Perfection as the enemy of the good: Weakening surveillance reform

Last week saw a flurry of legislative to-and-fro on the Hill as the US House of Representatives pondered the passage of legislation aimed at ending bulk-collection by the US National Security Agency.  The USA Freedom Act, or HR. 3361, was passed on Thursday in a 303-121 vote, and was hailed by The New York Times as “a rare moment of bipartisan agreement between the White House and Congress on a major national security issue”.  Congressman Glenn ‘GT’ Thompson (R-Pa.) tweeted that he was the proud cosponsor of a bill “that passed uniting and strengthening America by ending eavesdropping/online monitoring.”

It was perhaps inevitable that compromise between the intelligence and judiciary committees would see various blows against the bill in terms of scope and effect.  When legislators want to posture about change while asserting the status quo, ambiguity proves their steadfast friend.  After all, with the term “freedom” in the bill, something was bound to give.

Students of the bill would have noted that its main author, Rep. Jim Sensenbrenner (R-Wi.), was also behind HR. 3162, known more popularly as the USA Patriot Act.  Most roads in the US surveillance establishment tend to lead to that roughly drafted and applied piece of legislation, a mechanism that gave the NSA the broadest, and most ineffective of mandates, in eavesdropping.

Then came salutatory remarks made about the bill from Rep. Mike Rogers[2], who extolled its virtues on the House floor even as he attacked the Obama administration for not being firm enough in holding against advocates of surveillance reform.  There is a notable signature change between commending “a responsible legislative solution to address concerns about the bulk telephone metadata program” and being “held hostage by the actions of traitors who leak classified information that puts our troops in the field at risk or those who fear-monger and spread mistruth to further their misguided agenda.”

Even as Edward Snowden’s ghost hung heavy over the Hill like a moralising Banquo, Rogers was pointing a vengeful finger in his direction.  There would, after all, have been no need for the USA Freedom Act, no need for this display of lawmaking, but for the actions of the intelligence sub-contractor. Privacy advocates would again raise their eyebrows at Rogers’s remarks about the now infamous Section 215 telephone metadata program under the Patriot Act, which had been “the subject of intense, and often inaccurate, criticism. The bulk telephone metadata program is legal, overseen, and effective at saving American lives.”

Such assertions are remarkable, more so for the fact that both the Privacy and Civil Liberties Oversight Board and the internal White House review panel found little evidence of effectiveness in the program.  “Section 215 of the USA Patriot Act,” claimed the PCLOB, “does not provide an adequate basis to support this program.”  Any data obtained was thin and obtained at unwarranted cost.

Critics of the bill such as Centre for Democracy and Technology President Nuala O’Connor expressed concern at the chipping moves.  “This legislation was designed to prohibit bulk collection, but has been made so weak that it fails to adequately protect against mass, untargeted collection of Americans’ private information.”  In O’Connor’s view, “The bill now offers only mild reform and goes against the overwhelming support for definitively ending bulk collection.”

Not so, claimed an anonymous House GOP aide.  “The amended bill successfully addresses the concerns that were raised about NSA surveillance, ends bulk collections and increases transparency.”  Victory in small steps would seem to have impressed the aide. “We view it as a victory for privacy, and while we would like to have had a stronger bill, we shouldn’t let the perfect be the enemy of the good.”

Various members of the House disagreed.  Rep. Zoe Lofgren (D-Calif.) noted that the bill had received a severe pruning by the time it reached the House floor, having a change “that seems to open the door to bulk collection again.”  Others connected with co-sponsoring initial versions of the bill, among them Rep. Jared Polis (D-Colo.) and Rep. Justin Amash (R-Mich.), also refused to vote for the compromise.

What, then, is the basis of the gripe?  For one, the language “specific selection term”, which would cover what the NSA can intercept, is incorrigibly vague.  The definition offers the unsatisfactory “term used to uniquely describe a person, entity or account.”  What, in this sense, is an entity for the purpose of the legislation?  The tip of the iceberg is already problematic enough without venturing down into the murkier depths of interpretation.

