[liberationtech] Syria Crackdown Aided by U.S.-Europe Spy Gear
Jillian York
jyork at cyber.law.harvard.edu
Mon Nov 7 11:35:07 PST 2011
Glad to hear what other orgs are doing on this particular subject - might
it make sense to coordinate off-list? Strength in numbers and all.
On Mon, Nov 7, 2011 at 11:15 AM, Eric King <eric at privacy.org> wrote:
> Privacy International have been investigating the sale of surveillance
> technology for the last year and have been working with various media
> partners in preparation of some of these stories. In the coming months we
> will be beginning to share some of what we've discovered as we begin to
> build litigation against some of the companies complicit in this trade.
>
> We have compiled a considerable amount of material but are short of staff
> on this project and have recently put out a call for volunteers to assist
> us in our investigation. More information can be found on our old school
> website here:
>
> https://www.privacyinternational.org/article/about-join-us
>
> --
> Eric King,
> Human Rights and Technology Advisor
> Privacy International
>
>
> On 7 Nov 2011, at 18:54, Jillian York wrote:
>
> > My only addition to Brett's thorough response is that EFF has drafted a
> set of standards for companies providing surveillance tech. And while yes,
> I would agree that such companies should join the GNI and/or other similar
> groups, we should also note that GNI's principles have not yet been
> developed to encompass the specific concerns related to this type of tech.
> >
> > In any case, here are EFF's standards (pasted below, but footnotes get
> lost in the transfer; see link). Would love comments:
> >
> >
> https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment
> >
> > ----
> >
> > Key principles:
> > • Companies selling surveillance technologies to governments need
> to affirmatively investigate and "know your customer" before and during a
> sale. We suggest something for human rights similar to what most of these
> companies are already required to do under the Foreign Corrupt Practices
> Act and the export regulations for other purposes, and
> > • Companies need to refrain from participating in transactions
> where their "know your customer" investigations reveal either objective
> evidence or credible concerns that the technologies provided by the company
> will be used to facilitate human rights violations.
> > "Know Your Customer" Human Rights Process
> >
> > [Note: These guidelines use key terms —Technologies, Transaction,
> Company and Government — which are defined at the bottom and capitalized
> throughout]
> > Affirmatively Investigate: The Company must have a process, led by a
> specifically-designated person, to engage in an ongoing evaluation of
> whether Technologies or Transaction will be, or are being used to aid,
facilitate or cover up human rights abuses.
> >
> > This process needs to be more than lip service and needs to be
> verifiable (and verified) by outsiders. It needs to be an organizational
> commitment, with real mechanisms in place including tools, training and
> education of personnel and career consequences for personnel when the
> process is not followed. In addition, in order to build transparency and
> solidarity, a Company that decides to refuse (or continue) further service
> on the basis of these standards should, where possible, report that
> decision publicly so that other companies can have the benefit of their
> evaluation.
> >
> > The process should include, at a minimum:
> >
> > • Review of what the purchasing Government and Government
> agents and the Company personnel and agents are saying about the use of the
> Technologies, both before and during any Transaction. This includes, among
> other things, review of sales and marketing materials and discussions,
> technical discussions and questions, presentations, technical and
> contractual specifications and technical support conversations or requests.
> Some of the most troubling evidence in the Cisco case are the presentations
> made by Cisco employees that are plainly marketing the company as assisting
> the Chinese Government in combatting the “Falun Gong Evil Religion.”
> > • Review of the capabilities of the Technology for human
> rights abuses and consideration of possible mitigation measures, both
> technical and contractual.
> > • Review the Government’s laws, regulations and practices
> regarding surveillance, including interception of communications, access to
> stored communications, due process requirements, and other relevant legal
> process as part of the assessment of risk of how the Technologies may be
> used or misused. For instance, Nokia Siemens says that it will only provide
> core lawful intercept (i.e. surveillance) capabilities that are legally
> required and are "based on clear standards and a transparent foundation in
> law and practice."
> > • Review U.S. State Department annual human rights
> reports, relevant U.N. Reports, and other credible reports about the
> Government, including news or other reports from nongovernmental sources or
> local sources that indicate whether the Government engages in the use or
> misuse of surveillance capabilities to conduct human rights abuses.
