- Global Voices Advocacy - https://advox.globalvoices.org -

The Arms Race Over The Internet Rages Onward – part 1

Categories: Activism, Advocacy, Internet governance, Regulation

In biology (which is my academic background), we use a very picturesque and accurate image to illustrate the arms race between a parasite and its host: the Red Queen's hypothesis [1]. What is referred to here is the little advice the Red Queen gives to Alice*:

It takes all the running you can do, to keep in the same place.

This translates into the observation that, in a system of two interacting entities with opposite interests, each of them will intend to counter-act the other and will get into a bidding dynamics to achieve more and more sophisticated ways to fight and/or circumvent the opposite part's attacks. This description of a trench welfare competition applies very well to the one between two political entities (remember the Cold War…), or between a repressive government and its citizens struggling for freedom.

With this respect, getting ‘behind enemy lines’ is a serious advantage. Happily, 2011's Chaos Computer Congress (CCC) was on his 28th edition named “Behind Enemy Lines”. The 28C3, as it is called for shortness, was thus constituted by a myriad of talks and workshops discussing what is to be behind enemy lines. To put it clearly, this idiom is quite ambiguous: for repressive governments, the freedom fighters are the enemy, and vice and versa.

Chaos radar, CC-by 2.0, photo by johnflan [2]

Chaos radar, CC-by 2.0, photo by johnflan

The Congress opened with a keynote from Evgeny Morozov [3]. I'd like to spend some time on this presentation, for a certain number of reasons. First, I was curious to know how Morozov would approach the topic of internet and freedom given his book “The Net Delusion”. In it, he harshly criticised what he referred to as a “cyber-utopian” movement that believes that – to put it bluntly – technology is the solution of every social and political issue. Morozov actually would have aimed at arguing that technology is not necessarily good, that it can very well be used to surveil and enslave as well as to liberate and empower, but this idea seemed discredited by all the “cyber-utopian” attack**.

That is why I was curious to attend this talk and see where it was going, what the angle of attack on technology in general and the internet in particular was to be. In the really tech-savvy atmosphere of the CCC, with all the Arab Revolutions as a background of 2011, with all the whistle-blowing around Western companies providing spying technology to dictatorships and with respect to the ‘behind enemy lines’ leitmotiv, it was a really interesting how Morozov would address the “marriage from Hell” [4]: this “secret love affair between dictators and Western technology companies”.

To be honest, it was an insightful and tempered summary. So, as Morozov puts it, the suspicions about cooperation between democratic and tyrannical governments are not new, but they had very often been rejected as conspiracy theory compliant feud because of a lack of robust proofs. Well, this year saw a turning point: some documents were actually discovered which clearly showed that technology companies were selling spying materials to oppressive governments. This transformed the idea of some abstract technology probably used by dictators into a concrete list of (mostly) Western corporations providing them with surveillance and censorship gear. And precisely because of these official proofs, the mainstream media picked the piece and began digging into.

I'll skip here the – unfortunately and infuriatingly – long list of companies developing surveillance and censorship technology and their respective clients. There is another question that stems from immediately: how to regulate this business activity, how to prevent these companies from selling that gear? Well, the first approach Morozov addressed was: “why not banning them?”. The answer he brought: bans are efficient if global, but it is extremely difficult to implement such policies and, more importantly, ensure they work well. As an illustration, you may think about the US trade embargo on Syria [5], that prohibits exports other than food and medicine. And still, BlueCoat, a US-based company, continuously sells surveillance and censorship technology to Syria. In the same time, EU-based companies such as Area S.P.A. (Italy), Utimaco Safeware AG (Germany), Qosmos (France) among others are not subjected to legal questioning when selling this kind of technology to Syria. Some of you may still raise an objection that the EU banned arms sales to Syria [6] as a sanction (May 2011): yes, but the latter does not include surveillance gear.

Ok, let's assume for a moment that now, these legal flaws are obvious and supranational legislators from the US and the EU would decide to work on a coherent set of regulatory rules. This is just a hypothesis that may very well not be validated, right, but even if it came to be, it still doesn't handle the other countries. Because there are many more countries in the world than the US and the 27 EU member states. As Morozov aptly invoked it, a recent article in the Washington Post told about a surveillance technology companies fair and estimated the participants to a total of 43 countries. So, what happens if a US/EU-based company sells its gear to, say, Moldova or South Sudan?*** And no, it is not a typo: the 5-month old country of South Sudan is already on the market for surveillance technology…

I am not sure whether it is extremely useful to get into details of how difficult implementing sanction policies actually is. Either their scope is too broad, in which case governments mostly get away; and on the top of it, these policies go overboard and harm citizens in their banal everyday use of the internet as an edge effect. Thus, various Syrian governmental sites are hosted in the US or Canada, but it has already happened for instance that ordinary citizens are unable to buy Skype credits… Or, conversely, the scope of the sanctions can be narrow, which generally ends up being ineffective since governments can set up a great number of shell companies.

