Litigation and other formal complaints related to mercenary spyware

Bahraini activists have started a legal action against Gamma alleging that the company was involved in the sale of spyware products to the Bahraini government knowing they would be used to crack down on protests during the Arab spring. The claimants say that they were targeted with the FinFisher/FinSpy program, which was manufactured in the UK and sold to the Bahraini government. They also accuse Gamma of providing training to Bahraini government officials on how to correctly use the software, along with technical support and software updates. All allege that the Bahraini government attacked their computers while they were in the UK. The claimants say they were targeted in relation to their pro-democracy campaigning during the Arab spring. Hassan Mushaima, one of the claimants, was jailed for life in 2011 by a military court in Bahrain. The claimants are represented by Leigh Day.

The Electronic Frontier Foundation (EFF) filed a lawsuit in federal court in Washington, D.C. alleging that the government of Ethiopia, using FinFisher/FinSpy, illegally wiretapped and invaded the privacy of EFF’s client, a U.S. citizen on U.S. soil. The United States Court of Appeals for the District of Columbia Circuit ultimately concluded in March 2017 that Ethiopia was immune from suit absent an exception under the Foreign Sovereign Immunities Act, which did not arise here. In response to the decision, EFF argued that the court had “held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–as long as they do so by remote control” and that the decision was “extremely dangerous for cybersecurity.” Under this holding, there is no legal recourse if a foreign government “hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil.” For further analysis of this decision, see Lawfare and Motherboard.

In 2013, Privacy International, Reporters Without Borders, Bahrain Watch, the Business Center for Human Rights, and the ECCHR filed a formal complaint with the UK National Contact Point for the OECD, as well as the equivalent German Contact Point, against Gamma and Trovicor. The UK Contact Point accepted the complaint for consideration against Gamma. In 2014, the UK Contact Point determined that Gamma was in violation of human rights guidelines. The German Contact Point refused to investigate the allegations and was only willing to continue with mediation in relation to Trovicor’s risk management.

Privacy International began investigating Gamma and the export of FinFisher/FinSpy spyware. After discovering that Gamma’s FinSpy was subject to the UK export control regime and that Gamma had only submitted a Control List Classification enquiry asking the government whether or not it needed an export license for the product in July 2012, Privacy International submitted a dossier of evidence against Gamma to HMRC and called for an investigation. HMRC is responsible for overseeing the enforcement of export regulations in the UK. HMRC refused to provide any details regarding any investigation into Gamma’s export practices, arguing that it was statutorily barred from doing so. In May 2013, Privacy International filed for judicial review of HMRC’s decision. In May 2014, the Administrative Court declared that HMRC acted unlawfully and “irrationally” in issuing blanket refusals into the status of any investigation into the potentially illegal export of FinFisher. The court quashed HMRC’s decision and ordered it to consider Privacy International’s request again.

In October 2014, Privacy International and the European Center for Constitutional and Human Rights submitted a criminal complaint calling for an investigation into Gamma in Munich, Germany. In December 2014, public prosecution authorities in Munich decided not to launch investigatory proceedings against Gamma’s employees.

The organizations argued that the Munich-based companies sold the FinSpy spyware to Turkey without an export license and that this assisted in the surveillance of opposition members and journalists by the Turkish government. Public prosecutors in Munich reportedly opened an investigation. On October 14, 2020, DW reported that “German Customs Investigation Bureau (ZKA) searched 15 residential and business premises in Germany and abroad last week with connections to the Munich-based surveillance software firm FinFisher.” On May 22, 2023, it was announced that German prosecutors indicted four former FinFisher CEOs on the basis that they sold their surveillance technology to Turkey without the necessary approvals.

In March 2022, FinFisher ceased business operations and filed for insolvency.

In November 2017, the International Federation for Human Rights (FIDH) and the Ligue française des droits de l’Homme (LDH), with support from the Cairo Institute for Human Rights Studies (CIHRS), requested an investigation into the sale of surveillance equipment by this French company to Egypt and the potential role of this equipment in widespread oppression under the Al Sissi regime in Egypt. In December 2017, the Paris Prosecutor acknowledged the gravity of the allegations, giving Egyptian victims the opportunity to become civil parties to the case and testify in France as well as enable FIDH and LDH to become civil parties.

In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this 2017 complaint, as well as the 2011 complaint described below.

In October 2011, FIDH and LDH filed a complaint alleging the complicity of Amesys and its executive managers in acts of torture for having signed and executed a commercial agreement for the provision of surveillance technology to the Libyan regime in 2007. In May 2012, a formal criminal investigation was opened in France. After subsequent litigation over this decision to open an investigation, in January 2013, the Chamber of Criminal Investigation of the Court of Appeal upheld the initial order to open the investigation. In June 2021, four Amesys and Nexa Technologies executives were indicted by investigating judges of the crimes against humanity and war crimes unit of the Paris Judicial Court for complicity in torture in the Libyan portion of the investigation and complicity in torture and enforced disappearance in the Egyptian portion. These indictments arose out of this 2017 complaint, as well as the 2011 complaint described below. These indictments arose out of this complaint, as well as the 2011 complaint described above.

FIDH and LDH filed a criminal complaint before a Paris court urging for an investigation into the involvement of French companies supplying surveillance equipment to Bashar El-Assad’s Syrian government. The complaint named Qosmos, a French company, in particular alleging that it is complicit in human rights abuses, including torture, by the Syrian government by providing it with surveillance equipment. In April 2014, a full judicial investigation was brought against Qosmos by the Paris Court for complicity in torture. In April 2015, an investigative judge declared Qosmos an “assisted witness.”

In December 2020, a Paris judge dismissed the case due to insufficient evidence to establish causal link between surveillance equipment and acts of torture and crimes against humanity by the Syrian regime.

In March 2022, the US District Court for the Southern District of Florida dismissed the case. In April 2022, Oueiss appealed to the US Court of Appeals for the Eleventh Circuit.