Morgan Marquis-Boire works as a Google engineer and Bill Marczak is earning a Ph.D. in computer science. But this summer, the two men have been moonlighting as detectives, chasing an elusive surveillance tool from Bahrain across five continents.
What they found was the widespread use of sophisticated, off-the-shelf computer espionage software by governments with questionable records on human rights. While the software is supposedly sold for use only in criminal investigations, the two came across evidence that it was being used to target political dissidents.
The software proved to be the stuff of a spy film: it can grab images of computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The two men said they discovered mobile versions of the spyware customized for all major mobile phones.
But what made the software especially sophisticated was how well it avoided detection. Its creators specifically engineered it to elude antivirus software made by Kaspersky Lab, Symantec, F-Secure and others.
The software has been identified as FinSpy, one of the more elusive spyware tools sold in the growing market of off-the-shelf computer surveillance technologies that give governments a sophisticated plug-in monitoring operation. Research now links it to servers in more than a dozen countries, including Turkmenistan, Brunei and Bahrain, although no government acknowledges using the software for surveillance purposes.
The market for such technologies has grown to $5 billion a year from “nothing 10 years ago,” said Jerry Lucas, president of TeleStrategies, the company behind ISS World, an annual surveillance show where law enforcement agents view the latest computer spyware.
FinSpy is made by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.
“This is dual-use equipment,” said Eva Galperin, of the Electronic Frontier Foundation, an Internet civil liberties group. “If you sell it to a country that obeys the rule of law, they may use it for law enforcement. If you sell it to a country where the rule of law is not so strong, it will be used to monitor journalists and dissidents.”
Until Mr. Marquis-Boire and Mr. Marczak stumbled upon FinSpy last May, security researchers had tried, unsuccessfully, for a year to track it down. FinSpy gained notoriety in March 2011 after protesters raided Egypt’s state security headquarters and discovered a document that appeared to be a proposal by the Gamma Group to sell FinSpy to the government of President Hosni Mubarak for $353,000. It is unclear whether that transaction was ever completed.