Industry regulator alleges news portal failed to verify facts and drew its own conclusions; TMI will cooperate in probe
Posting of false information an offence under Section 211 of the Communications and Multimedia Act 1998
INDUSTRY regulator the Malaysian Communications and Multimedia Commission (MCMC) said it is investigating The Malaysian Insider (TMI) over a story the news portal published at 3pm on March 14 titled “Malaysia uses spyware against own citizens, NYT reports.”
The TMI story was based on a blog post published on the New York Times website, titled Researchers Find 25 Countries Using Surveillance Software, which itself was based on a paper released by researchers at the Citizen Lab from the University of Toronto’s Munk School of Global Affairs.
The research came off a comprehensive global Internet scan for the command and control (C+C) servers of the FinSpy remote monitoring software developed by German-based FinFisher, which claims its surveillance software is sold only to governments and law enforcement agencies. The research authors are Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
Claiming that the report was “speculative and ill-researched,” MCMC is alleging that TMI “failed to verify the veracity of the New York Times report, nor checked the facts which are available online and had made its own conclusions on the matter.”
“At this stage of the investigations, MCMC would like to remind the public not to simply believe everything that they read online and to verify all the information that they receive before forming any views or conclusions on the issue,” the industry regulator said in a statement issued late March 14.
“The public is also reminded that the posting of false information constitutes an offence under Section 211 of the Communications and Multimedia Act 1998 and upon conviction, [those found guilty] can be fined a sum not exceeding RM50,000 or imprisonment for a term not exceeding one year,” it added.
In an immediate response to Digital News Asia (DNA), TMI chief executive officer and editor Jahabar Sadiq said “We've been informed by MCMC -- through a phone call and an email late last night -- that they are investigating the report.”
“We are cooperating with them on the matter,” he said via email.
FinSpy captures information from an infected computer, such as passwords and Skype calls, and sends the information to a FinSpy C+C server.
In its statement, MCMC noted that the Citizen Lab stated that the discovery of a FinSpy C+C server in a given country cannot conclusively indicate that the country is using FinSpy on its citizens:
“Importantly, we believe that our list of servers is incomplete due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment. Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies.
In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country.”
The Citizen Lab expressed its concern with countries like Bahrain, Ethiopia, Turkmenistan and Vietnam, where there was strong indication of spyware use by government and law enforcement agencies, and which have “problematic records on human rights, transparency, and rule of law.”
However, while one server was tracked to Malaysia, the research authors did not call out the country: “Eight servers are hosted by provider GPLHost in various countries (Singapore, Malaysia, Australia, United States). However, we observed only six of these servers active at any given time, suggesting that some IP addresses may have changed during our scans.”
In the report, the server that is claimed to be in Malaysia is registered to a company called Iusacell PCS, which seems to be a Mexico-based mobile operator, a point which MCMC noted in its statement.
The industry regulator also added that a further report from another group of researchers based in the United States also gave similar comments:
“Please note: We are not able to determine whether they're actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all: they are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure. Our guess is that part of the identified C&Cs are acting as proxies.”
“Additionally, a recent news report released by the Associated Press supported Citizen Lab's findings," MCMC said:
“Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, said that Canada, Mexico, Bangladesh, Malaysia, Serbia, and Vietnam were among the host countries newly identified in Wednesday's report. That alone doesn't necessarily mean those countries' governments are using FinFisher, a program distributed by British company Gamma International, but it is an indication of the spyware's reach.”
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.