On Wednesday, EFF will give recommendations to the European Parliament for how to combat one of the most troubling problems facing democracy activists around the world: the fact that European and American companies are providing key surveillance technology to authoritarian governments that is then being used to aid repression.
Recent reports by the Wall Street Journal and Bloomberg News have exposed the shadowy but growing industry that sells electronic spy gear to governments known for violating human rights. The technology’s reach is very broad: governments can listen in on cell phone calls, use voice recognition to scan mobile networks, read emails and text messages, censor web pages, track one’s every movement using GPS, and can even change email contents while en route to a recipient. Some tools are installed using the same type of malicious malware and spyware used by online criminals to steal credit card and banking information. They can secretly turn on webcams built into personal laptops and microphones in unused cell phones. And all of this information is filtered and organized on such a massive scale that it can be used to spy on every person in an entire country.
Ordinary citizens, journalists, human rights campaigners and democracy advocates have all been targeted, eviscerating privacy rights and chilling free speech. Ample evidence suggests information acquired through this spy gear appears has played a role in the harassment, threats, and even torture of journalists, human rights campaigners, and democracy activists. Yet dozens of companies from the U.S. and E.U continue to sell this technology, including to authoritarian regimes. The market for surveillance equipment has grown to a staggering $5 billion a year.
Dutch member of the EU Parliament Marietje Schaake has been trying to spearhead an effort to curb sales of this type of technology to repressive regimes. In September, the EU parliament passed a resolution proposed by Ms. Schaake which called on European countries to regulate sales of this dangerous surveillance tools if they can be used in human rights violations. She has also asked the European Commission to investigate sales by these companies to the governments of Bahrain, Yemen, Syria, Tunisia and Egypt. On Wednesday, EFF will be testifying at a workshop for Committee of International Trade and Committee on Foreign Affairs, co-chaired by Ms. Schaake. Here is part of what we will say:
First, transparency is key. The mass surveillance industry as a whole has been notoriously secretive and that has, in turn, allowed it to proliferate without meaningful safeguards. But we know that just having this information in the public eye can, by itself, force change. Companies have pulled out of countries and created official human rights policies thanks to news reports. The world program director of I.S.S. Tatiana Lucas even complained that shining a spotlight on these practices “makes U.S. manufacturers gun shy about developing, and eventually exporting, anything that can remotely be used to support government surveillance.” We want to turn up the heat on these companies even more to be accountable for selling to authoritarian regimes.
We encourage the EU commission to act on Ms. Schaake’s request for an investigation into these companies and have them answer questions on the record. The EU Parliament should also consider disclosure requirements, requiring companies to publicize which governments they are selling to (either a full list or a limited list of based on troubling regimes or portions of regimes) and descriptions of the capabilities of their technologies, so an investigative body could follow the money trail to find out exactly whose equipment ends up where and how it is being used.
“Know Your Customer”
But beyond transparency, there is also the question of limiting sales to certain governments or parts of governments. Many have called for such direct legislation of surveillance tools but EFF has not joined that chorus, in part because we recognize how difficult it will be to create rules that both reach the problem and do not create collateral harms.
First and foremost, we want to make sure we do not leave activists with fewer tools than they already have. Parliament must be mindful of legislation just based on types of technology because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm very people that the regulations are trying to protect. As EFF has highlighted before, legal terms used to define harmful technology can often encompass basic technology like web browsers and email servers. We can see this problem in the U.S., where overbroad regulations keep Syrian activists from accessing Google Chrome and Earth, Java, and or hosting services like Rackspace or SuperGreenHosting. It can also harm network security efforts.
So instead of focusing on the technology being sold, we recommend that any formal or informal effort to address the problem of misuse of surveillance technologies look at the government customers as the ultimate chokepoint. To that end, EFF has proposed a “know your customer” framework, based on already existing legal frameworks in the U.S. that can be implemented without significant overhead cost to government or businesses.
Simply put, companies selling surveillance technologies to governments or government providers need to affirmatively investigate and "know their customer" before and during a sale. EFF has already detailed extensive framework for such regulations including questions, definitions, and procedures for how to accomplish it.
It would require companies to comprehensively review everything about a sale of surveillance technology from the negotiations, discussions, background of the buyer, contractual specifications, technical support requests, to State Department and U.N human rights reports and the capability for abuse. Companies would refrain from participating in transactions where their investigations reveal either objective evidence or credible concerns that the technologies provided by the company will be used to facilitate human rights violations. You can read EFF’s full, detailed “know your customer” framework here.
This approach does three things: First, it avoids the many problems with pre-defining technologies, and instead focuses on the uses of the technologies to facilitate human rights abuses. Second it encompasses both government-like entities and sales to third-parties when the technology is likely to pass to repressive governments. This problem has been a frequent excuse from companies engaged in this business and their apologists. Yet in the context of tracking bribes in the Foreign Corrupt Practices Act and other export regulations, the U.S. government, like other governments around the world, have developed tools to help discover these sorts of transactions. Third, because it is based on current regulations that many of the companies involved in selling surveillance equipment to government end users already have to comply with, this approach should not add a heavy regulatory burden.
We hope the EU moves quickly on this problem, as recent reports show it is only getting worse. We also hope the U.S. Congress is listening because with U.S companies sell the same equipment, they are not only undermining own foreign policy in these countries, but destroying the human rights the State Department claims it supports around the world.
When asked by the Guardian if he would be comfortable knowing that regimes in North Korea and Zimbabwe were purchasing this technology from the companies he does business with, Jerry Lucas, president of Telestrategies Inc., said, “That’s just not my job to determine who’s a bad country and who’s a good country. That’s not our business.”
By instituting EFF’s "know our customer" standards, we can make it their business.