Over the past few years, Qatar’s State Security Bureau (SSD) has been a customer of a German technology firm that sells software used to secretly monitor emails and other forms of online communication, according to a new report from WikiLeaks.
The SSD is responsible for internal security investigations and intelligence gathering, as well as sedition and espionage cases, according to the US State Department.
Wikileaks, known for publishing secret and classified information online, calls the software sold by Munich-based FinFisher “spyware” that’s “designed to be covertly installed on a Windows computer and silently intercept files and communications, such as Skype calls, emails, video and audio through the webcam and microphone.”
On its website, FinFisher – which was formerly part of the UK-based Gamma Group – said its products are designed to target individual suspects and are not mass surveillance tools.
Qatar is far from FinFisher’s only customer.
The WikiLeaks report, which was released today, identified some 17 clients – including governments and security agencies in several countries, such as Australia, Bahrain, the Netherlands, Pakistan, Singapore and Vietnam.
While Qatar may be far from the only country using FinFisher’s software, the new report sheds a rare light on the digital surveillance tools Qatar has at its disposal.
WikiLeaks’s report is based primarily on customer feedback and service requests sent to FinFisher.
The records related to Qatar show 11 licensing agreements active between October 2010 and April 2014. The brief entries cover difficulties that clients had in seeing “new targets” (individuals under surveillance).
Wikileaks estimates the licences sold to Qatar cost at least €683,700 (QR3.22 million).
However, the extent to which Qatar uses software developed by FinFisher – which says its products are for “targeted and lawful criminal investigation” purposes only – to monitor residents is not clear.
In the past, University of Toronto researchers found that the software was used to target activists in Bahrain.
In one 2012 case during Bahrain’s uprising, one of FinFisher’s clients sent an email from what appeared at first glance to be the personal email account of an Al Jazeera reporter. The message claimed to contain images and accounts of protesters being tortured following their arrest.
If the recipient opened the attachment, the cyber attackers gained clandestine remote access to the individual’s computer as well as the ability to steal data stored on it.
Further investigations by research and advocacy organization Bahrain Watch said FinFisher had been used to target dozens of individuals, including high-profile lawyers, politicians and journalists in that country.
Little is known about how authorities in Qatar police the internet, beyond an automated censorship tool that blocks websites deemed to contain obscene content.
In 2011, the morality censors temporarily prevented internet users in some Gulf countries from accessing the popular blogging site Tumblr.
That prompted a Harvard researcher to look into how countries such as Qatar block certain online material.
Earlier this year, the parent company of the country’s second-largest telecom firm said local laws prevented it from disclosing how often it turns over customer information to Qatari authorities.
Vodafone published its first-ever law enforcement disclosure report in June, analyzing demands for customer’s communications data by law enforcement agencies in 29 countries.
The company said it was unable to discuss its interactions with security officials here, but noted that authorities in Qatar have the right to demand unfettered “access (to) confidential information or communication relating to a customer.”
Meanwhile, the country’s advisory council is still mulling a draft cybercrime law, which won Cabinet approval in February.
Qatar’s state news agency has previously said that the proposed legislation would make it illegal to unlawfully access government departments or agencies through the internet.
It would also make it a crime to publish “incorrect news” online that endangers public order as well as factual information “related to the sanctity of the private and family life of individuals” or that “exceeds” the country’s social values.