• Buro Jansen & Janssen is a research bureau that critically monitors the police, the judiciary, intelligence services and the government in the Netherlands and Europe. A fundamental-rights collective that has been publishing for 30 years on the expansion of repressive legislation, public-private cooperation, powers, government action and other affairs of state.

  • Gamma Group and the police; FinFisher Trojan horse in the National Police (English translation of article from Observant #69)

    From Wikileaks documents published in 2014 about Gamma Group it becomes clear that since 2012 the Dutch police has acquired sixteen licences for the digital weapons FinSpy and FinMobile. However, the National police doesn’t reveal any further information in answer to the FOI request from Buro Jansen & Janssen.

    Gamma Group is an originally British company with branches and subsidiaries all over the world. Since 2008 Gamma Group has had the digital weapon FinFisher on offer. With the FinFisher or FinSpy software it’s possible to break into computers, laptops, tablets and smartphones using a USB or remotely via wifi or a network.

    Neither confirmation nor denial

    Under the Freedom of Information act (FOI) Buro Jansen & Janssen has requested documents from the National Police concerning contacts with Gamma Group. In response to the FOI request the National Police claims not to have any information about the Gamma Group: ‘Our research has shown that the police doesn’t have contracts with any of the companies mentioned by you. Furthermore, no documents were found by the police concerning the companies Gamma Group and/or Gamma International and/or similar names.’

    Therefore, the National Police claims not to have any contract with Gamma Group or companies with a similar name. This may well be. Gamma Group consists of a network of different companies. The FinFisher software is offered by several German companies who belong to that network, namely Elaman GmbH, the German subsidiaries of Gamma Group that have used the name FinFisher (FinFisher GmbH, FinFisher labs, FinFisher Holding) since 2013.

    Buro Jansen & Janssen also made an FOI request for any contacts with FinFisher. The National Police responded to this that they could neither deny nor confirm they possess any information about FinFisher: ‘If your request for information, as in the concerning case, aims at making public and/or available information about named companies with which the police might have agreements, this forms an unacceptable risk to those agreements’.

    This raises some questions. If the police doesn’t have any agreements with a FinFisher company, they could simply state that. For example, to our FOI request concerning the relations with Hacking Team, the police responded there was no contract with Hacking Team. Therefore, in their response to this FOI request the National Police neither deny nor confirm there’s a contract with FinFisher.

    It is rather hard to deny. After all, the Wikileaks documents about Gamma Group published in 2014 clearly showed the police has acquired FinFisher.

    Jochem van der Wal

    The Wikileaks documents about Gamma Group contain an overview of the customer data of the company, as well as an overview of questions for help that have been directed to the company by users of Gamma software. The documents show that the Korps Landelijke Politiediensten (National Corps Police Services, KLPD in abbreviation), nowadays the national unit of the National Police, has been a client of Gamma Group since 2012. The Wikileaks documents contain an overview of sixteen licences the KLPD acquired.

    The KLPD is registered as client ‘20FEC907’. This is a code, which is linked to a name: the KLPD from The Netherlands. Further inquiries show that a Dutch police official acts as contact for the company: Jochem van der Wal. This person was identified through his PGP-Key by Twitter personality ‘@DrWhax’, Jurre van Bergen.

    Who is Jochem van der Wal? Van der Wal is regularly cited in the media in 2007 and 2008. Emerce.nl mentions Van der Wal in relation to a conference on June 14th, 2007 about the police and SPSS (Data collection, predictive analyses and networking with colleagues – The police as witness). He is set to speak at the conference in his capacity as KLPD police official about ‘digital forensic analysis in reach of the tactical investigation process by application of the Digital Washing Machine’. Predictive policing, a euphemism for profiling, is slightly different to digital burglary, but Van der Wal already works for the KLPD by then.

    Techzine dedicates an article to SPSS (Statistical Package for Social Science) in September 2008. SPSS is software that is used in the social sciences for statistics, which was developed by the company of the same name. In the article (SPSS helps police predict crimes) Van der Wal is cited as an ICT specialist at the KLPD.

    The work of Van der Wal has also been noticed abroad. Hendon Publishing publishes an article in December 2008 called ‘Police departments fighting crime with predictive analytics software’, in which Van der Wal is described as ‘technical engineer at KLPD’. In an interview with Hendon Publishing Van der Wal says: ‘After implementing text-mining software and deploying it to a crime case, we found an essential connection within just five minutes—which we couldn’t have found in the past three months of investigations.’ He’s referring to the digital washing machine that has been developed by the KLPD. He calls it ‘Open Computer Forensic Architecture (OCFA), the ‘digital washing machine’, which creates an automated index out of the unstructured contents of a PC’s hard drive, enabling investigators to perform keyword searches for evidence.’

