that the action was indeed illegal, and done by an unknown culprit. Although Gamma only sells to governments, it’s perfectly feasible the software has been reapprorpiated by others over the years. If it did admit to any kind of surveillance, Ethiopia would surely use the same argument offered by NSA and GCHQ: it’s for the protection of its citizens.
Nevertheless, Kersmo’s lawyer said: “issues raised are worrying and potential quite complex. If a computer in the UK is intercepted without lawful authority, that’s a crime. And it’s very difficult to see what lawful reason there should be for the interception. It’s very important the police undertake a proper investigation into this matter.”
The other legal breaches relate to Gamma’s involvement, with the SCA’s section 45 pointing to the illegality of “encouraging or assisting an offence”. However, under this law the perpetrator has to “believe that the offence will be committed and that his act will encourage or assist its commission”. Some ace investigatory work would need to be done for this to be proven — Gamma is unlikely to say it knew what the software would be used for. It’s more likely the company could be scuppered for its lack of a licence in the period preceding the summer of 2012, though in Kersmo’s case that would need to be 9 and 10 June.
Ethiopia’s track record with political opposition is not great. Aside from the 2005 election controversy (the government maintains the violence was induced by opposition), SOAS lecturer John Campbell says there have been plenty of other examples since. “In 2009 [individuals allegedly] planning a military coup were accused of being members of Ginbot 7, but the evidence seemed to be fairly light. Five were sentenced to death, 33 life imprisonment. In March 2011 114 journalists and opposition politicians were arrested again and 24 individuals were accused of belonging to Ginbot 7. Some were illegally abducted from Sudan and held to stand trial.”
Kersmo said that for the UK to understand the severity of the issue, it needs to understand how people are being targeted and punished.
“One journalist, a lady, was arrested and sentenced for 14 years because she took photos and sent a website link. The court declared she’s from Ginbot 7 and that act was described as an act of terrorism. The only thing she did was take photographs and send them. It was just a protest photograph. Another award-winning journalist gave a lecture on human rights issues and that was the only reason he was sentenced for life.
“In Ethiopian universities you cannot even mention the topic of human rights issues. You can deliver water, but you cannot talk about the right for water. You can deliver food, but you cannot talk about the right of having food.”
One journalist, Eskinder Nega, has been jailed seven times for offences including treason and terrorism. As an example, in 2011 he published a column criticising the authorities for detaining journalists and terrorists, and was promptly accused of being part of Ginbot 7. He was sentenced to 18 years in prison.
“One important point,” adds Kersmo, “is that Ethiopia is one of poorest countries in the world. It’s very possible that they’re using aid money to obtain this spyware. The country does not have enough food, enough education, it’s one of the least literate countries in the world, yet it’s spending millions on spyware. We have to stop this.”
According to Citizen Lab’s 2013 report, command and control servers for FinSpy backdoors were found in: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
Posted By: Kumilachew Gebremeskel Ambo