EU companies banned from selling spyware to repressive regimes
European companies selling online surveillance technology have come under increasing criticism from NGOs and the European Parliament after it emerged their products had helped regimes in Iran, Egypt and Libya to clamp down on protesters.
"We need to ask for more transparency from companies before they actually sell these technologies. It's not about sanctions and trade restrictions, it's about making sure the new technologies are not systematically used to repress citizens," Dutch Liberal MEP Marietje Schaake told this website after the European Parliament last month approved banning spyware exports to repressive regimes.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
Following the democratic uprisings in the Arab world, several European companies found themselves under fire from NGOs and the media for being careless about where their technology ends up. French and US technology, for example, had been used extensively by Libya's dictator Moammar Gaddafi for spying on the online activities of opposition activists.
An investigation by the Wall Street Journal into the deserted compound of Gaddafi's secret police in Tripoli found a monitoring centre "lined with posters and English-language training manuals stamped with the name Amesys, a unit of French technology firm Bull SA."
Amesys admits it equipped the monitoring centre in 2008, but insists that it did nothing illegal and points to the rapprochement between Western powers and the Libyan dictator at the time.
"The contract was related to the making available of analysis hardware concerning a small fraction of the Internet lines installed at that time (a few thousand). This did not include either Internet communications via satellite (as used in Internet cafes), encrypted data such as Skype-type communications, or filtering of Web sites. In addition, the hardware used did not allow for the monitoring of either fixed or mobile telephone lines," a statement from the French company reads.
But according to the Wall Street Journal, Amesys "equipped the centre with 'deep packet inspection' technology, one of the most intrusive techniques for snooping on people's online activities." One file seen by the US paper, dating back to February, the early stage of the anti-Gaddafi protests, includes a 16-minute Yahoo chat between a man and a woman, in which he worries that he has become a target as "the Gaddafi forces are writing lists of names." He tells her he will go into hiding and phone her from a new number.
Amesys was also singled out in a recent report by Freedom House, an international NGO promoting freedom on the internet. Italian and British firms are also accused of having sold online spying software to Middle Eastern and North African countries.
"Britain’s Gamma International provided its product FinSpy to Egypt’s security service, which used the product to monitor dissidents’ online activities. This spyware infects the computers of dissidents and allows the security service to capture key strokes and intercept audio streams, even when the dissidents are using encrypted email or voice communications such as Skype. The Italian company HackingTeam has sold software to security agencies in the Middle East and North Africa that bypasses Skype’s encryption and captures audio streams from a computer’s memory," the paper reads.
HackingTeam's only product is the Remote Control System, which according to its brochure "bypasses protection systems such as antivirus, antispyware and personal firewalls" and tracks emails, SMS-es, online activity and can even record skype calls or regular cellphone calls. The software is designed for police and intelligence services engaged in "digital investigations."
"We only sell RCS to 'authorized' countries, that is, we take into full account international recommendations about embargoes, civil liberties violations, treaties," David Vincenzetti from HackingTeam told this website. He refused to name the countries HackingTeam is selling its product to, citing "confidentiality". Vincenzetti said that they have some 30 customers in 20 countries "without any geographical concentration."
But this kind of response is exactly what MEPs are trying to avoid in the future.
"They always say it's confidential and act under the radar, so we can't share information about the situation on the ground. Currently reporting on dual use technology - which can be used both for tracking down wrong-doers and to repress citizens - is done after the export has taken place. And it depends on member states or companies to report if something went wrong," Schaake notes.
Instead, the European Parliament wants a more "pro-active system" so that when private companies are pressed to reveal private data or if their programmes are misused for surveillance and censorship of citizens, the EU could provide "political support", Schaake says.
"We have to increase the level of knowledge among politicians. There are standard lists of military technology banned for export during an embargo on a country. But this is not updated to include online weapons," she added.