[liberationtech] Syria Crackdown Aided by U.S.-Europe Spy Gear
Jillian York
jyork at cyber.law.harvard.edu
Mon Nov 7 10:54:14 PST 2011
My only addition to Brett's thorough response is that EFF has drafted a set
of standards for companies providing surveillance tech. And while yes, I
would agree that such companies should join the GNI and/or other similar
groups, we should also note that GNI's principles have not yet been
developed to encompass the specific concerns related to this type of tech.
In any case, here are EFF's standards (pasted below, but footnotes get lost
in the transfer; see link). Would love comments:
https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment
----
Key principles:
1. Companies selling surveillance technologies to governments need to
affirmatively investigate and "know your customer" before and during a
sale. We suggest something for human rights similar to what most of these
companies are already required to do under the Foreign Corrupt Practices
Act <http://www.justice.gov/criminal/fraud/fcpa/> and the export
regulations <http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=b598042103e95c10c396b0140e0620b7&rgn=div9&view=text&node=15:2.1.3.4.21.0.1.7.22&idno=15>
for other purposes, and
2. Companies need to refrain from participating in transactions where
their "know your customer" investigations reveal either objective evidence
or credible concerns that the technologies provided by the company will be
used to facilitate human rights violations.
"Know Your Customer" Human Rights Process *[Note: These guidelines use key
terms — Technologies, Transaction, Company and Government — which are
defined at the bottom and capitalized throughout]*
*Affirmatively Investigate:* The Company must have a process, led by a
specifically-designated person, to engage in an ongoing evaluation of
whether Technologies or Transaction will be, or are being, used to aid,
facilitate or cover up human rights abuses.[3]
<https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment#footnote3_wswrqs3>
This process needs to be more than lip service and needs to be verifiable
(and verified) by outsiders. It needs to be an organizational commitment,
with real mechanisms in place including tools, training and education of
personnel and career consequences for personnel when the process is not
followed. In addition, in order to build transparency and solidarity, a
Company that decides to refuse (or continue) further service on the basis
of these standards should, where possible, report that decision publicly so
that other companies can have the benefit of their evaluation.
The process should include, at a minimum:
1. Review of what the purchasing Government and Government agents and
the Company personnel and agents are saying about the use of the
Technologies, both before and during any Transaction. This includes, among
other things, review of sales and marketing materials and discussions,
technical discussions and questions, presentations, technical and
contractual specifications and technical support conversations or requests.
Some of the most troubling evidence in the Cisco case is the presentations
made by Cisco employees that are plainly marketing the company as assisting
the Chinese Government in combatting the "Falun Gong Evil Religion"
<http://www.wired.com/threatlevel/2008/05/leaked-cisco-do/>.
2. Review of the capabilities of the Technology for human rights
abuses and consideration of possible mitigation measures, both technical
and contractual.
3. Review the Government's laws, regulations and practices regarding
surveillance, including interception of communications, access to stored
communications, due process requirements, and other relevant legal process
as part of the assessment of risk of how the Technologies may be used or
misused. For instance, Nokia Siemens
<http://www.nokiasiemensnetworks.com/sites/default/files/document/human_right_policy.pdf>
says that it will only provide core lawful intercept (i.e. surveillance)
capabilities that are legally required and are "based on clear standards
and a transparent foundation in law and practice."
4. Review U.S. State Department annual human rights reports
<http://www.state.gov/g/drl/rls/hrrpt/>, relevant U.N. Reports,
and other credible reports about the Government,
including news or other reports from nongovernmental sources or local
sources that indicate whether the Government engages in the use or misuse
of surveillance capabilities to conduct human rights abuses.
*Refraining from Participation:* The Company must not participate in,
or continue to participate in, a Transaction or provide a Technology if it
appears reasonably foreseeable that the Transaction or Technology will
directly or indirectly facilitate human rights violations by the
Government, including:
1. The portion of the Transaction that the Company is involved in or the
specific Technology provided includes building, customizing, configuring or
integrating into a system that is known or is reasonably foreseen to be
used for human rights violations, whether done by the Company or by others.
