Rules meant to prevent the export of EU surveillance technology to repressive regimes aren’t working, an investigation by our international consortium Security for Sale has found. The European Union toughened its regulations in 2014 after a series of incidents in which German, French, Italian, and British malware Malware is malicious software used to disrupt or invade computer systems or to obtain sensitive information. and spying tools were used against activists, journalists, and government opponents abroad.
What’s the problem?
More than 300 export licenses for surveillance technology were granted in the EU between 2014 and 2016. And 30% were for goods destined for countries the watchdog organization Freedom House has deemed "not free."
With help from volunteers, we made an overview showing where all Europe’s spy tech vendors do business. We counted 235 such companies with headquarters in Europe (an EU member state, Norway, or Switzerland). Many are active in repressive countries:
- 42 in the United Arab Emirates
- 40 in China
- 15 in Turkey
- 15 in Saudi Arabia
The European surveillance industry is still peddling its wares around the world.
Why aren’t the rules working?
EU-wide export restrictions have been in place for internet and cellular surveillance tools and intrusion software since December 31, 2014. This type of equipment is known as "dual use" technology, as it can be used for both military and civilian purposes.
To sell these goods in nations outside the EU, a company must obtain a license from the relevant national authority. In the Netherlands, that’s the Ministry of Foreign Affairs.
Officially, EU countries must weigh "all relevant considerations" in deciding whether to allow a company to export a product – one such consideration being the danger that the product could be used for repression in the destination country.
But though in principle the rules are the same for every member state, in practice every country interprets them differently. For instance, Denmark and the UK have all permitted exports of surveillance technology to the United Arab Emirates (UAE) The UAE forbids the dissemination of information that could harm ‘the national unity’ or the ‘reputation’ of the state. According to Amnesty International, the regime regularly arrests dissidents, and torture is widespread. The government has used Italian software to spy on the well-known human rights activist Ahmed Mansoor. , but the Netherlands has refused to, citing human rights concerns.
Finland has stated that it follows "the Dutch line" on human rights, yet the country has approved exports to the UAE and the export of cellular spying technology to autocratic countries like Kuwait, Oman, and Morocco.
Problem: the rules are open to interpretation
It’s possible that the rules are interpreted differently because they’re too vague. The Netherlands, Austria and Spain read the law as saying authorities are required to refused a permit if there’s "a clear risk" that a product could be used to oppress citizens. That’s the rule for munitions and conventional weapons, like tanks.
And countries like Denmark and Germany see no obligation under the law. The Danish Minister of Foreign Affairs has said it believes a country is only required to consider potential human rights threats, and only when the end user is "military or similar." Denmark’s position is that it’s permitted to allow exports for economic reasons even where there’s a "clear risk" that a product could facilitate oppression.
Sound like legal nitpicking? It isn’t.
Sound like legal nitpicking? It isn’t, says Collin Anderson, a US security expert who’s studied the rules governing the surveillance technology trade. "It’s not fair that a company in the Netherlands, where the authorities are serious about human rights, is competing with, for instance, a company in Italy, where the authorities are known for ignoring even the most basic risks of human rights violations," he says. "That betrays the entire purpose of the European Union."
Quentin Michel, a professor at the University of Liège and an expert in export control regulations, says the human rights criterion is just one of numerous aspects of the EU rule that are interpreted differently by every member state. "So far, any attempt by the Commission to make sure there’s a common understanding of the criteria has failed," he says. "Therefore, we don’t have a level playing field across the EU."
It makes sense to go "license shopping"
In theory, this means that, for example, a company could apply for an export permit in a country where it has a greater chance of success than at home. The practice is known as license shopping.
"Because individual countries still have many discretionary powers, they decide for themselves how to interpret the European law with regard to dual-use export, even though they decided on the EU-wide rules together," says Marietje Schaake of the Alliance of Liberals and Democrats for Europe. A longtime fighter for stricter control of the digital arms trade, she’s the one who put the issue on the European political agenda. "I see that as a weakness, as it’s rewarding for companies to then shop around for licenses until one country says yes," she says.
It’s unclear whether license shopping is actually going on. According to Schaake, there’s no way to know, because communication between member states is inadequate.
How would a new law change things?
The European Commission has vowed to beef up controls on digital arms exports since the Arab uprisings After the Arab uprisings around 2011, it emerged that European and US surveillance software had been used to track, spy on, and persecute activists in the Middle East. For example, the French company Amesys sold intelligent monitoring software to the Libyan secret services. It was used to surveil citizens during anti-Qaddafi protests, facilitating arrests and assaults. around 2011, but it’s struggled to make legally binding agreements with member states. Proposed legislation on dual-use goods is currently before the European Parliament.
