Trade secrets

Between February 2011 and June 2012, I attended nine surveillance technology trade shows around the world. At these events, vendors, developers and government agencies meet, mingle and do business. They’re usually held at anonymous corporate hotels and are strictly invite-only. Yet the atmosphere is usually one of pervasive paranoia and attendees often conceal their real names and governmental affiliations. The sales representatives, by contrast, can be extremely frank, particularly when discussing the ethical implications of their trade. During one presentation, delegates from a password forensics company projected an image of a metal interrogation chair draped with chains and joked that their equipment could be used in conjunction with ‘other methods’. Another vendor told me that he was sure his company could come to ‘some arrangement’ with a (hypothetical) North Korean customer. Fat profit margins are top of the agenda; ethics and social responsibility rarely even come into it.

Twenty years ago, the value of the global surveillance industry was negligible – today it is estimated to be worth around $3bn. The fall of the Berlin Wall in 1989 left hundreds of Stasi officers out of a job and the rash of new surveillance companies that sprang up in the early 1990s in Germany suggests that many found lucrative new employment in the private sector. Privacy International published a report in 1995, highlighting this increased flow of surveillance tools from developed countries like the UK, the US, Germany and Israel to repressive regimes in Africa and South Asia, where they were then used as instruments of political control and internal repression. But not a single Western government has felt it necessary to impose export controls on surveillance technologies, and so this unethical trade has therefore continued unimpeded.

After 9/11, governments around the world ramped up their surveillance operations and private companies competed to develop and supply cheaper and more invasive tools. The business of surveillance was no longer the preserve of large military and arms manufacturers like BAE Systems; small technology enterprises and larger Silicon Valley companies quickly flooded the market. Privacy International’s recent research has identified around 250 vendors of surveillance technology based in 33 countries around the world and there are probably dozens more that have managed to remain under the radar. Unfortunately, these new actors seem to conduct themselves with even less integrity than their predecessors – exports to Africa and the Middle East are significant and companies now offer bespoke solutions and training to their clients.

One would think this would make it difficult to plead ignorance when companies get caught doing business with dictatorships and repressive regimes. Yet this is still the most common defence: companies claim that they had no knowledge of the uses to which their products were being put.
They deny complicity in resulting human rights abuses – censorship, torture, extrajudicial detention and executions – because they say that technology is neutral, that it’s not their responsibility to vet their clients, that they can’t control how equipment is used once sold. Let us be clear: in the majority of situations, this is simply not the case. These companies are not staffed by idealistic young software developers creating socially useful tools that their wicked clients are then misusing and perverting. In fact, most of the time they are working with their customers on a close and long-term basis, carefully tailoring surveillance systems to specific needs.

Milan-based Area SpA last year furnished Privacy International with a disturbing example of just how committed to customer service these companies can be. While President Bashar al Assad’s forces were engaged in brutal attempts to crush dissent in Syria, killing and injuring hundreds of unarmed protesters, Area secretly installed a nationwide mass surveillance system. Dozens of the company’s Italian employees were flown out to Syria to install hardware and software that would allow Syrian security agents to follow targets on flat-screen workstations displaying communications and web use in near-real time, alongside graphics that mapped citizens’ networks of electronic contacts. The €13m (US$16.7m) contract also specified that Area employees would supply training to Syrian security agents, teaching them how to monitor vast swathes of the population. Fortunately, after a Bloomberg report exposed the project and protesters gathered outside Area’s offices, the company quietly pulled the plug on the project.

The effect of a surveillance system of this sophistication and magnitude on political dissent, public debate, the rule of law – in fact, on all of the processes fundamental to participatory democracy – is devastating. When people see their friends and colleagues arrested and tortured because of a text message, a Facebook chat or a phone call, they think twice about complaining about government abuses. They may cut off all phone and email contact with those people, afraid that just being part of the wrong networks will bring the secret police to their own doors in the middle of the night. Arranging face-to-face meetings becomes practically difficult, and even speaking in person isn’t secure – governments can target individual mobile phones with malware that allows them to remotely control the device’s microphone and camera and thereby see and hear everything happening around it.

Organising political demonstrations is equally challenging. Blogs containing anti-government sentiments are identified and blocked almost as quickly as they can be written, preventing citizens from expressing their dissatisfactions to a wider audience. Surveillance technology is therefore one of the most powerful weapons in the dictator’s arsenal; it destroys political opposition and subdues populations far more effectively than guns or grenades.

