The transfer of commercial censorship and surveillance technology produced and exported by American and European companies to repressive countries with a history of human rights abuses is a growing problem. As we explain in a recent report, one proposal for governments to curb the export of these technologies is to update export controls, which could make selling such technology to specific end users with dubious human rights records illegal. At the end of last year, a coalition of 41 governments decided to do exactly that, and now the U.S. government is weighing its options on how to integrate a few specific technologies into its complex export control regime. This week, along with a group of human rights organizations and technology experts, the Open Technology Institute submitted recommendations for how we believe the United States can do this in a targeted manner that protects human rights online and minimizes collateral damage that could be caused by overly broad controls.
Background: What Prompted These Changes?
In December 2013, 41 countries agreed to update their export controls to cover certain types of surveillance technology. At the conclusion of their annual plenary meeting, the members of the Wassenaar Arrangement—a multilateral forum that governs conventional arms, as well as dual use goods and technology, and includes the U.S., the U.K., France, and Germany—announced that they were adopting new controls relating to “intrusion software” and “IP network surveillance systems.” Intrusion software can be used surreptitiously to intercept passwords, screenshots, microphone recordings, camera snapshots, and Skype chats, and to remotely execute commands. “IP network surveillance systems” monitor general network traffic and can identify and collect information flowing through a network. These are two narrowly defined, specific types of technology that can be abused for nefarious purposes.
Next Steps After Wassenaar
Now that the Wassenaar member states have agreed upon language, the burden is on each individual government to incorporate the new controls into its national export control regime. The definitions of “intrusion software” and “IP network surveillance systems” themselves cannot be changed, but each country has the flexibility to decide how the new controls will be integrated nationally. The governments have to answer related questions about licensing policy, such as which users and countries should generally be denied access to the equipment and whether there should be exemptions for certain technology that would otherwise require a license to export.
The United States plays a unique role in this process, because it is traditionally among the first countries to integrate the annual Wassenaar changes into its export control regime. As a result, the way the U.S. implement the controls serves as a blueprint for other countries. We therefore see this as an opportunity for the United States to demonstrate international leadership on these issues and provide a roadmap to other countries for how to adopt the new controls with a clear focus on protecting human rights. Incorporating the proposed changes into the existing regime properly can reduce threats created by the uncontrolled trade of global surveillance while ensuring that general purpose computing and research are not affected. A targeted approach will also help avoid unintended chilling effects that could be created as a result of the new controls if they are interpreted in an overly broad manner.
An interagency group with representatives from the relevant agencies in the U.S. government is currently considering options for how to add these new controls. A final rule is expected sometime this summer. Our recommendations were written to inform that process, with the understanding that the Wassenaar countries have already decided to regulate this technology—so the question we are attempting to answer now is what the implementation of those regulations will look like.
Implementation Recommendations from U.S. Civil Society
Our recommendations attempt to take a diverse array of concerns and interests into consideration about the best path forward. The document was developed jointly and submitted by a group of human rights and technology organizations in the U.S.: Access, Internews, Reporters Without Borders, New America's Open Technology Institute, and independent researcher Collin Anderson (and with input from a number of other experts). They build on the analysis of existing export control regulations and the provisions relating to technology and surveillance outlined in a joint report released by OTI, Privacy International, and Digitale Gesellschaft, “Uncontrolled Global Surveillance: Updating Export Controls to the Digital Age.” Our efforts to influence the process in the U.S. also fit into a larger advocacy strategy around these issues through the newly launched global Coalition Against Unlawful Surveillance Exports (CAUSE), of which OTI is a founding member.
A summary of the recommendations is below. Read the full document here (pdf).
Summary of Recommendations for the Implementation of the 2013 Wassenaar Arrangement Changes Regarding “Intrusion Software” and “IP Network Communications Surveillance Systems”
The uncontrolled export of surveillance technologies to countries with dubious human rights records poses a growing, significant threat to human rights and the free flow of information online. These tools—commonly marketed directly to governments and designed to build surveillance and privacy-invasion capabilities into a country’s communications infrastructure—pose serious threats to not only high-profile civil society and democratic efforts, but also the daily lives of individual citizens. With the recent export control amendments agreed upon at the multilateral Wassenaar Arrangement’s December 2013 Plenary Meeting, this is a critical time for the United States to update export controls regulations to align with its well-defined human rights foreign policy objectives and to demonstrate international leadership on these issues. Integrating the proposed changes into the existing regime properly can reduce threats created by the uncontrolled trade of global surveillance while ensuring that general purpose computing and research are not affected. A targeted approach will also help avoid unintended chilling effects that could be created as a result of the new controls.
Given a diverse array of concerns and interests, we offer the following recommendations: Controls for surveillance technology must be implemented independent of encryption controls. Relying on encryption controls is the wrong way to regulate this technology, because it would confuse two analytically distinct issues and would not cover all of the relevant surveillance technology. The United States should carefully consider language and appropriate exemptions that capture the technology in question while minimizing risk to research and general purpose computing. Controls should include a case-by-case consideration for all destinations with a provisional presumption of denial. Foreign availability provisions should not apply to surveillance controls. Because of the significant human rights impact and foreign policy implications of these technologies, the fact that a product is available from foreign companies is not a sufficient argument against a U.S. control. The technologies require either a new classification or the application of strong existing controls. We offer a preferred and alternate option for how to achieve this:
- Preferred option: Expand the definition and current application of existing Surreptious Listening controls, or create a replacement control (e.g. “Surveillance Technology” control) that covers the broad range of the communication intercepting devices, from mobile interception equipment to intrusion software.
- Alternate option: Implement controls through the Crime Control list, which contains a relevant control that parallels the need for both strict regulatory oversight and consideration of human rights implications.
Once implemented, the effectiveness of the control relies on more active U.S. government involvement before and after export to mitigate non-compliance. Effective controls on intrusion software and network surveillance equipment will require clear “know your customer” policies and aftermarket verification.
Export control processes related to surveillance technology should promote transparency and participation from civil society and industry. It is especially critical that industry and civil society are included in the process to ensure that federal agencies’ efforts match the fast pace of technological development.