The National Crime Agency has been asked to investigate the alleged use of computer software to spy on an Ethiopian political refugee living in London in an unprecedented example of espionage on British soil.
The charity Privacy International has made a criminal complaint to the agency’s National Cyber Crime Unit following the detection of the surveillance software FinSpy on a computer belonging to Tadesse Kersmo, who fled to Britain from Ethiopia in 2009.
FinSpy, a “Trojan” programme which was developed and produced by the British-German company Gamma International, allows a remote user to gain full access to a targeted computer and even to turn on functions such as microphones and cameras to record the computer’s owner without their knowledge.
Mr Kersmo, a university lecturer, claimed that he had been the victim of espionage by the Ethiopian Government because of his involvement with the political opposition group Ginbot 7. “I felt that the United Kingdom was a safe and free country but I was wrong and I feel very disappointed,” he said.
The FinSpy surveillance software first appeared on his computer in 2012 and was only detected after the issue was highlighted in a study by the Citizen Lab at the University of Toronto, which reported on a campaign to infect computers with FinSpy by sending a rogue email containing pictures of Ginbot 7 members.
Mark Scott, a lawyer with London firm Bhatt Murphy, said there was no legal justification for the software. “If your computer is in the UK and it’s intercepted and that’s without lawful authority then that is a crime. It’s very difficult to see what lawful authority.”
Mr Scott said he knew of no other similar incidents.
Mr Kersmo told a London press conference on Monday that documents and audio clips from Skype conversations involving him and other Ginbot 7 members had been published in doctored format online in order to discredit him. He said that the leaders of Ginbot 7 – a pro-democracy group formed from Ethiopian exiles in the United States and Europe – had feared they had a mole in their ranks. “The main purpose was probably to create suspicion among the executive committee members and it did to some extent.”
Calling on the NCA to investigate, he said: “It’s not only (about) my own personal liberty but also the UK’s interests and other Ethiopian citizens who live in the UK.”
Eric King, head of research for Privacy International, said: “Even when someone flees persecution in their own country, western-made surveillance technologies such as FinSpy can still be used by repressive regimes to monitor the moves of political activists anywhere around the world.”
The charity said that FinSpy was extremely difficult to detect. Trojan programmes are usually triggered by opening an email or download containing the invasive software.
According to the Citizen Lab research, command and control servers for FinSpy have been set up in 35 countries, including Ethiopia, Turkmenistan, Bahrain and Malaysia. Privacy International has asked HMRC to say whether Gamma International has an export licence for distributing the software to these regimes. Mr Scott said: “If the software needs to be exported to a country outside the European Union it requires an export licence. As far as the information we have, there has been no licence granted to Ethiopia or indeed any other country.”
John Campbell, a senior lecturer at the University of London’s SOAS, said the FinSpy case had “extensive implications” for the Home Office and could lead to more asylum claims if political opponents were being subjected to computer espionage. He said that scores of Ethiopian political dissidents had been arrested since the 2005 national elections and that some had been given life sentences.
Gamma International could not be reached for comment