In the past month—thanks to reporting from the Wall Street Journal and Bloomberg, as well as WikiLeaks and its media partners—a little sunlight has finally exposed a large but shadowy industry: Western technology companies selling mass spying software to governments. The amazing and dangerous capabilities of these tools are described in hundreds of marketing documents that were recently leaked to the media organizations.
The Wall Street Journal laid out many of the tools in detail, explaining how they can be used to spy on millions of the world’s citizens, most of whom are completely innocent. It’s also easy to see how tools can be used to track and repress those working for human rights and fundamental freedoms:
“The techniques described in the trove of 200-plus marketing documents, spanning 36 companies, include hacking tools that enable governments to break into people's computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country.”
Much of what this software does would be considered malicious “black-hat hacking” if used by a private citizen. In fact, as the Wall Street Journal reported, many of these companies market their products as the kinds “often used in ‘malware,’ the software used by criminals trying to steal people's financial or personal details.”
One program manufactured by the company FinFisher, reportedly falsifies updates to popular software like iTunes, and when the user downloads it, the perpetrator can monitor the user’s every move—even see into their webcam, according to this promotional video. Another company, Packet Forensics, brags about its “man in the middle attack” capabilities, in which it can get in between two parties communicating and read the contents of any message, even when encrypted.
WikiLeaks and OWNI put together an excellent interactive map that details, country-by-country, which companies are operating where and what forms of communication are potentially being monitored. The list is long and worrisome.
The promoters of this ugly market have so far had a callous attitude. Jerry Lucas, president of TeleStrategies—the company behind International Support Systems (ISS)—recently remarked it’s “not my job to determine who's a bad country and who's a good country. That's not our business, we're not politicians … we're a for-profit company. Our business is bringing governments together who want to buy this technology."
But the recent reports and press coverage seem to be having an effect. Tatiana Lucas, world policy director for ISS, made a lame attempt to tie the sale of repressive technologies to jobs, as if facilitating human rights and privacy abuses should be thought of as an economic recovery tool. She even bemoaned the fact that her clients are missing out on U.S. taxpayer money because of the lack of an “intercept mandate” on service providers (i.e. CALEA expansion, a very bad idea). Yet even so, she the admitted, “Attention of this kind makes U.S. manufacturers gun shy about developing, and eventually exporting, anything that can remotely be used to support government surveillance.”
With the names of these companies, and their troubling marketing pitches known, it’s time for the next step: Who are their customers? Bloomberg gave us a great head start with this infographic highlighting Syria, Iran, Bahrain and Tunisia, but given the long list of companies and technologies vying for business at ISS, there are likely many more.
In our “know your customer” post, we proposed standards these companies should voluntarily comply with to make sure their technology does not fall into the wrong hands. But those same questions can be asked by lawmakers, regulators, and the press right now, starting with: What governments or government agents are buying or licensing these technologies?
Remember, “Government” here includes formal, recognized governments, governing or government-like entities, such as the Chinese Communist Party or the Taliban that effectively exercise governing powers over a country or a portion of a country. It also importantly includes indirect sales through a broker, contractor, or other intermediary or multiple intermediaries if the Company is aware or should know that the final recipient of the Technology is a Government, something the Commerce Department already gives guidance on in their “know your customer” standards.
Then once the purchasers are identified, we need to determine whether their technology is being sold to directly or indirectly facilitate human rights violations.
Questions should include:
- Has any portion of a transaction that the company is involved in, or the specific technology provided, included building, customizing, configuring or integrating into a system that is known or is reasonably foreseen to be used for human rights violations, whether done by the Company or by others?
- Has the portion of the government that is engaging in the transaction or overseeing the technologies has been recognized as committing gross human rights abuses using or relying on similar technologies, either directly or indirectly.
- Has the government's overall record on human rights generally raised credible concerns that the technology or transaction will be used to facilitate human rights abuse?
- Has the government refused to incorporate contractual terms confirming the intended use or uses of the technologies by the government and to require the auditing of their use by the government purchasers in sales of surveillance technologies?
If the answer to one or more of these questions is yes, then the pressure should be on for the company to withdraw. The time is now. Even those who have previously studied the problem have been surprised at how fast the market for mass surveillance has grown. As former deputy technology officer under the Obama Administration Andrew McLaughlin explained, “The Arab Spring countries all had more sophisticated surveillance capabilities than I would have guessed.” Mass surveillance is a freedom of speech issue, McLaughlin emphasized, and “[i]t’s exceedingly easy for governments to conduct online and mobile surveillance” for stifling dissent.
We have the names of the companies and we know what they do. Now we need to know exactly who their customers are and turn up the heat.