Malaysia uses spyware against own citizens, NYT reports

The report said the spyware was likely being used for “politically-motivated surveillance”. — Reuters pic

KUALA LUMPUR, March 14 — Malaysia is among 25 countries using off-the-shelf spyware to keep tabs on citizens by secretly grabbing images off computer screens, recording video chats, turning on cameras and microphones, and logging keystrokes, US newspaper the New York Times (NYT) reported yesterday.

Besides Malaysia, researchers at Citizen Lab based at the University of Toronto’s Munk School of Global Affairs found that the United States, Singapore, Indonesia and Britain also used the surveillance software known as FinSpy.

“Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance,” security researcher Morgan Marquis-Boire was quoted by NYT as saying.

Martin J. Muench, managing director of Gamma Group — a British company that sells FinSpy — has reportedly said that Gamma Group sold its technology to governments solely to monitor criminals, and that it was most often used against “paedophiles, terrorists, organised crime, kidnapping and human trafficking”.

Marquis-Boire, however, pointed out that the software was open to abuse, saying: “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law.”

Other countries with servers running FinSpy include Bahrain, Bangladesh, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Japan, Latvia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Turkmenistan, the United Arab Emirates and Vietnam.

Global human rights group Human Rights Watch said in its 2013 report that Malaysia has yet to ratify core human rights treaties, despite being a member of the United Nations Human Rights Council.

It added that Putrajaya continued to violate the rights to free association and public assembly last year, besides decreasing freedom of expression by amending the Evidence Act.

FinSpy was used in emails targeted at political dissidents in Ethiopia and on Android phones in Vietnam, according to Marquis-Boire’s report published on the Citizen Lab website yesterday.

FinSpy was also found in emails targeting Bahraini activists last July. Turkmenistan’s Ministry of Communications also ran FinSpy off its own computer system, according to the report.

Human Rights Watch called Turkmenistan last month one of the most repressive governments in the world.

“Our findings highlight the increasing dissonance between Gamma’s public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists,” said the Citizen Lab report.

Editor’s Note: The following statement was issued by the Malaysian Communications and Multimedia Commission (MCMC) in response to this story. The Malaysian Insider is co-operating fully with the authorities.

False reporting by local online news portal

CYBERJAYA, 14 March, 2013 — MCMC is investigating the news report issued by local online news portal, The Malaysian Insider, at around 3:00 pm today with the headline stating “Malaysia Uses Spyware against Own Citizens, NYT Reports”. MCMC would like to state that this report is speculative and ill-researched. The online portal appears to have failed to verify the veracity of the report from the New York Times, nor checked the facts which are available online and had made its own conclusions on the matter.

An excerpt from the full report by The Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, Canada, states that the discovery of the FinSpy C+C server in a given country cannot conclusively indicate that the country is using the FinSpy on its citizens.

The report added: “Importantly, we believe that our list of servers is incomplete due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment. Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies. In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country.”

A further report from another group of researchers based in the USA, Rapid7 Community, also gave similar comments:

“Please note: we are not able to determine whether they’re actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all: they are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure. Our guess is that part of the identified C&Cs are acting as proxies.”

Additionally, a recent news report released by the Associated Press supported Citizen Lab’s findings: “Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, said that Canada, Mexico, Bangladesh, Malaysia, Serbia, and Vietnam were among the host countries newly identified in Wednesday’s report. That alone doesn’t necessarily mean those countries’ governments are using FinFisher, a program distributed by British company Gamma International, but it is an indication of the spyware’s reach.”

MCMC has also conducted a review of currently available information and we have found that the server that is allegedly hosted in Malaysia also has similar Internet Protocol (IP) addresses linked to a commercial webhosting company called GPLHost which has similar IP hosting in Australia, Singapore and the United States. We have also found that the server that is claimed to be in Malaysia appears to be registered to a company called Iusacell PCS. Further checking of Iusacell PCS indicates that it could be a Mexican mobile operator. 

At this stage of the investigations, MCMC would like to remind the public not to simply believe everything that they read online and to verify all the information that they receive before forming any views or conclusions on the issue. The public is also reminded that the posting of false information constitutes an offence under Section 211 of the Communications and Multimedia Act 1998 and upon conviction, can be fined for a sum not exceeding RM50,000 or imprisonment for a term not exceeding one year.


