[liberationtech] Syria Crackdown Aided by U.S.-Europe Spy Gear

Brett Solomon brett at accessnow.org
Mon Nov 7 10:47:46 PST 2011 

Thanks for sending this through Aaron

At the same I was reading this Bloomberg piece, I received an email from my
colleague saying that the residential neighborhoods of Homs (Syria) were
being raided at 3am that morning by death squads, who were "targeting
houses searching for activists." One can only imagine how better informed
the death squads will be about the identity and location of activists once
the new Syrian surveillance regime is properly activated.

This most recent report of 4 western technology companies (*Area SpA,
NetApp Inc., Qosmos SA and Utimaco Safeware AG*) selling their goods and
services directly and/or indirectly to the Syrian regime is clearly a life
and death matter. We are told it's only a matter of weeks till they flick
the 'on' switch. It demonstrates a number of issues, including:

   - *Surveillance is about systems.* What we see being developed in Syria
   (and previously in Tunisia, Egypt and others) is an intricate ecosystem of
   companies, each of which provide a component, and each reliant upon each
   other to enable the entire surveillance capability to properly operate. I'd
   argue that each company is therefore responsible (to a lesser or greater
   degree) for the whole.
   - *Surveillance is not a helicopter operation*. It is an endeavor that
   requires upgrades, tech support, loading of new rules to detect new
   malware/viruses, training and ongoing implementation. That is, we are not
   just talking about the sale of a product, we are also talking about Western
   companies providing ongoing services to regimes in order to make the
   surveillance, storage and tracking of opponents more effective.
   - *Liability is attached to the technology*. Laws need to move on from
   the current 'dump and devolve' approach. Having sold off its surveillance
   business to another company (Trovicor) following its sale of equipment to
   the Iranian regime, Nokia Siemen's clearly believes it's no longer
   responsible for the technology or its impacts (including the documented
   detention and torture of activists). It's like building a cluster bomb, and
   then pretending that is has nothing to do with you when it detonates.
   - *The detail is in the sales agreements*. Doing business with regimes,
   like any other customer, requires formal negotiation and contractual
   arrangements - as seen with Qosmos and Area in Syria. Is there a good
   reason why suppliers of dual-use technology shouldn't include clauses in
   such agreements which enable a seller to rescind the contract without
   damages if the product is used to abuse people's basic rights? Western
   governments should create a no-damages environment so that companies can no
   longer argue that they cant extract themselves from a contract when human
   rights intelligence becomes available.
   - *Technology platforms should include a kill switch*. High risk
   technology should include a set of enabling keys that are required by the
   operator to enable the use of that technology. The technology company
   should retain control of the keys, which can be switched off from 'home
   base' if it becomes clear that a technology is being used or re-sold to
   breach user's rights. Such technologies should include automated usage
   reports sent back to the producer that give the company aggregated
   knowledge of how their product is being used.

Again, this case demonstrates that the sale of technology to regimes is not
an isolated incident. Regimes have very few domestic or indigenous
suppliers. Instead, they are almost entirely reliant on western companies
to supply them. It is true that certain Western developed technologies have
legitimate purpose to stop spam or malware, which is why its difficult to
ban such technology. But clearly self regulation is not sufficient. We need
a government and inter-government regulatory environment - that includes
export licenses, a presumption against granting against such licenses for
dual use technologies, and ongoing impact assessments before and if such
technology is sold. The European Parliament's resolution from last month is
a step in the right direction though it needs to broaden the concept of
dual use technology, provide for ex ante controls and enable pan-Europe
enforcement. In the US, there should be an impact assessment of why certain
other technologies are banned (eg encryption, Google Chrome etc) which
would benefit the people and not the regimes.

This raises the broader issue of what we are calling 'human rights by
design' - there are human rights decision points all along the ITC line -
from the contract, to the design of the chip, to the operation of the
network - and human rights need to be embedded into the very design of the
project. Those interested should read the Silicon Valley
Standard<https://www.accessnow.org/policy-activism/press-blog/the-silicon-valley-standard>which
came out of the Silicon Valley Human Rights Conference (
rightscon.org) and sets out some of the broader principles for technology
companies. Needless to say companies should also join the GNI!

