The following is a guest post by Edin Omanovic, a researcher who focuses on export controls and surveillance technology at Privacy International, a London-based NGO that advocates for the right to privacy and investigates government surveillance.
The release of a new white paper on the export of surveillance technologies is a welcome and highly relevant contribution to what remains a niche yet hugely important issue.
Called Considerations on Wassenaar Arrangement Proposals for Surveillance Technologies, the white paper is the most authoritative and in-depth publicly available analysis to date of how recent changes to export control regulations are likely to impact industry and the trade in surveillance technologies, and how export authorities should interpret the new controls.
The release is also timely: the European Union and its member states have recently implemented the Wassenaar regulations to control the relevant categories of technologies, while the U.S. is expected to do so imminently. The white paper also comes during what is a hugely important year for the development of export controls, which will see the EU decide whether or not it will adopt a unilateral export control mechanism aimed at stopping transfers of surveillance technologies likely to have a detrimental impact upon human rights in third countries.
Understanding the likely impact of the regulatory changes is a complex endeavor. Individual contributions to the debate such as this paper are therefore invaluable, and will bridge and inform a discussion encompassing complex questions relating to human rights, international security, export controls – and crucially, the technology itself.
Background
The Wassenaar Arrangement is an intergovernmental export control regime used to determine which items should be subjected to export licensing by its participatory states in order to foster international security. The two categories of technology discussed in the paper, IP Network Surveillance and Intrusion Software, are electronic surveillance systems used to monitor internet activity and hijack devices, allowing their users an intrusive look at the private communications of individuals. The categories were added at the 2013 plenary of the Arrangement.
The adoption of the categories means that the 41 participating states, which are comprised of the world’s largest exporters of arms and dual use goods — including Russia, the U.S., and all EU member states —– are obliged to control the export of these technologies. Wassenaar also requires its members to regulate transfers of other surveillance technologies, such as mobile phone interception equipment known as IMSI Catchers, and laser microphones used to eavesdrop on conversations through glass windows.
While human rights are not considered a motivational factor for the decision to regulate the technology within Wassenaar, it is clear that the two states which instigated the inclusion of the new categories into the regime – France and the United Kingdom – were motivated at least in part by domestic concerns relating to human rights.
Wassenaar includes two main types of control lists: one for items that have dual uses, and one for items that have military uses. The dual use list is based on civilian items that generally could be used in the development or delivery of WMDs, while the military list is based on items specially designed for military use. Surveillance technologies, even when sold to military end users, do not readily fall into either category. Oftentimes, systems or specific products that are used for electronic surveillance are based on technologies and systems which also have more general applications, and trade in these more general applications should not be restricted. Monitoring Centers used for the lawful interception of telecommunications and widely sold as explicit surveillance products, for example, are comprised of collection devices, retention and mediation solutions, and analysis technologies which all have everyday uses.
This has led to a tension: while authorities may want to bring specific surveillance technologies within their remit of control, they risk inadvertently subjecting too many items and activities to licensing requirements. The ability therefore to accurately define an item that will catch all the intended items, while not catching anything else, is the core aim of the Wassenaar control lists and the basis upon which definitions are formulated.
Fit For Purpose?
The paper assesses how effective the approved definitions are likely to be in fulfilling their main objectives, and provides recommendations for how they should be interpreted and implemented by export control authorities.
The inclusion of the category relating to intrusion software was instigated by the UK in 2012 in the midst of increasing evidence that technologies such as FinFisher, a suite of trojan based systems formerly exported by UK-based Gamma International, were being exported to authoritarian states with poor human rights records and being used to target activists. The fact that such technology can be used to target individuals across borders – including within the UK itself – as well as concerns over their use for espionage also undoubtedly led to the decision to subject the category to control.
The formulation of a control that would catch intrusion software like FinFisher is challenging, given the general application of the company’s technologies in devices and for security research. To deal with this, the control focuses not on intrusion software itself, but on products which facilitate their use, such as the software for its administration and delivery. In addition, the control is accompanied by a number of specific exemptions, that complement the general exemptions included within the control lists.
It is unclear how effective the intrusion software control will be in practice, given that some of the controlled technologies constitute Intangible Transfers of Technology and can be transmitted online, thereby circumventing traditional export controls. It can also be argued that the control will not catch emerging technologies that carry out a similar function but operate in different ways, or even existing products, such as NSO Group’s Pegasus. Nevertheless, the white paper argues that the definition applies to the most high profile products on the market, including FinFisher, Hacking Team’s RCS, QuickTrail, and SS8 Interceptor.
Although the intrusion software definition will go a long way in catching these items, there are concerns that the definition it may be too broad, inadvertently catch too many items, and therefore damage security research.
Privacy International shares many of these concerns and raised awareness about them just three days after the announcement of the new Wassenaar regulations. We continue to speak with export control authorities regarding their interpretation and implementation.
The category relating to IP Network Surveillance Systems was instigated by France after evidence emerged that a French company, Amesys, supplied technology to Gaddafi’s Libya, leading to litigation against the company by international human rights group FIDH. As the paper describes, the IP Network Surveillance control goes a considerable way in subjecting many of the most prominent internet monitoring centers available on the market to control, including Amesys’s Eagle, and VASTech’s ZEBRA – another surveillance system used by Libya during the Gaddafi era.
As the white paper demonstrates, however, the requirement that the system must perform relationship mapping significantly narrows the range of products affected by the regulations, especially because network monitoring is based around a suite of technologies with general applications.
“Constructive” role for export controls
The white paper’s key recommendations include taking the context of technology transfers into consideration. This is one of the important aspects of Privacy International’s work on this issue within the Coalition Against Unlawful Surveillance Exports (CAUSE), a civil society campaign calling for transfers of surveillance technologies to be stopped if there exists a risk that they will be used for human rights abuses.
As the paper concludes, if the new regulations are well defined and implemented correctly, there is a ”constructive and expansive role for export controls in the promotion of human rights and cyber security goals.”
The electronic surveillance industry is only likely to expand as digital networks become an ever-increasing feature of modern life and as they are affected by surveillance across the world. It’s essential to ensure that there exist mechanisms to stop the transfer of specific items likely to be used for human rights abuses. As a policy debate, this is an area in urgent need of more research and evidence, and the new paper massively enriches this conversation.
Edin Omanovic is the author of Private Interests: Monitoring Central Asia and co-author of Uncontrolled Global Surveillance: Updating Export Controls in the Digital Age. Twitter: @edin_o
photo credit: Glynlowe.com