I'm missing the point that the FinFisher, FinSpy, "Hallo Steffi" toolbox is a German product. The software is written in Germany, and Gamma International is just an UK sales proxy. The usage of this toolbox by state agencies within Germany is illegal, but Germany exports this illegal toolbox to friendly regimes, and uses it to spy on hostile regimes.
Thats similar to: We don't own our own bomb, we just borrow bombs from US, and export centrifuges to Korea and Iran.
It should be also noted that FinSpy got a valid Apple certificate, while Apple on the other hand side is known to block software like Drones+. Its therefore just an other example that locking down a platform by certificates is not to protect users, but to protect a monopoly. And a reminder to stop UEFI. http://news.ycombinator.com/item?id=4337218
I think conceptually this is obvious -- all means of fighting crime can be used to fight people who wish to change the law. To change the law, you must push for activity outside the scope of the current law to be accepted. Activity outside the scope of the law is, by another unflattering name, crime.
It's a little naive the way the article repeats that the software is "only for use in criminal investigations."
1. Outside of first-world democracies, one of the main purposes of criminal investigations is to find political dissidents so they can be threatened, jailed, tortured, or "disappeared."
2. Another country's definition of "crimes," "criminal" or "investigation" may be very different from yours. In the USA we have due process, presumption of innocence, double jeopardy, rules of evidence, speedy trial, reasonable search and seizure, prohibitions on ex post facto laws, Miranda rights...in other countries, maybe there's a court and a trial, but with a 95%+ conviction rate and no questions are considered relating to the reliability of the prosecution's investigation process, arguments, witnesses or evidence. Or, when you're accused, you're simply tortured until you confess, and the torture is effective enough that most people confess (or extreme enough that people who don't confess usually die). And the types of laws that they have may mean that dissidents are actually criminals -- for example, if it's illegal to criticize the regime in any way, then all dissidents are criminals by definition.
3. Most evil regimes have a secret police (it's practically part of the definition of "evil regime"). The thing that distinguishes the secret police from the regular police is that the former are, well, secret. An oppressive government wouldn't come out and say to a First-World seller of such surveillance software, "We're going to use this for criminal investigations and secret police actions." Instead they'd say, "We're going to use this for criminal investigations," and once they had it, expand its use to the secret police without telling anyone.
4. Even if it's not sold directly to the worst regimes, it may wind up in their hands anyway, through bribery, espionage, a sequence of individually legitimate, indirect trades through neutral nations, or plain old software piracy. The fact that software is not a physical item and can be moved through networks or tiny, unobtrusive, common devices like SD cards or USB drives, perfectly disguised through encryption, and duplicated at virtually zero cost makes it much easier and less risky to steal and/or move across borders than would be the case for physical items like guns, artillery, aircraft, etc.
5. Independent invention is also possible. There are plenty of countries with the money and technical know-how to develop something like this (ahem Russia ahem China), who aren't shy about cracking down on their own political dissidents and presumably wouldn't mind selling the software to like-minded regimes for money or political favors.
6. With postmortems on infected PC's, or sufficiently detailed reports of dissidents' activity leading to arrest, the outside world might figure out what happened, as appears to be the case in this article. But by then there's not much we can do, short of the usual ways the international community tries to improve human rights -- multilateral negotiations, diplomatic pressure, economic sanctions, UN peacekeepers, limited military strikes, full-scale invasion and regime change. None of which seem to be particularly reliable or effective.
The reason this type of software hasn't been much noticed until recently is that despotic countries are often relatively backwards in many ways, so (I'm guessing) most tyrants haven't had to worry much about Internet-organized dissidents until enough of their population got Internet access for it to become an effective tool for activists, which (I'm guessing) only happened fairly recently in most such countries.
"In the USA we have due process, presumption of innocence, double jeopardy, rules of evidence, speedy trial, reasonable search and seizure, prohibitions on ex post facto laws, Miranda rights..."
I suppose those things are fundamentally still here, as long as you aren't overly interesting to the govt, but I feel like we have a Cheshire Constitution that is slowly fading away, leaving only its memory and myth behind.
