Trade secrets
Surveillance technology destroys political opposition more effectively than guns or grenades. And it’s big business.
07 Dec 12
Digital Frontiers, the winter 2012 issue of Index on Censorship magazine, explores how activists and journalists are using technology to get vital news out and bring about change.

Between February 2011 and June 2012, I attended nine surveillance technology trade shows around the world. At these events, vendors, developers and government agencies meet, mingle and do business. They’re usually held at anonymous corporate hotels and are strictly invite-only. Yet the atmosphere is usually one of pervasive paranoia and attendees often conceal their real names and governmental affiliations. The sales representatives, by contrast, can be extremely frank, particularly when discussing the ethical implications of their trade. During one presentation, delegates from a password forensics company projected an image of a metal interrogation chair draped with chains and joked that their equipment could be used in conjunction with ‘other methods’. Another vendor told me that he was sure his company could come to ‘some arrangement’ with a (hypothetical) North Korean customer. Fat profit margins are top of the agenda; ethics and social responsibility rarely even come into it.

Twenty years ago, the value of the global surveillance industry was negligible – today it is estimated to be worth around $3bn. The fall of the Berlin Wall in 1989 left hundreds of Stasi officers out of a job and the rash of new surveillance companies that sprang up in the early 1990s in Germany suggests that many found lucrative new employment in the private sector. Privacy International published a report in 1995, highlighting this increased flow of surveillance tools from developed countries like the UK, the US, Germany and Israel to repressive regimes in Africa and South Asia, where they were then used as instruments of political control and internal repression. But not a single Western government has felt it necessary to impose export controls on surveillance technologies, and so this unethical trade has continued unimpeded.

After 9/11, governments around the world ramped up their surveillance operations and private companies competed to develop and supply cheaper and more invasive tools. The business of surveillance was no longer the preserve of large military and arms manufacturers like BAE Systems; small technology enterprises and larger Silicon Valley companies quickly flooded the market. Privacy International’s recent research has identified around 250 vendors of surveillance technology based in 33 countries around the world and there are probably dozens more that have managed to remain under the radar. Unfortunately, these new actors seem to conduct themselves with even less integrity than their predecessors – exports to Africa and the Middle East are significant and companies now offer bespoke solutions and training to their clients.

One would think this would make it difficult to plead ignorance when companies get caught doing business with dictatorships and repressive regimes. Yet this is still the most common defence: companies claim that they had no knowledge of the uses to which their products were being put.
They deny complicity in resulting human rights abuses – censorship, torture, extrajudicial detention and executions – because they say that technology is neutral, that it’s not their responsibility to vet their clients, that they can’t control how equipment is used once sold. Let us be clear: in the majority of situations, this is simply not the case. These companies are not staffed by idealistic young software developers creating socially useful tools that their wicked clients are then misusing and perverting. In fact, most of the time they are working with their customers on a close and long-term basis, carefully tailoring surveillance systems to specific needs.

Milan-based Area SpA last year furnished Privacy International with a disturbing example of just how committed to customer service these companies can be. While President Bashar al Assad’s forces were engaged in brutal attempts to crush dissent in Syria, killing and injuring hundreds of unarmed protesters, Area secretly installed a nationwide mass surveillance system. Dozens of the company’s Italian employees were flown out to Syria to install hardware and software that would allow Syrian security agents to follow targets on flat-screen workstations displaying communications and web use in near-real time, alongside graphics that mapped citizens’ networks of electronic contacts. The €13m (US$16.7m) contract also specified that Area employees would supply training to Syrian security agents, teaching them how to monitor vast swathes of the population. Fortunately, after a Bloomberg report exposed the project and protesters gathered outside Area’s offices, the company quietly pulled the plug on the project.

The effect of a surveillance system of this sophistication and magnitude on political dissent, public debate, the rule of law – in fact, on all of the processes fundamental to participatory democracy – is devastating. When people see their friends and colleagues arrested and tortured because of a text message, a Facebook chat or a phone call, they think twice about complaining about government abuses. They may cut off all phone and email contact with those people, afraid that just being part of the wrong networks will bring the secret police to their own doors in the middle of the night. Arranging face-to-face meetings becomes practically difficult, and even speaking in person isn’t secure – governments can target individual mobile phones with malware that allows them to remotely control the device’s microphone and camera and thereby see and hear everything happening around it.

Organising political demonstrations is equally challenging. Blogs containing anti-government sentiments are identified and blocked almost as quickly as they can be written, preventing citizens from expressing their dissatisfactions to a wider audience. Surveillance technology is therefore one of the most powerful weapons in the dictator’s arsenal; it destroys political opposition and subdues populations far more effectively than guns or grenades.

