[liberationtech] Syria Crackdown Aided by U.S.-Europe Spy Gear
Katrin Verclas
katrin at mobileactive.org
Mon Nov 7 11:36:47 PST 2011
Slight non-sequitur:
I am a panelist at an event on Wednesday that will (in another panel) feature the CEO of Palantir. I would like to pose some questions to the man but if you have something urgent you'd like asked or presented in the Q and A, do let me know (probably best offline to not clutter the list).
Will compile and report back after Wed.
Katrin
On Nov 7, 2011, at 1:54 PM, Jillian York wrote:
> My only addition to Brett's thorough response is that EFF has drafted a set of standards for companies providing surveillance tech. And while yes, I would agree that such companies should join the GNI and/or other similar groups, we should also note that GNI's principles have not yet been developed to encompass the specific concerns related to this type of tech.
>
> In any case, here are EFF's standards (pasted below, but footnotes get lost in the transfer; see link). Would love comments:
>
> https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment
>
> ----
>
> Key principles:
> • Companies selling surveillance technologies to governments need to affirmatively investigate and "know your customer" before and during a sale. We suggest something for human rights similar to what most of these companies are already required to do under the Foreign Corrupt Practices Act and the export regulations for other purposes, and
> • Companies need to refrain from participating in transactions where their "know your customer" investigations reveal either objective evidence or credible concerns that the technologies provided by the company will be used to facilitate human rights violations.
> "Know Your Customer" Human Rights Process
>
> [Note: These guidelines use key terms —Technologies, Transaction, Company and Government — which are defined at the bottom and capitalized throughout]
> Affirmatively Investigate: The Company must have a process, led by a specifically-designated person, to engage in an ongoing evaluation of whether Technologies or Transaction will be, or are being used to aid, facilitate or cover up human rights abuses.
>
> This process needs to be more than lip service and needs to be verifiable (and verified) by outsiders. It needs to be an organizational commitment, with real mechanisms in place including tools, training and education of personnel and career consequences for personnel when the process is not followed. In addition, in order to build transparency and solidarity, a Company that decides to refuse (or continue) further service on the basis of these standards should, where possible, report that decision publicly so that other companies can have the benefit of their evaluation.
>
> The process should include, at a minimum:
>
> • Review of what the purchasing Government and Government agents and the Company personnel and agents are saying about the use of the Technologies, both before and during any Transaction. This includes, among other things, review of sales and marketing materials and discussions, technical discussions and questions, presentations, technical and contractual specifications and technical support conversations or requests. Some of the most troubling evidence in the Cisco case are the presentations made by Cisco employees that are plainly marketing the company as assisting the Chinese Government in combatting the “Falun Gong Evil Religion.”
> • Review of the capabilities of the Technology for human rights abuses and consideration of possible mitigation measures, both technical and contractual.
> • Review the Government’s laws, regulations and practices regarding surveillance, including interception of communications, access to stored communications, due process requirements, and other relevant legal process as part of the assessment of risk of how the Technologies may be used or misused. For instance, Nokia Siemens says that it will only provide core lawful intercept (i.e. surveillance) capabilities that are legally required and are "based on clear standards and a transparent foundation in law and practice."
> • Review U.S. State Department annual human rights reports, relevant U.N. Reports, and other credible reports about the Government, including news or other reports from nongovernmental sources or local sources that indicate whether the Government engages in the use or misuse of surveillance capabilities to conduct human rights abuses.
> Refraining from Participation: The Company must not participate in, or continue to participate in a Transaction or provide a Technology if it appears reasonably foreseeable that the Transaction or Technology will directly or indirectly facilitate human rights violations by the Government, including:
>
> • The portion of the Transaction that the Company is involved in or the specific Technology provided includes building, customizing, configuring or integrating into a system that is known or is reasonably foreseen to be used for human rights violations, whether done by the Company or by others.
> • The portion of the Government that is engaging in the Transaction or overseeing the Technologies has been recognized as committing gross human rights abuses using or relying on similar Technologies, either directly or indirectly.
> • The Government's overall record on human rights generally raises credible concerns that the Technology or Transaction will be used to facilitate human rights abuses.
> • The Government refuses to incorporate contractual terms confirming the intended use or uses of the Technologies by the Government and to require the auditing of their use by the Government purchasers in sales of surveillance Technologies.
> Key Definitions and the Scope of the Process: Who should undertake these steps? The field is actually pretty small: Companies engaging in Transactions to sell or lease Technologies to Governments, defined as follows:
>
> • “Transaction” includes all sales, leases, rental or other types of arrangements where a Company, in exchange for any form of payment or other consideration, either provides or assists in providing Technologies, personnel or non-technological support to a Government. This also includes providing of any ongoing support such as software or hardware upgrades, consulting or similar services.
> • “Technologies” include all systems, technologies, consulting services, and software that are reasonably likely to be used to surveil third parties, including but not limited to technologies that intercept communications, packet-sniffing software, deep packet inspection technologies, certain biometrics devices and systems, voting systems, and smart meters.
