By Terry Xu
TOC has earlier reported on a Singapore private company’s alleged purchase of surveillance malware revealed via WikiLeak’s media release on 15th September, and the report on what the surveillance malware can possibly do.
We have also since sent many queries to government agencies asking about this matter. The government has been silent on the issue – too silent, in fact, to be of assurance to citizens. We are, after all, talking about an intrusive computer software that can intrude into any computer, be it to steal the online bank passwords of ordinary citizens, or hacking into government servers to steal vital information.
PCS Security Limited is the private company which has been identified by the documents released by Wikileaks of possessing the malicious software sold by German company, FinFisher.
On its website, PCS says it prides itself “in delivering value-added systems with our domain expertise and experience in Homeland Security and Infocomm Security.”
“We have the expertise and capability to deliver cutting-edge technology solutions for our Customers in the Government, trade and the commercial sector,” it said.
The company has not replied to any of the queries TOC sent to them since last week. As such, we are unable to verify with the company if they possess the software as alleged by WikiLeaks.
The malware and items from FinFisher, which are allegedly purchased by PCS, allows the user to collect practically everything from infected devices. This includes contact lists, emails, chat messages, webcam videos, screenshots, keystrokes – all without the knowledge of the device owner.
The malware is said to be able to operate under all major desktop and mobile operating systems, namely Windows, OS X, Linux, Android, iOS, BlackBerry, Symbian, and Windows Mobile.
Under Singapore’s Computer Misuse Act, as stated in the Statutes:
Unauthorised use or interception of computer service
—(1) Subject to subsection (2), any person who knowingly —
(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electro-magnetic, acoustic, mechanical or other device; or
(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.
There are sections in the Computer Misuse Act which hints that even the possession of such malware could be illegal:
Abetments and attempts punishable as offences
(1) Any person who abets the commission of or who attempts to commit or does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall be liable on conviction to the punishment provided for the offence.
(2) For an offence to be committed under this section, it is immaterial where the act in question took place.
As such, all this suggests that possessing and using surveillance malware might run afoul of the law. As such, TOC also tried to seek advice from the Attorney General Chambers, to shed some light on whether such malware is legal in Singapore, whether the use of surveillance malware to spy on individuals is legal, and if the mere possession of the software by the private company constitutes an illegal act.
For such straight-forward yes-no answers, it was astonishing that we received no response from AGC for close to two weeks, despite repeated emails sent.
TOC also wrote to the police asking similar questions. The police responded, but with less than useful information:
“We regret to inform you that we are unable to assist you in this matter. You may wish to seek advice from a legal counsel.
You may also consider approaching the Legal Aid Bureau (LAB). No prior appointment is required. However, the Bureau only provides legal aid and advice in civil matters to needy Singaporeans and Permanent Residents who qualify under the means test. For applicants who require legal aid, they must in addition to the means test, qualify for legal aid under a merits test. Full details of the Means Test and Merits Test as well as other helpful information on the Bureau are available on the LAB website at the following link: http://www.lab.gov.sg.
We hope the information is useful to you and your understanding is appreciated.”
As the agencies that should be the most conversant with the law were not able to give us an answer, we decided to turn to the Ministry of Communications and Information. Queries were sent to Minister Yaacob Ibrahim, Mr Zaqy Mohammad and Mr Baey Yam Keng – respectively the chairman and deputy chairman of the Government Parliamentary Committees on Communication and Information, seeking their comments on the issue.
Mr Yaacob too has not replied since we contacted him last week. Mr Zaqy and Mr Baey have also not responded to our queries.
Why is it that no one in the government wishes to address the alarming possibility that a private company is possessing surveillance malware, which could effectively allow them to spy on another individual? In addition, PCS Security Limited has various projects with government agencies dealing with security, which allows them access to secret documents used by civil servants and even ministers. Is our government not concerned about the security risks?
Does the possession of such malware constitute a national security issue which requires immediate attention? If so, has any investigation been conducted? Or is our government ignoring anything related to WikiLeaks, even if what it suggests puts our citizens and national security at risk?
As we investigate further, we continue to await the response from the ministries and the ministers to address the question of legality of using and possessing such surveillance malware.