- Due process: Bradley Manning, Kim Dotcom/MegaUpload.
- Presumption of innocence: Guantanamo (I know, "combatants"), US citizens held for similar reasons.
- Speedy trial: see Due process.
- Reasonable Search/Seizure: the govt sticks GPS transmitters on cars without warrants. The government declares by law that any email or other electronic information that is on a server longer than six months is "abandoned" and therefore legal to hoover up at their leisure and without a warrant. Which means that all your gmail are belong to them.
At least there's a public controversy about those things. Some specific comments about how the Constitution may not be as dead as you think:
> Bradley Manning, Kim Dotcom/MegaUpload.
I'm pretty sure that the latter is still winding its way through the court system. Not sure about the former. But Manning was also a member of the military, so it makes sense that he should be held to a higher standard than random civilians, with respect to leaking of classified information.
> Presumption of innocence
US citizens held for similar reasons? Citation needed.
> Reasonable search and seizure
Warrantless GPS transmitters were unanimously ruled illegal by the Supreme Court [1]. As for your point about email, I'd believe it -- but again, I'm not familiar with it, citation needed.
> Telecom immunity
Yes, this is a really crappy, sleazy thing our government did. But I'd guess ex post facto only applies to criminalizing behavior after the fact, not decriminalizing it.
> US citizens held for similar reasons? Citation needed.
Sorry, I can't find it. I was thinking specifically of someone from the Chicago area with a Hispanic name arrested on suspicion, but I can't find it. My recollection is that he's suspended in the system, but I can't find a citation.
While you make excellent points, I still feel like we've lost a lot. Maybe it's a personal thing.
Your fourth point is the most scary in my opinion. I just realized that it doesn't take much in terms of effort to achieve almost perfect secrecy.
A simple dropbox account coupled with TOR or another similar service is enough for the online and 'cover your tracks'. You could plainly download truecrypt and encrypt your data with it and any group who's monitoring you would be none the wiser. Sure, they'd know you've sent something and they could break into your house to seize your computer but you either have truecrypted your hard drive previously or DBAN'ed your computer.
You could say that this is not a good thing because it allows someone to sell secrets to opposing countries. You would say that the tubes need to be monitored, secure connections need to have a back door, every bit passing through the pipe needs to be copied for future analysis. But let me ask you this, if you were living in an oppressive country do you still think it's 'better' to let everyone know what you're doing?
In a sense, you could say that the advent of high-speed, low cost, easily accessible and network communicable adding machines has made it easier for the general to be more informed and less 'spyable'(of course, less spyable only if you take the extra effort, but I assure you it's possible, although the laws of diminishing returns apply).
You mention the use of Tor and TrueCrypt. But, how effective is a lock against the thief who is already in the house?
Besides, in my part of the world Internet speed is not like that of US (which I have not experienced) or of S Korea (which I experienced and couldn't believe it was that fast) and neither is it so good in the countries where oppressive regimes are still holding ground (albeit with the (in)direct support of many western powers including the USA) the speed is very slow. Use of sth like Tor reduces it to a mere trickle. Though a in particular case the pain can be endured but when it comes to an entire nation then it's not a solution at all.
I was happy that the headline writer phrased it that way, precisely because most people are that naive. So for everyone who read that article, in the future, when they hear "our software catches criminals" they'll mentally append "...and dissidents".
>What they found was the widespread use of sophisticated, off-the-shelf computer espionage software by governments with questionable records on human rights.
And even more widespread use by governments with good records on human rights (especially since lots of the "NGOs" that check human rights violations are based there or are sponsored by those very governments. Plus those governments do most of their violations outside their borders).
Thats similar to: We don't own our own bomb, we just borrow bombs from US, and export centrifuges to Korea and Iran.
It should be also noted that FinSpy got a valid Apple certificate, while Apple on the other hand side is known to block software like Drones+. Its therefore just an other example that locking down a platform by certificates is not to protect users, but to protect a monopoly. And a reminder to stop UEFI. http://news.ycombinator.com/item?id=4337218