If the Bloomberg report is accurate, the period of plausible deniability is
over. The CEOs of all four companies should therefore withdraw their
companies from these contracts. If they do not they are very likely be
complicit in the abuses that Assad's regime is set to perpetrate once the
new surveillance infrastructure is operational.

Brett

-- 
Brett Solomon
Executive Director | Access
accessnow.org | rightscon.org
+1 917 969 6077 | skype: brettsolomon | @accessnow


On Fri, Nov 4, 2011 at 10:43 AM, Aaron Swartz <me at aaronsw.com> wrote:

>
> http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-aid-with-u-s-europe-spy-gear.html
>
> As Syria’s crackdown on protests has claimed more than 3,000 lives
> since March, Italian technicians in telecom offices from Damascus to
> Aleppo have been busy equipping President Bashar al-Assad’s regime
> with the power to intercept, scan and catalog virtually every e-mail
> that flows through the country.
>
> Employees of Area SpA, a surveillance company based outside Milan, are
> installing the system under the direction of Syrian intelligence
> agents, who’ve pushed the Italians to finish, saying they urgently
> need to track people, a person familiar with the project says. The
> Area employees have flown into Damascus in shifts this year as the
> violence has escalated, says the person, who has worked on the system
> for Area.
>
>
> Area is using equipment from American and European companies,
> according to blueprints and other documents obtained by Bloomberg News
> and the person familiar with the job. The project includes Sunnyvale,
> California-based NetApp Inc. (NTAP) storage hardware and software for
> archiving e-mails; probes to scan Syria’s communications network from
> Paris-based Qosmos SA; and gear from Germany’s Utimaco Safeware AG
> (USA) that connects tapped telecom lines to Area’s monitoring-center
> computers.
>
> The suppliers didn’t directly furnish Syria with the gear, which Area
> exported from Italy, the person says.
>
> The Italians bunk in a three-bedroom rental apartment in a residential
> Damascus neighborhood near a sports stadium when they work on the
> system, which is in a test phase, according to the person, who
> requested anonymity because Area employees sign non-disclosure
> agreements with the company.
>
> Mapping Connections
>
>
> When the system is complete, Syrian security agents will be able to
> follow targets on flat-screen workstations that display communications
> and Web use in near-real time alongside graphics that map citizens’
> networks of electronic contacts, according to the documents and two
> people familiar with the plans.
>
> [...] The price tag is more than 13 million euros ($17.9 million), two
> people familiar with the deal say.
>
> [...] “You may consider that any lawful interception system has a very
> long sales process, and things happen very quickly,” [the CEO] says,
> citing the velocity of Libyan leader Muammar Qaddafi’s fall, only a
> year after pitching his Bedouin tent in a Rome park on a visit to
> Italy. “Qaddafi was a big friend of our prime minister until not long
> ago.”
>
>
> When Bloomberg News contacted Qosmos, CEO Thibaut Bechetoille said he
> would pull out of the project. “It was not right to keep supporting
> this regime,” he says. The company’s board decided about four weeks
> ago to exit and is still figuring out how to unwind its involvement,
> he says. The company’s deep- packet inspection probes can peer into
> e-mail and reconstruct everything that happens on an Internet user’s
> screen, says Qosmos’s head of marketing, Erik Larsson.
>
> [...] Area is installing the system, which includes the company’s
> “Captor” monitoring-center computers, through a contract with
> state-owned Syrian Telecommunication Establishment, or STE, the two
> people familiar with the project say. Also known as Syrian Telecom,
> the company is the nation’s main fixed-line operator.
>
> [...]
>
>
> Schematics for the system show it includes probes in the traffic of
> mobile phone companies and Internet service providers, capturing both
> domestic and international traffic. NetApp storage will allow agents
> to archive communications for future searches or mapping of peoples’
> contacts, according to the documents and the person familiar with the
> system.
>
> [...] Two people familiar with terms of the deal say that as a final
> stage of the installation, the contract stipulates Area employees will
> train the Syrian security agents who will man those workstations --
> teaching them how to track citizens.
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech



<http://www.europarl.europa.eu/parliament/public/staticDisplay.do?language=en&id=42>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20111107/952d0734/attachment.html>

More information about the liberationtech mailing list