FinFisher GmbH, FinFisher Labs GmbH and Elaman GmbH jointly produce and distribute surveillance software such as FinSpy for state authorities. Once installed on a recipient’s mobile device, FinSpy gives the state almost all-encompassing access. Infiltrated persons can be located at any time, police or secret services can record telephone conversations and chats and read out all mobile phone data. This is a massive encroachment on the privacy rights of those affected. In the summer of 2017, FinSpy appeared on a Turkish website disguised as the mobilization website of the Turkish opposition movement.
No surveillance software for repressive regimes
In 2015, a licensing requirement was introduced throughout Europe for exports of surveillance software to countries outside the EU. In response to parliamentary inquiries, the German government last confirmed on 19 June 2019 that it has not issued an export permit for intrusion software such as FinSpy since the introduction of the licensing requirement. IT analyses show that the software samples found in Turkey in the summer of 2017 are a FinSpy version that was produced after the introduction of the licensing requirement. These are strong indications that the company exported the software illegally despite the existing licensing procedures.
In autocratic regimes, the use of surveillance software by the authorities can have dramatic consequences for those affected. In countries such as Syria and Bahrain, those under surveillance are often threatened with imprisonment and torture. Exports to the Turkish government are also scandalous in view of the continuing repression of opposition members and media representatives and effectively support the government’s human rights violations. After the failed coup on 15 July 2016, more than 50,000 people were arrested; more than 140,000 people were removed from their jobs; more than a hundred newspapers and other media outlets were closed. Turkey is currently the country with the highest number of detained journalists in terms of population.
Software producers are held accountable for the first time
The software manufacturers based in Europe often deny any responsibility. Yet the export of the FinSpy surveillance software to Turkey would be illegal.
The export of the software probably took place between October 2016 and June 2017. At that time, the export was subject to authorisation according to both German and European regulations; an unauthorised export is punishable under the Foreign Trade and Payments Act.
An efficient prosecution of these illegal exports has hardly taken place so far, as the manufacturers circumvent the export requirements through complicated transnational company structures. This makes prosecution more difficult. Thus, FinFisher and Elaman were able to continue their business undisturbed for a long time - until now. In May 2023, the Munich I public prosecutor's office announced that it was bringing charges against four responsible persons of the FinFisher group of companies.
Data protection and privacy are human rights – not only in Germany
The GFF supports a number of cases in which we advocate for data protection and the right to informational self-determination. These cases frequently deal with laws that give German authorities excessive powers of surveillance, such as the new police laws. But also outside Germany, German companies must not become the henchmen of regimes that surveil their population. Where exports – of weapons as well as of spyware – are used with great certainty to violate human rights, the state must act.