    Dnpa.nl was registered by the KLPD on April 4th, 2005. DNPA stands for Dutch National Police Agency and the abbreviation is used, for example, on github.com and other websites. Van der Wal already uses it in 2002 for an article in the collection ‘Dealing with the data flood, mining data, text and multimedia’. He already works for the KLPD at that time: ‘J. van der Wal, Msc. Dutch National Police, Criminal Investigation Department. Research and Development, Driebergen – Rijsenburg, The Netherlands.’

    In 2016 Van der Wal still works at the national unit (formerly KLPD). This emerges from the acknowledgement page of Tim Cocx, who finished his PhD at the University of Leiden in 2016. Cocx expresses his gratitude to a number of employees of the national unit of the National Police for their support for his research, one of whom is Jochem van der Wal.

    Also named are Ton Holslag (Department of Specialist Investigative Applications), Wil van Tilburg (Co-ordinator information requests), Leen Prins (expert advisor to the Department of International Police Information (IPOL) of the KLPD) and Henry Willering. This last one also appears in the Wikileaks documents about Hacking Team published in 2015. Willering is head of the department for technology and expert development (Research and Development) of the national unit and Jochem van der Wal’s boss.

    Deployment of FinSpy and FinSpy Mobile

    The Wikileaks documents show the Dutch police acquired sixteen licences for the use of FinSpy / FinMobile in the four years it worked with Gamma Group. Some licences end after 2014 (the year Gamma Group was hacked). In total it would concern 58 targets, in all likelihood meaning computers, smart phones and other digital resources (and not individuals).

    The National police doesn’t supply any information about the deployment of FinFisher in response to the FOI request by Buro Jansen & Janssen.

    However, there are clues that would indicate the use of FinFisher by the Dutch police.

    Computerworld mentions on August 8th, 2014 (in response to the publication of the Wikileaks documents about Gamma Group) it had been clear even before that the police deployed digital weapons: ‘The fact the Dutch police does employ such software became known in the beginning of this year during the successful operation to catch an indecency suspect. On his computer in a holiday bungalow spy software was placed. Which software it concerned was never revealed and even now police and the prosecution office don’t make any announcements about the type of software they use for investigative purposes.’

    Incidentally, it is as yet unclear whether this operation was successful; the court case against the suspect is ongoing.

    According to the police, keyloggers were deployed in this case from the beginning of December 2013 till the middle of January 2014. It concerned so-called targets (digital resources) that were contaminated, one of which failed. Two computers were allegedly chosen as targets.

    This could match one of the help questions the Dutch police directed towards Gamma Group/FinFisher that concern the digital weapon FinSpy being detected by the antivirus programme AVG. One help question mentions: ‘Some functionality of the agent/system do not work when the AVG AV tool is active. For example the keylogger module.’ Another help question mentions a similar error report: ‘AVG anti virus tool detects generated infection on agent.’

    The Wikileaks documents contain nine help questions from the Dutch police to Gamma Group in total. Some help questions deal with ‘non encrypted audio traffic between mobile target and server’ and ‘non encrypted SMS traffic between mobile target and system.’ This could mean a third party can intercept data.

    Another help question concerns ‘Android bug easy to reverse engineer and easy to find in target.’ This could mean that the target to which the police has deployed the digital weapon might be easily detectable for the victim itself or others.

    It doesn’t become clear from the Wikileaks documents whether or not the problems encountered with the software were fixed. Neither does it show whether the police decided not to use the evidence obtained in the burglary as a result of the problems encountered. In the response to the FOI request the National Police doesn’t supply any information about this either.

    Other question marks

    There are also some other issues concerning the purchase of FinFisher and the deals with Gamma Group.

    As a user of FinFisher, the Netherlands finds itself in rather dubious company. Gamma Group also sold the digital weapon to a number of repressive regimes that have used it against opposition members, journalists and human rights activists, among others. With the publication of the Wikileaks documents in 2014 and the hacked data of Gamma Group, details about its clientele have come to light. Though even before these events quite a bit was already known. During the Arab Spring of 2011 activists discovered that dictator Mubarak had purchased 3 tons worth of FinFisher spyware. Revelations about the use of FinFisher in Bahrain followed the year after, in 2012.

