Shades of “deep grey”; lessons from an undercover surveillance investigation
This piece was authored by PI head of research and investigations Claire Lauterbach.
Al Jazeera recently published an investigation into the shadowy trade of communications surveillance technologies. Their undercover reporter revealed four companies offering to illegally sell highly intrusive surveillance technologies to the governments of South Sudan and Iran, both of which are subject to extensive international sanctions. In the film, the four companies — two Italian, one Turkish and one Chinese — show themselves eager to employ workarounds, third parties, and shell companies to offer deals that the film claims to be violations of export regulations governing the sale of such technologies.
The surveillance vendors in the film offer two different technologies. One deal concerns the sale of an IMSI catcher to the South Sudanese government. An IMSI catcher is not a simple bug — it is a mobile device that can intercept phone and Wi-Fi communications of any device in its range; it retails from tens to hundreds of thousands of dollars. The second deal concerns an offer to sell an IP intercept system to Iran. Such a system could potentially monitor the internet traffic of an entire country.
How easy is it to circumvent the law? Exports of military-civilian ‘dual-use’ technologies, including many surveillance technologies like those described above, are reviewed at the national level by the export authority of the government from which the technology will be exported. The regulatory regime is a maze of regulations and updates to regulations, laid out in endless lists, footnotes, and appendices. There are very few destination countries where it is actually illegal for companies based in the European Union to sell controlled dual-use technologies: Iran and Syria, for example. Again, it depends on where you’re selling them from.
While there are relatively few restrictions on where European surveillance tech can be sold, the bureaucracy of applying for and obtaining an export license for surveillance technology can be burdensome. So even when they do not have to, companies cut corners in ways that could violate the law. There are various ways in which companies could do this.
The first method is to misdeclare the end-user. This method involves a surveillance tech company misdeclaring where their technology will be used in order to avoid obtaining the necessary paperwork such as an export license from the government of the exporting country, or a certificate from the intended end-user of the product, which is required for the granting of the license. For example, in order to sell its IMSI catcher surveillance product to South Sudan, Al Jazeera reveals that an Italian firm offers to obtain an end-user certificate signed in Tanzania. One option presented to the undercover reporter is that Tanzania could then gift the device to the South Sudanese government, which has been subject to heavy military sanctions over its brutal civil war. Alternatively, the Italian firm links Al Jazeera’s undercover reporter with their Turkish wholesaler, who could quickly and easily do a deal through Dubai.
Another tactic is to falsify paperwork. During the investigation, the Turkish company offers to falsify the type of technology actually being sold by calling it “telecom testing equipment”, a routine piece of tech. An Italian company offers to similarly lie about the nature of its interception product, calling it a “traffic management system”. No license would be required to export such a system. Alternatively, a company could simply forge the paperwork. A South African company was recently caught attempting to sell an interception device to a purported private client; the end-user certificate had reportedly been forged.
Finally, there’s the verbal assurance: the assertion that the vendor has checked with the security services of the exporting state and that, hesitations aside, a proposed sale can go through. “We sell trust, we don’t sell products,” affirms Italian surveillance company AREA’s Senior Vice President Marco Braccioli in the Al Jazeera film. Proximity between state security and surveillance companies is nothing new. Members of Israel’s elite 8200 signals intelligence agency are virtually assured a job at one of the country’s thriving surveillance companies. Malware vendor Hacking Team lobbied its Italian military and intelligence contacts for assistance in reinstating its lucrative global export license. However, if the claims of the surveillance dealers in Al Jazeera’s investigation are true, and they have indeed obtained verbal confirmation from state agents that the sales can go ahead in the way the companies suggest, this is strong evidence that certain state security agents are knowingly facilitating potential violations of their own laws.
In one of the most shocking of the film’s revelations, employees of Chinese surveillance firm Semptian offer to sell surveillance devices to Al Jazeera’s undercover reporter for an unknown private client. While a Chinese employee hesitates because he doesn’t want the technology to end up in terrorists’ hands, his boss is unbothered. He offers to deal directly with the reporter through his shell company in total willing ignorance: “We don’t know who is the end-user and we don’t care.” This is not necessarily illegal, but we would not know if it were: many aspects of China’s export regulation regime, particularly concerning interception and surveillance technologies, are shrouded in secrecy. The use of middlemen and offshore companies, particularly near target clients, is widespread.
But how many companies duck and dive around the regulations to sell to “deep grey countries”? “Lots,” admits one vendor. How many of the mobile surveillance devices sold globally have ended up in the hands of gang members, criminals, kidnappers, or terrorist groups? And how many mass surveillance technologies will be used in politically motivated surveillance? Those who watch the surveillance industry will recognise the irony: entire marketing strategies are built around preventing terrorism and crime and keeping civilians safe, while some companies’ own profit-maximizing strategies do exactly the opposite by selling to clients where there is a high risk of diversion or misuse of their products. This is hypocritical and reckless in the extreme.
In many respects the trade in surveillance technologies follows tried and true tactics of the arms trade and the unlicensed trade in nuclear technologies — they thrive in darkness. Regulations can be skirted, companies can move abroad or trade through offshore companies — but we need to build a stronger expectation of transparency and accountability for the trade. We need more disclosure from national export authorities worldwide of export licenses they grant, so that they can be held to account for rubber-stamping questionable sales.