A Toronto Web hosting company says it will demand the removal of Internet surveillance software on its servers if there’s proof customers loaded the application there.
“Because it’s a very clear violation of our acceptable use policy we would terminate those users,” Michael Carr, executive vice-president of SoftCom Inc., said in an interview Thursday.
Researchers at the University of Toronto’s Citizen Lab said this week that surveillance software called FinFisher –made by a German-based company which says it sells only to law enforcement agencies –turned up on command and control servers hosted by SoftCom here and on servers in 24 other countries.
Who’s using spyware on Toronto servers?
Citizen Lab says a number of governments use FinFisher, made by a division of Gamma International GmbH and its remote monitoring product, FinSpy, against their residents.
Carr said SoftCom, whose service provider business is called myhosting.com, can’t verify that the software actually is on its servers because the Citizen Lab report only details part of IP addresses it tracked that have FinSpy signatures.
It would be impossible to scan all of its servers without the full address, Carr said. Nor can it scan for applications.
UPDATE: After getting the IP address, Carr said that on March 15 the FinFisher software was found on its servers and the account was terminated. For privacy law reasons he can’t divulge who had the account. Nor does Softcom know how much, if any, data it pulled in. He can say the software was installed sometime in the last 12 months.
It doesn’t matter if a Canadian law enforcement or intelligence agency is lawfully using the software, he added. myhosting.com’s acceptable use policy forbids “spyware or any related software that records a user’s activities without their permission and forwards that information via the Internet.”
Although the policy says violations may result in the cancelling of service, Carr was firm. “We do not as a business want that type of activity on any our servers. And we’re very clear about that.”
Carr said SoftCom staff were surprised to hear about the claim that the software is on its servers here. It only found out by reading a newspaper article Thursday morning. Citizen Lab didn’t contact the provider before publishing its report on Wednesday.