S’pore govt denies using spy software

[Updated: on 16 March, adding more details, comments from MHA spokesperson]

Singapore's government has denied using spy software after being identified among a list of 25 countries that were found by two researchers to be employing it, in a report published by a Canadian think-tank.

A Ministry of Home Affairs spokesperson told Yahoo! Singapore on Saturday that it does not use it or any such spyware, after the report, published on Citizen Lab, the University of Toronto’s centre for research on digital media and global security, detailed findings from two security researchers at the universities of California and Toronto that named the city-state among others that have servers running a specific spyware.

Brunei, Indonesia, Malaysia and Vietnam, as well as Middle Eastern countries like Bahrain, Qatar and the United Arab Emirates, and developed countries such as Australia, Britain, Canada and the U.S. were also identified.

“FinSpy”, the term used for the spyware the researchers found, is sold by a British company called Gamma Group. Embedded in emails, the software has the capability to “grab images off computer screens, record Skype chats, turn on cameras and microphones and log keystrokes”, according to a New York Times report on the findings. Once downloaded unknowingly, FinSpy links a user’s computer to a local server — in some of these cases, servers that belonged to their governments.

An official of Gamma Group reportedly said it sells its technology to governments for the sole purpose of monitoring criminal activity, and that it was most often employed against “paedophiles, terrorists, organised crime, kidnapping and human trafficking”.

According to the two researchers — Morgan Marquis-Boire and Bill Marczak — however, FinSpy is not only likely to be used for “politically motivated surveillance”, but is also applied differently in different countries.

In Ethiopia, for instance, download links for FinSpy were embedded in pictures in emails that were specifically directed at political dissidents, while in Turkmenistan, the server running the software belonged to a range of I.P. addresses that were assigned to the country’s communications ministry.

Closer to home, the spyware was found to be running on Android phones in Vietnam, where Marquis-Boire and Marczak discovered one phone that was sending text messages to a Vietnamese telephone number — a troubling finding given recent clampdowns by the country's government, the researchers reportedly said.

“Our findings highlight the increasing dissonance between Gamma’s public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists,” the researchers added in their report.

The two also warned that the presence of "a global and unregulated market for offensive digital tools potentially presents a novel risk to both national and corporate cyber security".

However, the researchers also qualified that their findings do not necessitate that in all the countries listed, it is a government agency that is using FinSpy.

A key part of their report notes that the "discovery of a FinSpy command-and-control centre in a given country is not a sufficient indicator to conclude the use of (the software) by that country's law enforcement or intelligence agencies".

"In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country," the report added.

After discovering FinSpy last May, Marquis-Boire and Marczak scanned the whole internet for its presence, turning up this latest list of countries. The others are Bangladesh, the Czech Republic, Estonia, Germany, India, Japan, Latvia, Mexico, Mongolia, the Netherlands and Serbia.