Amnesty uncovers spyware exports to Indonesia

Pegasus symbol image
Software sold by the companies mentioned in the report has been used to spy on journalists, activists, and political opposition groups. (Source: IMAGO / ZUMA Wire)

The human rights organization Amnesty International on May 1 published a report on the international trade in surveillance technologies. Using Indonesia as a case study, the investigation shows how suppliers of digital surveillance technology based in various countries use complex networks of subsidiaries to circumvent regulatory authorities and export restrictions. Per the report, the lack of transparency makes it difficult to effectively implement regulatory mechanisms – to the extent that such mechanisms even exist.

The investigation is the result of a months-long collaboration between Amnesty and the media organizations Haaretz, Inside Story, Tempo, WAV research collective, and Woz. The research delved into commercial trade databases and public records. Amnesty and its partners uncovered evidence of “numerous spyware imports or deployments between 2017 and 2023 by companies and state agencies in Indonesia.” Human rights defenders, journalists, and activists in the country have been subject to repeated attacks – both digital and physical – in recent years.

According to research findings, some of the world’s leading producers of digital surveillance technology made sales to Indonesia. Products marketed by Q Cyber Technologies (NSO Group), the Intellexa consortium, Saito Tech (Candiru), Raedarius M8 Sdn Bhd (a subsidiary of FinFisher), and Wintego Systems were among those sold. Buyers included the Indonesian National Police and the National Cyber and Crypto Agency.

According to Amnesty, the investigation “showcases the continued failure of multiple countries to regulate and provide transparency on the exports of dual-use technologies.” These products can be deployed for both civilian and military purposes, and pose “serious human rights risks,” Amnesty says.

The imported surveillance programs give attackers unlimited access to a targeted device. On smartphones for example it is possible to turn on the cameras or activate the microphone and listen in on the user’s surroundings. The owner of the device is generally unaware of the installation of the software, and can have trouble ascertaining after the fact which data were compromised.

Repression in Indonesia

Amnesty describes the sale of surveillance technology to Indonesia as particularly worrying and points to a 2022 report documenting numerous human rights abuses. Amnesty reported at the time that attacks on freedom of expression, freedom of assembly, privacy, and sexual and reproductive rights had increased in previous years. Security authorities and the military had used violence against protestors and political dissenters; rights had been curtailed.

“Human rights defenders and activists have repeatedly faced repression online in Indonesia. The Electronic Information and Transaction (EIT) law and other restrictive laws have been used to prosecute and intimidate human rights defenders, activists, journalists, academics and others. The murky trade in spyware tools to Indonesia adds another dangerous tool for potential intimidation. This cannot be allowed to continue,” said Carolina Rocha da Silva, Operations Manager at Amnesty’s Security Lab.

Opaque Networks

The technology sent to Indonesia came from Israel, Singapore, and Malaysia, though only some of the actual suppliers are based in these countries. Sales are facilitated by a “murky ecosystem of surveillance vendors, brokers and resellers” operating locally and internationally. As a result, “it becomes exceedingly difficult to identify where such invasive tools are being sold and to control if the suppliers have followed legally mandated rules for export licensing or performed their human rights due diligence assessments.”

In Singapore, for example, imports passed through intermediaries that had previously supplied surveillance technology and spyware to state agencies in Indonesia. It can be difficult to identify the actual owners of these intermediary companies, Amnesty reports. “By covering the beneficial owner in this way, verification of end-to-end supply chains for dual-use goods becomes close to impossible.”

What is clear however is which companies developed the exported spyware: Q Cyber Technologies for example is part of the Israel-based NSO Group. The company was placed on the United States’ sanctions list after its Pegasus software was found to have been used to spy on activists, journalists, and members of political opposition groups around the world.

Since mid-2023 the supplier Intellexa and its subsidiaries have also been on the US Commerce Department’s sanctions list for “threatening the privacy and security of individuals and organizations worldwide.” Among other abuses, the company’s Predator surveillance software was allegedly used to spy on journalists and politicians in Greece.

Saito Tech, also known by the name Candiru, is likewise on the US sanctions list. In 2021, researchers at the University of Toronto’s Citizen Lab found Candiru’s programs linked to more than 750 fake websites pretending to be affiliated with non-governmental organizations like Amnesty International or with the Black Lives Matter movement.

Raedarius M8 Sdn Bhd is a subsidiary of the surveillance software supplier FinFisher (now known as Vilicius Holding GmbH), the Amnesty report shows. In recent years its programs have been used against political opposition groups and activists in Turkey, Egypt, and Bahrain.

In addition to the exports, the research team also uncovered malicious web domains and network infrastructure. The websites mimic the home pages of news organizations or opposition parties. If targeted individuals open the webpages on their devices and interact with them, then the devices are infected with malware, such as Intellexa’s Predator spyware or malware from Candiru.

Amnesty’s recommendations

In order to prevent impunity for rights-violators and support prevention of rights abuses, Amnesty demands that governments better monitor the market and enforce adherence to existing regulations, including export regulations. Penalties should be “substantial enough to deter non-compliance.” What is needed is “a combination of technology, resources, and international cooperation to track and regulate exports effectively.”

Furthermore, Amnesty “calls on all countries to ban the sale, transfer, export, and use of highly invasive spyware,” which, it says, “is fundamentally incompatible with human rights.” There should be “a global moratorium – a halt on the sale, transfer, and use of surveillance technology – until there is a proper human rights regulatory framework in place that [protects] people from the misuse of these tools.” Export licenses for the companies involved must be audited.

From the suppliers of surveillance technology Amnesty demands that they put a halt to the development, sale, and use of the dangerous products so long as they do not contain technological safeguards that ensure lawful use under a regulatory framework that respects human rights. All activities that lead to human rights abuses should be stopped. “This includes immediately terminating the use, support, and sale of [suppliers’] technologies in states where state authorities have a history of digitally and/or physically targeting members of civil society or in which adequate legal safeguards against abuses are not present,” says Amnesty.

Amnesty also recommends that surveillance companies “provide remediation” to individuals who were targeted with their technologies and as a result became victims of unlawful surveillance. (hcz)