Photo

Last May, two security researchers volunteered to look at a few suspicious e-mails sent to some Bahraini activists. Almost one year later, the two have uncovered evidence that some 25 governments, many with questionable records on human rights, may be using off-the-shelf surveillance software to spy on their own citizens.

Morgan Marquis-Boire, a security researcher at Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found that the e-mails contained surveillance software that could grab images off computer screens, record Skype chats, turn on cameras and microphones and log keystrokes. The word “FinSpy” appeared in the spyware code. FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.

Now, one year later, Mr. Marquis-Boire and Mr. Marczak have found evidence that FinSpy is being run off servers in 25 countries, including Ethiopia and Serbia, without oversight.

Until Mr. Marquis-Boire and Mr. Marczak stumbled upon FinSpy last May, security researchers had tried, unsuccessfully, for a year to track it down. FinSpy gained notoriety in March 2011 after protesters raided Egypt’s state security headquarters and discovered a document that appeared to be a proposal by the Gamma Group to sell FinSpy to the government of President Hosni Mubarak .

Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”

But evidence suggests the software is being sold to governments where the potential for abuse is high. “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,” Mr. Marquis-Boire said. “Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.”

As of last year, Mr. Marquis-Boire and Mr. Marczak, with other researchers at Rapid7, CrowdStrike and others, had found command-and-control servers running the spyware in just over a dozen countries. They have since scanned the entire Internet for FinSpy.

The Munk School is publishing their updated findings on Wednesday. The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.

In Ethiopia, FinSpy was disguised in e-mails that were specifically aimed at political dissidents. The e-mails lured targets to click on pictures of members of Ginbot 7, an Ethiopian opposition group. When they clicked on the pictures, FinSpy downloaded to their machines and their computers began communicating with a local server in Ethiopia.

“This continues the theme of FinSpy deployments with strong indications of politically motivated targeting,” the researchers wrote in their report.

A Turkmenistan server running the software belonged to a range of I.P. addresses specifically assigned to the ministry of communications. Turkmenistan is the first clear-cut case of a government running the spyware off its own computer system. Human Rights Watch has called Turkmenistan one of the world’s “most repressive countries” and warned that dissidents faced “constant threat of government reprisal.”

In Vietnam, the researchers found evidence that FinSpy was running on Android-powered phones. They found one Android phone infected with FinSpy that was sending text messages back to a Vietnamese telephone number. That finding was particularly troubling, researchers say, given recent clampdowns by the nation’s government. Last year, Vietnam introduced censorship laws that prohibit bloggers from speaking out against the country’s ruling Communist party. According to Human Rights Watch, at least 40 people had since been convicted and sentenced to prison terms. Many are now serving terms ranging from three to 13 years.

The sale of surveillance technology is still largely unregulated, but Mr. Marquis-Boire and Mr. Marczak’s findings have prompted greater scrutiny. Responding to their findings last fall, Germany’s foreign minister Guido Westerwelle called for an Europe-­wide ban on the export of surveillance technology to repressive regimes. And last month, Privacy International and other groups filed complaints with the Organization for Economic Cooperation and Development against Gamma Group and Trovicor GmbH, a German company that also sells surveillance software.

“I don’t think you can put technology back in the bottle,” said Mr. Marquis-Boire. “I understand why police would want to use this type of technology, but I’m just not for commercial companies selling them to nondemocratic regimes with questionable human rights records.”