By Brad Powell
Devices from U.S. technology company Blue Coat Systems have again been identified by Citizen Lab in sanctioned countries, including Syria, Iran, and Sudan. As the report details, these devices allow repressive governments to “implement politically-motivated restrictions on access to information, and monitor and record private communications,” resulting in significant risks to human rights when used for adverse purposes.
These concerns aren’t new. In 2011, Blue Coat made headlines when reports surfaced about its products being used by the Syrian government to crack down on dissidents. The transactions sparked an investigation by the U.S. Dept. of Commerce and eventually led to a $2.8 million civil penalty and restrictions on Dubai-based distributor Computerlinks FZCO.
Blue Coat hasn’t been alone in its seeming inability to control the unauthorized transfer of its dual-use technologies. Across the board, companies who have been negligent or complicit in the repressive operations of foreign regimes have only offered weak excuses to justify their behavior, as we documented two years ago.
FinFisher, Nokia Siemens, Amesys, Netsweeper, McAffee, Cisco, Area SpA—all of these companies and others have been implicated in selling information technology products to sanctioned or rights-violating political regimes. Despite heightened enforcement efforts and penalties for sanctions evaders (e.g. Executive Order 13608 issued May 1, 2012), these companies continue to obtain licensing exceptions and exploit regulatory gaps; the distribution channels and sales networks for their products are difficult to restrain; and no one from industry has demonstrated a truly proactive involvement to address the human rights risks that their products present.
As Human Rights First noted in 2011, all companies are obligated to identify and address the human rights risks of their global operations under the UN Guiding Principles. Gaps in domestic law are no excuse. At a minimum, this would mean due diligence and prevention. But the Citizen Lab report suggests that Blue Coat is actively taking steps to skirt its obligations. For instance, “Blue Coat may have blocked traffic on Syrian ISPs from accessing its websites,” which may limit its ability to identify the location of its devices and therefore respond to risks.
To date, Blue Coat has yet to offer an official response to the Citizen Lab report, beyond COO David Murphy’s brief comments to media (Washington Post, SC Magazine). The lack of public engagement has been discouraging because it is indicative of a broader tendency among these companies to let their public relations challenges play out through trade courts and sanctions enforcement, rather than through interaction with the global human rights community and multi-stakeholder frameworks. Citizen Lab is still pressing Blue Coat to respond to questions posed in its previous January report, and its recent investigation strengthens the case for forthright engagement from industry.