On August 10 and 11, 2016, Ahmed Mansoor got a series of texts on his iPhone. Their subject was a gripping one: new revelations on the torture of prisoners in his homeland, the United Arab Emirates. Mansoor is an internationally renowned human rights activist who was imprisoned in 2011 after calling for democratic reforms in the Gulf state.
Mansoor forwarded the messages to researchers at the University of Toronto’s Citizen Lab. They discovered that an Israeli company, the NSO Group, was attempting to install malware (malicious software used to disrupt or invade computer systems or to obtain sensitive information) on his phone. Hacking Mansoor’s device was evidently worth a lot to the UAE’s government: software like this is hugely expensive. Zerodium, a company that sources and sells security exploits, paid $1 million last year to a team of hackers who found a previously unknown weakness in the iPhone. From various leaked documents, we know that a license to distribute intrusion software can easily cost more than €100,000.
It wasn’t the first time Mansoor had been sent malware. Two European companies, Gamma Group International in Britain (Gamma International was also based in Germany) and HackingTeam in Italy, had previously tried to break into his computers and phone. Citizen Lab had uncovered those attempted hacks too.
Both companies initially denied wrongdoing – until they were hacked themselves, by an activist calling himself Phineas Fisher (thought to be a Spanish hacker who was arrested in early February). He unearthed internal correspondence showing that each had done business with a number of despotic states. (The leaked documents show that HackingTeam has done business in Azerbaijan, Bahrain, Brazil, Chile, Colombia, Ecuador, Egypt, Ethiopia, Honduras, Kazakhstan, Lebanon, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Russia, Saudi Arabia, Singapore, South Korea, Sudan, Thailand, Turkey, the UAE, Uganda, the US, Uzbekistan, and Vietnam. Gamma International has done business in Bahrain, Bangladesh, Egypt, Ethiopia, Germany, Mongolia, Pakistan, Qatar, Uganda, and Vietnam.) Both firms remain active today.
One in three exports is to “not free” countries
Incidents like this spurred the European Union to act to curb the export of surveillance products in 2014. Human rights activists were overjoyed.
But today, the celebrations have given way to disappointment. The new rules haven’t had the effect many had hoped for. Research by our international consortium Security for Sale shows that EU member states permitted exports of cybersurveillance technology at least 317 times in the last three years. They denied only 14 applications.
Almost one third (29.7% to be precise) of the licenses were for exports to countries the watchdog organization Freedom House has branded “not free.” (Freedom House is a respected independent US organization that advocates for political rights and civil liberties, supports human rights activism, and promotes democratic change. It publishes regular reports on topics including press and Internet freedom, including Freedom in the World, an annual assessment of civil liberties in various countries.) Despite the attempts to hack Mansoor, Denmark and the UK have both approved exports of mass Internet surveillance systems to the UAE during the past two years.
And Finland has issued several licenses to the Finnish subsidiary of the Canadian company EXFO allowing sales of cellphone spying technology to countries including the UAE. (The technology in question is a so-called IMSI catcher, an eavesdropping device that mimics a powerful cellular tower. Phones in the area will try to connect to the network through the device. If they do, their communication and location data will be intercepted. Powerful IMSI catchers can spy on large numbers of cellphones, for instance during demonstrations.)
The UAE isn’t the only country buying surveillance tools from Europe. Egypt – weighed down by General Abdul Fatah Al-Sisi’s repressive regime since 2013 and ranked “not free” by Freedom House – received spy tech exports from the UK. (Civil society has suffered severe repression under Al-Sisi’s regime. Protests are banned, and countless opposition leaders and critics have been arrested. People who receive foreign funding for acts deemed ‘harmful to national interests’ can face life sentences. Other crimes include ‘defaming religion’ and offending ‘public morals.’ Members of the LGBT community are suffering increased persecution.)
The British government also permitted the sale of surveillance technology in Vietnam, a communist one-party state ranked as “not free.”
Reporters Without Borders (a France-based international NGO that researches and promotes press freedom) has characterized the country as an “enemy of the Internet” and as the world’s third-largest prison for online dissidents and bloggers after China and Iran. Denmark, meanwhile, allowed a Danish business to demonstrate a system for monitoring Internet traffic in Vietnam.
Of the licenses uncovered in our investigation, 52% were for exports to countries Freedom House ranks as “partially free.” They include Turkey, where president Recep Tayyip Erdogan’s government has cracked down on political opposition following a failed coup last year.
Only 17% of permits were for exports to countries Freedom House deems “free.”
Compared to Finland and the UK, the Netherlands hasn’t exported much spy tech. The Dutch Ministry of Foreign Affairs, which grants the relevant permits, issued one for the sale of software to Montenegro – considered “partially free” by Freedom House. But it refused one for export to the UAE. In interviews, the Ministry told us it did so because of human rights concerns.
Why many more applications should be denied
“The data clearly illustrate that the current regulation is insufficient,” says Edin Omanovic, a research officer with the nonprofit group Privacy International. “The very low amount of applications being denied is concerning. Given that many of the countries that these products are being sold to have a problematic human rights record and no legal framework regulating the use of surveillance technologies, a lot more exports should have been refused.” (Privacy International is a London-based NGO that defends the right to privacy worldwide. Founded in 1990, it has been highly active on surveillance-related issues. In 2016, it launched the Surveillance Industry Index, a database containing information on companies that sell spying tools.)
