Alert Sign Dear reader, online ads enable us to deliver the journalism you value. Please support us by taking a moment to turn off Adblock on Dawn.com.

Alert Sign Dear reader, please upgrade to the latest version of IE to have a better reading experience

.

Email


Your Name:


Recipient Email:


The screenshot of the FinFisher portal shows the software purchases made by the Pakistani customer, including license validity period.
The screenshot of the FinFisher portal shows the software purchases made by the Pakistani customer, including license validity period.
The screenshot of the FinFisher portal below shows a software update request by the Pakistani customer.
The screenshot of the FinFisher portal below shows a software update request by the Pakistani customer.
The screenshot shows an online complaint filed by the Pakistani customer, which is responded to by FinFisher Customer Support.
The screenshot shows an online complaint filed by the Pakistani customer, which is responded to by FinFisher Customer Support.
The screenshot of the FinFisher portal shows a software update request by the Pakistani customer.
The screenshot of the FinFisher portal shows a software update request by the Pakistani customer.

KARACHI: Someone inside Pakistan purchased an estimated 300,000-euro toolset of highly controversial surveillance software, and digital human rights activists are concerned about the serious threats this poses to the security and privacy of users operating in local cyberspace.

Digital Rights Foundation Pakistan (DRFP), a local NGO focused on digital rights, released its investigation into a 40GB leak of data from the servers of FinFisher, an online mass surveillance software that has been criticised by human rights organisations for its high potential for abuse, as in its use to target protesters in Bahrain (2012) and its purchase by Egyptian secret services during the revolution of 2011.

The latest data leak this August was made downloadable online by a hacker identified only by the online handle, PhineasFisher. The hacker wrote a note on social networking site Reddit, justifying the leak as a means to, “hopefully develop a better understanding of the organisations, and methods of operation involved in these [surveillance] attacks so that those targeted can actually defend themselves.”

DRFP carried out an investigation into the data, given the fact that tests carried out in 2013 by Canada-based Citizen Lab confirmed the presence of two FinFisher Command and Control servers operating in Pakistan.

DRFP sifted through the new data which included correspondence between customers and FinFisher support staff, and found that someone from Pakistan licensed three softwares from FinFisher for a period of three years. FinSpy and FinUSB were purchased by the Pakistani customer in April 2010, while the FinIntrusion Kit was purchased in June 2010.

 The screenshot of the FinFisher portal shows the software purchases made by the Pakistani customer, including license validity period.
The screenshot of the FinFisher portal shows the software purchases made by the Pakistani customer, including license validity period.

Also read: PTA says it does not conduct surveillance

FinSpy is used to remotely control and access online users who “change location, use encrypted and anonymous communication channels and reside in foreign countries”. FinUSB is used to infect USB devices, so whoever uses them becomes a target of surveillance, while the FinIntrusion Kit makes it possible to hack into hotel, airport, and other Wi-Fi networks to record traffic, extract usernames and passwords (even for encrypted sessions), and capture data like webmail, video portals, online banking and more.

 The screenshot shows an online complaint filed by the Pakistani customer, which is responded to by FinFisher Customer Support.
The screenshot shows an online complaint filed by the Pakistani customer, which is responded to by FinFisher Customer Support.

Chats between “Customer 32” (username 0DF6972B and ID 32) who identifies himself as ‘Khalid’ from Pakistan, and FinFisher support staff indicate that the surveillance software was being used to infect Microsoft Office PowerPoint documents to enable spying on whomever received and opened the file(s).

 The screenshot of the FinFisher portal shows a software update request by the Pakistani customer.
The screenshot of the FinFisher portal shows a software update request by the Pakistani customer.

Additionally, the DRFP report cites that, “Customer 32 also used FinFisher to covertly steal files from target” computers.

All the files of those who were targeted were readily available but Customer 32 wanted more. As outlined in another exchange with FinFisher support staff, ‘Khalid’ requested a software update where: “the agent [should] be able to select files to download even when the target is offline and whenever the target comes online, those selected files may be downloaded without the interaction required from user.”

DRFP alleges that the spy software was likely being used by a Pakistani intelligence agency, given the high cost of the software and the fact that FinFisher’s company policy states that, “solutions are sold to governmental agencies only”.

Director of DRFP Nighat Dad terms these findings “worrisome” due to the human rights violations associated with this technology.

“Vulnerable groups like human rights defenders, journalists and activists are at great risk in Pakistan, where there are no protections of privacy rights and no regulations being followed in the surveillance of people,” says Ms Dad, adding that, “As citizens of a democratic state, it is our right to know who is using such intrusive surveillance software in Pakistan, and what laws and regulations are being followed in their deployment.”

Court case against FinFisher use in limbo

Based on Citizen Lab’s earlier findings, digital rights organisation Bytes For All Pakistan filed a public interest litigation case in the Lahore High Court in May 2013, challenging the existence of FinFisher Command and Control Servers in Pakistan. The same month, the Lahore High Court ordered the Pakistan Telecommunication Authority to present a report on the issue within 30 days. Over a year has passed, with six “confirmed dates”, but the PTA has yet to produce the report, and the court has yet to proceed on the case.

