Landmark changes to EU surveillance tech export policy proposed, leaked document shows

Privacy International
Jul 28, 2016

This is an initial reaction by Privacy International to a leaked proposal by the European Commission specifically as it relates to surveillance technologies. A full analysis, including wider implications of the proposed changes, is forthcoming. It originally appeared here and was written by PI Research Officer Edin Omanovic.

The European Commission is proposing to amend the Dual Use regulation to control the export of surveillance technology on human rights grounds, a leaked copy of the proposal obtained by Euractiv shows.

The landmark move comes after years of campaigning by European Parliamentarians, some EU member states, and human rights organisations, including Privacy International. It will set a global precedent on the need to reconcile trade and human rights. However, it comes years after EU companies were revealed during the Arab Awakening to have supplied various security services known to be involved in human rights abuses with sweeping and sophisticated surveillance technology.

As a Commission proposal, it is yet to be reviewed by the European Parliament and Member State government representatives in the Council. In those reviews, amendments will be made by both institutions until they are voted on and agreed.

If some of the proposed amendments are appropriately implemented, they will help protect human rights across the world, foster accountability for both governments and industry, and have a substantial impact on the trade in and use of surveillance technology across the world. There are concrete and hugely significant benefits of the proposal.

We do have reservations and concerns and the proposed Regulation needs to go further in certain areas. In particular, there are potential negative impacts on the IT security sector stemming from the scope of the controls and some of the other measures. While this is an issue acknowledged within the preamble of the proposal, much work is still required. The proposals are unclear in the details of ‘cyber-surveillance’ technologies that are to be controlled and much more clarity is needed before we can fully understand the nature of these controls. It is therefore vital that all stakeholders are engaged in the process going forward to achieve appropriate and effective implementation that protects human rights and IT security simultaneously.

A human rights basis

The proposed Regulation, if approved, will be binding upon EU member states and will control their policies on exports of “dual use” goods — previously defined as those that have both a civilian and military application. Amendments have been under discussion for years, beginning with a green paper in 2011, and involving a Commission report, an impact assessment, and a public consultation conducted last year. Privacy International has participated in consultations throughout this process.

The resulting ‘Reasons for and Objectives of the Proposal’ recognises that:

In recent years, there have been numerous reports of cyber-surveillance technologies being exported, in some cases by companies based in the EU, to repressive regimes and/or into conflict areas and misused in violation of human rights. Cyber-surveillance technologies, which have legitimate and regulated law enforcement applications, have thus been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death. As evidenced by those reports, the export of cyber-surveillance technology under such conditions poses a risk to the security of those persons and to the protection of fundamental human rights, such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as indirectly freedom from arbitrary arrest and detention, or the right to life.

The proposal suggests creating an entirely new section devoted to “cyber-surveillance technology” to be subject to restriction. At this stage, it only indicates what types of items “related to” broad categories of technology could be included within the definition of “cyber-surveillance technology”. A full control list, to be contained within a new annex with specific control language detailing what will actually be controlled as envisaged by the proposal, is not currently available. This lack of detail makes it difficult for us to fully assess the implications of the proposed rules.

Crucially — and this is one of the main positives of the proposal — it ‘[e]xplicitly provid[es] for controls to prevent exports where there is a clear risk of human rights violations’. Current practice and legislation mean that human rights implications are not uniformly or effectively assessed by EU member states when it comes to the export of surveillance technology. To address this, it is essential that criteria be put in place so that government authorities appropriately assess and deny applications where there is a clear risk of human rights abuses.

This means that there is now an explicit and clear obligation on EU governments to assess applications using human rights as a criterion. Article 14 states that they should assess the “respect for human rights in the country of final destination as well as respect by that country of international humanitarian law”. The proposal also provides for guidance and recommendations to be developed by the Commission and Council on how this should be implemented. Going forward, it is key that the language contained within the proposal be strengthened further, and that the Commission and Council provide effective guidance to the member states specific to surveillance technology. It is therefore important that stakeholders push for stronger language and formulate effective risk assessment criteria to be used. Insofar as is possible, uniformity among EU states’ risk assessments should be sought, and assessment information ought to be shared in public channels.

The proposal also expands existing “catch-all” mechanisms and applies them to human rights concerns, meaning that a member state can ask an exporter to apply for an export license because of human rights considerations. The proposal also expands on an existing article in the current law placing an obligation on exporters to request authorisation if they are aware of specific end-uses, though how this is to be implemented is unclear.

Transparency?

The proposed Regulation falls short on transparency. A key benefit of a licensing system for surveillance technology is that it compels transparency around the industry and market by providing data around exports. This not only fosters state responsibility around licensing decisions, it allows for verification around international commitments, promotes confidence, and is essential for the protection of human rights by strengthening our understanding of the capabilities of governments. Privacy International has been calling for exporting countries to publish detailed and up-to-date data about licensed exports to promote accountability and knowledge about the industry. Currently, only the UK publishes regular and significant data.

