Surveillance Exports: Time for the EU to Put its Money Where its Mouth is
By Joshua Franco, (@joshyrama) Researcher/Advisor on Technology and Human Rights for Amnesty International
It was just before dawn on March 20th when about a dozen security officers raided the home in Ajman, UAE, where Ahmed Mansoor lives with his wife and four young children, seizing all the family’s laptops and mobile devices, and taking Ahmed himself. He would not be heard from again for two weeks.
Nearly two months later, he is still being held, and until today his wife has had only one short visit with him.
According to news reports, the authorities suspect him of using his social media accounts to, among other things, publish false information and incite sectarianism. But along with other human rights groups and United Nations human rights experts, Amnesty International believes his arrest is an attack on his work as a human rights defender and a violation of his human rights. Amnesty International is calling for his immediate and unconditional release.
Ahmed Mansoor’s arrest marks a disturbing new chapter in a long story that has seen him face arbitrary detention, assaults, travel bans, death threats and other harassment.
This campaign against him has repeatedly relied on sophisticated spyware in attempts to access his personal information and monitor his communications. In at least two instances, researchers at The Citizen Lab in Canada found that this spying has used software sold by EU manufacturers: the German-British Gamma Group and Italian Hacking Team.
This is but one example of the problematic sale and use of European surveillance tools around the world. The market for European surveillance technology exports is a large one, but also one about which we know very little. With the exception of a few states, information regarding exports, or export licenses — the basic information about who is selling what to whom — is generally shrouded in secrecy.
What we do know comes from sources such as investigations by journalists. One such investigation found that over the last three years, EU states approved 317 export licenses for digital surveillance technology, with many of these exports ending up in countries with poor human rights records, including the United Arab Emirates — they denied only 14 licences.
Other information has come from data breaches when European companies have been attacked and had their internal communications dumped online. This is what happened to the Italian company Hacking Team in July 2015. Though the company had long denied it (and maintain they acted legally), the leaked documents appear to show that Hacking Team had indeed been selling to numerous governments with poor human rights records, including Uzbekistan, Bahrain, Ethiopia and others.
Another European manufacturer of surveillance software — the German-British Gamma International— suffered the same fate in 2014, allegedly at the hands of the same hacker. Those leaked documents appear to have revealed numerous problematic sales to repressive governments, and undermined the company’s claims that they were not involved in the targeting of dissidents in Bahrain with their software.
Surveillance poses a huge risk to human rights defenders. Amnesty International has documented examples of how abuses of surveillance technology can have a devastating effect on activists in countries all over the world.
In Belarus, activists, independent journalists and others told Amnesty International how the widespread fear of surveillance, alongside laws that criminalize basic freedoms, such as holding an unauthorized protest, makes it nearly impossible for activists to carry out daily activities such as sending an email, making a phone call, organizing a meeting or protest, or soliciting funds for their organization. As a result, their ability to exercise their human rights and to participate in the political life of the country is severely curtailed.
Surveillance-related abuses outside the EU can also impact on the rights of people inside the EU, and vice-versa.
Refugees from Uzbekistan in Europe are sometimes forced to cut off communication with family in Uzbekistan for fear that surveillance of their phone calls or emails from abroad could lead their family members to be persecuted by the security services.
Independent journalists Gulasal Kamolova and Vasiliy Markov were forced to flee Uzbekistan when their secret work for foreign, independent news outlets was revealed after their editor’s email account was hacked in Berlin, and their correspondence with her posted on websites in Uzbekistan.
All of this begs a rather obvious question: if the trade in European surveillance exports is such a substantial one, and if abuse of surveillance technology poses such clear human rights risks around the world, why should we learn about problematic sales only from investigative journalists, or even data breaches?
The answer is clearly that we should not.
More transparency and better regulation are desperately needed so that parliaments, journalists, civil society groups and the public can understand the human rights implications of the European trade in surveillance tools and so that exports that pose human rights risks are prohibited.
That is why Amnesty International, and other members of the Coalition Against Unlawful Surveillance Exports (CAUSE), welcomed the news, in September 2016, that the European Commission had released a proposal to update EU controls on the trade in so-called “dual-use” items — items that have both a military and non-military application — which can include some categories of surveillance technology.
This proposal includes many welcome innovations. For instance, the proposal expands the types of surveillance technologies that are subject to export licensing procedures, and explicitly requires the consideration of human rights concerns in the export licensing process.
To be sure, exports controls are not a panacea. They cannot prevent all abuses linked to surveillance, and as critics have pointed out, vague or broad drafting can have chilling effects on important security research if researchers are left unsure whether their activities require a license.
There are also several aspects of the proposal that need strengthening:
- Human rights considerations in the proposal contain restrictive limitations — covering only exports to specific officials with proven histories of human rights abuses, or to countries in situations of armed conflict. Controls should apply to any export that poses a substantial risk to human rights.
- A proposed extension of the “catch-all” clause, designed to ensure that new and evolving technology that poses human rights risks is captured under licensing procedures, is weak and easily circumvented as currently drafted. This must be strengthened so that all relevant technology exports are scrutinized for risks to human rights.
- The proposal contains very little by way of requiring greater transparency from either companies or states. States must proactively disclose information such as export license approvals and denials, the type of equipment concerned, the product category, description, value, destination country, end use/user and the reasons for the approval or denial of licenses.
- The proposal needs to clarify or amend definitions in order to offer greater protection for security research, to ensure that those carrying out work such as penetration testing, or finding and patching software vulnerabilities, are not inadvertently caught up in the regulation. This should be accomplished via an inclusive consultation that takes account of specialized expertise in this area.
- Most glaringly, the proposal does not require that states prohibit exports even where such exports are found to pose serious human rights risks. The proposal must be amended to require that exports that pose a substantial risk to human rights be denied.
The proposal — which is currently being considered by the European Parliament and the European Council — is an opportunity to make human rights a central consideration of EU trade policy in this area. If properly drafted and implemented, it could be an important first step to protect against transfers of European surveillance technology that pose risks to human rights.
EU leaders must ensure that the Commission’s proposal is strengthened so that it can pose a meaningful check against surveillance exports that threaten human rights.
If they do not, this effort risks being little more than lip service to the importance of human rights that will allow unscrupulous companies to continue to profit from trade in the tools used to suppress human rights defenders — people like Ahmed Mansoor — around the world.