HM Revenue & Customs must now investigate Gamma International for potential illegal exports

News & Analysis
HM Revenue & Customs must now investigate Gamma International for potential illegal exports

Privacy International’s campaign for effective export controls of surveillance technology is still ongoing, but for one company, action can already be taken by HM Revenue & Customs to hold stop their unethical practices. Here is the story so far...

Privacy International has been investigating the trade in surveillance technology for almost two years as part of our Big Brother Incorporated project. Our research showed the capabilities of surveillance technology has grown hugely in the past decade but was almost entirely unregulated. So this summer PI took the initial step towards legal proceedings against the British government sending a ‘pre-action protocol’ letter to the Department for Business, Innovation and Skills (BIS). In the letter, we called for all UK surveillance technology to be made subject to export controls - which would see the sale of these products to overseas governments scrutinised in the same way as that of munitions and military equipment. While most goods can be freely exported to destinations beyond the EU, certain items that have military or dual military/civilian applications fall under the purview of the UK’s export control regime and their sale to a non-EU countries requires a licence. When a vendor applies for such an licence, the government then has the chance to scrutinise the goods and their destination, and approve or reject their export. In this way, the UK government controls the sale of goods to countries where they may have an extreme and detrimental impact on overseas civilian populations or UK interests abroad.

In our initial letter to BIS of 12th July, we pointed out that - given that surveillance technology may have an equal if not greater impact on oppressed populations as guns and bombs - the UK’s existing export control regime must be extended to include such goods, to ensure that human rights concerns are given due consideration before export. At the time, no UK surveillance technology products were subject to export control; they could be exported freely with dire consequences for human rights campaigners and political activists across the world.

As an example of a particularly dangerous surveillance technology, the letter highlighted FinSpy, a suite of ‘IT intrusion’ products sold by the Andover-based firm Gamma International. FinSpy is a sophisticated piece of malware that is sent to target individuals disguised as a harmless email, link or software update. FinSpy then installs itself on the target’s computer or smartphone and begins to relay information back to the sender, including the contents of all emails and skype conversations, as well as address books and documents stored on the device’s hard drive. FinSpy can even be used to remotely activate a device’s internal camera and microphone without the user’s knowledge, capturing images and audio recordings of the user and his or her surroundings. Very difficult to either detect or evade, FinSpy is an extremely powerful tool in the hands of an oppressive regimes, used to target human rights activists and political campaigners for harassment, indefinite detention and torture.

The Secretary of State for Business, Innovation and Skills responded to our letter on 8th August. Although his letter failed to reassure us that BIS will extend the existing regime to include comprehensive and effective oversight of all surveillance technology exports, it did reveal the department had conducted an assessment of FinSpy, and concluded that FinSpy products do actually fall within the purview of the existing export control regime. PI welcomed the confirmation that FinSpy and similar Gamma products do indeed require a licence for export, but requested clarification regarding Gamma International’s licence applications. In a subsequent letter, BIS admitted that Gamma International had yet to apply for, or be granted, any such licence. Despite this, FinSpy and similar products have turned up in Bahrain, Egypt, Ethiopia and Turkmenistan. Clearly, Gamma is exporting controlled items beyond the EU, while failing to secure the appropriate export licence. The company is therefore in breach of UK law, and may be liable to criminal proceedings.

While BIS is the department that sets export policy, it is up to HM Revenue & Customs to enforce these rules and ensure that Gamma International no longer flouts UK and EU export regulations with impunity. On 9th November Privacy International wrote to HMRC, alerting the department to this ongoing breach of UK export regulations. While we are still considering legal action against BIS for its failure to ensure effective oversight of all surveillance technology products, our focus for the moment is on ensuring that HMRC do not let Gamma International off the hook. We requested a response from HMRC within 14 days, but have not yet received a response.