Although the proposal aims to “enable civil society organisations to fully contribute to the formulation and implementation of export control policy” through transparency and annual reports, this proposal falls short of calling on governments to publicly publish the needed detailed data. Instead, there is a mechanism included in Article 24 where member states supply the Commission with data about implementation and enforcement activities, which is to be published annually and available to the public. There are also mechanisms envisaged for better information sharing among licensing authorities and a new coordination group.

These essential transparency elements need to be included in any final Regulation.

IT Security Research?

PI sees the spread of technological tools for offensive purposes as a substantial threat to the right to privacy. They can be used by governments, and potentially private sector contractors, for internal repression by targeting devices and infrastructure. Further, the reach of these tools is not limited by geographic borders — once purchased by one government, they can be used against individuals in other countries, including citizens of the countries that exported them. However, PI recognises the central role offensive tools play in producing defensive countermeasures to keep us all safe. As such, these technologies must not be controlled where they are exported for defensive purposes or where the purpose has not been determined.

There has rightly been a significant level of concern over the impacts of export licensing regimes on security research and on the safety of our devices, networks and services. The preamble (3) recognises that the new control on surveillance technologies “should, in particular, not prevent the export of information and communication technology used for legitimate purposes, including law enforcement and internet security research”. How this is to be achieved for security research remains to be seen, as the final annex detailing what is controlled, and in what circumstances, has not been published. It is essential that the European Commission establish much needed clarity and certainty on this matter — for instance by including language within the Regulation itself and not just the preamble.

What will actually come within the full scope of the Regulation and how the actual parameters will be defined is not contained within the leaked proposal. However, we do have definitions provided for some of these categories in the impact assessment and in other instruments such as the Wassenaar Arrangement, which already and independently of the EU controls mobile telecommunications interception equipment, intrusion software, and IP surveillance systems. Lawful Interception Systems and Data Retention Systems appear to be the only new EU unilateral control, included after Germany adopted such controls last year.

Most notably, the term Forensic Tools is not defined in the Regulation, the Wassenaar Arrangement (WA), or the impact assessment. Like Intrusion Software, Forensic Tools can be used to enhance and improve cybersecurity, and by extension protect human rights globally, and must not be restricted when moving between international parties to remedy problems with IT systems. When these tools are being exported to be used in attacks against individuals, the full force of regulation and the consideration of human rights issues ought to apply. The difference between these two scenarios must be recognised by the drafters and clearly distinguished from each other. Should this not be possible, the balance favours improved cybersecurity for all.

Article 16 states that the list of controlled surveillance technologies “shall be updated in consideration of the risks that the export of such items may pose as regards the commission of serious violations of human rights or international humanitarian law or the essential security interests of the Union and its Member States”. Whether any additional items are included in the future, and if so, how, is not addressed within the proposal. It is essential that, if any new controls are proposed, they are not overly broad and consider the role of the technology in contributing to enhanced security. PI, the Commission itself and much of the world’s population rely on these technologies to do their work, socialise and explore the vast knowledge stores available online. It is in no one’s interest to have our devices betray us. Any term which is not defined appropriately or at all should be removed from the definition of “cyber-surveillance” in order to provide clarity and limit chilling effects.

We have been seriously concerned that some regulations are overly broad, lack necessary exemptions, or fail to clearly articulate the exceptions. A key example is how attempts to regulate the trade in vulnerabilities in the US have detrimental effects on security research — the very kind of work that makes our technologies safe and truly secure. That’s why in our submission to the US Bureau of Industry & Security last year we called for the existing regulatory language contained in the Wassenaar Arrangement, particularly around Intrusion Software, to be revised, and we will work to ensure that the EU’s Regulation will provide the much needed corrections so as to not inhibit security.

It’s important to note that this proposal does not specifically address the broad scope of the specific control on Intrusion Software — decisions to change the control parameters on this are made not within the EU, but at the Wassenaar Arrangement, where discussions are ongoing. The EU does regulate how it is implemented though, meaning that it can play a significantly positive role in, for example, specifying how the controls should be interpreted, the conditions when an application should be denied, how controls should be enforced, and whether any transparency measures should be invoked. PI is actively working towards the EU getting the changes required in upcoming versions.

Final thoughts

This is a leaked proposal, and it could look drastically different when finally implemented. Nevertheless, the recognition that human rights considerations should play a role in this huge area of trade policy is to be celebrated.

There are some significant challenges ahead. Controlling dual-use technologies is fraught with risks, particularly as these technologies are not just used by government agencies, but across industry and other sectors, and by individuals too. The democratisation effect of information technology relies on its accessibility across society and across the world. Even the language of export control can have a chilling effect and this must be taken into consideration. We must ensure that any control does not inhibit, even with a chilling effect, any such research and exploration.

The leaked European proposal, however, is a welcome improvement to a space that has for too long gone without safeguards, with dire consequences, and offers genuine opportunities for real improvements in the global state of privacy. It is also a significant milestone in a long-term policy debate, and marks the beginning of the next stage of the process. Privacy International will continue to engage in this and encourages others to do so. Stronger human rights considerations in trade and improved cybersecurity of our devices are vital components to the protection of the fundamental right to privacy.

A copy of this initial reaction has been shared with the European Commission. Privacy International will update this page with all developments related to the proposal, and will be working on a fuller in-depth analysis over the coming months.
