Public prosecutors in Munich are investigating whether German company FinFisher broke the law by exporting powerful spying software without a permit.
German public broadcasters NDR, WDR, BR and daily newspaper Süddeutsche Zeitung, quoting a spokeswoman for the prosecutor's office, reported that directors and employees of FinFisher and two further companies were being investigated.
The probe was prompted by earlier investigations by the media outlets and a complaint filed by anti-surveillance NGOs Reporters Without Borders, Netzpolitik.org, the Society for Civil Rights (Gesellschafft für Freiheitsrechte, GFF) and the European Center for Constitutional and Human Rights.
The NGOs said there was a "probability bordering on certainty" that malware used in 2017 to target anti-government protesters in Turkey was a FinFisher product called FinSpy. The spyware allows users to access targets' contacts, chat messages, phone conversations, photos and videos, including those on WhatsApp, Facebook Messenger and Skype. It basically gives unimpeded access to targets' phones, according to the NGOs.
The company declined the broadcasters' request for comment.
Strict export rules
Germany has classified software and devices that can be used to spy on people as dual-use products, which could serve civilian as well as military purposes. To avoid misuse, such products must be approved for export by the Federal Office of Economics and Export Control (BAFA), part of the Economics Ministry, before they can be sold in a non-EU country.
The software in question was developed in 2016, according to an analysis of its source code by digital rights group Access Now and independently confirmed by a German university. A spokesman from the Economy Ministry said the government had not issued any export permits for spying software since 2015, meaning that according to the NGOs the export must have happened without a permit.
Used in Turkey
The German media outlets reported last year that Finspy was used in Turkey to spy on opposition protesters.
During protests in July 2017 organized by the Republican People's Party (CHP) against Turkish President Recep Tayyip Erdogan, fake Twitter accounts posted links to websites which promised protesters information about the demonstrations if they downloaded a smartphone app.
The app contained spying software which was identified by the NGOs as FinSpy.
FinFisher is well-known in Germany for developing the so-called "Bundestrojaner" spying software that law enforcement authorities use, with a judge's permission, to track the smartphones of crime suspects. It has also made headlines in the past because its products were found to be used by authoritarian regimes against opponents in several countries.