Even more troubling in the USA Freedom Act is what it leaves out. For one thing, telephony metadata is only a portion of the surveillance loot.  Other collection programs are conspicuously absent, be it the already exposed PRISM program which covers online communications, Captivatedaudience, a program used to attain control of a computer’s microphone and record audio, Foggybottom – used to note a user’s browsing history on the net, and Gumfish, used to control a computer webcam.  (These are the choice bits – others in the NSA arsenal persist, untrammelled.)

Section 702 of the Foreign Intelligence Surveillance Amendments (FISA) Act, the provision outlining when the NSA may collect data from American citizens in various cases and how the incorrect or inadvertent collection of data is to be handled, is left untouched.  On inspection, it seems the reformist resume of the Freedom Act is rather sparse.

Ambiguities, rather than perfections, end up being the enemy of the good. Laws that are poorly drafted tend to be more than mere nuisances – they can be dangerous in cultivating complacency before the effects of power. It may well be that the USA Freedom Act has passed, signalling a political will to deal with bulk collection of data.  But in making that signal, Congress has also made it clear that compromise is one way of doing nothing, a form of sanctified inertia.

This article was posted on May 28, 2014 at indexoncensorship.org

Undermining progress: Digital surveillance and the Tunisian constitution

After decades of dictatorship and two years of arguments and compromises, Tunisians finally have a new constitution laying the foundations for a new democracy. Deputies celebrating the ratification of the new constitution for Tunisia. (Photo: Mohamed Krit / Demotix)


“A model to other peoples seeking reform,” said UN Secretary-General Ban Ki-moon on the successful passing in 2014 of the new Tunisian Constitution. Championing a secular political and legal system following the popular uprisings of 2011, this constitution sought to maintain robust protections of fundamental freedoms. However, the recent creation of the Technical Telecommunication Agency (ATT) threatens to undermine such progress, and all in the service of digital surveillance.

Established by decree no. 2013-4506, bypassing parliamentary approval, ATT “provides technical support to judicial investigations into ICT-related crimes”, enabling it to monitor and record online traffic with full access to networks and information held by Internet Service Providers. Many critics of the agency liken it to the NSA; Tunisian Pirate Party member Raed Chammem stated on Twitter “We finally have our own Tunisian law-abusing agency…#NSA-like #A2T”.

The drafting process of the constitution demonstrated the core divergent forces at play in Tunisia. Central to this tension was the positioning of media freedom, most notably in the mandate and impartiality of the High Independent Authority for Audiovisual Communication (HAICA). Articles 122 and 124 reduced the authority to an advisory role as opposed to that of a regulator and required its membership to be elected by parliament. It took concerted lobbying by civil society activists and the National Union of Tunisian Journalists to modify both articles. As stated by Freedom House “the revised language is not just a victory for press freedom and the media sector, but also a triumph for Tunisia’s growing civil society.”

The fight for greater oversight by civil society and regulatory bodies, as seen in the last-minute amendments to the constitution, has not, to date, impacted the creation and implementation of the ATT. The International Business Times wrote that the ATT “fails to properly define the organization’s relationship with judicial authorities, and there is no legal framework for providing civilian accountability”. They go on to quote Tunisian lawyer Kais Berrjab, who states that the ATT represents a “battery of legal irregularities related to unconstitutionality and illegality.”

With an emergent blogger-community, any movement to restrict, monitor or record online content, strikes at the heart of media freedom in Tunisia. Article five of decree no. 2013-4506 outlines that ATT activities will be “secret, unpublished and only sent to the government”. When coupled with the head of the agency being appointed by the Minister of Information and Communication alone, and government plans to exempt the ATT from legal obligations, which exist for all other agencies, in regards to transparency, the prominence of the state raises pertinent questions about the impartiality and non-partisanship of the agency.

