FinFisher spyware was sold to authoritarian regimes to spy on dissidents, activists, and journalists

When Bahraini authorities arrested dozens of pro-democracy activists during the 2011 Arab Spring uprisings, the protesters had no way of knowing their phones and computers were already compromised. What they faced wasn't just conventional surveillance—it was industrial-grade spyware created by a private company in Germany and Britain, sold specifically to governments known for crushing dissent.

FinFisher, also marketed under the name FinSpy, was developed by Gamma International, an Anglo-German technology firm. The software did what most people assumed only intelligence agencies could accomplish: it remotely infiltrated devices, captured keystrokes, accessed webcams, and harvested communications. For years, the company operated in relative obscurity, selling its wares to governments it claimed would use them for legitimate law enforcement purposes.

But activists and journalists who suspected they were being watched had a different story. Civil society organizations began documenting cases where FinFisher appeared to be targeting political opponents rather than criminals. The claims seemed difficult to verify—these were private companies and foreign governments, after all, operating in the shadows where documentation is scarce and accountability is optional.

The turning point came in 2014 when hackers breached Gamma International and leaked the company's entire toolkit online. Suddenly, the speculation ended. Researchers could examine the actual code, the marketing materials, and most damning of all, the client list. It showed FinFisher had been sold to at least 35 authoritarian governments. The roster read like a directory of human rights violators: Bahrain, Ethiopia, Turkmenistan, and many others.

What followed was systematic documentation of FinFisher's deployment against people Gamma had publicly claimed it would never target. In Bahrain specifically, the spyware was weaponized against pro-democracy activists and their families. One American citizen discovered that Ethiopia had installed FinSpy on his computer while he was physically in the United States—a violation so brazen it became the basis for a successful lawsuit against the Ethiopian government. The OECD eventually investigated the company's conduct and found it had violated international human rights standards in seven separate instances.

Gamma's defense was thin. The company argued it had no control over how governments used its products—a position that collapsed under scrutiny. A company doesn't sell surveillance tools specifically designed for remote infiltration and plausible deniability without understanding exactly how they would be deployed.

The FinFisher case matters beyond the specifics of one company's misconduct. It exposed a gap in how technology firms are regulated when dealing with authoritarian purchasers. It revealed that profit motives can override even explicit human rights commitments. And it demonstrated that the people most vulnerable to surveillance—activists, journalists, and political opponents in repressive countries—were being systematically targeted by tools created in democracies and sold without meaningful oversight.

The leak of FinFisher's source code proved what critics had claimed: that private surveillance technology was being industrialized and sold to the world's worst abusers. The question now is whether knowing this has changed anything about how such tools are regulated. The answer, for most people in most countries, remains deeply unsettling.