“Know Your Customer” Standards for Sales of Surveillance Equipment
How Technology Companies Can Avoid Being "Repression’s Little Helper"
For years, there’s been ample evidence that authoritarian governments around the world are relying on the technology of U.S. and European companies to facilitate abuse of human rights, with a wealth of recent evidence in the Arab Spring and China.1 As we mentioned recently, it's time for tech companies, especially those selling surveillance equipment, to step up and ensure that they aren’t assisting foreign governments in committing human rights violations against their own people. One way tech companies can navigate this difficult issue is by adopting a robust Know Your Customer program, similar to the one in the current U.S. export controls or a program similar to that required by the Foreign Corrupt Practices Act.2
Below, we’ve outlined a proposal for companies to audit their current and potential customers for human rights abuses. We propose a simple framework:
- Companies selling surveillance technologies to governments need to affirmatively investigate and "know your customer" before and during a sale. We suggest something for human rights similar to what most of these companies are already required to do under the Foreign Corrupt Practices Act and the export regulations for other purposes, and
- Companies need to refrain from participating in transactions where their "know your customer" investigations reveal either objective evidence or credible concerns that the technologies provided by the company will be used to facilitate human rights violations.
We believe this framework would be most effective if companies implement it voluntarily, thereby ensuring the most flexible approach as technologies change and situations around the world shift. Nokia Siemens Networks has already adopted a Human Rights Policy that incorporates some of these guidelines. But if companies don’t act on their own, and don’t act soon and with convincing commitment, then some regulatory approach in the U.S. is likely going to be necessary. As we noted earlier this month, the EU Parliament recently took a step toward preventing sales of surveillance equipment to authoritarian regimes, and members of the U.S. Congress are watching closely as well.
Here are some basic guidelines to ensure that U.S. companies aren’t complicit in the abuse of human rights around the world, regardless of whether efforts are voluntary or through regulation.
"Know Your Customer" Human Rights Process
Affirmatively Investigate: The Company must have a process, led by a specifically-designated person, to engage in an ongoing evaluation of whether Technologies or Transaction will be, or are being used to aid, facilitate or cover up human rights abuses.3
This process needs to be more than lip service and needs to be verifiable (and verified) by outsiders. It needs to be an organizational commitment, with real mechanisms in place including tools, training and education of personnel and career consequences for personnel when the process is not followed. In addition, in order to build transparency and solidarity, a Company that decides to refuse (or continue) further service on the basis of these standards should, where possible, report that decision publicly so that other companies can have the benefit of their evaluation.
The process should include, at a minimum:
- Review of what the purchasing Government and Government agents and the Company personnel and agents are saying about the use of the Technologies, both before and during any Transaction. This includes, among other things, review of sales and marketing materials and discussions, technical discussions and questions, presentations, technical and contractual specifications and technical support conversations or requests. Some of the most troubling evidence in the Cisco case are the presentations made by Cisco employees that are plainly marketing the company as assisting the Chinese Government in combatting the “Falun Gong Evil Religion.”
- Review of the capabilities of the Technology for human rights abuses and consideration of possible mitigation measures, both technical and contractual.
- Review the Government’s laws, regulations and practices regarding surveillance, including interception of communications, access to stored communications, due process requirements, and other relevant legal process as part of the assessment of risk of how the Technologies may be used or misused. For instance, Nokia Siemens says that it will only provide core lawful intercept (i.e. surveillance) capabilities that are legally required and are "based on clear standards and a transparent foundation in law and practice."
- Review U.S. State Department annual human rights reports, relevant U.N. Reports, and other credible reports about the Government, including news or other reports from nongovernmental sources or local sources that indicate whether the Government engages in the use or misuse of surveillance capabilities to conduct human rights abuses.
Refraining from Participation: The Company must not participate in, or continue to participate in a Transaction or provide a Technology if it appears reasonably foreseeable that the Transaction or Technology will directly or indirectly facilitate human rights violations by the Government, including:
- The portion of the Transaction that the Company is involved in or the specific Technology provided includes building, customizing, configuring or integrating into a system that is known or is reasonably foreseen to be used for human rights violations, whether done by the Company or by others.
- The portion of the Government that is engaging in the Transaction or overseeing the Technologies has been recognized as committing gross human rights abuses using or relying on similar Technologies, either directly or indirectly.
- The Government's overall record on human rights generally raises credible concerns that the Technology or Transaction will be used to facilitate human rights abuses.
- The Government refuses to incorporate contractual terms confirming the intended use or uses of the Technologies by the Government and to require the auditing of their use by the Government purchasers in sales of surveillance Technologies.
Key Definitions and the Scope of the Process: Who should undertake these steps? The field is actually pretty small: Companies engaging in Transactions to sell or lease Technologies to Governments, defined as follows:
- “Transaction” includes all sales, leases, rental or other types of arrangements where a Company, in exchange for any form of payment or other consideration, either provides or assists in providing Technologies, personnel or non-technological support to a Government. This also includes providing of any ongoing support such as software or hardware upgrades, consulting or similar services.
- “Technologies” include all systems, technologies, consulting services, and software that are reasonably likely to be used to surveil third parties, including but not limited to technologies that intercept communications, packet-sniffing software, deep packet inspection technologies, certain biometrics devices and systems, voting systems, and smart meters.
- “Company” includes subsidiaries, joint ventures (especially joint ventures directly with government entities), and other corporate structures where the Company has significant holdings or has operational control.
- “Government” includes formal, recognized governments, including State parties to the United Nations. It also includes governing or government-like entities, such as the Chinese Communist Party or the Taliban and other nongovernmental entities that effectively exercise governing powers over a country or a portion of a country. For these purposes “Government” includes indirect sales through a broker, contractor, or other intermediary or multiple intermediaries if the Company is aware or should know that the final recipient of the Technology is a Government.
This framework isn’t the only reasonable option for addressing the problem, of course. Yet given the steps that these large companies who compete in these markets already have to take – under the export laws, the Foreign Corrupt Practices Act and otherwise – this is a relatively small addition. While some may argue that pushing U.S. tech companies to have a strong human rights filter will give a competitive advantage to companies that don’t institute one, the same is true about the anti-bribery laws. If these big companies can be expected not to get business through bribes even though some of their foreign competitors do, it’s reasonable to ask them not to get business enabling repression either.
Regardless of how tech companies get there, efforts to bring democracy and freedom around the world are hampered until they commit to making business decisions that consider human rights ramifications. No reasonable company, certainly none in Silicon Valley, wants to be known as the company that helps facilitate human rights abuses. It’s time tech companies take real steps to ensure that they aren’t serving as "repression’s little helpers."
- 1. For example, Narus, a Boeing subsidiary, was revealed to have sold to Libya sophisticated equipment used for surveillance. Telecomix recently published log files from the Syrian Telecommunications Establishment use of devices made by California’s BlueCoat Systems, Inc. And Cisco Systems is facing litigation in both Maryland and California based on its alleged sales of surveillance equipment to the Chinese to track, monitor and otherwise facilitate the arrest, detention, or disappearance of human rights activists and religious minorities who have been subjected to gross human rights violations.
- 2. In fact, unlike some of the other places where it is used, "know your customer" is a reasonable idea in the limited context of sales of sophisticated technologies that can be used to facilitate human rights abuses to countries at risk for repression.
- 3. Maybe it's time for companies that wish to sell this sophisticated equipment to foreign governments to have Human Rights Officers just as they now have Privacy Officers.