The IB Times highlights a key motivation behind the creation of the ATT; the belief “that monitoring the activities of private citizens is essential to counterterrorism effort.” Indeed this argument is playing out across the world, most notably in the US concerning the actions of NSA and the UK with its own GCHQ.

Mounting public pressure to confront recent high-profile assassinations, as well as the perceived threat of Islamic extremism, have been highlighted as key reasons for this move towards creating a more investigative body – ATT in all essences replaces the Tunisian Internet Agency (ATI) – however, criticism remains as to how it can operate within the legal and political parameters outlined in the 2014 constitution.

In the same IB Times article, Jillian York of the Electronic Frontier Foundation is quoted as saying, “starting with legitimate concerns about security, the state can then push beyond that and you see surveillance used against political dissidents or just in violation of basic privacy.” Herein lies the central conflict: the last-minute redrafting of the constitution established civilian oversight, an impartial regulator and robust protections, but will the ATT, wired to the central government through the Minister of Information and Communication, undermine such progress, making online participation as dangerous for journalists and bloggers as seen under the leadership of Zine el-Abidine Ben Ali?

The passing of the constitution proved to be a powerful call-to-action for Tunisian civil society, reshaping the government’s relationship with the media and civil society and embedding freedom of media and expression at the core of the legal and political system. But with the establishment of the ATT, Tunisia risks damaging this precedent, undermining the progress, as part of an ill-defined counterterrorism campaign.

The constitution cannot exist outside any effort to counter terrorism; it should, in fact, lie at the core of these efforts.  The combatting of militancy and terrorism requires the support and involvement of all sectors of society, including the media and civil society. But if it is the state that strikes the first blow against the ideals and optimism contained within the constitution, will the emergent civil society be able to defend it?

This article was posted on May 20, 2014 at indexoncensorship.org

Private surveillance firms: Profits before freedom

(Illustration: Shutterstock)


State surveillance has been much publicised of late due to Snowden’s revelations, but allegations against the NSA and GCHQ are only one aspect of the international industry surrounding wholesale surveillance. Another growing concern is the emergence and growth of private sector surveillance firms selling intrusion software to governments and government agencies around the world.

Not restricted by territorial borders and globalised like every other tradable commodity, buyers and sellers pockmark the globe. Whether designed to support law enforcement or anti-terrorism programmes, intrusion software, enabling states to monitor, block, filter or collect online communication, is available for any government willing to spend the capital. Indeed, there is money to be made – according to Privacy International, the “UK market for cyber security is estimated to be worth approximately £2.8 billion.”

The table below, collated from a range of sources including Mother Jones, the Electronic Frontier Foundation, Bloomberg, Human Rights Watch, Citizen Lab, Privacy International and Huffington Post, shows the flow of intrusion software around the world.

| Surveillance Company | Country of Origin | Alleged Countries of Use |
| --- | --- | --- |
| VASTech | South Africa | Libya (137) |
| Hacking Team | Italy | Azerbaijan (160), Egypt (159), Ethiopia (143), Kazakhstan (161), Malaysia (147), Nigeria (112), Oman (134), Saudi Arabia (164), Sudan (172), Turkey (154), Uzbekistan (166) |
| Elbit Systems | Israel | Israel (96) |
| Creative Software | UK | Iran (173) |
| Gamma TSE | UK | Indonesia (132) |
| Narus | USA | Egypt (159), Pakistan (158), Saudi Arabia (164) |
| Cisco | USA | China (175) |
| Cellusys Ltd | Ireland | Syria (177) |
| Adaptive Mobile Security Ltd | Ireland | Syria (177), Iran (173) |
| Blue Coat Systems | USA | Syria (177) |
| FinFisher GmbH | Germany | Egypt (159), Ethiopia (143) |

Note: The numbers alongside the alleged countries of use are each country’s ranking in the Reporters without Borders World Press Freedom Index 2014.

