Irresistible: Espionage, dissent and NGOs

(Photo: David von Blohn / Demotix)

Edward Snowden’s revelations on the voracious appetite of spying on all and sundry by the National Security Agency and allied agencies should not give pause for too much comment, other than to affirm a general premise: Activists and non-government groups are to be feared.  Non-profits are seen as potential threats, though what to is sometimes unclear.  Any government worth its salt should be afraid of its citizens – the latter must make the former accountable; the former must hold to the contractual bargain with citizens. 

Last week, Snowden revealed to members of the Council of Europe via videolink from Moscow that such groups as Human Rights Watch and Amnesty International were high on the list of surveillance targets.  “The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organisations… including domestically within the borders of the United States.”  He also delved further into such data mining programs as XKeyscore, a technology representing “the most significant new threat to civil liberties in modern times.”  Analysts, using the program, can select the metadata of an individual, and find content, “without judicial approval or prior review.”

Dinah PoKempner, general counsel at Human Rights Watch, responded that, if true, it was “indicative of the overreach that US law allows to security agencies.”  Such conduct “would again show why the US needs to overhaul its system of indiscriminate surveillance.” Indeed, it would fly in the face of a long held, if somewhat erroneous belief, that the US State Department actually treasures its human rights defenders, seeing them as the vanguard of reform rather than a cabal of troublesome dissent.  Human rights defenders in allied countries, for instance, pose a different set of problems.

A cursory glance at the guidelines of the US State Department on supporting human rights reveals how, “Protecting and supporting human rights defenders is a key priority of US foreign policy…. The Department’s objective is to enable human rights defenders to promote and defend human rights without hindrance or undue restriction and free from fear of retribution against them or their families.”  Stirring stuff.  There is even a reference to US support for the UN Declaration on Human Rights Defenders, adopted by consensus of the General Assembly in 1998.  Various strategies and techniques of encouragement are then discussed.

The guidelines even set out who human rights defenders are – those “working alone or in groups, who non-violently advocate for the promotion and protection of universally recognised human rights and fundamental freedoms.”

Evidently, these guidelines did not quite cross the tables of those involved in the surveillance complex.  This may well be partly due to bureaucratic bungling – the irresistible growth of the espionage complex, but it may just as well be seen as consistent: after all, the NSA watches, and the State Department disposes.  The two occasionally seem to meet in fumbling circumstances.

The NSA is far from the only organisation engaged in the business of spying on activist groups and NGOs. A November 2013 report by the Centre for Corporate Policy, a Washington, D.C. think tank, titled Spooky Business: Corporate Espionage Against Nonprofit Organizations, shows that such a process is addictive and systematic across centres of power.  Aversion to dissent is endemic, and it attracts birds of a feather in both government and corporate circles.  According to the report, the precondition for such espionage is that the non-profit organisation in question “impairs or at least threatens a company’s assets or image sufficiently.”  The targets are varied, including “environmental, antiwar, public interest, consumer, food safety, pesticide reform, nursing home reform, gun control, social justice, animal rights and arms control groups.”

The report looks at the antics of numerous entities hungry for data on their threatening quarry.  It might be the Society of Toxicology and Information Associates against animal rights activists.  It might be Stratfor and Coca-Cola against People for the Ethical Treatment of Animals.  Or BAE against Campaign Against the Arms Trade.

The gold target here seems to be Greenpeace, object of keen interest by the private security firm Beckett Brown International (BBI), retained by Dow Chemical, the world’s largest chlorine producer.  The world’s largest operator of nuclear power plants, Électricité de France, has also hired a set of private intelligence firms to keep an eye on the activities of the organisation, be it through good old hacking or conventional spying.  In November 2011, EDF was actually fined €1.5 million for “industrial espionage”, and two of its executives jailed.

Activities include infiltration, cultivation, deception.  Trash bins are searched.  Offices are cased, phone records of activists collected, confidential meetings breached.  Names are blackened; the severity of disasters – environmental, notably – is minimised.  According to Russell Corn, the managing director of Diligence, a corporate intelligence agency, anywhere up to 25 per cent of an activist camp will be “taking the corporate shilling” (New Statesman, Aug 7, 2008).  An inflated figure, perhaps, but worth keeping in mind.

Such behaviour illustrates all too well that there is a conflict of an international, global dimension between established centres of corporate and government power and those who would reform, or at the very least challenge, them.  When convenient, corporate and government interests will collude and find accord. There is even an argument to be made that their functions and interests have become, at points, indistinguishable.

Nothing illustrates this better than the privatisation phenomenon of intelligence activities, where traditional espionage is outsourced and redeployed with contracting agencies and their employees.  The private investigative firm Hakluyt, retained by BP and Shell, has a direct line to MI6.  Some irony, then, that Snowden was working for one such agency when he acquired his invaluable treasure trove of surveillance activities.