Privacy International doesn’t think it’s right that companies based in Europe and the United States – where governments publicly condemn the kind of human rights abuses described above – should make vast sums of money by facilitating these same abuses. We also believe that this notoriously murky and elusive industry needs to be much more transparent about which products are being sold to which regimes, particularly in Africa and the Middle East. We embarked on the Surveillance Industry Index – a publicly-accessible online catalogue of surveillance companies, products and marketing materials – because we felt that putting the hard facts in the public domain would hopefully stop companies obfuscating their involvement with repressive governments and make them more accountable. We also hoped that it would add to the evidence base for proper export licensing systems in Europe and the US. In particular, the excerpts from the marketing material we’ve presented provide direct insight into the ethical vacuum at the heart of the industry and demonstrate the terrifying scope and power of some of the technologies that are now readily available.

For example, UK-headquartered Gamma Group describes one of their products as permitting ‘black hat hacking [illegal and malicious] tactics to enable intelligence services to gather information from target systems that would be otherwise extremely difficult to obtain legally’. South African VASTech sells a mass surveillance product that can intercept ‘more than 100,000 simultaneous voice channels, allowing it to capture up to one billion intercepts per day and storing in excess of 5,000 Terabytes of information’. Madrid-based Agnitio is even more explicit, stating that their product is ‘designed for mass voice interception and voice mining’. Mass surveillance has been ruled illegal in most democratic countries as, by its very nature, it can never be considered a proportionate or necessary tactic.

Over the past few years, Gamma International’s FinFisher suite, a range of spyware that covertly takes remote control of a computer or mobile device, copying files, intercepting Skype calls and logging every keystroke, has appeared all over the world. Recent reports by computer security company Rapid7 have placed FinFisher command and control servers in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the US. A separate investigation in August by CitizenLab, an interdisciplinary project based at the Munk Centre for International Studies at the University of Toronto, identified potential FinFisher command and control servers in Bahrain, Brunei, the Czech Republic, Ethiopia, Indonesia, Mongolia, Singapore, the Netherlands, Turkmenistan and the United Arab Emirates.

Gamma International’s Managing Director, Martin J Muench, has refuted this research – the latest in a long line of denials and excuses from the company. In April 2011, the Guardian reported that two Egyptian human rights activists had found a proposal from Gamma to supply President Mubarak’s regime with FinFisher products inside the ransacked headquarters of the State Security Investigations service. The company said the offer was for a free trial version and that ‘Gamma International UK Limited has not supplied any of its FinFisher suite of products or related training etc to the Egyptian government’. When it was reported that five Bahraini human rights activists had been sent emails containing FinFisher trojans, Gamma suggested that the malware in question was a ‘copy of an old FinSpy demo version’ that ‘may have been stolen’. Muench also tried to point the finger at organisations that had been investigating Gamma’s practices: ‘It’s been suggested that the information was stolen on behalf of a pressure group to disrupt our business but I have no evidence yet to support that claim.’

Yet Muench’s ultimate defence is that Gamma always complies with British, American and German export regulations, recently stating that ‘Export Control Authorities … act as our moral compass’. This would be all well and good – if such export regulations existed anywhere in the world. In fact, exports of surveillance technologies remain almost entirely unlicensed and thus uncontrolled. It should also be noted that, although Gamma has been using the above justification since April 2011, the company only bothered to submit a technical information about FinFisher to the Department for Business Innovation and Skills (BIS) in June 2012. BIS, which is responsible for licensing exports in the UK, has now decided that exports of FinFisher should in fact be licensed, on the basis that the product contains cryptography.

However, the British government has thus far refused to include other surveillance tools in the export-licensing regime, apparently buying into the industry’s claims that these products are all sold for legitimate purposes. Yet BIS controls exports of hundreds of ‘dual-use’ products (products that can be used illegally or dangerously as well as having a legitimate or civilian purpose) and the industry has thus far demonstrated a woeful inability to self-regulate. Unless surveillance exports are effectively controlled by law, the action the UK has taken on Gamma’s FinFisher will be just a sticking plaster on a bullet wound. Though the European Parliament passed a resolution calling for stricter oversight of surveillance technology exports and President Obama announced an executive order to prevent such exports to Syria and Iran, there has not been any clear, decisive action as of yet. And, for dissidents and ordinary citizens alike, the space for speaking out about human rights violations and ensuring this information gets out to the wider world is narrowing all the time.

©Eric King
41(4): 81/86
DOI: 10.1177/0306422012465540

This article appears in Digital Frontiers, the winter 2012 edition of Index on Censorship magazine.

Trevor Kavanagh, the Sun and press freedom

The Sun’s associate editor Trevor Kavanagh has launched a stirring attack on the police in this morning’s paper. When Kavanagh lays out of what happened over the weekend, it’s hard not to agree that this looks like an assault on the press by an overzealous police force. While there is a criminal investigation ongoing and the police will need to talk to people, dawn raids at the weekend seem excessive and intimidatory.