    Questions can also be raised about the financial integrity of the company. The way in which Gamma Group is organised makes it the perfect vehicle for transferring money to tax havens, whether or not through another company. The different companies of Gamma Group have never been worth a lot of money. Gamma Group, as it’s presented on trade fairs, is based in the tax haven of the British Virgin Islands, under the name of Gamma Group International Ltd. Apart from that, it has branches in Lebanon (Gamma Group International Sal), Cyprus and Singapore, all known to be tax havens.

    Police even more secretive than AIVD

    The National Police possesses FinFisher, but refuses to supply further information. Secrecy is predominant. A thorough study of the response to our FOI request finds that the National Police acts even more secretively about FinFisher than it normally does in its responses to FOI requests.

    The response is even more ambiguous than the standard response of the intelligence services to requests under the WIV (Law on the intelligence services). In responses to requests for perusal under the WIV it’s usually stated that ‘in view of matters that are still relevant to the ability of performing the tasks of the Dutch General Intelligence and Security Service (AIVD), explicitly no statements can be made, not even about the question whether such data even exist or not’.

    In its response regarding FinFisher the National Police responds: ‘If your request for information, as in the concerning case, aims at making public and/or available information about named companies with which the police might have agreements, this forms an unacceptable risk to those agreements.’

    It’s remarkable that they mention an unacceptable risk to the agreement. In 2014 the Ministry of Justice refused to supply any information at all due to risks regarding the deployment of the tool. On August 8th, 2014 Ministry spokesperson Sentina van der Meer told Computerworld: ‘The supplying of information about which specific software the investigative services possess forms an unacceptable risk to the deployment of such means. Partly due to this reason, acquisition processes of these means have taken place under the official secrets act.’

    Replacement Head of Police/Head of Operation National Unit Theo van der Plas almost trips on his own words in his response to the FOI request: ‘This fact and/or this situation prevents any statements being made about whether any data do not reside with any governmental body that concern your request for information and at the same time it must be kept secret whether data are residing with any governmental body. This is why I cannot make any statements about whether the requested information has been recorded in documents, does or does not reside with any governmental body.’

    In plain English: the police cannot make any statements whether such data exist or not. The response to the FOI request even lacks a motivation: ‘Further motivation of this judgment cannot be supplied due to the nature of the situation and/or the type and/or contents of the requested information, without providing insight into the existence or not of the requested information.’

    This makes the National Police even more inscrutable than AIVD usually is in their responses to requests under the WIV. Even though intelligence services often use inimitable reasoning within the framework of secrecy, they usually reference law articles that clarify the legal basis for the refusal. With AIVD it’s usually about not supplying in connection with ‘the current level of knowledge of AIVD (WIV article 53, paragraph 1); sources of AIVD and/or its legal predecessors (WIV article 55, paragraph 1 under b, in conjunction with article 15, preamble and under b); methods of AIVD and/or its legal predecessors (WIV article 55, paragraph 1 under b).’

    The National Police employs a similar inscrutable jargon to Louthean Nelson and his company Gamma Group. The company itself makes it very hard to find out who the developers of FinFisher are and who Gamma Group’s partners and/or intermediaries are. The National police has become part of Louthean Nelson’s hall of mirrors.

    This article is a translation of the Dutch article
    Gamma Group en de politie; FinFisher trojan in de Nationale politie

    Other English articles on the subject

    Kailax / Nir (Max) Levy; The magic hand of Israeli intelligence

    Kailax technical details

    Providence and the Dutch National Police Supply chain liability via a former police officer (English translation of article from Observant #69)

    Links from the Dutch article

    Decision of the National Police on the FOI (Wob) request about Hacking Team, Gamma Group and Providence

    Catching crooks with dubious software from dubious companies

    Gamma Group/Louthean Nelson; arms dealers pur sang

    Company profile Gamma Group/Louthean Nelson; arms dealers pur sang (pdf)

    Introduction to Catching crooks with dubious software from dubious companies (pdf)

    Complete Observant #69 Politie Mercenaries

    Documents about Gamma Group/FinFisher made public by Wikileaks

    CitizenLab on FinFisher

    CitizenLab: various articles on FinFisher

    Use of FinFisher by the Dutch police

    Use of FinFisher by the Dutch police: support

    Parliamentary questions on FinFisher/Gamma Group