We are grateful to the John D. and Catherine T. MacArthur Foundation for their support of the Citizen Lab’s work on the commercial surveillance market, and for their recognition of the importance of independent research in furthering human rights worldwide.
What to do about the growing “Digital Arms” market? The spread of technologies like mobile phones and social networks has enabled corporations and governments to eavesdrop on a mass scale. To meet the demand for surveillance tools, a range of companies now sell surveillance backdoors and vulnerabilities marketed as “lawful intercept” software. The term rests on the assertion that, when sold to government purchasers, surveillance malware and 0-day exploits have the same status as the statutorily mandated (and regulated) “lawful intercept” functionality built into telecommunications equipment. The label is better viewed as an attempt to brand unregulated products than as a term of art. The industry is growing and is currently estimated to be worth at least US$5 billion.1 While these products and services have historically been developed largely in Western nations such as the US, they are sold throughout the world with few restrictions. Human rights activists and privacy advocates worldwide have called for greater regulation, as some of these products have ended up in the hands of governments with poor human rights records, including Bahrain, the United Arab Emirates, and Vietnam.
A research and advocacy community is emerging that is investigating and raising awareness around the proliferation of such dual-use technologies. The Citizen Lab has been actively conducting research in this area for several years with projects led by numerous people, including Citizen Lab researchers and fellows Morgan Marquis-Boire, Bill Marczak, John Scott-Railton, Sarah McKune, Jakub Dalek, Seth Hardy, Greg Wiseman, and independent researchers Claudio Guarnieri and Collin Anderson. These efforts join those of other individuals and organizations like Privacy International, the Electronic Frontier Foundation, and many others.
FinFisher, the most notorious of these tools, is a network intrusion suite marketed and sold exclusively to law enforcement and intelligence agencies by Gamma TSE, part of UK-based Gamma Group. FinSpy, a component of the FinFisher suite, can intercept email, instant messaging and VoIP communications, spy on users through their webcams and microphones, and transmit the captured data to a command-and-control (C2) server. In August 2012, after several preliminary reports, Marquis-Boire, Marczak, Scott-Railton, and Guarnieri fingerprinted FinSpy’s distinctive C2 protocol and scanned the Internet for servers that matched it. This investigation identified FinSpy C2 servers in a total of 36 countries, some of them governed by authoritarian regimes.2 We found evidence of FinFisher being used against Bahraini human rights activists, against opposition political groups in Ethiopia, and in Malaysia during the 2013 elections. In addition, we exposed the use of commercial surveillance malware developed by the Italy-based company Hacking Team to target a dissident in the United Arab Emirates.3
Working with our Cyber Stewards Network partners,4 our research has informed advocacy efforts worldwide. For example, following the discovery of FinFisher C2 servers on the networks of two Mexican ISPs, Renata Avila and a number of Mexican activists lobbied the Mexican government to investigate how FinFisher is deployed in the country.5 As a result, both Mexico’s Senate and Congress approved a resolution directing the country’s privacy authority, the Instituto Federal de Acceso a la Información y Protección de Datos, to open an investigation.6 Additionally, the Pakistani advocacy group Bytes for All filed a petition with the Lahore High Court regarding the presence of FinFisher C2 servers in the country, as indicated by our findings.7 The first hearing resulted in a court order directing the Pakistan Telecommunication Authority to launch an investigation. The case is ongoing.8
Citizen Lab has also published a series of reports on Blue Coat Systems, a California-based manufacturer of networking technology that can be used to monitor Internet usage and to block websites by address, by keyword, or by the content they carry. Blue Coat products are used legitimately across the global Internet to manage network traffic, but our research found that they are also used by repressive governments to block politically sensitive websites. In Syria, our researchers identified Blue Coat ProxySG and PacketShaper devices in the regime’s network filtering and monitoring apparatus. Following publication of our report,9 Blue Coat Systems announced that it would no longer provide “support, updates, or other services” to software located in Syria. The US government also acted on the evidence: Computerlinks FZCO, a Middle East distributor working with Blue Coat Systems, was fined US$2.8 million for purchasing Blue Coat products and exporting them to Syria without a license.
Many have called for greater regulation of the market for surveillance equipment, both through unilateral export controls and through multilateral coordination. Partly in response to this effective pressure, the 41 member states of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies moved towards regulating the industry.10 The Arrangement calls on participating states to share information voluntarily and to notify one another of export activity involving items on its two control lists. The Munitions List covers weapons and items such as tanks and other armed military vehicles, combat vessels, and aircraft, while the List of Dual-Use Goods and Technologies covers products and technologies normally used for civilian purposes that may also have military applications, such as stealth materials and advanced radar.11 Recognizing that surveillance tools and systems may, under certain conditions, threaten international security and stability, the member states agreed in December 2013 to add two new categories of surveillance systems, “intrusion software” and “IP network surveillance systems”, to the Dual-Use control list.12
Several issues linger around the amendments to the Wassenaar Arrangement. Marietje Schaake, a Member of the European Parliament who has consistently lobbied for dual-use legislation to be amended to cover intrusion tools, criticized the language as lacking precision and “open for interpretation.”13 Moreover, the proposed export controls may hamper the study of surveillance tools. Privacy International has warned of the risk of overreach: unless proper safeguards are implemented, such controls could limit security researchers’ ability to conduct investigations.14 While the Wassenaar Arrangement clarifies that “controls do not apply to…‘basic scientific research’”, it is unclear whether this exemption covers penetration testing or the other research methods employed by information security professionals, such as the C2 fingerprinting and Internet scanning described above.
Whatever one believes about the merits or effectiveness of regulating the commercial surveillance market, one thing is clear: policy making on complex technological issues requires careful, evidence-based research. In this case, the research community, including Citizen Lab, played an important role in documenting the scope and scale of the global proliferation of these technologies, and their capabilities. Without this type of research, legal and other forms of advocacy would lack the material evidence from which to build cases and push for reforms, and much of the surveillance industry would remain hidden in the shadows. Yet research of this type requires not only knowledge, skill and ingenuity, but also equipment, capabilities, and resources.
As the commercial surveillance industry grows, so too must the bridges between research, policy, and advocacy communities. We must work together to ensure that the expansion of these technologies and markets is tracked with transparency, appropriate regulation, and the rule of law.