> > Refraining from Participation: The Company must not participate in, or
> continue to participate in a Transaction or provide a Technology if it
> appears reasonably foreseeable that the Transaction or Technology will
> directly or indirectly facilitate human rights violations by the
> Government, including:
> >
> > • The portion of the Transaction that the Company is
> involved in or the specific Technology provided includes building,
> customizing, configuring or integrating into a system that is known or is
> reasonably foreseen to be used for human rights violations, whether done by
> the Company or by others.
> > • The portion of the Government that is engaging in the
> Transaction or overseeing the Technologies has been recognized as
> committing gross human rights abuses using or relying on similar
> Technologies, either directly or indirectly.
> > • The Government's overall record on human rights
> generally raises credible concerns that the Technology or Transaction will
> be used to facilitate human rights abuses.
> > • The Government refuses to incorporate contractual terms
> confirming the intended use or uses of the Technologies by the Government
> and to require the auditing of their use by the Government purchasers in
> sales of surveillance Technologies.
> > Key Definitions and the Scope of the Process: Who should undertake these
> steps? The field is actually pretty small: Companies engaging in
> Transactions to sell or lease Technologies to Governments, defined as
> follows:
> >
> > • “Transaction” includes all sales, leases, rental or
> other types of arrangements where a Company, in exchange for any form of
> payment or other consideration, either provides or assists in providing
> Technologies, personnel or non-technological support to a Government. This
> also includes providing of any ongoing support such as software or hardware
> upgrades, consulting or similar services.
> > • “Technologies” include all systems, technologies,
> consulting services, and software that are reasonably likely to be used to
> surveil third parties, including but not limited to technologies that
> intercept communications, packet-sniffing software, deep packet inspection
> technologies, certain biometrics devices and systems, voting systems, and
> smart meters.
> > • “Company” includes subsidiaries, joint ventures
> (especially joint ventures directly with government entities), and other
> corporate structures where the Company has significant holdings or has
> operational control.
> > • “Government” includes formal, recognized governments,
> including State parties to the United Nations. It also includes governing
> or government-like entities, such as the Chinese Communist Party or the
> Taliban and other nongovernmental entities that effectively exercise
> governing powers over a country or a portion of a country. For these
> purposes “Government” includes indirect sales through a broker, contractor,
> or other intermediary or multiple intermediaries if the Company is aware or
> should know that the final recipient of the Technology is a Government.
> > This framework isn’t the only reasonable option for addressing the
> problem, of course. Yet given the steps that these large companies who
> compete in these markets already have to take – under the export laws, the
> Foreign Corrupt Practices Act and otherwise – this is a relatively small
> addition. While some may argue that pushing U.S. tech companies to have a
> strong human rights filter will give a competitive advantage to companies
> that don’t institute one, the same is true about the anti-bribery laws. If
> these big companies can be expected not to get business through bribes even
> though some of their foreign competitors do, it’s reasonable to ask them
> not to get business enabling repression either.
> >
> > Regardless of how tech companies get there, efforts to bring democracy
> and freedom around the world are hampered until they commit to making
> business decisions that consider human rights ramifications. No reasonable
> company, certainly none in Silicon Valley, wants to be known as the company
> that helps facilitate human rights abuses. It’s time tech companies take
> real steps to ensure that they aren’t serving as "repression’s little
> helpers."
> >
> >
> >
> > On Mon, Nov 7, 2011 at 10:47 AM, Brett Solomon <brett at accessnow.org>
> wrote:
> > Thanks for sending this through Aaron
> >
> > At the same time I was reading this Bloomberg piece, I received an email from
> my colleague saying that the residential neighborhoods of Homs (Syria) were
> being raided at 3am that morning by death squads, who were "targeting
> houses searching for activists." One can only imagine how better informed
> the death squads will be about the identity and location of activists once
> the new Syrian surveillance regime is properly activated.