Privacy International doesn’t think it’s right that companies based in Europe and the United States – where governments publicly condemn the kind of human rights abuses described above – should make vast sums of money by facilitating these same abuses. We also believe that this notoriously murky and elusive industry needs to be much more transparent about which products are being sold to which regimes, particularly in Africa and the Middle East. We embarked on the Surveillance Industry Index – a publicly-accessible online catalogue of surveillance companies, products and marketing materials – because we felt that putting the hard facts in the public domain would hopefully stop companies obfuscating their involvement with repressive governments and make them more accountable. We also hoped that it would add to the evidence base for proper export licensing systems in Europe and the US. In particular, the excerpts from the marketing material we’ve presented provide direct insight into the ethical vacuum at the heart of the industry and demonstrate the terrifying scope and power of some of the technologies that are now readily available.

For example, UK-headquartered Gamma Group describes one of their products as permitting ‘black hat hacking [illegal and malicious] tactics to enable intelligence services to gather information from target systems that would be otherwise extremely difficult to obtain legally’. South African VASTech sells a mass surveillance product that can intercept ‘more than 100,000 simultaneous voice channels, allowing it to capture up to one billion intercepts per day and storing in excess of 5,000 Terabytes of information’. Madrid-based Agnitio is even more explicit, stating that their product is ‘designed for mass voice interception and voice mining’. Mass surveillance has been ruled illegal in most democratic countries as, by its very nature, it can never be considered a proportionate or necessary tactic.

Over the past few years, Gamma International’s FinFisher suite, a range of spyware that covertly takes remote control of a computer or mobile device, copying files, intercepting Skype calls and logging every keystroke, has appeared all over the world. Recent reports by computer security company Rapid7 have placed FinFisher command and control servers in Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar and the US. A separate investigation in August by CitizenLab, an interdisciplinary project based at the Munk Centre for International Studies at the University of Toronto, identified potential FinFisher command and control servers in Bahrain, Brunei, the Czech Republic, Ethiopia, Indonesia, Mongolia, Singapore, the Netherlands, Turkmenistan and the United Arab Emirates.

Gamma International’s Managing Director, Martin J Muench, has refuted this research – the latest in a long line of denials and excuses from the company. In April 2011, the Guardian reported that two Egyptian human rights activists had found a proposal from Gamma to supply President Mubarak’s regime with FinFisher products inside the ransacked headquarters of the State Security Investigations service. The company said the offer was for a free trial version and that ‘Gamma International UK Limited has not supplied any of its FinFisher suite of products or related training etc to the Egyptian government’. When it was reported that five Bahraini human rights activists had been sent emails containing FinFisher trojans, Gamma suggested that the malware in question was a ‘copy of an old FinSpy demo version’ that ‘may have been stolen’. Muench also tried to point the finger at organisations that had been investigating Gamma’s practices: ‘It’s been suggested that the information was stolen on behalf of a pressure group to disrupt our business but I have no evidence yet to support that claim.’

Yet Muench’s ultimate defence is that Gamma always complies with British, American and German export regulations, recently stating that ‘Export Control Authorities … act as our moral compass’. This would be all well and good – if such export regulations existed anywhere in the world. In fact, exports of surveillance technologies remain almost entirely unlicensed and thus uncontrolled. It should also be noted that, although Gamma has been using the above justification since April 2011, the company only bothered to submit technical information about FinFisher to the Department for Business Innovation and Skills (BIS) in June 2012. BIS, which is responsible for licensing exports in the UK, has now decided that exports of FinFisher should in fact be licensed, on the basis that the product contains cryptography.

However, the British government has thus far refused to include other surveillance tools in the export-licensing regime, apparently buying into the industry’s claims that these products are all sold for legitimate purposes. Yet BIS controls exports of hundreds of ‘dual-use’ products (products that can be used illegally or dangerously as well as having a legitimate or civilian purpose) and the industry has thus far demonstrated a woeful inability to self-regulate. Unless surveillance exports are effectively controlled by law, the action the UK has taken on Gamma’s FinFisher will be just a sticking plaster on a bullet wound. Though the European Parliament passed a resolution calling for stricter oversight of surveillance technology exports and President Obama announced an executive order to prevent such exports to Syria and Iran, there has not been any clear, decisive action as of yet. And, for dissidents and ordinary citizens alike, the space for speaking out about human rights violations and ensuring this information gets out to the wider world is narrowing all the time.

©Eric King
41(4): 81/86
DOI: 10.1177/0306422012465540

This article appears in Digital Frontiers, the winter 2012 edition of Index on Censorship magazine.