> • “Company” includes subsidiaries, joint ventures (especially joint ventures directly with government entities), and other corporate structures where the Company has significant holdings or has operational control.
> • “Government” includes formal, recognized governments, including State parties to the United Nations. It also includes governing or government-like entities, such as the Chinese Communist Party or the Taliban and other nongovernmental entities that effectively exercise governing powers over a country or a portion of a country. For these purposes “Government” includes indirect sales through a broker, contractor, or other intermediary or multiple intermediaries if the Company is aware or should know that the final recipient of the Technology is a Government.
> This framework isn’t the only reasonable option for addressing the problem, of course. Yet given the steps that these large companies who compete in these markets already have to take – under the export laws, the Foreign Corrupt Practices Act and otherwise – this is a relatively small addition. While some may argue that pushing U.S. tech companies to have a strong human rights filter will give a competitive advantage to companies that don’t institute one, the same is true about the anti-bribery laws. If these big companies can be expected not to get business through bribes even though some of their foreign competitors do, it’s reasonable to ask them not to get business enabling repression either.
>
> Regardless of how tech companies get there, efforts to bring democracy and freedom around the world are hampered until they commit to making business decisions that consider human rights ramifications. No reasonable company, certainly none in Silicon Valley, wants to be known as the company that helps facilitate human rights abuses. It’s time tech companies take real steps to ensure that they aren’t serving as "repression’s little helpers."
>
>
>
> On Mon, Nov 7, 2011 at 10:47 AM, Brett Solomon <brett at accessnow.org> wrote:
> Thanks for sending this through Aaron
>
> At the same time I was reading this Bloomberg piece, I received an email from my colleague saying that the residential neighborhoods of Homs (Syria) were being raided at 3am that morning by death squads, who were "targeting houses searching for activists." One can only imagine how better informed the death squads will be about the identity and location of activists once the new Syrian surveillance regime is properly activated.
>
> This most recent report of 4 western technology companies (Area SpA, NetApp Inc., Qosmos SA and Utimaco Safeware AG) selling their goods and services directly and/or indirectly to the Syrian regime is clearly a life and death matter. We are told it's only a matter of weeks till they flick the 'on' switch. It demonstrates a number of issues, including:
> • Surveillance is about systems. What we see being developed in Syria (and previously in Tunisia, Egypt and others) is an intricate ecosystem of companies, each of which provide a component, and each reliant upon each other to enable the entire surveillance capability to properly operate. I'd argue that each company is therefore responsible (to a lesser or greater degree) for the whole.
> • Surveillance is not a helicopter operation. It is an endeavor that requires upgrades, tech support, loading of new rules to detect new malware/viruses, training and ongoing implementation. That is, we are not just talking about the sale of a product, we are also talking about Western companies providing ongoing services to regimes in order to make the surveillance, storage and tracking of opponents more effective.
> • Liability is attached to the technology. Laws need to move on from the current 'dump and devolve' approach. Having sold off its surveillance business to another company (Trovicor) following its sale of equipment to the Iranian regime, Nokia Siemens clearly believes it's no longer responsible for the technology or its impacts (including the documented detention and torture of activists). It's like building a cluster bomb, and then pretending that it has nothing to do with you when it detonates.
> • The detail is in the sales agreements. Doing business with regimes, like any other customer, requires formal negotiation and contractual arrangements - as seen with Qosmos and Area in Syria. Is there a good reason why suppliers of dual-use technology shouldn't include clauses in such agreements which enable a seller to rescind the contract without damages if the product is used to abuse people's basic rights? Western governments should create a no-damages environment so that companies can no longer argue that they can't extract themselves from a contract when human rights intelligence becomes available.
> • Technology platforms should include a kill switch. High risk technology should include a set of enabling keys that are required by the operator to enable the use of that technology. The technology company should retain control of the keys, which can be switched off from 'home base' if it becomes clear that a technology is being used or re-sold to breach user's rights. Such technologies should include automated usage reports sent back to the producer that give the company aggregated knowledge of how their product is being used.
> Again, this case demonstrates that the sale of technology to regimes is not an isolated incident. Regimes have very few domestic or indigenous suppliers. Instead, they are almost entirely reliant on western companies to supply them. It is true that certain Western developed technologies have legitimate purpose to stop spam or malware, which is why it's difficult to ban such technology. But clearly self regulation is not sufficient. We need a government and inter-government regulatory environment - that includes export licenses, a presumption against granting such licenses for dual use technologies, and ongoing impact assessments before and if such technology is sold. The European Parliament's resolution from last month is a step in the right direction though it needs to broaden the concept of dual use technology, provide for ex ante controls and enable pan-Europe enforcement. In the US, there should be an impact assessment of why certain other technologies are banned (eg encryption, Google Chrome etc) which would benefit the people and not the regimes.