While by no means complete, this list is indicative of three things. There is a clear divide, in terms of economic development, between the buyer and seller countries; many of the countries allegedly purchasing intrusion software are in the midst of, or emerging from, conflict or internal instability; and, with the exception of Israel, every buyer country ranks in the lower hundred of the latest World Press Freedom Index.

The alleged legitimacy of this software in terms of law enforcement ignores the potential to use these tools for strictly political ends. Human Rights Watch outlined in its recent report the case of Tadesse Kersmo, an Ethiopian dissident living in London. Due to his prominent position in the opposition party Ginbot 7, it was discovered that his personal computer had traces of FinFisher’s intrusion software, FinSpy, jeopardising the anonymity and safety of those in Ethiopia he has been communicating with. There is no official warrant out for his arrest and at the time of writing there is no known reason in terms of law enforcement or anti-terrorism legislation, outside of his prominence in an opposition party, for his surveillance. It is unclear whether this is part of a larger organised campaign against dissidents in both Ethiopia and the diaspora, but similar claims have been filed against the Ethiopian government on behalf of individuals in the US and Norway.

FinFisher GmbH states on its website that “they target individual suspects and can not be used for mass interception.” Without further interrogation into the end-use of its customers, there is nothing available to directly corroborate or question this statement. But to what extent are private firms responsible for the use of their software by their customers, and how robustly can they monitor their customers’ end-use?

In the US Electronic Code of Federal Regulations, there is a piece of guidance entitled Know Your Customer. This outlines steps to be undertaken by firms to identify the end-use of their products. This is a proactive process, placing the responsibility firmly with the seller to clearly identify and act on abnormal circumstances, or ‘red flags’. The guidance clearly states that the seller has a “duty to check out the suspicious circumstances and inquire about the end-use, end-user, or ultimate country of destination.”

Hacking Team has sold software, most notably the Remote Control System (RCS), to a number of countries around the world (see above). Citizen Lab, based out of the University of Toronto, has identified 21 countries that have potentially used this software, including Egypt and Ethiopia. In its customer policy, Hacking Team outlines in detail the lengths it goes to in order to verify the end-use and end-user of RCS. Mentioning the above guidelines, Hacking Team has put into practice an oversight process involving a board of external engineers and lawyers who can veto sales, research of human rights reports, as well as a process that can disable functionality if abuses come to light after the sale.

However, Hacking Team goes a long way to obscure the identity of countries using RCS. Labelled as untraceable, RCS has established a “Collection Infrastructure” that utilises a chain of proxies around the world that shields the user country from further scrutiny. The low levels of media freedom in the countries purportedly utilising RCS, the lack of transparency in terms of the oversight process including the make-up of the board and its research sources, as well as the reluctance of Hacking Team to identify the countries it has sold RCS to undermines the robustness of such due diligence. In the words of Citizen Lab: “we have encountered a number of cases where bait content and other material are suggestive of targeting for political advantage, rather than legitimate law enforcement operations.”

Many of the firms outline their adherence to the national laws of the country they sell software to when defending their practices. But without international guidelines and alongside the absence of domestic controls and legislation protecting the population against mass surveillance, intrusion software remains a useful, if expensive, tool for governments to realise and cement their control of the media and other fundamental freedoms.

Perhaps the best way of thinking of corporate responsibility in terms of intrusion software comes from Adds Jouejati of the Local Coordination Committees in Syria, “It’s like putting a gun in someone’s hand and saying ‘I can’t help the way the person uses it.’”

This article was posted on 11 April, 2014 at indexoncensorship.org 

New global coalition urges governments to keep surveillance technologies in check

World leaders must commit to keeping invasive surveillance systems and technologies out of the hands of dictators and oppressive regimes, said a new global coalition of human rights organizations as it launched today in Brussels.

