Finfisher and the Ethics of Detection

Finfisher and the Ethics of Detection

AV companies obey the law and cooperate actively with law enforcement. That doesn't mean they turn a blind eye to government spyware.

AV companies obey the law and cooperate actively with law enforcement. That doesn’t mean they turn a blind eye to government spyware.

In response to Cameron Camp’s blog on FinSpy and FinFisher spy on you via your cellphone and PC, for good or evil? a blog comment asked “Does ESET detect Finfisher?” As an update to that blog makes clear, yes, it does, as Win32/Belesak.D. However, the commenter also remarked that ” I think that it is clear in our days that laws are not so citizen friendly. ”

Let’s be clear about this. ESET not only obeys the law but, like other security companies, actively cooperates with law enforcement agencies.

But detection or non-detection of ‘policeware’ is a more complex issue than that, and in many countries, it has nothing to do with obeying the law. In general, law enforcement – let alone other government agencies (and I’m not referring to any particular government) – doesn’t ask for cooperation from AV companies in terms of non-detection. (There are stories that the biggest players have been approached and even agreed not to detect a government Trojan, but if there’s any truth in that, it hasn’t leaked out into the research community.)

After all, some researchers have publicly stated that that particular form of cooperation would not be forthcoming. Not that we want to be nice to crooks and terrorists, but it would endanger the community in general if government Trojans were misused by bad actors (or even the ‘good guys’)   – and in any case, the information wouldn’t reach all AV companies.

There are too many AV companies  (far too many, some would say), and too dispersed – geographically and politically – for a government (any government) agency to trust all of them. No doubt if agencies were able to insist on such cooperation, they would, but only the most draconian regimes can do that, and even then, only locally.

That doesn’t mean AV always detects this stuff, of course. Apart from the fact that highly targeted attacks often stay under the radar for long periods because we don’t see a sample, we don’t always know whether we detect a state-sponsored trojan that’s known to exist. The FinFisher/FinSpy  case is unusual because someone recently published the relevant file hashes.

Craig Johnston and I covered quite a few of these issues (notably with reference to earlier policeware like Magic Lantern) in an AVAR paper in 2009: Please Police Me. And Robert Lipovsky and I also wrote about it in relation to the so-called Bundestrojaner  Win32/R2D2.A and even referred to FinFisher:  German Policeware: Use the Farce…er, Force…Luke.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Discussion