Lamenting the lack of action, petitioner and Bytes for All chairman Shahzad Ahmad says, “There is ample evidence already since the Citizen Lab report, so no more investigation is needed. There is hard technical evidence. Right now, we need a response from authorities in the court of law.”

With proof that FinFisher has been and may still be active in Pakistan, Ahmad says the issue of online surveillance is now of greater importance than that of the more high-profile online censorship issues.

“Unfortunately, breach of privacy is a much graver issue than censorship, as censorship can be circumvented; loss of privacy is permanent,” Ahmad says.

Published in Dawn, August 24th, 2014


Comments (23) Closed



Ali Aug 24, 2014 07:27am

There is difference between supper species and an ordinary species and in Pakistan normal public are species. The ordinary species don

anees zaidvi Aug 24, 2014 07:44am

It is good to know but it only adds to the fears of a common man like me without being able to do something about it.

imran Aug 24, 2014 07:52am

Government around the world do stuff like this and honestly to some extent it has to be done

Dr-TK Aug 24, 2014 08:01am

And your point is??? As if there are no other "rights" abuses in Pakistan. Perhaps this is something needed for a country like Pakistan?

arsh Aug 24, 2014 08:53am

I always wonder, when other countries spy on their citizens it is termed as national security. But when Pakistani security agency spy then it is termed as human rights violation.

Ahmed Aug 24, 2014 09:32am

We are under an ever increasing threat. If it was done by spy agencies for betterment of our surveillance, then why not....Although no justification...but as they say 'If the US and Germany can do it, why can't we?')

jvd Aug 24, 2014 10:02am

Every government and its agencies have mandate to protect their citizens, by sorting out culprits hidden in the masses, through surveillance or any other means, without causing any damage to general public. However, in the mentioned case, the most important thing is whether Security Agencies are using that spyware or it has fallen into the hands of any nefarious elements.

El Cid Aug 24, 2014 10:13am

Good one. So what's new... And you people just 'discovered ' this... Spending too much time on Bollywood rubbish to figure out reality !

Alt Aug 24, 2014 10:13am

With all the Internal and External threats working to destabilize and weaken the country..the Intelligence agencies MUST do whatever is required.

?????? Aug 24, 2014 10:43am

Can their be clone version - or cheap duplicate of this FinFisher -so small fishes can also spy on neighours - boyfriends - girlfriends - relatives - colleagues and any one and every one - keep busy .

Jamshed Aug 24, 2014 12:08pm

@Dr-TK You're probably see the point when your data is made public!

oBSERVER Aug 24, 2014 01:21pm

@jvd Yes indeed jvd. They use containers to protect the citizens. They do not allow food and water and so on.What Country you said you are from please?

Mohammad Aug 24, 2014 01:56pm

if it is done by Pakistani Intel Agencies or Government of Pakistan, It's approved from me and I have no Objection!!

keep it up guys.

Muhammad Farhan Aug 24, 2014 02:47pm

This is as much fascinating as it is controversial. Surveillance is a reality we should all accept if we value our safety. Individuals and groups of individuals concerned about "online privacy" should probably get off the internet and refrain from sharing their personal information, because if they don't have any ill intent then they shouldn't be worrying about having their information scanned for security reasons.

Feroz Aug 24, 2014 04:13pm

Such software can only be sold to Government Agencies, not public like you and me. The Software provider would ensure it is so before selling it, so there is no need to speculate who bought it. The software provider cannot be paid in cash through Hawala channels so matter should rest in Peace. How the software is being used and which citizens rights are being affected by it, needs a different article. That the Court orders to provide the records has not been complied with and the Court like in missing persons case is unable to enforce rulings, everyone should know who is using it.

501 Aug 24, 2014 04:25pm

There is always an NGO trying to bite our intelligence.

khalid Aug 24, 2014 04:36pm

the system is being operated by one of the biggest media group in PK. a recent email content hack of a journalist was one of the operation carried out by the media group.

kazigee Aug 24, 2014 04:52pm

These are modern day tools for peace and war. If acquired and used by a responsible body this will ensure that the enemy cannot benefit from obtaining vital information and use it against a nation or its people.

All governments all over the world are spying on their citizens for loftier goals than terrorizing or suppressing their civil and democratic rights.

For Pakistan to have such a technology tantamounts to having the nuclear capability in todays world.

Taimoor Khan Aug 24, 2014 05:06pm

Whats the big deal? If it was done by ISI then it is for the national security and protection of national interests. Waste of space on a newspaper like Dawn.

Asad Aug 24, 2014 05:19pm

You folks are so naive. Yes ignorance is bliss!

omer khan shaheen Aug 24, 2014 07:08pm

Why are we acting surprised!

Malik Ajmal Khan Aug 24, 2014 08:37pm

So, counter spying needs to be one step ahead of spying.

Muhammad Asad Bin Faruq Aug 25, 2014 01:04pm

its seems more of a corporate espionage since the software is being used to hack in ppt files. 300,000 euro isn't much for business giants operating in Pakistan. then again i watch a lot of movies :P