>
> This raises the broader issue of what we are calling 'human rights by design' - there are human rights decision points all along the ITC line - from the contract, to the design of the chip, to the operation of the network - and human rights need to be embedded into the very design of the project. Those interested should read the Silicon Valley Standard which came out of the Silicon Valley Human Rights Conference (rightscon.org) and sets out some of the broader principles for technology companies. Needless to say companies should also join the GNI!
>
> If the Bloomberg report is accurate, the period of plausible deniability is over. The CEOs of all four companies should therefore withdraw their companies from these contracts. If they do not they are very likely to be complicit in the abuses that Assad's regime is set to perpetrate once the new surveillance infrastructure is operational.
>
> Brett
>
> --
> Brett Solomon
> Executive Director | Access
> accessnow.org | rightscon.org
> +1 917 969 6077 | skype: brettsolomon | @accessnow
>
>
>
> On Fri, Nov 4, 2011 at 10:43 AM, Aaron Swartz <me at aaronsw.com> wrote:
> http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-aid-with-u-s-europe-spy-gear.html
>
> As Syria’s crackdown on protests has claimed more than 3,000 lives
> since March, Italian technicians in telecom offices from Damascus to
> Aleppo have been busy equipping President Bashar al-Assad’s regime
> with the power to intercept, scan and catalog virtually every e-mail
> that flows through the country.
>
> Employees of Area SpA, a surveillance company based outside Milan, are
> installing the system under the direction of Syrian intelligence
> agents, who’ve pushed the Italians to finish, saying they urgently
> need to track people, a person familiar with the project says. The
> Area employees have flown into Damascus in shifts this year as the
> violence has escalated, says the person, who has worked on the system
> for Area.
>
>
> Area is using equipment from American and European companies,
> according to blueprints and other documents obtained by Bloomberg News
> and the person familiar with the job. The project includes Sunnyvale,
> California-based NetApp Inc. (NTAP) storage hardware and software for
> archiving e-mails; probes to scan Syria’s communications network from
> Paris-based Qosmos SA; and gear from Germany’s Utimaco Safeware AG
> (USA) that connects tapped telecom lines to Area’s monitoring-center
> computers.
>
> The suppliers didn’t directly furnish Syria with the gear, which Area
> exported from Italy, the person says.
>
> The Italians bunk in a three-bedroom rental apartment in a residential
> Damascus neighborhood near a sports stadium when they work on the
> system, which is in a test phase, according to the person, who
> requested anonymity because Area employees sign non-disclosure
> agreements with the company.
>
> Mapping Connections
>
>
> When the system is complete, Syrian security agents will be able to
> follow targets on flat-screen workstations that display communications
> and Web use in near-real time alongside graphics that map citizens’
> networks of electronic contacts, according to the documents and two
> people familiar with the plans.
>
> [...] The price tag is more than 13 million euros ($17.9 million), two
> people familiar with the deal say.
>
> [...] “You may consider that any lawful interception system has a very
> long sales process, and things happen very quickly,” [the CEO] says,
> citing the velocity of Libyan leader Muammar Qaddafi’s fall, only a
> year after pitching his Bedouin tent in a Rome park on a visit to
> Italy. “Qaddafi was a big friend of our prime minister until not long
> ago.”
>
>
> When Bloomberg News contacted Qosmos, CEO Thibaut Bechetoille said he
> would pull out of the project. “It was not right to keep supporting
> this regime,” he says. The company’s board decided about four weeks
> ago to exit and is still figuring out how to unwind its involvement,
> he says. The company’s deep-packet inspection probes can peer into
> e-mail and reconstruct everything that happens on an Internet user’s
> screen, says Qosmos’s head of marketing, Erik Larsson.
>
> [...] Area is installing the system, which includes the company’s
> “Captor” monitoring-center computers, through a contract with
> state-owned Syrian Telecommunication Establishment, or STE, the two
> people familiar with the project say. Also known as Syrian Telecom,
> the company is the nation’s main fixed-line operator.
>
> [...]
>
>
> Schematics for the system show it includes probes in the traffic of
> mobile phone companies and Internet service providers, capturing both
> domestic and international traffic. NetApp storage will allow agents
> to archive communications for future searches or mapping of peoples’
> contacts, according to the documents and the person familiar with the
> system.
>
> [...] Two people familiar with terms of the deal say that as a final
> stage of the installation, the contract stipulates Area employees will
> train the Syrian security agents who will man those workstations --
> teaching them how to track citizens.
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>
> You will need the user name and password you receive from the list moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
> --
> jilliancyork.com | @jilliancyork | tel: +1-857-891-4244
Katrin Verclas
MobileActive.org
katrin at mobileactive.org
skype/twitter: katrinskaya
(347) 281-7191
Check out the new Mobile Media Toolkit at
http://mobilemediatoolkit.org. To "Making Media Mobile!"
A global network of people using mobile technology for social impact
http://mobileactive.org