MUNICH - It’s all so simple in the 1998 Disney movie Mulan. The heroine disguised as a boy joins the Chinese military to fight the enemy – armies of shadowy, faceless Huns that darken the horizon. Classic good versus evil.
Martin Münch says he knows who the bad guys are, and that he’s one of the good guys. The problem is many people don’t think he’s a good guy. To them, he’s on the wrong side of the Arab Spring. Some human rights groups accuse him of selling his software to totalitarian governments either knowingly or with flippant disregard for the use they can make of it.
Münch, 31, is a developer of spy software for computers and smartphones. Thanks to his FinFisher Trojan, the police and secret services can follow what somebody types into Google and says on Skype, and check out what they bought on their smartphone. Germany’s Federal Criminal Police Office (BKA) is testing FinFisher for possible use.
Münch is proud of his product, and for the first time he recently showed German journalists how it works. Up to this point, the media had not been given access to his development offices in Munich. The plaque out front reads: Gamma Group. Inside, a dozen staffers sit in front of screens.
Münch, co-owner and CEO, is good at explaining technological toys. Maybe that’s because he’s self-taught. He didn’t study computer science – he’s a musician, jazz piano and guitar. But nowadays he’s showing folks at security conferences how to infect computers. Münch sees himself a bit like Mushu, the little dragon in Mulan – the cool helper who stands by Mulan during battle. Münch named the company through which he owns 15% of Gamma International GmbH “Mushun” confessing with a sheepish grin how he added the ‘n’ that ends the name the same way as his own.
Martin Münch - Source: buggedplanet
Both the Süddeutsche Zeitung and the Guardian are in possession of documents showing that Gamma Group owns a company in the British Virgin Islands, a tax haven. When he was asked about this, Münch at first vehemently denied the existence of the company. When the Guardian sent him relevant documents, he apologized: he really did not think, he said, that such a subsidiary existed. During the visit to Gamma offices, Münch answers business questions evasively. No he doesn’t have any figures, doesn’t know who company partners are. "I’m just a little technician guy," he says adding that he is also the one who makes the strategic decisions.
Gamma’s bestseller in its FinFisher family is FinSpy. Münch leans over an Apple laptop and shows what the program does. First, the user selects the targeted operating system: iPhone, Android cell phone, PC with Windows or Linux. The Trojan can be sent via many servers in different countries so that even computer-savvy victims can’t tell who is monitoring them.
Users also control how the Trojan behaves. Key logging? Screen recording? Other options include using the microphone as a bug; appropriating data; locating cell phones. The Trojan can also turn the target’s webcam on. FinSpy presents all devices under surveillance as a list. Double click and you’re on whichever one you select. The Trojan is so powerful it’s like being with the target, looking over their shoulder.
FinSpy normally costs around 150,000 euros but can run into the seven figures, Münch says. Authorities have to buy a license for every device being monitored. Most buy five licenses, he says, but some buy up to 20. "The targets are individual criminals,” Münch says. Not “alleged criminals.” He uses “criminals” and “perpetrators” as if they were synonyms for “suspects” or “targets.”
Spy software for a police state?
In Bahrain, the island state in the Persian Gulf, those who oppose the regime are targets – and the regime used Martin Münch’s software to get back at them. Regime critics at home and abroad started getting weird e-mail messages. Their e-mails were being read by government agents, their phone conversations listened to, all thanks to Gamma Trojans. The Citizen Lab research institute at the University of Toronto in Canada examined some of the spam e-mails and found references to “finspyv2” – the second version of FinSpy – and “Martin Münch” in the program code.
Spy software for a police state? Gamma says that somebody stole a client demo version. But it has provided no clear-cut statement with regard to Bahrain, keeping things very hush-hush.
In early February, Reporters Without Borders and other human rights activists complained to Germany’s Federal Ministry of Economics and Technology (BMWi), demanding stricter controls on Gamma exports in line with OECD recommendations. If the Ministry follows-up, it could call on Gamma and the activists to meet at the Ministry to seek a mutually acceptable way forward.
Münch stresses that Gamma respects German export laws. That sounds good, except that FinFisher products aren’t shipped from Munich but from the UK where the mother company Gamma Group is headquartered in Andover near Stonehenge. Its founder – and, along with Münch, majority shareholder – is Louthean Nelson.
It is not publically known how many of Gamma’s customers are dictatorships. Citizen Lab has found servers with FinFisher traces in Brunei, Ethiopia, Turkmenistan and the UAE.
Gamma came to widespread public attention during the Arab Spring, after Egyptian protesters found a written tender to the fallen regime – software, hardware, and training – all for 287,137 euros. Münch claims nothing was ever delivered.
To Andy Müller-Maguhn, Gamma is nothing less than a "software weapons supplier." On his website buggedplanet.info he publishes press reports, lists information about Gamma companies and their principals. Since Münch’s address has been revealed he’s been receiving anonymous postcards that read: “I have a right to privacy.”
Münch speaks indignantly about his critics. "We have this bad boy image. It’s not a good feeling,” he says, and he doesn’t believe Gamma deserves it. He is promising greater transparency, for example, the appointment of a human rights delegate to the board. Then he says he will probably fill that role himself. After several hours in Münch’s company there is the impression that his moral compass doesn’t have a needle.
However, Münch also says he’s having a code of conduct drafted. And Gamma is talking to two unnamed human rights groups about providing advice on exports. He’s not sure of his ground there, he says: after all, the U.S. tortures too, in Guantanamo – does that make it a lawless state? "Just how much torture is acceptable?" If several human rights organizations come out and condemn a country Gamma will not sell its products there, Münch says – even if that country is not on government warning lists.
The scandal came as a big surprise to Münch: "Software doesn’t torture anybody," he says, claiming not to understand what the big deal is about. "I think it’s good when the police do their job” – going after the bad guys. The problem is that in some cases the “bad guys” are political opponents.