The new law would rest on four principles:
- Consistency. All European countries must handle license applications in the same way.
- Efficiency. License applications must not stand in the way of legitimate trade.
- Effectiveness. European countries must treat human rights as a criterion, not merely an option, in evaluations of export applications, to prevent technology being used to oppress citizens.
- Transparency. A reporting system must be put in place to make it easier for countries to share information.
The European Commission has also expanded the list of surveillance technologies that would be subject to the proposed law. And if a member state or business fails to abide by the rules, it would incur a fine.
According to Marietje Schaake, Europe has focused solely on commercial considerations for too long. "Companies complain that they will have to file too much paperwork with the new regulation and that terms like ‘human rights’ are too multi-interpretable," she says. "But to me, that’s not an argument to disregard an overhaul of the current regulation altogether."
"What is happening now is a true disaster. People are put in jail every day because of these repressive technologies made in Europe. We regulate coffee so it doesn’t contain poison, and we regulate toys so kids don’t swallow small parts. But we fail to apply proper control mechanisms to dual-use items."
Not everyone likes the plan
Lobbying organization DigitalEurope, You can read DigitalEurope’s position paper here. which represents the interests of more or less every big European IT and telecom concern, says Europe shouldn’t have to solve the problem on its own: all countries should be involved. In a position paper, DigitalEurope argues that it’s useless making rules for Europe if the rest of the world can do what it likes. The group also opposes transparent reporting, saying it would clash with business interests and confidentiality.
Digital Europe isn’t the only lobby group critical of the proposed law. The AeroSpace and Defence Industries Association of Europe, Read the ASD’s paper here. which represents major companies in those sectors, argues that national licensing processes already pay enough attention to human rights. The pressure group EuroCommerce, EuroCommerce’s paper can be found here. which represents six million retail and wholesale businesses, fears that applying for an export permit is becoming too complicated and time-consuming.
And BDI, And here’s BDI’s paper. "the voice of German industry," complains that the term ‘human rights violations’ is too vague and that companies shouldn’t be burdened with assessing the safety of a particular nation. Curtailing civil liberties may be justified in one country and not in another, BDI argues.
In states including Sweden, the UK and Germany, where dual-use exports are big business, the lobbyists’ claims are finding support in government. But Marietje Schaake says the outcry from industry is nothing new. "Companies just don’t like rules,” she says. "It’s a standard reaction."
Do the lobbyists have a point?
To a certain extent, they do. "They mostly complain about the rules being vague," Schaake says. "It’s up to Europe to say, in a very precise manner: These products are at risk, these are not; you have to check this, and only if you follow these rules can you expect a stamp. And it goes without saying that we must create smooth processes. I don’t want companies to fill out a hundred forms if they can fill out one."
Not everyone opposes the proposed law, though. In 2014, organizations including Amnesty International formed the Coalition Against Unlawful Surveillance Exports CAUSE is led by Amnesty International, Human Rights Watch, the International Federation for Human Rights, Privacy International, and Reporters Without Borders. (CAUSE) to hold governments and businesses accountable for misuse of surveillance technology. In CAUSE’s view, the new law can’t go too far.
The Netherlands, already one of the strictest interpreters of the European rules, is in favor too. In a position paper on the new proposal, the Dutch government argues that "security considerations always trump economic gains."
Schaake says, "Instead of companies saying, ‘If the Netherlands is so strict, we’ll just export through another country,’ I’d like every country to have the same high standards."
Meanwhile, Dutch surveillance companies continue exporting
But the situation in the Netherlands is far from perfect. Requested records indicate that the Dutch government has issued just one export license for surveillance products since 2014. Yet Dutch interception companies like Group 2000 and Digivox are recording huge annual profits and supplying governments and telecom and internet providers all over the world.
Neither vendor was willing to talk to us, and the Ministry of Foreign Affairs declined to comment. So the pressing question lingers: How can these companies be selling their products and services worldwide if Dutch public records show no trace of those exports?
Under the current legislation, we’ll never find out. It’s up to Europe to make its laws tougher and to demand transparency.
Thank you to coauthors Lasse Skou Andersen and Sebastian Gjerding of Denmark’s Dagbladet Infomation. This piece is part of the investigative journalism project Security for Sale, reporting on Europe’s security industry in partnership with journalists from eleven European countries. Security for Sale is made possible by Journalismfund.eu
—Translated from Dutch by Laura Martz