Broad based intellectual empowerment
27 July 2017 16:33 (South Africa)
Opinionista Wessel van Rensburg

Are rogue intelligence agents using Telkom to spy on SA citizens?

  • Wessel van Rensburg
    Wessel-van-Rensburg.jpg
    Wessel van Rensburg

    Wessel van Rensburg is a media voyeur and tech fetishist. He lives in Hackney, London, where he runs a social & digital media lab. Trained as a lawyer at Tukkies, Wessel was a member of the Truth and Reconciliation Commission Investigation Unit.

A South African computer connected to the Internet via Telkom is hosting software that’s designed to allow powerful secret spying. Are rogue intelligence agents using Telkom to spy on South Africans?

Two IP addresses, belonging to erstwhile South African state telecoms operator Telkom, have been caught in a global dragnet indicating that local computers are hosting at least one FinSpy server.

“At a high level, our scans probed IP addresses in each country, and attempted to perform the handshake distinctive to the FinSpy command and control protocol. If a server responded to the handshake, we marked it as a FinSpy node.”

So reads a snippet from a recent report, “For Their Eyes Only”,  by Morgan Marquis-Boire and friends at The Citizen Lab, Munk School of Global Affairs and the Canada Centre for Global Security Studies.

IP addresses are essential to the way the Internet works. All digital information (or “packets”) that flows through the Internet contains IP addresses, so they “know” where they should end up. Devices connected to the Internet, like computers and mobile phones, must have some form of IP address.

The FinSpy server works in conjunction with software called Fin Fisher. Finfisher is essentially a trojan:  software that’s installed surreptitiously when a user opens an apparent innocent file, say a Word document or an image attached to an email. Once installed on an unsuspecting device, FinFisher does the snooping and communicates and receives commands from the FinSpy server.

FinFisher, has versions not only for Windows, but also on iOS, Android, BlackBerry, Windows Mobile and Symbian devices. So yeah, just about any smartphone.

The range of surveillance it enables is near total. While the desktop version allows it to snoop by taking screenshots, recording your keystrokes, accessing passwords and nabbing audio of Skype conversations, the mobile versions can track locations, peruse address books, help itself to SMS’s, listen to calls and  activate the microphone on a device to listen to conversations close by.

Gamma International UK Ltd is the UK headquartered company behind FinSpy and FinFisher software. Alerted to it, the UK government has inspected their software and found that FinSpy is so potent it would require a license before it could be exported outside of the European Union.

Because its software has been used against human rights activists, Reporters without Borders has named the company one of five “corporate enemies of the Internet”.

Gamma International itself claims that it provides “advanced technical surveillance and monitoring solutions and international consultancy to National and State Intelligence Departments and Law Enforcement Agencies.”

I contacted Gamma International to try to establish if they do sell their software to private companies. I have received no reply as of yet. This is apparently a standard method of operating, telling Slate on a previous occasion that Gamma: “simply does not discuss its client base, its exports, or any of the operations which its clients may or may not be undertaking.”

Telkom in turn assured me that it was not hosting the FinSpy server, and that it had no idea who was. I was informed that one of its ISP customers could be using FinSpy. It is possible that the server software resides on one of Telkom’s machines, or that Telkom is only providing the IP addresses. Either way this would be in clear contravention of Telkom’s own terms of use.

I asked Telkom if it checks the content enabled through its network and whether this complies with their terms. The answer via their spokesperson, Pynee Chetty,  is that when it comes to IP addresses Telkom does not check. To be fair to Telkom, monitoring traffic on all these addresses would entail installing tracking technology on the South African Internet on a massive scale.

And such technology could easily be used for censorship as well. But what if Telkom were simply informed by the likes of me of skulduggery on their infrastructure?

I asked Chetty if Telkom could identify the culprits using the IP addresses in this case. Chetty claimed that it could not tell which of their customers was hosting the FinSpy server because it operates a system in which IP addresses are allocated dynamically every hour  so and that without the times they were spotted,  the IP address contained in the report no longer points to the original customer account.

But what if I could get them the times? Chetty replied that even if I had the times when the IP addresses were snagged , making it possible to trace the account holder ,  Telkom would not investigate the matter without a charge first being laid by the South African police.

That means even if this software clearly contravenes their own terms , Telkom would not investigate out of their own accord.

Why is Telkom so reticent?

One can only speculate.

The SA government still owns the largest stake in Telkom and its organs are the only entities allowed to legally surveil South African citizens in South Africa. Gamma International does business with governments and claims they supply software within UK law. It is likely that this is therefore the South African government’s trojan.

I asked the South African government for comment. Phumla Williams, a South African government spokesperson, gave feedback from “all the security cluster communicators. They all confirm that government does not use the software in their respective departments.”

Surveillance of citizens by state organs in South Africa can only be implemented after a court order. In theory, therefore, South African citizens are not subject to the blanket surveillance the US apparently practices. While the legal constraints on the state are more severe in South Africa, in practise the breakdown in the rule of law and corruption makes for a situation that is potentially far worse.

Recent investigative reporting, as well as high profile political leaks, have shown that there’s widespread illegal surveillance taking place in South Africa. This means spying through using the organs and infrastructure of the state, but often outside the logic of the public or state interest. In other words, this is surveillance for personal interest and with little legal oversight.

Why would the South African government want FinSpy’s capabilities, if that indeed is the case?

It’s unlikely that South Africa’s spy agencies have anything like the technical capability to do NSA-style broad surveillance.

We know that it won’t be trivial for them to access services that are hosted outside South Africa, for example a South African Gmail account. Similarly, without a company like Skype’s cooperation, it is unlikely that they would have easy access to that kind of communication either.

South Africa was also never part of the so-called “Five Eyes” intelligence arrangement between Anglo-Saxon countries, so it won’t be able to get this information from the US either. South African government agencies, up to now  (and for the most part), seem to focus on what they have easy access to, snooping on phone calls, SMS’s and email accounts hosted with local South African companies.

A FinSpy system could give them new types of access by compromising what security experts call “end points”  and with that, the ability to snoop in a far more comprehensive way, including on US cloud based services belonging to individual targets. DM

  • Wessel van Rensburg
    Wessel-van-Rensburg.jpg
    Wessel van Rensburg

    Wessel van Rensburg is a media voyeur and tech fetishist. He lives in Hackney, London, where he runs a social & digital media lab. Trained as a lawyer at Tukkies, Wessel was a member of the Truth and Reconciliation Commission Investigation Unit.

Get overnight news and latest Daily Maverick articles






Do Not Miss