FinSpy software surfaced abroad in countries where the German government had not issued an export license, including Turkey.
According to the ARD investigation, FinFisher may have got around the export ban by operating a parallel business structure.
Data from the Malaysian commercial register shows that Stephan Oelkers, one of the businessmen behind FinFisher, founded a company there in 2015 under the name Raedarius M8 Limited. During this time, the export of spy software was much less strictly regulated in Germany.
The business offered: "Solutions in the field of communication and information technology" and "Distribution and sales."
Currently, 25% of the shares in Raedarius M8 belong to a FinSpy developer. The rest is administered by a lawyer from Munich, whose office address also serves as the postal address of FinFisher.
Time up for Germany-FinFisher cooperation?
Konstantin von Notz, deputy faction leader of the Green Party in the Bundestag, called on Germany's federal government to end its cooperation with the FinFisher.
"German and European surveillance and censorship software contribute to massive human rights violations worldwide," Notz told ARD.
Germany must "finally end its cooperation with these companies that deliberately circumvent existing controls and continue to export their programs, coded with German tax money, to despots around the world," said Notz.
In Germany, every export of surveillance software must be approved by the Federal Office of Economic and Export Control. The responsible Federal Ministry of Economics had repeatedly stated that it had not issued any export licenses for surveillance software since 2015.
The current investigation into FinFisher was in part driven by German press revelations in 2018. Journalists reported that Turkey was using surveillance software to target members that appears to have the same source code as FinFisher's FinSpy.