Brian Cathcart suggests:

“As for the [Metropolitan Police], it is doing its job. It may well be doing it with a special zeal, in response to criticisms about a previous absence of zeal, but we can hardly complain about that either. “

I think I can complain, if I’m honest. The Met’s embarrassment over past unwillingness to investigate phonehacking does not give it licence to act disproportionately now, and journalists being roused from their beds by police is a bit too close for comfort to the kind of events we at Index cover and campaign on in the less free world. Moreover, one can’t help feel this is all part of an attempt to show willing ahead of the Leveson Inquiry’s scrutiny of the relations between police and the press, due to begin at the end of February.

Kavanagh correctly points out that “illegal” practices take part across the media. As Index noted in our submission to the Leveson Inquiry, these practices can be justified if there is a public interest and a clear line of accountability within the publication.

He then notes that the UK rates below Slovakia, Poland and Estonia in press freedom. The post-Soviet countries the UK is behind are not exactly Belarus or Turkmenistan, or indeed Russia, but Kavanagh is technically correct on this. The rating comes from Reporters Without Borders’ (RSF) annual Press Freedom Index. The RSF report comments:

Against the extraordinary backdrop of the News of the World affair, the United Kingdom (28th) caused concern with its approach to the protection of privacy and its response to the London riots. Despite universal condemnation, the UK also clings to a surreal law that allows the entire world to come and sue news media before its courts.

The “surreal law” referred to is English defamation law, while the “approach to privacy” is the fondness for the judicial injunction displayed by those who seek to stifle stories about them, not, as one might read it, the tendency of certain gentlemen of the press to listen to people’s voice messages.

While it may be tempting to aim a dismissive “calm down, dear” at Kavanagh, we should not pretend that there are no press freedom issues at stake in this country.

Ups and downs: World Press Freedom Index 2010

Reporters Without Borders (RSF) published its ninth annual World Press Freedom Index today, with a mixed bag of what secretary-general Jean François Julliard calls “welcome surprises” and “sombre realities”.

Six countries, all in Europe, share the top spot this year — Finland, Iceland, the Netherlands, Norway, Sweden and Switzerland — described as the “engines of press freedom”. But over half of the European Union’s member states lie outside the top 20, with some significantly lower entries, such as Romania in 52nd place and Greece and Bulgaria tied at 70th. The report expresses grave concerns that the EU will lose its status as world leader on human rights issues if so many of its members continue to fall down the rankings.

The edges of Europe fared particularly badly this year; Ukraine (131st) and Turkey (138th) have fallen to “historically low” rankings, and despite a rise of 13 places, Russia remains in the worst 25 per cent of countries at 140th. It ranks lower than Zimbabwe, which continues to make steady — albeit fragile — progress, rising to 123rd.

At the very bottom of the table lie Eritrea, North Korea and Turkmenistan, as they have done since the index first began in 2002. Along with Yemen, China, Sudan, Syria, Burma and Iran, they makes up the group of worst offenders, characterised by “persecution of the media” and a “complete lack of news and information”. RSF says it is getting harder and harder to distinguish between these lowest ten countries, who continue to deteriorate. There are particular fears about the situation for journalists in Burma ahead of next month’s parliamentary election.

Another country creating cause for concern in the run-up to elections is Azerbaijan, falling six places to 152nd. Index on Censorship recently joined other organisations in a visit to Baku to assess the health of the country’s media. You can read about their findings in a joint mission report, ‘Free Expression under Attack: Azerbaijan’s Deteriorating Media Environment’, launching this Thursday, 28 October, 6.30 pm, at the Free Word Centre. Belarus, another country on which Index is campaigning, languishes at 154th.

It is worth noting, though, that relative press freedom rankings can only tell so much. Cuba, for example, has risen out of the bottom 20 countries for the first time, partly thanks to its release of 14 journalists and 22 activists this summer, but journalists still face censorship and repression “on a daily basis”. Similarly, countries such as South Korea and Gabon have climbed more than 20 places, only to return to the position they held before a particularly bad 2009. It seems, then, that the struggle for press freedom across the world must continue to be a “battle of vigilance”.

Free Microsoft licences to help combat censorship

Microsoft is extending its program of giving free software licences to non-profit organisations. The initiative was first applied to Russia, after it was discovered that authorities were using software piracy inquiries as a method of suppressing independent media outlets and advocacy groups. The program will now include 500,000 NGOs in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Uzbekistan, China, Malaysia, and Vietnam. Prior to the announcement NGOs could only obtain a free licence if they were aware of the program and followed the necessary procedure. According to Microsoft’s official blog announcement, the unilateral licence will last until 2012.