Excuses, Excuses: Surveillance Technology and Oppressive Regimes
By Meg Roggensack and Betsy Walters
“This is a commerce of death for the companies that place this technology in the hands of dictatorships.” – Saeid Pourheydar, Iranian opposition journalist tortured at Evin Prison
Saeid Pourheydar was held by Iranian officers for weeks in 2010, brutally beaten over and over again, and interrogated by intelligence officers wielding transcripts of his mobile phone calls, e-mails and text messages. The officers had that information at the ready because of monitoring technologies sold directly to the state security agencies, or to Iranian companies with known ties to the regime, by Stockholm-based Ericsson AB, U.K.-based Creativity Software Ltd., and Dublin-based Adaptive Mobile Security Ltd.
In Syria, a brutal crackdown on citizen protests has killed more than 3,000 since March, and yet technicians for the Italian surveillance company, Area SpA, have been rushing to finish installation of a system that will allow Syrian security agents to follow targets on a flat-screen workstation that displays graphics that map a target’s networks of electronic contact in nearly real time. Area is using equipment from California-based NetApp Inc. and Hewlett Packard, Paris-based Qosmos SA, and Germany’s Utimaco Safeware, though current indicators are that these companies did not expressly consent to having their technology sold to Syria. Area’s contract stipulates that its employees will continue to travel to Syria to train government security agents in the use of the tracking technology that Mark Dubowitz of the Foundation for Defense of Democracies calls “custom-made for repression.” Last week, Bloomberg reported that Area is considering exiting its contract with the Syrian government, but Area CEO Andrea Formenti said, “[b]efore making a definitive decision, we need to, based on all the contractual obligations we have, evaluate what impact there will be for us.” Saeid Pourheydar’s story should factor into the company’s considerations.
Abdul Ghani Al Khanjar could tell almost the exact same story. Except he’s not Syrian, he’s Bahraini; and his captivity and torture were perpetrated on the back of surveillance technology sold to the Bahraini government by European tech-giant Siemens AG and its subsidiary Nokia Siemens Networks (NSN).
NSN’s divested unit, Munich-based Trovicor GmbH, maintained those systems in Bahrain and is known to have sold similar monitoring centers to Egypt, Syria and Yemen. According to the investigation, “the equipment plays a surveillance role in at least 12 Middle Eastern and North African nations.”
Three US Senators, Mark Kirk, Robert Casey, and Christopher Coons, have asked the Obama Administration to investigate how the Syrian government obtained equipment from California-based NetApp and Blue Coat Systems. The Commerce Department is now investigating Blue Coat’s role. Both companies have denied direct sales to Syria.
These are the stories that have come to light as many of the Middle East’s oppressive regimes fall and the tactics of dictators are revealed. Before these revelations, few governments, and far fewer consumers, had given a great deal of thought to the nuts and bolts of repressing an entire nation. When asked to explain their cooperation in repression, the companies producing and selling these technologies have offered the following excuses:
Excuse #1: We comply with all international and domestic regulations, so none of our activities are illegal.
Whether the sale of lawful intercept technology to repressive regimes is technically illegal or not, companies should at a minimum exercise due diligence before making such sales given the capacity of this technology to facilitate repression.
Businesses in every sector have an internationally recognized responsibility to take concrete steps to protect human rights. The U.N. Guiding Principles on Business and Human Rights, which the Human Rights Council officially endorsed this year, call for businesses to perform due diligence to understand and avoid any negative human rights impact that their activities, or the activities of their partners, will have. This standard calling for due diligence and prevention is now reflected in the OECD guidelines on multinational enterprises, the new International Standards Organization’s ISO 26000, the standards of the International Finance Corporation, the European Union’s new strategy on corporate social responsibility, and in specific provisions of the domestic Dodd-Frank Act. Even a minimal level of due diligence on the part of these technology companies would have revealed the role their products would play in horrific human rights violations. They either knew or should have known what they were helping brutal regimes do, and under the U.N. Guiding Principles they then have a responsibility to avoid providing that help.
This excuse also ignores the stated policy goals of the United States and other democratic nations that unambiguously call for a halt to the well-documented human rights violations in the very countries that these businesses count as “clients.” The Obama administration has issued unequivocal condemnations of the brutal tactics used by regimes in Iran, Syria, Yemen, Libya, Bahrain, and others. The United States has passed sanctions barring American imports to Syria and Iran—and while these sanctions do not technically prohibit the deals that have been made, they clearly intend to further democracy and promote human rights. The companies that do business with repressive regimes ignore the pivotal role they are playing in undermining these policy goals and international human rights norms.
John Ruggie, the U.N. Special Representative for Business and Human Rights and author of the U.N. guidelines, perhaps gave the most succinct response to the ‘we’ve done nothing illegal’ argument when he said: “[t]he corporate responsibility to respect human rights is a social responsibility over and above compliance with applicable laws. It is the minimum expectation society has of business conduct in relation to human rights. It means that as business goes about its business, it should not infringe on the rights of others.”
Excuse #2: We sell our products to other Western companies, and we are not responsible for what buyers might do with our product after purchase, including resale to a repressive regime.
