In the last few years, surveillance technology sold to repressive regimes has contributed directly to human rights abuses. “Western technology could immediately be traced back to individuals who had been dragged from their homes and put into prison,” European Parliament Member Marietje Schaake said at a recent event.
Increasingly, governments around the world rely on commercial technologies produced and exported by American and European countries to monitor and censor their citizens. The Wall Street Journal reported in 2011 that the annual value of the “retail market for surveillance tools has sprung up from ‘nearly zero’ in 2001 to around $5 billion a year.” This explosion of demand is reflective of how surveillance policy and practice have evolved during the last 15 years. And while most of this technology has legitimate uses for law enforcement, it can also be abused. According to Arvind Ganesan of Human Rights Watch, the problem is that “not every government is going to respect the rule of law or people’s rights when they buy this technology.” Human Rights Watch just released an in-depth report looking at the chilling effects of network surveillance in Ethiopia, which got some of its equipment from European companies.
The Arab Spring and the release of former regime documents shined a bright light on both the abuses and the industry, demonstrating how Western companies can be complicit in human rights abuses by exporting these technologies to authoritarian regimes like Assad’s Syria and Qaddafi’s Libya. As more evidence emerged over the past few years, human rights advocates and policymakers alike began seeking ways to hold companies developing and selling these products accountable. Some businesses in the United States, United Kingdom, and France have faced legal challenges for violating human rights under existing domestic laws. (For example, after two human rights groups filed formal complaints, the French government opened up a judicial inquiry against the Amesys to look into its operations in Libya, and in the United States plaintiffs have brought court cases against Cisco for selling equipment to the Chinese government that was used as part of its censorship and surveillance regime.) Other stakeholders have called for better self-regulation in the industry.
One other proposal is to update export controls, which could make selling this technology to countries with dubious human rights records illegal. Moreover, it would give the government a clear path to penalize companies that violate the regulations—rather than having to try to prove in court how individual cases in which the technology was used violated the law. A new joint report from Digitale Gesellschaft, New America’s Open Technology Institute (where we both work), and Privacy International examines existing export control regulations with a particular eye on provisions relating to human rights and surveillance technologies. (Note: Future Tense is a partnership of Slate, the New America Foundation, and Arizona State University.)
In essence, export controls are licensing regulations that allow governments to monitor—and in some cases, prevent—the flow of domestic products and services to other countries. In the United States, they are part of a complicated and tiered system administered by the Departments of Commerce, State, and Defense. American companies need to check both the U.S. Munitions List, which controls defense-related items, and the Commerce Control List, which controls so-called dual-use items (items that have both military and civilian uses), before selling products to foreign countries. Generally, if the item in question is included in either list, a company would need to seek a license to sell the technology abroad, giving the U.S. government the ability to approve or deny the application based on a number of factors, including the destination and end-use.
While export controls focus on the object being exported and how it’s being used, sanctions are concerned with the country or individual receiving the good. They prohibit a broader swath of transactions with a smaller, more specific list of countries and actors in an attempt to influence those foreign countries’ behavior. The United States currently has comprehensive sanctions in place against Iran, Syria, Sudan, North Korea, and Cuba, which effectively ban all exports to these countries.
U.S. sanctions policies can help us think about how to apply export controls to the problem of American-made surveillance technology. For example, since 2010, the U.S. government has prohibited exporting to Iran goods or services that it considers “sensitive technology,” which includes hardware, software, and telecommunications equipment that can be used “to restrict the free flow of unbiased information” or “disrupt, monitor or otherwise restrict speech” in Iran. Similar policies have also applied to Syria since 2012. By including specific language describing surveillance technology, the U.S. government acknowledged that this equipment is abused by repressive regimes and increased the penalties against American companies that are caught exporting it.
But export control regulations remain outdated when it comes to this problem. Part of the challenge is bureaucratic. As Schaake, a strong advocate on these issues, noted at the event, “It is very, very difficult to get regulations like this moving.” Further complicating the process is the widely accepted notion that unilateral export controls are not particularly effective. The argument is if one nation restricts the exporting of surveillance products, companies in other countries would just take their place in the market. And, of course, the companies producing these items have a business interest to push back against any attempt to control their markets, even if there are serious human rights concerns about how their products are being used. Several governments and institutions have imposed a few export controls on a few types of surveillance technologies, including the United States. For example, in 2012 several Western countries began restricting the export of IMSI catchers (devices that enable “man in the middle” attacks and intercept mobile phone traffic by impersonating cellphone towers). But thanks to the lack of international coordinated efforts, existing bans have been largely ineffective—or at least until recently.
Late last year, a group of countries that house some of the most notorious companies in the surveillance market agreed to establish new controls. These changes took place through the Wassenaar Arrangement, a 41-country forum that addresses export controls on conventional arms and dual-use goods and has recently turned to the problem of surveillance technologies. In December 2013, the Wassenaar members—which include the United States, the United Kingdom, France, and Germany—announced new controls relating to “intrusion software” and “IP network surveillance systems.”
Intrusion software can be used by outside actors to surreptitiously swipe passwords, screenshots, microphone recordings, camera snapshots, and Skype chats, and to remotely execute commands. “IP network surveillance systems” monitor general network traffic and can identify and collect information flowing through a network. This is the technology that could, for example take a picture of a group of protesters, pick out individual faces, and match them to names and other activity on the Internet.
This international agreement is the first step. But the onus is now on each individual Wassenaar member to incorporate the new controls into its national export control regimes. The Wassenaar Arrangement does not focus on addressing human rights concerns—it is intended to be a discussion about security and stability. But the new provisions offer an opportunity for the U.S. government to exercise leadership by providing a blueprint that other countries can follow for how to integrate them with a clear focus on protecting human rights.
There is some apprehension about export controls among those who remember the “Crypto Wars” of the 1990s, which were a battle over the broad and messy restrictions placed on cryptography exports. At that time, many security experts and technologists fought for their right to export products with strong encryption, like those that would protect users against digital forms of wiretapping. In the end, the rules were loosened.
But the government should use lessons from the Crypto Wars and implement new controls in a targeted manner, recognizing that the intent is to prevent human rights abuses using surveillance technology, not stop legitimate activities by companies or security researchers. Building policies about “sensitive technologies” into U.S. sanctions demonstrates that it is possible to craft more precise and effective definitions that cover this type of equipment without being overly broad. Seizing this chance to demonstrate leadership will be an important step by the U.S. government in both preserving free speech and fighting repression around the world.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.