2. The portion of the Government that is engaging in the Transaction
or overseeing the Technologies has been recognized as committing gross
human rights abuses using or relying on similar Technologies, either
directly or indirectly.
3. The Government's overall record on human rights generally raises
credible concerns that the Technology or Transaction will be used to
facilitate human rights abuses.
4. The Government refuses to incorporate contractual terms confirming
the intended use or uses of the Technologies by the Government and to
require the auditing of their use by the Government purchasers in sales of
surveillance Technologies.
*Key Definitions and the Scope of the Process:* Who should undertake these
steps? The field is actually pretty small: Companies engaging in
Transactions to sell or lease Technologies to Governments, defined as
follows:
1. “Transaction” includes all sales, leases, rental or other types of
arrangements where a Company, in exchange for any form of payment or other
consideration, either provides or assists in providing Technologies,
personnel or non-technological support to a Government. This also includes
providing of any ongoing support such as software or hardware upgrades,
consulting or similar services.
2. “Technologies” include all systems, technologies, consulting
services, and software that are reasonably likely to be used to surveil
third parties, including but not limited to technologies that intercept
communications, packet-sniffing software, deep packet inspection
technologies, certain biometrics devices and systems, voting systems, and
smart meters.
3. “Company” includes subsidiaries, joint ventures (especially joint
ventures directly with government entities), and other corporate structures
where the Company has significant holdings or has operational control.
4. “Government” includes formal, recognized governments, including
State parties to the United Nations. It also includes governing or
government-like entities, such as the Chinese Communist Party or the
Taliban and other nongovernmental entities that effectively exercise
governing powers over a country or a portion of a country. For these
purposes “Government” includes indirect sales through a broker, contractor,
or other intermediary or multiple intermediaries if the Company is aware or
should know that the final recipient of the Technology is a Government.
This framework isn’t the only reasonable option for addressing the problem,
of course. Yet given the steps that these large companies who compete in
these markets already have to take – under the export laws, the Foreign
Corrupt Practices Act and otherwise – this is a relatively small addition.
While some may argue that pushing U.S. tech companies to have a strong
human rights filter will give a competitive advantage to companies that
don’t institute one, the same is true about the anti-bribery laws. If these
big companies can be expected not to get business through bribes even
though some of their foreign competitors do, it’s reasonable to ask them
not to get business enabling repression either.
Regardless of how tech companies get there, efforts to bring democracy and
freedom around the world are hampered until they commit to making business
decisions that consider human rights ramifications. No reasonable company,
certainly none in Silicon Valley, wants to be known as the company that
helps facilitate human rights abuses. It’s time tech companies take real
steps to ensure that they aren’t serving as "repression’s little helpers."
On Mon, Nov 7, 2011 at 10:47 AM, Brett Solomon <brett at accessnow.org> wrote:
> Thanks for sending this through Aaron
>
> At the same I was reading this Bloomberg piece, I received an email from
> my colleague saying that the residential neighborhoods of Homs (Syria) were
> being raided at 3am that morning by death squads, who were "targeting
> houses searching for activists." One can only imagine how better informed
> the death squads will be about the identity and location of activists once
> the new Syrian surveillance regime is properly activated.
>
> This most recent report of 4 western technology companies (*Area SpA,
> NetApp Inc., Qosmos SA and Utimaco Safeware AG*) selling their goods and
> services directly and/or indirectly to the Syrian regime is clearly a life
> and death matter. We are told it's only a matter of weeks till they flick
> the 'on' switch. It demonstrates a number of issues, including:
>
> - *Surveillance is about systems.* What we see being developed in
> Syria (and previously in Tunisia, Egypt and others) is an intricate
> ecosystem of companies, each of which provide a component, and each reliant
> upon each other to enable the entire surveillance capability to properly
> operate. I'd argue that each company is therefore responsible (to a lesser
> or greater degree) for the whole.