US security researcher Collin Anderson, who wrote a report on regulating cybersurveillance for the NGO Access Now (an international foundation working on behalf of human rights, and specifically internet freedom) and has spoken about the subject before the European Parliament, draws a similar conclusion. “The few cases where a denial has been issued are success stories,” he says. “But the overall picture seems to be that the good intentions behind the rules have not been followed up in practice.”
Security for Sale’s investigation is the first extensive, systematic probe of the issue. The figures may actually be much higher. Of the 28 EU member states, 11 refused to furnish the information we requested. They include France and Italy, both home to some of the world’s biggest spy-tech businesses.
“There are numbers you’ll never find,” says Marietje Schaake of the Alliance of Liberals and Democrats for Europe in the European Parliament, who’s been at the forefront of efforts to monitor the digital weapons trade. “We’re talking about a very gray, untransparent, and dark industry.”
So how do the current rules work? In the EU, national authorities in the member states determine whether or not to grant export licenses for surveillance products, which are so-called dual-use goods, usable for both military and civilian purposes. According to EU regulations, issuers of permits must take into account “all relevant considerations” – including the possibility that a technology could be used to violate human rights.
The rule for dual-use technology was added to EU export policies in 2014. Citing “growing security concerns regarding the use of surveillance technology and cyber-tools that could be misused in violation of human rights or against the EU’s security,” the European Commission decided the export of spying tools outside the union would henceforth require government approval.
The European Commission was referring to a number of incidents in which authoritarian regimes cracked down on the opposition using European technology. In 2011, Bloomberg found out activists in Bahrain had been tortured while being interrogated about private messages the authorities had intercepted using equipment from the Finnish-German conglomerate Nokia Siemens Networks. And there are more cases like this. (In Morocco, journalists for the critical website Mamfakinch were hacked using intrusion software from the Italian company HackingTeam. In Libya, after the fall of Gaddafi, activists found out the French company Amesys had supplied the dictator with technology that allowed him to snoop on Internet traffic. And the French company Qosmos is being investigated over charges of providing Syria with spying tools.)
Human rights? Profits come first
Time to curb the export of surveillance technology, the EU decided in 2014. But the regulations proved to be weak. Conventional arms regulations dictate that a country must refuse an export license if there is a “clear risk” that a weapon could be used for internal repression in the destination country.
But dual-use technologies aren’t subject to this rule. With them, the authorities can choose to prioritize other interests, like boosting economic growth or maintaining a good relationship with the country in question.
That means EU nations can decide for themselves whether to treat human rights as a decisive factor. “The regulation is mostly focused on security risks and is not geared to sufficiently address the risks of human rights violations,” says professor Quentin Michel, an expert on export regulations at the University of Liège.
The European Commission acknowledges the presence of a “regulatory gap” and has put forward a proposal to strengthen the law. The proposal would not require member states to deny licenses for exports that could endanger human rights. But it would strengthen human-rights language in the rule and include more categories of spying equipment than the three that are currently regulated. Three types of cyber-surveillance technologies are currently regulated under the EU’s dual-use regulation: (1) internet surveillance, Internet Protocol (IP) network communications surveillance systems or equipment, and specially designed components therefor, (2) mobile surveillance, mobile telecommunications interception or jamming equipment, and monitoring equipment therefor and (3) intrusion software, specially designed or modified to avoid detection by “monitoring tools,” or to defeat “protective countermeasures,” of a computer or network-capable device, and performing any of the following: a) the extraction of data or information, from a computer or network-capable device, or the modification of system or user data or b) the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
Klaus Buchner, the European Parliament’s rapporteur on the proposal, says our investigation highlights the need for an update to the law. “The [denials of permission for 14] exports in your data set have in effect strengthened human rights and strengthened the EU as a trading partner,” he says. “The importance now is to harmonize this human rights-focused approach across Europe in order to overcome internal differences and patchy implementation.” (The process works as follows. The European Commission has submitted a proposal, which is undergoing discussion and review by the European Parliament. The parliament has chosen Klaus Buchner to report on the proposal. Supporting him are six shadow rapporteurs, drawn from Buchner’s fellow members of parliament: Christofer Fjellner of Sweden, Bernd Lange of Germany, Sander Loones of Belgium, Marietje Schaake and Anne-Marie Mineur of the Netherlands, and Tiziana Beghin of Italy. Meanwhile, the European Council is formulating its own position. The council is made up of the heads of the EU’s 28 member states, a chairperson, and the chair of the European Commission. Ultimately, the three bodies’ proposals will result in a single amendment to the law.)
But it’s not clear whether the proposed bill will be passed. The Danish government, in a memorandum, said “there is a general skepticism among member states” towards the new rule. That’s because it differs from existing international agreements, such as the Wassenaar Arrangement, a voluntary but politically binding pact between 41 states regulating the export of munitions, tanks, missiles, guns, and digital weapons. The current EU rules are partly based on that agreement. European export rules are also based on other unofficial international agreements besides the Wassenaar Arrangement: those of the Nuclear Suppliers Group (dealing with nuclear proliferation), the Missile Technology Control Regime (on the proliferation of drones and missiles) and the Australia Group (to do with biological warfare).
Member states also fear that the new emphasis on human rights would “create uncertainty about the interpretation and implementation and thus create large administrative burdens for both companies and authorities,” the memorandum said. The European Parliament will debate the proposal on February 28.
This piece is part of the investigative journalism project Security for Sale, reporting on Europe’s security industry in partnership with journalists from eleven European countries. Security for Sale is made possible by Journalismfund.eu
—Translated from Dutch by Laura Martz