> >
> > This most recent report of 4 western technology companies (Area SpA,
> NetApp Inc., Qosmos SA and Utimaco Safeware AG) selling their goods and
> services directly and/or indirectly to the Syrian regime is clearly a life
> and death matter. We are told it's only a matter of weeks till they flick
> the 'on' switch. It demonstrates a number of issues, including:
> > • Surveillance is about systems. What we see being developed in
> Syria (and previously in Tunisia, Egypt and others) is an intricate
> ecosystem of companies, each of which provide a component, and each reliant
> upon each other to enable the entire surveillance capability to properly
> operate. I'd argue that each company is therefore responsible (to a lesser
> or greater degree) for the whole.
> > • Surveillance is not a helicopter operation. It is an endeavor
> that requires upgrades, tech support, loading of new rules to detect new
> malware/viruses, training and ongoing implementation. That is, we are not
> just talking about the sale of a product, we are also talking about Western
> companies providing ongoing services to regimes in order to make the
> surveillance, storage and tracking of opponents more effective.
> > • Liability is attached to the technology. Laws need to move on
> from the current 'dump and devolve' approach. Having sold off its
> surveillance business to another company (Trovicor) following its sale of
equipment to the Iranian regime, Nokia Siemens clearly believes it's no
longer responsible for the technology or its impacts (including the
documented detention and torture of activists). It's like building a
cluster bomb, and then pretending that it has nothing to do with you when
> it detonates.
> > • The detail is in the sales agreements. Doing business with
> regimes, like any other customer, requires formal negotiation and
> contractual arrangements - as seen with Qosmos and Area in Syria. Is there
> a good reason why suppliers of dual-use technology shouldn't include
> clauses in such agreements which enable a seller to rescind the contract
> without damages if the product is used to abuse people's basic rights?
> Western governments should create a no-damages environment so that
companies can no longer argue that they can't extract themselves from a
> contract when human rights intelligence becomes available.
> > • Technology platforms should include a kill switch. High risk
> technology should include a set of enabling keys that are required by the
> operator to enable the use of that technology. The technology company
> should retain control of the keys, which can be switched off from 'home
> base' if it becomes clear that a technology is being used or re-sold to
breach users' rights. Such technologies should include automated usage
> reports sent back to the producer that give the company aggregated
> knowledge of how their product is being used.
> > Again, this case demonstrates that the sale of technology to regimes is
> not an isolated incident. Regimes have very few domestic or indigenous
> suppliers. Instead, they are almost entirely reliant on western companies
> to supply them. It is true that certain Western developed technologies have
legitimate purpose to stop spam or malware, which is why it's difficult to
> ban such technology. But clearly self regulation is not sufficient. We need
> a government and inter-government regulatory environment - that includes
export licenses, a presumption against granting such licenses for
> dual use technologies, and ongoing impact assessments before and if such
> technology is sold. The European Parliament's resolution from last month is
> a step in the right direction though it needs to broaden the concept of
> dual use technology, provide for ex ante controls and enable pan-Europe
> enforcement. In the US, there should be an impact assessment of why certain
> other technologies are banned (eg encryption, Google Chrome etc) which
> would benefit the people and not the regimes.
> >
> > This raises the broader issue of what we are calling 'human rights by
> design' - there are human rights decision points all along the ITC line -
> from the contract, to the design of the chip, to the operation of the
> network - and human rights need to be embedded into the very design of the
> project. Those interested should read the Silicon Valley Standard which
> came out of the Silicon Valley Human Rights Conference (rightscon.org)
> and sets out some of the broader principles for technology companies.
> Needless to say companies should also join the GNI!
> >
> > If the Bloomberg report is accurate, the period of plausible deniability
> is over. The CEOs of all four companies should therefore withdraw their
companies from these contracts. If they do not they are very likely to be
> complicit in the abuses that Assad's regime is set to perpetrate once the
> new surveillance infrastructure is operational.
> >
> > Brett
> >
> > --
> > Brett Solomon
> > Executive Director | Access
> > accessnow.org | rightscon.org
> > +1 917 969 6077 | skype: brettsolomon | @accessnow
> >
> >
> >
> > On Fri, Nov 4, 2011 at 10:43 AM, Aaron Swartz <me at aaronsw.com> wrote:
> >
> http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-aid-with-u-s-europe-spy-gear.html
> >
> > As Syria’s crackdown on protests has claimed more than 3,000 lives
> > since March, Italian technicians in telecom offices from Damascus to
> > Aleppo have been busy equipping President Bashar al-Assad’s regime
> > with the power to intercept, scan and catalog virtually every e-mail
> > that flows through the country.