> - *Surveillance is not a helicopter operation*. It is an endeavor that
> requires upgrades, tech support, loading of new rules to detect new
> malware/viruses, training and ongoing implementation. That is, we are not
> just talking about the sale of a product, we are also talking about Western
> companies providing ongoing services to regimes in order to make the
> surveillance, storage and tracking of opponents more effective.
> - *Liability is attached to the technology*. Laws need to move on from
> the current 'dump and devolve' approach. Having sold off its surveillance
> business to another company (Trovicor) following its sale of equipment to
> the Iranian regime, Nokia Siemens clearly believes it's no longer
> responsible for the technology or its impacts (including the documented
> detention and torture of activists). It's like building a cluster bomb, and
> then pretending that it has nothing to do with you when it detonates.
> - *The detail is in the sales agreements*. Doing business with
> regimes, like any other customer, requires formal negotiation and
> contractual arrangements - as seen with Qosmos and Area in Syria. Is there
> a good reason why suppliers of dual-use technology shouldn't include
> clauses in such agreements which enable a seller to rescind the contract
> without damages if the product is used to abuse people's basic rights?
> Western governments should create a no-damages environment so that
> companies can no longer argue that they can't extract themselves from a
> contract when human rights intelligence becomes available.
> - *Technology platforms should include a kill switch*. High risk
> technology should include a set of enabling keys that are required by the
> operator to enable the use of that technology. The technology company
> should retain control of the keys, which can be switched off from 'home
> base' if it becomes clear that a technology is being used or re-sold to
> breach users' rights. Such technologies should include automated usage
> reports sent back to the producer that give the company aggregated
> knowledge of how their product is being used.
>
> Again, this case demonstrates that the sale of technology to regimes is
> not an isolated incident. Regimes have very few domestic or indigenous
> suppliers. Instead, they are almost entirely reliant on western companies
> to supply them. It is true that certain Western developed technologies have
> legitimate purpose to stop spam or malware, which is why it's difficult to
> ban such technology. But clearly self regulation is not sufficient. We need
> a government and inter-government regulatory environment - that includes
> export licenses, a presumption against granting such licenses for
> dual use technologies, and ongoing impact assessments before and if such
> technology is sold. The European Parliament's resolution from last month is
> a step in the right direction though it needs to broaden the concept of
> dual use technology, provide for ex ante controls and enable pan-Europe
> enforcement. In the US, there should be an impact assessment of why certain
> other technologies are banned (eg encryption, Google Chrome etc) which
> would benefit the people and not the regimes.
>
> This raises the broader issue of what we are calling 'human rights by
> design' - there are human rights decision points all along the ICT line -
> from the contract, to the design of the chip, to the operation of the
> network - and human rights need to be embedded into the very design of the
> project. Those interested should read the Silicon Valley Standard
> <https://www.accessnow.org/policy-activism/press-blog/the-silicon-valley-standard>
> which came out of the Silicon Valley Human Rights Conference (
> rightscon.org) and sets out some of the broader principles for technology
> companies. Needless to say companies should also join the GNI!
>
> If the Bloomberg report is accurate, the period of plausible deniability
> is over. The CEOs of all four companies should therefore withdraw their
> companies from these contracts. If they do not they are very likely to be
> complicit in the abuses that Assad's regime is set to perpetrate once the
> new surveillance infrastructure is operational.
>
> Brett
>
> --
> Brett Solomon
> Executive Director | Access
> accessnow.org | rightscon.org
> +1 917 969 6077 | skype: brettsolomon | @accessnow
>
>
>
> On Fri, Nov 4, 2011 at 10:43 AM, Aaron Swartz <me at aaronsw.com> wrote:
>
>>
>> http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-aid-with-u-s-europe-spy-gear.html
>>
>> As Syria’s crackdown on protests has claimed more than 3,000 lives
>> since March, Italian technicians in telecom offices from Damascus to
>> Aleppo have been busy equipping President Bashar al-Assad’s regime
>> with the power to intercept, scan and catalog virtually every e-mail
>> that flows through the country.