This article was posted on 16 April 2014 at indexoncensorship.org

Private surveillance firms: Profits before freedom

(Illustration: Shutterstock)

State surveillance has been much publicised of late due to Snowden’s revelations, but allegations against the NSA and GCHQ are only one aspect of the international industry surrounding wholesale surveillance. Another growing concern is the emergence and growth of private sector surveillance firms selling intrusion software to governments and government agencies around the world.

Not restricted by territorial borders and globalised like every other tradable commodity, buyers and sellers pockmark the globe. Whether designed to support law enforcement or anti-terrorism programmes, intrusion software, enabling states to monitor, block, filter or collect online communication, is available for any government willing to spend the capital. Indeed, there is money to be made – according to Privacy International, the “UK market for cyber security is estimated to be worth approximately £2.8 billion.”

The table below, collated from a range of sources including Mother Jones, the Electronic Frontier Foundation, Bloomberg, Human Rights Watch, Citizen Lab, Privacy International and Huffington Post, shows the flow of intrusion software around the world.

Surveillance Company | Country of Origin | Alleged Countries of Use
VASTech | South Africa | Libya (137)
Hacking Team | Italy | Azerbaijan (160), Egypt (159), Ethiopia (143), Kazakhstan (161), Malaysia (147), Nigeria (112), Oman (134), Saudi Arabia (164), Sudan (172), Turkey (154), Uzbekistan (166)
Elbit Systems | Israel | Israel (96)
Creative Software | UK | Iran (173)
Gamma TSE | UK | Indonesia (132)
Narus | USA | Egypt (159), Pakistan (158), Saudi Arabia (164)
Cisco | USA | China (175)
Cellusys Ltd | Ireland | Syria (177)
Adaptive Mobile Security Ltd | Ireland | Syria (177), Iran (173)
Blue Coat Systems | USA | Syria (177)
FinFisher GmbH | Germany | Egypt (159), Ethiopia (143)

Note: The numbers alongside the alleged countries of use are each country’s ranking in the Reporters without Borders World Press Freedom Index 2014.

While by no means complete, this list is indicative of three things. There is a clear divide, in terms of economic development, between the buyer and seller countries; many of the countries allegedly purchasing intrusion software are in the midst of, or emerging from, conflict or internal instability; and, with the exception of Israel, every buyer country ranks in the lower hundred of the latest World Press Freedom Index.

The alleged legitimacy of this software in terms of law enforcement ignores the potential to use these tools for strictly political ends. Human Rights Watch outlined in its recent report the case of Tadesse Kersmo, an Ethiopian dissident living in London. Due to his prominent position in the opposition party Ginbot 7, it was discovered that his personal computer had traces of FinFisher’s intrusion software, FinSpy, jeopardising the anonymity and safety of those in Ethiopia he has been communicating with. There is no official warrant out for his arrest and at the time of writing there is no known reason in terms of law enforcement or anti-terrorism legislation, outside of his prominence in an opposition party, for his surveillance. It is unclear whether this is part of a larger organised campaign against dissidents in both Ethiopia and the diaspora, but similar claims have been filed against the Ethiopian government on behalf of individuals in the US and Norway.

FinFisher GmbH states on its website that “they target individual suspects and can not be used for mass interception.” Without further interrogation into the end-use of its customers, there is nothing available to directly corroborate or question this statement. But to what extent are private firms responsible for the use of their software by their customers, and how robustly can they monitor their customers’ end-use?

In the US Electronic Code of Federal Regulations, there is a piece of guidance entitled Know Your Customer. This outlines steps to be undertaken by firms to identify what the end-use of their products is. This is a proactive process, placing the responsibility firmly with the seller to clearly identify and act on abnormal circumstances, or ‘red flags’. The guidance clearly states that the seller has a “duty to check out the suspicious circumstances and inquire about the end-use, end-user, or ultimate country of destination.”

Hacking Team has sold software, most notably the Remote Control System (RCS), to a number of countries around the world (see above). Citizen Lab, based out of the University of Toronto, has identified 21 countries that have potentially used this software, including Egypt and Ethiopia. In its customer policy, Hacking Team outlines in detail the lengths it goes to in order to verify the end-use and end-user of RCS. Mentioning the above guidelines, Hacking Team has put into practice an oversight process involving a board of external engineers and lawyers who can veto sales, research of human rights reports, as well as a process that can disable functionality if abuses come to light after the sale.

However, Hacking Team goes a long way to obscure the identity of countries using RCS. Labelled as untraceable, RCS has established a “Collection Infrastructure” that utilises a chain of proxies around the world that shields the user country from further scrutiny. The low levels of media freedom in the countries purportedly utilising RCS, the lack of transparency in terms of the oversight process including the make-up of the board and its research sources, as well as the reluctance of Hacking Team to identify the countries it has sold RCS to, undermine the robustness of such due diligence. In the words of Citizen Lab: “we have encountered a number of cases where bait content and other material are suggestive of targeting for political advantage, rather than legitimate law enforcement operations.”

Many of the firms outline their adherence to the national laws of the country they sell software to when defending their practices. But without international guidelines and alongside the absence of domestic controls and legislation protecting the population against mass surveillance, intrusion software remains a useful, if expensive, tool for governments to realise and cement their control of the media and other fundamental freedoms.

