Before Edward Snowden sparked a global debate about government surveillance, it was a fact of life for Tadesse Kersmo. During Ethiopia’s national elections, in 2005, he and his wife campaigned for the country’s pro-democracy party, the Coalition for Unity and Democracy, which achieved a sweeping victory in the capital of Addis Ababa. But, when the results were overturned and protests broke out amid allegations of fraud, the ruling party quickly began cracking down on the opposition. Observers from the European Union reported extensive human-rights violations in the months that followed, including nearly two hundred demonstrators killed by security forces and tens of thousands more imprisoned.
Kersmo evaded arrest and moved to the countryside, but his ties to the opposition subjected him to continued threats, harassment, and intense monitoring long after the election. “It is common wisdom that the phones are tapped,” he told me, in a tired baritone, over Skype. “People would call me and tell me, ‘We are following you, we know what you’re doing, we know where you are.’ ” On three separate occasions between 2005 and 2007, Kersmo was detained and beaten. At one point, he was told that his family would find his dead body in the streets, because the prisons were filled to capacity. When that seemed imminent, in 2009, Kersmo and his wife fled to the U.K., where they were granted asylum. There he continued his work as a university lecturer and a senior member of Ginbot 7, an exiled pro-democracy party that the Ethiopian government labelled a terrorist group in 2011, under a vague and widely condemned proclamation.
Kersmo and his wife thought that their new life in the U.K. would take them out of the government’s sights. But, in April of last year, Kersmo read a report from the University of Toronto’s Citizen Lab, a nonprofit research group that scans the Internet to expose government-sponsored spyware and cyberattacks, showing evidence of a malware campaign targeting Ethiopian dissidents. The report describes a malicious file that, when opened, silently installs monitoring software on the victim’s computer. When Kersmo noticed that the malware “baited” its victims using photos of Ginbot 7 members, including those of himself, he decided to have his machine examined by Citizen Lab.
The group found traces of FinSpy, part of an “intrusion” software suite known as FinFisher, which first made headlines in 2011, after a sales contract was discovered inside the headquarters of the Egyptian secret police, following the ouster of President Hosni Mubarak. The spyware was capable of stealthily transmitting Kersmo’s chats, Web searches, files, e-mails, and Skype calls to a server somewhere in Ethiopia. “The feeling was shock—that they are still following us, even here,” Kersmo told me. “It goes beyond my personal security. All Ethiopians living in the U.K., United States, and elsewhere are unsafe now.”
The other week, Privacy International, a U.K.-based human-rights organization, filed a criminal complaint on Kersmo’s behalf, making him the first U.K. resident to challenge the use of hacking tools by a foreign power. “This case would be important to all refugees who end up in countries where they think they are safe,” Alinda Vermeer, a lawyer with Privacy International, who filed Kersmo’s complaint, told me in a phone interview. That sense of safety is illusory, she said, because countries armed with tools like FinSpy insure that refugees “can be spied on in an equally intrusive way as they were back at home.” Worse, the surveillance also reveals with whom the victims have been communicating, potentially endangering the lives of contacts and relatives still residing in their home country.
Kersmo’s dilemma is becoming more common, particularly among journalists and activists seeking political freedoms beyond their country’s borders. The Electronic Frontier Foundation recently filed a suit similar to Kersmo’s against the Ethiopian government, on behalf of a U.S. citizen living near Washington, D.C., where most of the country’s Ethiopian-American population lives. (Fearing government reprisal, the plaintiff asked to use a common Ethiopian name, “Kidane,” as a pseudonym during the proceedings.) In a different report, released last month, Citizen Lab revealed evidence of an attack on Ethiopian Satellite Television, a news service with offices in the U.S. that serves as an alternative to state-controlled media in Ethiopia. A mysterious source had made three attempts to send malicious files to employees, claiming that they were news articles; the files contained a small program that exploits a security flaw in Microsoft’s Windows operating system, allowing it to silently install Remote Control System, a spyware tool similar to FinSpy.
The growing surveillance-technology industry—including the companies Gamma International and Hacking Team, the European developers of FinSpy and Remote Control System—has been valued at five billion dollars. Proponents defend such commercial spyware by noting that it helps authorities catch terrorists and other serious criminals. But Gamma will not disclose which countries it sells its products to, nor is it particularly eager to take responsibility for how they are used. In 2012, Martin J. Muench, the company’s founder, told Bloomberg News that his company has “no control; once it’s out there it’s basically with the country” to use the tools ethically. (Gamma did not respond to a request for comment.)
The Milan-based Hacking Team claims that it monitors its software, and has the ability to disable functionality if it believes that clients “have used Hacking Team technology to facilitate gross human rights abuses.” According to its customer policy, the company’s sales are reviewed by “an outside panel of technical experts and legal advisors,” which looks for “red flags,” including “credible government or non-government reports reflecting that a potential customer could use surveillance technologies to facilitate human rights abuses.” Like Gamma, Hacking Team also refuses to name which countries use its products, but it denied allegations in a recent report by Citizen Lab that claimed Remote Control System was used in twenty-one countries, including Azerbaijan, Uzbekistan, Saudi Arabia, and Sudan. A spokesperson, Eric Rabe, told Mashablethat the Citizen Lab report is “not an accurate list of nations where Hacking Team clients are located,” but refused to elaborate on the company’s vetting process.
Regardless, the increased scrutiny of commercial spyware has led some countries to tighten regulations regarding its sale, particularly across national borders. In 2012, the U.K. governmentinformed Gamma, which has offices in Andover, England, that it needs to obtain licenses to sell FinSpy outside the country, citing laws that control the export of cryptography. Alinda Vermeer, of Privacy International, explained that, while export controls under the Wassenaar Arrangement—which regulates weapons and technologies with potential military applications within forty-one nations—were recently updated to restrict spyware, the new terms haven’t yet been adopted by all participating countries. This means that, while future deals will be regulated in some countries, past purchases and current efforts from spyware companies around the world have relatively few rules to follow—and more people like Kersmo are bound to get caught in the crosshairs. “There is a social obligation for corporations,” Kersmo said. “Selling this kind of software to irresponsible governments is irresponsible.”