Inside the Booming Commercial Surveillance Industry

With much of the world’s attention trained on the NSA’s unprecedented mass surveillance, it’s easy to forget about the $5 billion private industry profiting from spy technology. And as the annual RSA security conference kicks off in San Francisco, it’s a good time for a refresher.

The private surveillance industry, while legal, is a clandestine one, often lumped in with the arms trade, even though strictly speaking surveillance packages aren’t weapons. Hardware and software tools such as operating system exploits, deep packet inspection, lawful intercept tools, and data and traffic analysis packages are bought and sold at international arms shows and exported to foreign countries—including authoritarian regimes.

Private surveillance companies can be incredibly secretive about their products and which governments they sell them to—primarily because publishing client lists would “torpedo” their businesses, Eva Galperin, Global Policy Analyst with the Electronic Frontier Foundation told me.

“Conveniently for these companies,” said Edin Omanovic, a research officer with Privacy International, “the fact that they sell to government agencies who demand non-disclosure means that they can continue to operate under a shroud of secrecy away from public scrutiny and any form of real accountability.”

But there have been a number of recent document dumps, published by Wikileaks and Privacy International, giving us a peek into the nefarious mass surveillance industry. To make sense of it all, I talked with Morgan Marquis-Boire, a senior researcher at the research group Citizen Lab, about the most interesting and sinister products, and how they work.

One of the creepiest gadgets on the market is manufactured by Gamma Group. It’s called FinFly ISP (Internet Service Provider). It’s a piece of hardware, a box from the looks of things, that scans traffic running through an ISP’s data center, searching for its target.

Once the target is found, the device waits for the target to download a file and when they do, FinFly intercepts the download, injects an infection app, unbeknownst to the target. Once the target opens the file—it could be anything, even a PDF document—the app installs itself, opening up a wide range of remote monitoring capabilities. FinFly can also masquerade as popular software updates.

The same company also makes FinFisher, one of the most notorious spy tools on the market, which has received a lot of attention for its connection with political repression in not-so-friendly regimes. FinFisher is actually a suite of tools, a complete off-the-shelf surveillance solution that can intercept emails, IMs, VoIP calls, and remotely spy through the webcams and mics attached to personal laptops or desktop computers.

Creepier still is the mobile component, that can turn your cell phone into a live microphone without your knowledge. As if that wasn’t invasive enough, it can track your movements via GPS. FinFisher Mobile can compromise basically any device.

Other private surveillance companies, like HackingTeam, promise similar capabilities. According to the company’s marketing materials, it’s Galileo software offers a “Remote Control System” offers a stealthy way of attacking, infecting, and monitoring computers and smartphones “regardless of encryption.” HackingTeam even goes so far as to boast that its solution can overcome PGP, and other secure forms of online communication.

The Remote Control System can be installed via a bootable CD (how 1990s), USB drive, or direct “infection tampering with computer case.” Once planted on the target’s computer, the software will record keystrokes, transit email messages, and printed documents to remote control servers. It’s completely invisible to users or antivirus and malware apps.

Vupen Security, another big player in the industry, sells a different sort of surveillance solution to  governments and major corporations. Billing itself as a research company rather than a cyber-arms manufacturer, Vupen produces what are called zero-day exploits that take advantage of unpatched vulnerabilities with major software packages like operating systems and web browsers. Such exploits, the company says, help “law enforcement agencies and investigators to gain access to computer systems and install monitoring and interception tools on target PCs or mobile devices.”

There are a couple other sketchy things about the company’s positioning. One, the CEO has yet to explain how to keep his software out of criminal or repressive regimes. Two, during an interview with Security Week, he justified the sale of zero-day exploits much in the way arms manufacturers do: Essentially, that they help legitimate governments and law enforcement capture bad guys. Martin Muench, developer of Gamma Group’s FinFisher software, told Bloomberg in a 2012 interview, “We have no control; once it’s out there it’s basically with the country.”

The document leaks give some idea of what you can expect to pay for private surveillance tech. It’s not easy on the wallet. For instance, the total FinFisher package went for $15.5 million when Gamma Group sold it to Mexico, which included technical support, hardware, software, and even training. But, it’s possible to get a budget version too; a two seat license for the software runs about $380,000—“dictator pocket change,” Marquis-Boire said.

That’s a real concern for those monitoring the ever-growing industry: These tools are within the price range of petty dictators who, ultimately, may use them to terrorize anyone who opposes their rule. “The value of these kinds of lawful intercept solutions, the value of targeted digital surveillance itself, has become apparent to these kinds of actors,” Marquis-Boire said. Despite strict export controls on these surveillance solutions, there have been numerous examples of FinFisher and its ilk popping up in places where they probably shouldn’t. That includes the US.

The booming industry raises the question: How can we reconcile the morality of for-profit enterprises making bank on well-documented injustices? It’s a question that has long been asked of the arms industry, and for good reason.