The Organisation for Economic Co-operation and Development has for the first time found a surveillance software company to be in violation of human rights guidelines, following a complaint about the notorious British-German spyware outfit Gamma International.
Gamma allegedly sold its FinFisher spyware tool to the Bahraini regime, which is a big-time human rights abuser that seems to have used the software to persecute activists. The complaint to the OECD’s U.K. national contact point (NCP – an agency operated by the British government) was made by the right group Privacy International, which has also made a criminal complaint about Gamma, along with Reporters Without Borders and other groups.
However, the OECD’s guidelines for businesses are voluntary, so apart from calling out the fairly shameless Gamma, not much can come directly from this particular decision. In addition, the Gamma Group is these days operating out of Munich rather than the U.K.
The case involved three Bahraini dissidents, two of whom were living outside the country at the time they were apparently targeted using FinFisher. Gamma refused throughout the investigation to confirm whether it supplied the tool to Bahrain’s government, but the evidence indicated pretty clearly that the activists were targeted with Gamma’s product, and it was reasonable to assume it was the Bahrainis behind it.
The big problem, from the OECD’s point of view, is that Gamma doesn’t have human rights policies and due diligence processes to stop its products being used in an abusive way, and had been uncooperative during the investigation:
The UK NCP has concluded that Gamma International UK Limited has not acted consistently with provisions of the OECD Guidelines requiring enterprises to do appropriate due diligence… to encourage business partners to observe Guidelines standards… to have a policy commitment to respect human rights… and to provide for or co-operate through processes to remediate human rights impacts…
Through its legal representative, the company has raised obstacles to the complaint’s progress, whilst failing to provide information that would help the NCP make a prompt and fair assessment of these. The NCP considers that this does not have the appearance or practical effect of acting in good faith and respecting the NCP process.
In a statement, the complainants said they were disappointed that the NCP had not taken “a more pro-active investigatory role” that would have confirmed that Gamma really did sell FinFisher to Bahrain – this would have allowed more strenuous condemnation of the company, they said.
Still, they seemed reasonably happy with the general precedent. Privacy International deputy director Eric King said:
Today’s judgement is a watershed moment recognising that surveillance companies such as Gamma cannot shirk their human rights obligations. This decision reaffirms that supplying sophisticated intrusive surveillance tools to the world’s most repressive regimes is not only irresponsible business conduct, but violates corporate human rights obligations, and the companies that engage in such behaviour must bear the responsibility for how their products are ultimately used.