The EU Will Restrict Surveillance Tech Exports: A Win for Human Rights?

Just last month, German authorities searched the offices of the Munich-based software development company FinFisher after accusations that it illegally sold spyware to Turkish authorities. This was only the latest of many probes into the export of cyber-surveillance technology to authoritarian regimes. The issue first came under the spotlight at the beginning of the 2010s, when a series of scandals disclosed the use of European software in the repression of the Arab Spring. Since then, it has not been uncommon to see oppressive regimes using technology produced in the EU to spy on their domestic opponents and human rights activists.

While governments scrambled to take action in response to the early scandals of the 2010s, the adopted measures had significant loopholes. This prompted intense negotiations at the EU level to review the legislation. After more than four years in the works, the review of the Dual-Use Regulation is finally done. This regulation creates new rules for all technology products that potentially have both civilian and military applications. But does the final text meet the expectations of human rights advocates?

Why exporting cyber-surveillance tech is an issue

In 2015, a massive data leak involving the Italian IT firm Hacking Team confirmed the company’s alleged sale of spyware to several authoritarian regimes over the previous years. Its customers included Kazakhstan, Uzbekistan and the United Arab Emirates, as well as Ethiopia and Morocco. At the time of the sales, the World Press Freedom Index reported severe breaches of the rule of law and press freedom in all the above-mentioned countries.

The main products sold by Hacking Team were so-called Remote-Control Systems (RCSs). RCSs are intrusion software that covertly infects electronic devices to collect stored data and incoming/outgoing communications. Unsurprisingly, subsequent investigations revealed that the Moroccan and UAE intelligence agencies used the software to spy on human rights activists during the governments’ crackdown on the Arab Spring protests in 2012. In the same year, the Ethiopian government employed the software to spy on a collective of dissenting journalists.

Hacking Team was not alone in carrying on this dirty business: the Surveillance Industry Index by the NGO Privacy International displays a long list of companies engaging in such unethical deals. Another notable case involves FinFisher, the same company that is currently under investigation. Its eponymous software was employed by a multitude of countries governed by repressive regimes, from Bahrain and Ethiopia to Vietnam and Turkmenistan.

Suspected FinFisher government users that were active at some point in 2015 (Copyright: Bill Marczak, John Scott-Railton, Adam Senft, Irene Poetranto, and Sarah McKune Citizenlab 2015 - https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/)

By 2014, before the Hacking Team scandal broke, world governments had already updated the Wassenaar Arrangement control list. The Wassenaar Arrangement is the international control regime governing the exports of dual-use goods and technologies. Items such as intrusion software and Internet Protocol (IP) network surveillance were added to the list.

The intrusion software by Hacking Team and FinFisher clearly fell under the arrangement’s scope, but many technologies were intentionally left out. Indeed, a recent investigation by Amnesty International revealed that European companies continued to export surveillance tools despite the disastrous human rights records of their customers; such technologies did not fall under the scope of the Arrangement’s updated control list. However, the companies also failed to carry out their due diligence obligations. In this context, due diligence is a principle whereby companies make sure that the products they are going to sell will not be misused by their customers.

In 2015, the French multinational Morpho (now Idemia) sold facial recognition equipment to the Shanghai Public Security Bureau in China. The corporation later introduced an internal policy forbidding the sale of surveillance equipment to Chinese authorities, but it should be evident by now that private companies cannot be left exclusively to self-regulate. The People’s Republic of China is implementing mass surveillance projects like Skynet and Sharp Eyes throughout the mainland without any regard for the privacy of its citizens, a fundamental human right as defined in Article 12 of the Universal Declaration of Human Rights.

In Xinjiang, the Chinese government is enforcing repressive policies against Uyghurs, the region’s main ethnic group. These policies include segregation, internment, forced sterilization, cultural erasure and mass surveillance. Yet this did not stop another European company, the Dutch Noldus Information Technology, from selling face reading technology to the Xinjiang Normal University for “scientific and research purposes” in 2018. At the time, the crimes of the Chinese regime were already public knowledge.

The indiscriminate export of such double-edged technologies clearly appears problematic. The end-use of cyber-surveillance is inextricably linked to the political context of the importing countries. Unscrupulous regimes secure their own survival by crushing dissidents and subjugating entire populations: their wrongdoings should not be facilitated by European cutting-edge technology.

The reform of the Dual-Use Regulation

On November 9th, the EU finally took important steps forward in this regard: the three main institutions, namely the Commission, the Council of the EU and the Parliament, concluded trilogue negotiations to revise the 2009 Dual-Use Regulation. Cyber-surveillance technology is now comparable to other dual-use goods, and as such must be subject to export controls when there are risks of misuse by the countries of destination.

The updated text features a number of important provisions. In particular:

  • Definition of cyber-surveillance technology. The definition is quite broad in scope and includes items such as monitoring centres and data retention systems as well as intrusion software. Overall, cyber-surveillance items that enable the covert monitoring, extraction, collection and analysis of the data of natural persons fall under the scope.
  • Autonomous EU export control list. The text paves the way for the creation of an autonomous EU list, independent from the one established under the Wassenaar Arrangement (WA). It will contain all the dual-use items in the single market subject to export control. This will allow public authorities to add new specific items to the list more swiftly.
  • Transparency. The Commission will be tasked with providing the Parliament and the Council with an annual report illustrating the enforcement progress of the regulation. Member States will be obliged to furnish relevant data to the Commission for that purpose. This will enable the public to name and shame those Member States which fail to properly enforce the regulation.
  • Catch-all clause. The catch-all clause enables authorities to add non-listed cyber-surveillance technologies to the control list where potential abuses linked to the violation of human rights by the final users are identified.

Where to next?

With the new dual-use regulation, the EU finally confronts a long-standing issue, a source of profound discomfort among those who hold European values dear. Nevertheless, ambiguous wording and missing references to certain technologies could make the text less impactful than needed. Firstly, biometric technology is never explicitly mentioned. Indeed, the text defines cyber-surveillance technology as exclusively “covert”. This particular wording may result in the exclusion of facial recognition systems, usually employed in public spaces, from the scope of the definition.

Secondly, it appears that the addition of new items to the control list will require a unanimous decision by the 27. Such a caveat should not come as a surprise: some Member States have repeatedly tried to water down the text’s most stringent articles. While the Commission and the Parliament made themselves bearers of bold proposals, the Council took a more conservative stance by taking the side of the surveillance industry.

All in all, the recast of the dual-use regulation represents a meaningful achievement for the prevention of human rights violations abroad. Despite the loopholes, European companies will surely have a hard time supplying oppressive regimes and agencies with the technology they need to spy on their own citizens. Now it is up to Member States to properly enforce export controls as contemplated by the traditional division of competences.

Bruno Formicola

Former policy trainee at the European Parliament. Master graduate in International Relations and European Union Studies at the University of Leiden, co-founder of My Country? Europe. Information junkie.