Again, the U.N. Guidelines for Business and Human Rights say otherwise. The Guidelines specifically state that companies may be involved in human rights violations through their business relationships with third parties, and call on companies to exercise due diligence in discovering and taking steps to rectify any human rights violations committed by partners. Consumers and governments are accustomed to calling on businesses to avoid using suppliers who violate human rights; for example, there was great outcry in the 1990s when Nike was discovered to be contracting with factories employing child labor. Though the businesses are different, the same concerns, and conclusions, apply.
For example, in Syria the Italian company Area has been installing equipment that it purchased from German company Utimaco. Malte Pollmann, Utimaco’s General Manager, responded to initial inquiries by calling Area a “trusted long-term partner,” but said that Utimaco rarely knows where partners install its equipment, and that he “wouldn’t need to know, because it’s not the duty of any of our end partners to tell us.” This week—following a spate of news reports and condemnations—Utimaco changed its tune, posting on its website that “We are thoroughly investigating the matter and have stopped any further activities with Area until we receive full clarification from them.” NetApp released a statement along the same lines. Both NetApp and Utimaco should have performed such due diligence on their “trusted long-term partner” long ago, rather than using willful ignorance as a shield against their human rights responsibilities.
Excuse #3: Many democracies—including the United States—have laws requiring that lawful intercept technology be built into communications devices and software. It is a legitimate tool for fighting crime.
The Wall Street Journal recently editorialized that “Many of the technologies Huawei [a Chinese telecom company] supports in Iran—such as location services—are available on Western networks as well. The difference is that, in the hands of repressive regimes, it can be a critical tool in helping to quash dissent.” Many have called Western democracies hypocritical for opposing the sale of certain technologies to Middle Eastern regimes while using that same technology themselves, and indeed the U.S. and England have both recently come under fire for possibly abusing their government controls of mobile devices. A key difference is that countries like the U.S. and England have laws in place dictating when and how such controls may be used, and their citizens are free to challenge any possible oversteps in a court of law. No such protections exist to check abuses in countries like Syria, Iran, and Libya, where the sales in question were made.
Excuse #4: We sell our products to private companies, not to governments, and we have the expectation that our product will only be used for commercial purposes, not repression by a government.
There are legitimate reasons that a private technology provider might need location and filtering tools, such as billing, managing network traffic, or offering location-based advertising. However, when that sale is made to a company in a country with a record of repression, it carries the risk that the technology might be coopted by security forces seeking to misuse it, and companies have a due diligence obligation to investigate and avoid that possibility. In 2008 the Dublin-based company Adaptive Mobile sold technology to filter, block and store text messages to Irancell, Iran’s second-largest private mobile service provider. Adaptive executives claim that the system was only for commercial purposes, but a Bloomberg investigation revealed that requests from law enforcement for certain capabilities—such as the ability to track and change the content of messages—were discussed extensively within Adaptive as the deal was coming together. If Adaptive was unaware of the Iranian law enforcement’s extensive history of tracking citizens and violently repressing dissent, Iran’s request to be able to track and alter citizens’ text messages should have at least put Adaptive on notice that they should find out how their technology was likely to be used.
Excuse #5: The technology that we bring into repressed countries is a force for good that, over time, outweighs the human rights violations that the technology facilitates.
It is undeniable that increasing the availability of technology for citizens of repressive regimes has incredible benefits for the free flow of information, freedom of expression, and the ability to organize and inspire others. It is imperative that technology providers make every conscious and concerted effort to advance the benefits and minimize the abusive uses of their products. Providers may consider development of a remote (company-controlled) kill switch or a built-in ability to disable certain functions in the event of misuse. Additionally, companies could include a contractual right to terminate service or refuse upgrades for violating parties. User protections need to be built into the architecture of the products so that rogue regimes have absolutely no way to gain the information they seek. Technology providers need to think creatively to find solutions that keep users using and—just as important—safe.
Excuse #6: Repressive regimes are going to get the technology no matter what – if not from us, then from a company based in a country with fewer restrictions.
This argument is based on the fallacies that providers of this technology are fungible, and that the laissez-faire status quo will be maintained in the face of these disclosures. Companies risk both investor and public backlash, and the likelihood of greater oversight, if they do not take steps themselves to identify and address the risks revealed in press reports and investigations. In addition, home governments can help by working together to identify and isolate the companies that choose to continue to aid the violators.
And a final, unexpressed reason for these sales:
These deals are worth millions of dollars.
If these deals were not incredibly lucrative, companies would be much more willing to forgo them. The deal between the Syrian regime and Italy-based Area is worth more than $17.9 million. Just one of Adaptive Mobile’s proposed deals with the Mobile Communication Company of Iran was worth $5.5 million. Overall, the “lawful interception” and information intelligence market now generates more than $3 billion annually. But companies are being shortsighted. These sales come at the cost of stability in the Middle East, which is crucial for the world’s security and which U.S. taxpayers have spent untold billions to foster. More tangibly, continuing instability cuts down on the companies’ long-term consumer base by keeping potential users in the darkness and, often, poverty of repression.
Despite claims to the contrary, businesses everywhere—including those in the ICT sector—have an obligation to respect human rights. Their responsibilities are clearly articulated in the U.N. Guiding Principles, as well as other international and, increasingly, domestic instruments. Their excuses stand on crumbling ground, and their contributions to human rights violations can no longer be tolerated.