Four indicted in Germany for violating export controls on surveillance software

Prosecutors in Munich have indicted four individuals for commercial violations of the Foreign Trade and Payments Act, accusing them of the unauthorised sale of surveillance software to non-EU countries on behalf of a German company that declared itself bankrupt last year.

The four, who were not identified by name, are accused of intentionally violating licensing requirements for dual-use goods while working for FinFisher, a Munich-based company that allegedly sold its so-called ‘FinSpy’ software to the Turkish government without permission by German authorities.

The investigation into the suspected sale was started by a joint criminal complaint by four NGOs and led to ‘extensive and complex inquiries by the specialised department for political criminal matters of the Munich public prosecutor’s office,’ according to a press release, 22 May, from the Munich prosecutor.

‘With their criminal complaint, they (the NGOs) submitted analyses by IT experts, which concluded that the surveillance software FinSpy was offered for download in 2017 via a fake website of the Turkish opposition movement under false pretences in order to spy on them,’ it said.

The now-defunct company’s ‘customers were states in the EU, but also so-called “EU001” states (for which the EU issued a general export licence: Australia, Iceland, Japan, Canada, New Zealand, Norway, Switzerland, Liechtenstein, UK, USA) and in particular so-called “non-EU001” countries,’ the prosecutor’s office said.

It explained that, ‘The export of surveillance technologies from the EU was subject to a licence requirement, which posed an existential threat to the FinFisher Group , since this also included the monitoring software it developed and sold. A globally branched company structure was intended to give the impression that even after the legal restrictions came into force on January 1st, 2015, the distribution of the surveillance software in countries outside the EU would continue in a legally compliant manner. In fact, all business activities of the various companies were constantly controlled, managed and coordinated from Munich.’

The statement added that, in order to be able to continue to process contracts with so-called non-EU001 countries, the accused decided to process the export of the surveillance software paperwork without a licence via a company based in Bulgaria, creating the impression that contracts with customers from non-EU countries were no longer served through Munich.

The Munich prosecutor added that, ‘At the end of January 2015, a contract worth EUR 5.04 million was signed for the delivery of monitoring software, hardware, technical support, training, etc. to Turkey. In order to disguise the fact that the contractually agreed deliveries were actually determined by the suspects from Munich and the recipient of the service was the Turkish secret service MIT, the contract document listed the Bulgarian company R. as the seller and the recipient of the delivery was an actually non-existent “General Directorate for Customs Control” in Ankara.’

https://www.justiz.bayern.de/gerichte-und-behoerden/staatsanwaltschaft/muenchen-1/presse/2023/4.php