On May 3, celebrations of World Press Freedom Day were less than cheerful, given the increasingly hostile environment journalists find themselves in. In Ukraine, for example, the media freedom representative of the Organization for Security and Cooperation in Europe was forced to intervene nearly daily to protect journalists. Last month, Human Rights Watch reported how “the Ethiopian government is using foreign technology to bolster its widespread telecom surveillance of opposition activists and journalists both in Ethiopia and abroad.” And in Azerbaijan, the government has stepped up its “surveillance of journalists’ and bloggers’ online and telephone correspondence.” “Global press freedom fell to its lowest level in over a decade,” the human rights organization Freedom House warned.
Helping fuel this trend are new technologies that make it possible to carry out surveillance at an unprecedented scale. It’s especially problematic in countries without rule of law and little respect for human rights, such as Libya or Syria. Unfortunately, companies in the United States and Europe are exporting some of these technologies. The good news is that the U.S. and other governments are looking into ways to curb the proliferation of surveillance technologies—but there are some land mines along the way.
An important part of this effort is updating export control regulations. Export controls—which are not outright bans—give the government the legal authority to review exports and to approve or deny them, depending on the circumstances and security and human rights implications. That means that a company that is trying to export a specific product needs to check whether that product is on a U.S. control list and covered by one of the “controls.” (A control is codified in the Export Control Classification Numbers describing the item and licensing policy. There are 10 broad categories of controls, with further subdivisions; the nonexhaustive list of controlled items is 72 pages long.)
Depending on the item and end user, the exporter might need a license from the government in order to export the product. According to the Bureau of Industry and Security at the Department of Commerce, only 1.7 percent of overall U.S. exports were affected by export controls during fiscal year 2013. BIS processed 24,782 export license applications, and it denied only 177. In order to keep up with technological changes, the Department of Commerce receives input from several technical advisory committees, but sometimes the regulation starts chasing reality—as has been the case when it comes to surveillance.
Thanks to a growing number of media reports and research shedding light on this phenomenon, however, governments around the world are trying to catch up. Last December, two new surveillance controls were created through the Wassenaar Arrangement, which consists of 41 member states that now have to implement them into their national export control regulatory regimes. One control relates to “intrusion software,” while the other focuses on “IP network surveillance systems.” It took a while—the U.K. first circulated its proposal on intrusion software about a year and half before it became reality—but it’s an important step to update export control regulations to curb this exploding market.
As a member of the Wassenaar Arrangement, the United States is now looking into how to enact these new controls into its national export control system. The U.S. export control regulatory system is more complicated than those of other countries. Instead of just one consolidated list of controls, the U.S. has two major lists: the Munitions List, which covers defense items with very strict standards, and the Commerce Control List, focusing on dual-use items with lower standards. Moreover, multiple agencies—namely the State Department and Commerce Department—are involved with administering them. (Currently, a significant reform to reduce the complexity and to move to a single list and eventually a single agency is underway, but it’s not clear when the latter changes will be implemented.)
The U.S. export control system also includes various human rights provisions. The section on crime control in the Commerce Control List, for example, states that “the judicious use of export controls is intended to deter the development of a consistent pattern of human rights abuses, distance the United States from such abuses and avoid contributing to civil disorder in a country or region.” Congress has also recognized the importance of these controls for U.S. foreign and human rights policy, and the Leahy Law explicitly prohibits military assistance to security forces of a foreign country that commit gross violations of human rights.
The U.S. government now needs to apply these human rights provisions to the new controls relating to surveillance. This includes making sure that—in keeping with precedent—a product’s availability from a foreign company isn’t an argument against a U.S. control.
The updates are happening under the specter of the “crypto wars” of the 1990s, a multiyear struggle to loosen export controls on encryption technologies that were initially on the U.S. munitions list. Encryption tools used to be something only governments were able to take advantage of, and governments tried to prevent the technology being used more widely. The result exemplifies how poor export control policies can do more harm than good: The controls were so broad and strong that they made it harder for activists and others to secure their communications. That episode demonstrates why it’s important to develop very targeted controls. Some have suggested using encryption controls to regulate surveillance technology, too—but combining them will make managing both only more complicated down the road. (A coalition of human rights and technology groups, including New America’s Open Technology Institute, where I work, submitted recommendations this month with proposals on how to make this happen. The Open Technology Institute is also one of the founding members of CAUSE—the international Coalition Against Unlawful Surveillance Exports.)
This problem of technology being abused for surveillance doesn’t only affect people in other countries. In February, the Washington Post published an article explaining how Ethiopian journalist Mesay Mekonnen, who lives in Northern Virginia, was being monitored with spyware. According to researchers, the Ethiopian government was spying on Mekonnen using spyware sold by an Italian company, Hacking Team, which has a regional sales office in Maryland. In short, a foreign government used European technology to spy on somebody in the United States.
Eric Rabe, the chief communications counsel for Hacking Team, says in an email: “The systems Hacking Team provides are used to surveil individual devices used by specific people who are targets of law enforcement investigations. They are not designed to and cannot be used to surveil entire networks, servers, etc. (such as the NSA is accused of doing.)” Rabe also says that Hacking Team attempts to learn about any possible abuse by vetting clients, monitoring reports of abuses, “require[ing] certain behaviors which we outline in our contract,” and “may decided [sic] to suspend support for that client’s system rendering it quickly ineffective.” But the reporting and research over the last few years show that these internal systems are not sufficient.
The good news is that Rabe’s comment suggests that it is possible for a company to render such technology ineffective quickly when it is found to contribute to human rights violations. However, it is not enough to just stop such surveillance once human rights have been violated. In order to prevent such abuses, smart revamping of the U.S. export control system would help protect Mekonnen and others like him around the world—and bring government practice in line with American human rights rhetoric.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.