Indonesia Sneakily Buys Spyware, Claims Amnesty International

May 3, 2024 TH Author headline,government,privacy,spyware,indonesia

Indonesia has acquired spyware and surveillance technologies through a “murky network” that extends into Israel, Greece, Singapore and Malaysia for equipment sourcing, according to Amnesty International.

The human rights org alleged its investigation showcased “the continued failure of multiple countries to regulate and provide transparency on the exports of dual-use technologies, such as spyware, and the non dual-use hardware that hosts the spyware or surveillance technology which pose serious human rights risks.”

Amnesty International’s researchers used open source intelligence – including commercial trade databases and spyware infrastructure mapping – to track spyware purchases between 2017 and 2023.

They found buyers that included the Indonesian National Police (Kepala Kepolisian Negara Republik) and the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara).

Suppliers of the products included Q Cyber Technologies (linked to NSO Group), the Intellexa consortium, Saito Tech (also known as Candiru), FinFisher and its wholly owned subsidiary Raedarius M8 Sdn Bhd, and Wintego Systems.

But the purchases weren’t straightforward. Often, the transactions passed through intermediary companies established with nominal secretaries that made it difficult to identify the true owner in places like Singapore.

“By covering the beneficial owner in this way, verification of end-to-end supply chains for dual-use goods becomes close to impossible, making public procurement oversight challenging,” the report observes.

The nonprofit also found some of the spyware platforms were associated with malicious domain names and network infrastructure.

“These malicious spyware domains include domains that mimic the websites of opposition political parties and major national and local news media outlets, including media from Papua and West Papua with a history of documenting human rights abuses,” wrote the human rights watchdogs.

Despite naming media in the province of West Papua, where separatists have fought a long insurgency, the org conceded it had little visibility into who was targeted and had no evidence that the tech had been used to target specific individuals. That concealment may be by design.

“Highly invasive spyware tools are designed to be covert and to leave as few traces as possible. This built-in secrecy can make it exceedingly difficult to detect cases of unlawful misuse of these tools against civil society, and risks creating impunity-by-design for rights violations,” wrote Amnesty’s reporters.

They pointed to a lack of sufficient regulations in Indonesia as allowing the use of spyware. “Overall, inadequate regulation enforcement can lead to a culture of non-compliance, encourage risk-taking behavior, and allow for a long-term deterioration of compliance culture.”

The investigation was completed in collaboration with a host of other organizations, including Haaretz, Inside Story, Tempo, WAV research collective and Woz. ®