Summer of Surveillance Revelations Highlights Spread of Spy Tech to Repressive Regimes

As the fallout from Edward Snowden’s revelations continue to dominate the news, another surveillance scandal has begun making headlines: powerful, Western spy technology reaching the hands of human rights-abusing, repressive regimes. The flow of these technologies is by no means novel, and the Open Technology Institute has already done some work examining and subsequently suggesting changes to Western export control regimes to address the problem. While some progress toward updating these controls for the digital age has been made, a string of news items and reports from the last few weeks suggest the need for a renewed sense of urgency and are a stark reminder there is more work yet to be done to stem the proliferation of surveillance technologies.

In late July, independent researcher Collin Anderson established that training conferences in surveillance technology hosted by TeleStrategies, Inc. (a Virginia-based company) included a number a number of people from countries engaging in human rights abuses. Citing documents previously released by Privacy International, Anderson posits that TeleStrategies’  action violates U.S. sanctions law. Some have accused these opaque conferences of training repressive regimes how to operate technology to monitor dissidents. Anderson’s analysis, while focused on sanctions violations, underscores the fact that the export of the knowledge necessary to operate sometimes complex surveillance technologies should be more closely regulated in line with the export of the actual equipment and software.

On August 15, the Citizen Lab released a report examining the widespread use of commercial network injection tools used to infect hardware and allow remote surveillance or control. The report’s findings suggest that both companies and governments alike in the United States need to do more to control the flow of these goods. The most striking piece of evidence is that a prototype system sold to the governments of Oman and Turkmenistan was designed by CloudShield Technologies, a private U.S. company that contracts U.S. Department of Defense. The technology, which is eerily similar to the QUANTUMINSERT tool developed and used by the NSA to infect computers and networks around the world, enables, as Morgan Marquis-Boire, the report’s author, puts it, “hacking on easy mode.”

Just days later, on August 22, the Digital Rights Foundation published an article confirming that Pakistan is a FinFisher customer based on leaked FinFisher documents. FinFisher is a software developed by a subsidiary of UK based Gamma International that covertly exploits security vulnerabilities to provide the product’s operator with remote access to other devices. The leak, which was part of a large document dump containing the “entire FinFisher support portal including correspondence between customers and the company staff… [and] all the software the company sells as well as the accompanying documentation and release material,” shows that someone in Pakistan has held the license to three software packages from FinFisher for three years. The Digital Rights Foundation notes that as “FinFisher only sells these software to government agencies, it was most likely one of the many intelligence agencies operating within the Pakistani government.” FinFisher’s presence in Pakistan means that the government can spy, in real time, on users of an infected computer, which most often means progressive opponents of the regime.

Most recently, the Washington Post shed light on a disturbing tool on the market that allows the user to access the mobile phone networks and track the location of any mobile customer.  The Post article notes that mobile networks must keep real-time location data on their customers in order to “deliver calls and other services to them.” Because of this, technology companies like Verint, a New York-based systems analysis software and hardware provider, are developing tools that allow the user to tap into the insecure networks that provide carriers with this information. Once a user has access to the network, they are able to query the entire network and determine the location of a mobile phone, in some cases down to the city block.

In a marketing brochure, Verint highlights its version of the tool, SkyLock, for its ability to locate, track, and ultimately manipulate targets. While this may, to use the words of Verint itself, provide an “actionable intelligence solution,” it also carries human rights implications. Verint has clientele in over 180 countries, and if screenshots from SkyLock’s marketing brochure are an indication, this list includes countries with questionable human rights records like the Democratic Republic of Congo, the United Arab Emirates, and Zimbabwe.

Export controls are one vehicle through which governments can stem the flow of sensitive technologies that pose security and human rights concerns. In an event at New America this March, Dutch Member of European Parliament Marietje Schaake noted that, in the aftermath of the Arab spring, “Western technology could immediately be traced back to individuals who had been dragged from their homes and put into prison.” In March, OTI, along with Privacy International and Digitale Gesellschaft, released a report detailing the export control regimes of the Germany, the United Kingdom, and the United States and explaining recent changes that have been made to cover surveillance technology. We subsequently worked with U.S.-based organizations and researchers on recommendations for how to amend the U.S. regime to align with the Wassenaar Arrangement's new language on intrusion software and network surveillance tools.

In the wrong hands, surveillance technologies like those exported by Verint, Gamma, and Hacking Team pose a clear threat to human rights. Allowing these tools to flow unchecked makes it easier for repressive regimes to monitor their citizens and consolidate power. The Open Technology Institute is committed to keeping the Internet open to all as a medium to freely express and communicate ideas. Often, this means helping marginalized or otherwise disadvantaged communities gain access to good technologies. OTI’s research on sanctions and the free flow of information, as well as our work in Red Hook, NY and the development of Commotion Wireless, are examples of valuable work doing just that. Export controls attack the problem from a different direction. Well thought out export controls are one avenue through which the United States and other democratic states can encourage universal respect for human rights, both on and offline.