>>
>> Employees of Area SpA, a surveillance company based outside Milan, are
>> installing the system under the direction of Syrian intelligence
>> agents, who’ve pushed the Italians to finish, saying they urgently
>> need to track people, a person familiar with the project says. The
>> Area employees have flown into Damascus in shifts this year as the
>> violence has escalated, says the person, who has worked on the system
>> for Area.
>>
>>
>> Area is using equipment from American and European companies,
>> according to blueprints and other documents obtained by Bloomberg News
>> and the person familiar with the job. The project includes Sunnyvale,
>> California-based NetApp Inc. (NTAP) storage hardware and software for
>> archiving e-mails; probes to scan Syria’s communications network from
>> Paris-based Qosmos SA; and gear from Germany’s Utimaco Safeware AG
>> (USA) that connects tapped telecom lines to Area’s monitoring-center
>> computers.
>>
>> The suppliers didn’t directly furnish Syria with the gear, which Area
>> exported from Italy, the person says.
>>
>> The Italians bunk in a three-bedroom rental apartment in a residential
>> Damascus neighborhood near a sports stadium when they work on the
>> system, which is in a test phase, according to the person, who
>> requested anonymity because Area employees sign non-disclosure
>> agreements with the company.
>>
>> Mapping Connections
>>
>>
>> When the system is complete, Syrian security agents will be able to
>> follow targets on flat-screen workstations that display communications
>> and Web use in near-real time alongside graphics that map citizens’
>> networks of electronic contacts, according to the documents and two
>> people familiar with the plans.
>>
>> [...] The price tag is more than 13 million euros ($17.9 million), two
>> people familiar with the deal say.
>>
>> [...] “You may consider that any lawful interception system has a very
>> long sales process, and things happen very quickly,” [the CEO] says,
>> citing the velocity of Libyan leader Muammar Qaddafi’s fall, only a
>> year after pitching his Bedouin tent in a Rome park on a visit to
>> Italy. “Qaddafi was a big friend of our prime minister until not long
>> ago.”
>>
>>
>> When Bloomberg News contacted Qosmos, CEO Thibaut Bechetoille said he
>> would pull out of the project. “It was not right to keep supporting
>> this regime,” he says. The company’s board decided about four weeks
>> ago to exit and is still figuring out how to unwind its involvement,
>> he says. The company’s deep-packet inspection probes can peer into
>> e-mail and reconstruct everything that happens on an Internet user’s
>> screen, says Qosmos’s head of marketing, Erik Larsson.
>>
>> [...] Area is installing the system, which includes the company’s
>> “Captor” monitoring-center computers, through a contract with
>> state-owned Syrian Telecommunication Establishment, or STE, the two
>> people familiar with the project say. Also known as Syrian Telecom,
>> the company is the nation’s main fixed-line operator.
>>
>> [...]
>>
>>
>> Schematics for the system show it includes probes in the traffic of
>> mobile phone companies and Internet service providers, capturing both
>> domestic and international traffic. NetApp storage will allow agents
>> to archive communications for future searches or mapping of peoples’
>> contacts, according to the documents and the person familiar with the
>> system.
>>
>> [...] Two people familiar with terms of the deal say that as a final
>> stage of the installation, the contract stipulates Area employees will
>> train the Syrian security agents who will man those workstations --
>> teaching them how to track citizens.
>> _______________________________________________
>> liberationtech mailing list
>> liberationtech at lists.stanford.edu
>>
>> Should you need to change your subscription options, please go to:
>>
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> If you would like to receive a daily digest, click "yes" (once you click
>> above) next to "would you like to receive list mail batched in a daily
>> digest?"
>>
>> You will need the user name and password you receive from the list
>> moderator in monthly reminders.
>>
>> Should you need immediate assistance, please contact the list moderator.
>>
>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
>
>
> <http://www.europarl.europa.eu/parliament/public/staticDisplay.do?language=en&id=42>
>
--
jilliancyork.com | @jilliancyork | tel: +1-857-891-4244