> >
> > Employees of Area SpA, a surveillance company based outside Milan, are
> > installing the system under the direction of Syrian intelligence
> > agents, who’ve pushed the Italians to finish, saying they urgently
> > need to track people, a person familiar with the project says. The
> > Area employees have flown into Damascus in shifts this year as the
> > violence has escalated, says the person, who has worked on the system
> > for Area.
> >
> >
> > Area is using equipment from American and European companies,
> > according to blueprints and other documents obtained by Bloomberg News
> > and the person familiar with the job. The project includes Sunnyvale,
> > California-based NetApp Inc. (NTAP) storage hardware and software for
> > archiving e-mails; probes to scan Syria’s communications network from
> > Paris-based Qosmos SA; and gear from Germany’s Utimaco Safeware AG
> > (USA) that connects tapped telecom lines to Area’s monitoring-center
> > computers.
> >
> > The suppliers didn’t directly furnish Syria with the gear, which Area
> > exported from Italy, the person says.
> >
> > The Italians bunk in a three-bedroom rental apartment in a residential
> > Damascus neighborhood near a sports stadium when they work on the
> > system, which is in a test phase, according to the person, who
> > requested anonymity because Area employees sign non-disclosure
> > agreements with the company.
> >
> > Mapping Connections
> >
> >
> > When the system is complete, Syrian security agents will be able to
> > follow targets on flat-screen workstations that display communications
> > and Web use in near-real time alongside graphics that map citizens’
> > networks of electronic contacts, according to the documents and two
> > people familiar with the plans.
> >
> > [...] The price tag is more than 13 million euros ($17.9 million), two
> > people familiar with the deal say.
> >
> > [...] “You may consider that any lawful interception system has a very
> > long sales process, and things happen very quickly,” [the CEO] says,
> > citing the velocity of Libyan leader Muammar Qaddafi’s fall, only a
> > year after pitching his Bedouin tent in a Rome park on a visit to
> > Italy. “Qaddafi was a big friend of our prime minister until not long
> > ago.”
> >
> >
> > When Bloomberg News contacted Qosmos, CEO Thibaut Bechetoille said he
> > would pull out of the project. “It was not right to keep supporting
> > this regime,” he says. The company’s board decided about four weeks
> > ago to exit and is still figuring out how to unwind its involvement,
> > he says. The company’s deep-packet inspection probes can peer into
> > e-mail and reconstruct everything that happens on an Internet user’s
> > screen, says Qosmos’s head of marketing, Erik Larsson.
> >
> > [...] Area is installing the system, which includes the company’s
> > “Captor” monitoring-center computers, through a contract with
> > state-owned Syrian Telecommunication Establishment, or STE, the two
> > people familiar with the project say. Also known as Syrian Telecom,
> > the company is the nation’s main fixed-line operator.
> >
> > [...]
> >
> >
> > Schematics for the system show it includes probes in the traffic of
> > mobile phone companies and Internet service providers, capturing both
> > domestic and international traffic. NetApp storage will allow agents
> > to archive communications for future searches or mapping of peoples’
> > contacts, according to the documents and the person familiar with the
> > system.
> >
> > [...] Two people familiar with terms of the deal say that as a final
> > stage of the installation, the contract stipulates Area employees will
> > train the Syrian security agents who will man those workstations --
> > teaching them how to track citizens.
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> >
> > Should you need to change your subscription options, please go to:
> >
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
> >
> > You will need the user name and password you receive from the list
> moderator in monthly reminders.
> >
> > Should you need immediate assistance, please contact the list moderator.
> >
> > Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> >
> > --
> > jilliancyork.com | @jilliancyork | tel: +1-857-891-4244
> >
>
>
>
--
jilliancyork.com | @jilliancyork | tel: +1-857-891-4244