Perhaps the best way of thinking of corporate responsibility in terms of intrusion software comes from Adds Jouejati of the Local Coordination Committees in Syria, “It’s like putting a gun in someone’s hand and saying ‘I can’t help the way the person uses it.’”

This article was posted on 11 April, 2014 at indexoncensorship.org 

New global coalition urges governments to keep surveillance technologies in check

World leaders must commit to keeping invasive surveillance systems and technologies out of the hands of dictators and oppressive regimes, said a new global coalition of human rights organizations as it launched today in Brussels.

The Coalition Against Unlawful Surveillance Exports (CAUSE) – which includes Amnesty International, Digitale Gesellschaft, FIDH, Human Rights Watch, the New America Foundation’s Open Technology Institute, Privacy International, Reporters without Borders and Index on Censorship – aims to hold governments and private companies accountable for abuses linked to the US$5 billion and growing international trade in communication surveillance technologies. Governments are increasingly using spying software, equipment, and related tools to violate the right to privacy and a host of other human rights.

“These technologies enable regimes to crush dissent or criticism, chill free speech and destroy fundamental rights. The CAUSE coalition has documented cases where communication surveillance technologies have been used, not only to spy on people’s private lives, but also to assist governments to imprison and torture their critics,” said Ara Marcen Naval at Amnesty International.

“Through a growing body of evidence it’s clear to see how widely these surveillance technologies are used by repressive regimes to ride roughshod over individuals’ rights. The unchecked development, sale and export of these technologies is not justifiable. Governments must swiftly take action to prevent these technologies spreading into dangerous hands” said Kenneth Page at Privacy International.

In an open letter published today on the CAUSE website, the groups express alarm at the virtually unregulated global trade in communications surveillance equipment.

The website details the various communication surveillance technologies that have been made and supplied by private companies and also highlights the countries where these companies are based. It shows these technologies have been found in a range of countries such as Bahrain, Brazil, Côte d’Ivoire, Egypt, Ethiopia, Libya, Nigeria, Morocco, Turkmenistan, UAE, and many more.

“Nobody is immune to the danger communication surveillance technologies pose to individual privacy and a host of other human rights. And those who watch today, will be watched tomorrow,” said Karim Lahidji, FIDH President. “The CAUSE has been created to call for responsible regulation of the trade and to put an end to the abuses it enables,” he added.

Although a number of governments are now beginning to discuss how to restrict this trade, concerns remain. Without sustained international pressure on governments to establish robust comprehensive controls on the trade based on international human rights standards, the burgeoning proliferation of this intrusive technology will continue – fuelling even further abuses.

“There is a unique opportunity for governments to address this problem now and to update their regulations to align with technological developments” said Tim Maurer at New America’s Open Technology Institute.

“More and more journalists, netizens and dissidents are ending up in prison after their online communications are intercepted. The adoption of a legal framework that protects online freedoms is essential, both as regards the overall issue of Internet surveillance and the particular problem of firms that export surveillance products,” said Grégoire Pouget at Reporters Without Borders.

“We have seen the devastating impact these technologies have on the lives of individuals and the functioning of civil society groups. Inaction will further embolden blatantly irresponsible surveillance traders and security agencies, thus normalizing arbitrary state surveillance. We urge governments to come together and take responsible action fast,” said Wenzel Michalski at Human Rights Watch.

The technologies include malware that allows surreptitious data extraction from personal devices; tools that are used to intercept telecommunications traffic; spygear used to geolocate mobile phones; monitoring centres that allow authorities to track entire populations; anonymous listening and camera spying on computers and mobile phones; and devices used to tap undersea fibre optic cables to enable mass internet monitoring and filtering.

“As members of the CAUSE coalition, we’re calling on governments to take immediate action to stop the proliferation of this dangerous technology and ensure the trade is effectively controlled and made fully transparent and accountable” said Volker Tripp at Digitale Gesellschaft.

NGOs in CAUSE have researched how such technologies end up in the hands of security agencies with appalling human rights records, where they enable security agents to arbitrarily target journalists, protesters, civil society groups, political opponents and others.

Cases documented by coalition members have included:
• German surveillance technology being used to assist torture in Bahrain;
• Malware made in Italy helping the Moroccan and UAE authorities to clamp down on free speech and imprison critics;
• European companies exporting surveillance software to the government of Turkmenistan, a country notorious for violent repression of dissent;
• Surveillance technologies used internally in Ethiopia as well as to target the Ethiopian diaspora in Europe and the United States.

#dontspyonus: The fight against mass surveillance

Index on Censorship had a Google Hangout on how to protect yourself from mass surveillance, and what you can do to demand the right to privacy from your government.

Jim Killock, Executive Director at Open Rights Group, Mike Rispoli, Communications Manager at Privacy International, and Mike Harris, Campaign Director for Don’t Spy On Us share their thoughts on the unfolding fight to restrict mass surveillance.