The Citizen Lab, a group within U of T’s Munk School of Global Affairs, has released a new report that implicates 33 government agencies in 32 countries over their use of FinFisher, a notorious spyware service.

Working across a multitude of disciplines that include political science, sociology, and computer science, researchers at the Citizen Lab scrutinize and investigate the influence of political power on the Internet.

Gamma Group, the Munich-based developer of FinFisher, advertises on their website that their software offers solutions to “help government law enforcement and intelligence agencies identify, locate and convict serious criminals [by] clos[ing] the gap in traditional investigative methods.”

Spyware is software that can monitor processes on a target’s computer without their knowledge and can send information to another party. Spyware can also be programmed to capture keystrokes, access connected microphones as well as cameras, making it a powerful spying tool.

Previously thought to be accessible by only the world’s most advanced nations, FinFisher’s availability on the open market puts sophisticated spyware in the hands of any nation willing to pay.

Bill Marczak, one of the authors of the Munk School’s report, expects that “governments will not want to be left behind as more and more of their peers get into the computer/phone intrusion game.”

The Citizen Lab was able to gain a large trove of data from a recent data leak at a Milan-based firm called Hacking Team, who offer a FinFisher-like service to governments, law enforcement agencies, and corporations. The leak allowed researchers to identify FinFisher using agencies by their IP address. Marczak says that this was possible because “Hacking Team had provided demos or sold their product to a lot of the same customers FinFisher had.”

Hacking Team’s employees, while on the premises of these customers, would often send emails back to their headquarters, inadvertently logging the customers IP addresses on Hacking Team’s email servers. 

Hacking Team’s data leak represented a huge opening for cybersecurity researchers around the world. For the Citizen Lab, it came after several wide reaching scans for Finfisher servers, most recently in 2012 and 2013. These scans, while unsuccessful in identifying the location of the master FinFisher servers, did reveal FinFisher’s use of proxy servers.

Proxy servers act as a mask for master servers, providing a different IP address for all the master server’s connections to the internet. In this way, FinFisher’s servers might have American IP addresses when, in reality, they are based in Saudi Arabia. Due to this masking of the original IP address, the master servers’ countries of origin remained a mystery, even after Gamma Group suffered a data leak in 2014.

That changed in 2015, when the Citizen Lab found that FinFisher had been “updated so that the decoy pages returned by the [proxy server] were actually fetched by the master,” Marczak explained.

This update allowed for location based queries, such as Googling ‘weather,’ to use the location of the master servers, revealing their country of origin to the Citizen Lab. In fact, the Citizen Lab was even able to simply Google “what is my IP address?” to reveal a master server’s exact IP address.

While Marczak believes that FinFisher will only continue to enhance their decoy system, he is confident in the Citizen Lab’s scans, stating that, “the thinking goes, [that] if they change the behavior of their servers to something we have not seen before, we will not be able to recognize it as FinFisher in the future. However, these slight modifications don’t actually impact our ability to detect their servers, in practice.”

Going forward, Marczak believes that FinFisher will eventually restructure their system so that these types of scan become fruitless, and government use of spyware will become ubiquitous. He warned that such action is dangerous because, “in the case of the surveillance business, you have the private sector involved with very little government regulation.  Since the private sector naturally tends towards profit maximization in the absence of government regulation, you get companies selling to very repressive places like Turkmenistan. That, in essence, is the problem — surveillance companies have little requirement or incentive to perform due diligence on their clients.”

There have been attempts to regulate the use of government spyware, most notably when modifications were made to an export control agreement called the Wassenaar Arrangement.

Originally targeted at regulating the exports of arms and technology, in 2013, 41 countries pledged to adopt controls for the cyber surveillance tools that firms like FinFisher and Hacking Team were selling.Despite these pledges, the world has yet to see any type of spyware regulation, leaving every internet user with a looming breach in their security.

To many, including Ronald Deibert, the Citizen Lab’s director, it is imperative for universities to act as stewards of a free and open Internet. “I see what we are doing as a form of ‘digital arms control verification’ in this regard, shedding a light on abuses and violations of human rights around access to information, freedom of speech, and privacy,” Deibert said, when asked about the Citizen Lab’s purpose.

In respect to the FinFisher report, Deibert finds it to be an excellent representation of the work that his lab aims to produce. “It is a good example of the mixed methods approach we take, combining different disciplines, especially in this case techniques from network measurement, and turning them to pressing frontline questions that are pertinent to the human rights domain.”

The FinFisher report is the latest in a series of investigations concerning the global proliferation of spyware products and services conducted by the Citizen Lab.