The Coalition Against Unlawful Surveillance Exports (CAUSE) – which includes Amnesty International, Digitale Gesellschaft, FIDH, Human Rights Watch, the New America Foundation’s Open Technology Institute, Privacy International, Reporters without Borders and Index on Censorship – aims to hold governments and private companies accountable for abuses linked to the US$5 billion and growing international trade in communication surveillance technologies. Governments are increasingly using spying software, equipment, and related tools to violate the right to privacy and a host of other human rights.

“These technologies enable regimes to crush dissent or criticism, chill free speech and destroy fundamental rights. The CAUSE coalition has documented cases where communication surveillance technologies have been used, not only to spy on people’s private lives, but also to assist governments to imprison and torture their critics,” said Ara Marcen Naval at Amnesty International.

“Through a growing body of evidence it’s clear to see how widely these surveillance technologies are used by repressive regimes to ride roughshod over individuals’ rights. The unchecked development, sale and export of these technologies is not justifiable. Governments must swiftly take action to prevent these technologies spreading into dangerous hands” said Kenneth Page at Privacy International.

In an open letter published today on the CAUSE website, the groups express alarm at the virtually unregulated global trade in communications surveillance equipment.

The website details the various communication surveillance technologies that have been made and supplied by private companies and also highlights the countries where these companies are based. It shows these technologies have been found in a range of countries such as Bahrain, Brazil, Côte d’Ivoire, Egypt, Ethiopia, Libya, Nigeria, Morocco, Turkmenistan, UAE, and many more.

“Nobody is immune to the danger communication surveillance technologies pose to individual privacy and a host of other human rights. And those who watch today, will be watched tomorrow” said Karim Lahidji, FIDH President. “The CAUSE has been created to call for responsible regulation of the trade and to put an end to the abuses it enables” he added.

Although a number of governments are now beginning to discuss how to restrict this trade, concerns remain. Without sustained international pressure on governments to establish robust comprehensive controls on the trade based on international human rights standards, the burgeoning proliferation of this intrusive technology will continue – fuelling even further abuses.

“There is a unique opportunity for governments to address this problem now and to update their regulations to align with technological developments” said Tim Maurer at New America’s Open Technology Institute.

“More and more journalists, netizens and dissidents are ending up in prison after their online communications are intercepted. The adoption of a legal framework that protects online freedoms is essential, both as regards the overall issue of Internet surveillance and the particular problem of firms that export surveillance products,” said Grégoire Pouget at Reporters Without Borders.

“We have seen the devastating impact these technologies have on the lives of individuals and the functioning of civil society groups. Inaction will further embolden blatantly irresponsible surveillance traders and security agencies, thus normalizing arbitrary state surveillance. We urge governments to come together and take responsible action fast,” said Wenzel Michalski at Human Rights Watch.

The technologies include malware that allows surreptitious data extraction from personal devices; tools that are used to intercept telecommunications traffic; spygear used to geolocate mobile phones; monitoring centres that allow authorities to track entire populations; anonymous listening and camera spying on computers and mobile phones; and devices used to tap undersea fibre optic cables to enable mass internet monitoring and filtering.

“As members of the CAUSE coalition, we’re calling on governments to take immediate action to stop the proliferation of this dangerous technology and ensure the trade is effectively controlled and made fully transparent and accountable” said Volker Tripp at Digitale Gesellschaft.

NGOs in CAUSE have researched how such technologies end up in the hands of security agencies with appalling human rights records, where they enable security agents to arbitrarily target journalists, protesters, civil society groups, political opponents and others.

Cases documented by coalition members have included:
• German surveillance technology being used to assist torture in Bahrain;
• Malware made in Italy helping the Moroccan and UAE authorities to clamp down on free speech and imprison critics;
• European companies exporting surveillance software to the government of Turkmenistan, a country notorious for violent repression of dissent;
• Surveillance technologies used internally in Ethiopia as well as to target the Ethiopian diaspora in Europe and the United States.