Privacy News Online frequently writes about surveillance conducted by governments on their populations, or by companies on their users. Less well-known is the connection between governments that wish to spy and the companies that provide the means to do so. Within most Western nations, there are various ways to find out the names of suppliers to governments – for example, using local transparency requirements, or freedom of information laws. But there is a far murkier world involving suppliers of surveillance tools to countries that lack robust protection of human rights.
One country that is happy to export its digital surveillance tools to any regime is China. There are many major Chinese companies working in the area of domestic surveillance, notably of the Uyghur population in Xinjiang. Selling their products outside China not only brings profits for the companies involved, but also extends China’s economic and political influence in these countries.
The West is not much better. US companies sell digital surveillance tools around the world – even to China – and European countries have also been selling products to repressive regimes for years. In 2018, Privacy International produced a report entitled “Teach ‘em to Phish: State Sponsors of Surveillance”. It detailed the many billions of dollars spent by both the US and EU in transferring surveillance capabilities to foreign nations in order to achieve foreign policy goals. One knock-on consequence of what the report calls “securitisation” is that a huge global industry has grown up to meet the demand for sophisticated digital surveillance tools:
Such securitisation is hugely appealing for industry, allowing security companies and contractors to benefit from increased sales of security equipment, training contracts, and increased public financial support for the research and development of their products. Contractors are deeply involved in the delivery of surveillance training programmes around the world
Privacy International outlines what the US, Europe and China have been doing in this area. Another report, published by Amnesty International in September 2020, concentrated on the EU. “Out of Control: Failing EU Laws for Digital Surveillance Export”, noted that “The current European Union export regulation framework fails to protect human rights.” The document provides a good introduction to the region’s digital surveillance exports, and how these tools are already being abused, notably by the Chinese authorities in Xinjiang.
As scrutiny of this trade has increased, and as digital surveillance tools have become more powerful and thus potentially more harmful to human rights, so there have been growing calls for greater safeguards when they are sold abroad. The EU has been discussing new regulations imposing stronger conditions on so-called “dual-use” items – products and services that can be put to both peaceful and military or repressive uses – for some years. It published a major report on dual-use exports back in 2011. At the end of 2020, the complex process of proposals, discussions, and negotiations among the EU main legislative bodies was complete, resulting in the new EU dual-use regulation. As the MIT Technology Review explains, the main thrust of the new law is transparency:
The regulation requires companies to get a government license to sell technology with military applications; calls for more due diligence on such sales to assess the possible human rights risks; and requires governments to publicly share details of the licenses they grant. These sales are typically cloaked in secrecy, meaning that multibillion-dollar technology is bought and sold with little public scrutiny.
EU governments are now obliged to provide details of the destinations, products, value and licensing decisions for dual-use surveillance technologies, or state publicly that they will not disclose this information. The idea here is to publicly shame governments that try to hide sales to repressive regimes and dictatorships. A group of human rights organizations has welcomed what it calls the “positive elements” of the new law, which include the following:
The final agreement stipulates that [EU] Member States should “consider the risk of use in connection with internal repression or the commission of serious violations of international human rights and international humanitarian law” — a standard that has previously applied to military technology or equipment. However, the agreement does not provide criteria to determine what counts as a “serious” human rights violation. International human rights law obligates states to protect human rights. So in cases where it is clear that the exported goods will be used for human rights violations or abuses, Member States don’t have discretion but are obliged to deny the export.
But overall, the human rights organizations call the legislation a “missed opportunity”, because it fails to provide explicit and strong conditions on EU Member State authorities and exporters. As for recommendations, they want the vague term “cyber-surveillance” used in the regulation to be interpreted broadly, and to include technologies such as mobile phone interception and jamming equipment; intrusion software; forensic tools for data extraction; drones; and even laser microphones.
It’s good news that the home territory of some of the main players in the dual-use digital surveillance sector has brought in a new law to regulate it. However, it’s important to note that it has taken many years to come up with what is a relatively weak text. Perhaps more problematically, it still leaves many companies in other parts of the world – notably in the US and China – that are unconstrained by EU rules. While the US might bring in new laws to ensure that digital surveillance exports pay closer attention to the possible abuse of human rights, there is little chance of that happening with China.
Featured image by European Union.