Does all this mean there is no solution? Of course, not. Morozov talked about the “know-your-customer” rule, which is coherent with the EFF's proposal for companies [7] to monitor their customers for possible human rights abuses. He observed that we could learn from other (controversial) industries: it is thus probably easier to buy surveillance technology from a US company than to open a bank account in the US (because these banks have been prompted to thoroughly check out their clients, which does not respect customers’ privacy and is a kind of additional surveillance). Similarly, EFF's proposal builds a framework of a recommended way to go: technology companies must investigate who their potential customer is, both prior to and after the sale, and stop transactions if concerns arise that the technology is used in activities that violate human rights. With respect to reality, however, this corporations’ self-restrain resembles more a point from a wishlist rather than an actual regulation…

We could think of another, directly related, question: Morozov asks how much of the regulation should/could be delegated to technology. In other words, is fighting fire with fire a reasonable way to go? He cites two examples: kill switches and Websense. In the former case, we can think of the viability of remote kill switches and thus, a refusal to run updates may be implemented based on location. In the latter case, Websense periodically monitors where their technology is used: they declare 40,000 customers worldwide and claim that if they were to be used in Syria, they would switch off. This all brings us to the remark: how easy is it to defend fighting surveillance with more surveillance?

And even though some dictators were toppled, it is “too soon to call for victory in the Middle East”, warned Morozov. In Lybia, for instance, the current transitional government ordered the ban of porn sites whereas they were authorized under the Gaddafi regime. Despite a greater transparency regarding censorship in Tunisia, deep packet inspection (DPI) is still widely in use. Last but not least, SCAF – the Egyptian almighty military junta – has been arresting and subjecting to military trials individual bloggers, some of whom are sentenced and still imprisoned.

Morozov expanded this global overview at this point including Eastern European countries such as Russia, Belarus and Moldova as well as China. He pointed out to some recent developments from the CSTO side [8]. The Collective Security Treaty Organization, or CSTO, “a sort of a NATO block of countries from the former Soviet Union” as Morozov defined it, apparently got scared from the Arab Revolutions and would like to do all its best to prevent similar uprisings from happening on the territory of its member states (namely, Russia, Armenia, Belarus, Kazhakstan, Kyrgyzstan, Tajikistan and Uzbekistan). Morozov thus highlighted the commitment of the CSTO to sign the “list of steps aimed at securing the cyberspace of the member states“. Moreover, reported Morozov, CSTO's Secretary General Nikolay Bordyuzha declared that the point of the document is “to prevent the usage of modern information technologies for destabilization of the situation in the CSTO member states… The work on information counter-action is one of the priorities of the CSTO's activity”. Even though we haven't noticed these countries actively buying surveillance gear so far, this quite clear statement suggests that they may be its new customers soon.

#28C3 in Lego, CC-by-NC-SA 2.0, photo by dajmonpills [9]

#28C3 in Lego, CC-by-NC-SA 2.0, photo by dajmonpills

As aforementioned, Morozov talked about another disturbing development: China's involvement in the spread of cheap technology. He showed a picture from Huawei's implantation in Africa as it used to be in 2006 [10]. I was unable to find an update of this map on Huawei's website, so I went through their publicly available documentation [11]

Since entering the market in 1997, Huawei has established four regional headquarters, 20 representative offices, two R&D centers and six training centers across Africa. Huawei's fixed assets investment in Africa over the past decade has exceeded USD 1.5 billion.

As of January 2009, Huawei has more than 4,000 employees in Africa, 60% of whom are locally recruited.

The outcome is quite straightforward: according to the 2006 data, there were 14 representative offices within the African continent. Above, Huawei reports a total of 20 representative offices, which suggests an increase of 50% for the time frame 2006-2009. Additionally, they report 2,000 employees in Africa in 2006 and (at least) the double in 2009 which is a 100% increase within 3 years.

This seems to be insufficient to the Chinese giant, as appears from Morozov's talk. Indeed, he told about the $9.5-million aid that China supplies to Moldova that is aimed to economical and technological development. The latter includes video-surveillance, allegedly for traffic regulation. For some reason thus, Moldova benefits from the benevolence of the Chinese government, and gets millions of dollars of financial aid and video-surveillance technology for free. As Morozov pinpoints it, this gear may also reveal very useful to identify people in cases of protests, as for instance these happening in 2009.

China is also extremely careful about the efficient “traffic management, long-distance education and local security” in Belarus. Thus, video-surveillance technology is also provided although the extent to which this is subsidised by the Chinese government remains unknown. Lastly, it is unclear how much this material is used for political monitoring…

A puzzling phenomenon that Morozov briefly discussed is the increasing number of Western academics who receive funding from the Chinese government to set up NGOs and hire people to label and annotate street surveillance images. The example here is with The Lotus Hill Institute [12] created in 2005 by an UCLA scholar with funding from the Chinese government. But why does academia enter in this field? Well, technologies for automated facial recognition, data mining, etc. require huge academic expertise. Thus, both universities and governments are eager to invest into, without necessarily taking into serious account the geopolitical implications of these activities.

Towards the end of his keynote, Morozov argues that the point we should very seriously consider is the link between the spread of surveillance gear and the domestic surveillance debate in democratic countries. Indeed, these technologies have not been specifically created for the Middle East, but rather for home surveillance. In other words, building specifically tailored tools for surveillance in democracies has further implications as these reach other countries. He pointed to a very thought-provoking opinion letter by Tatiana Lucas [13], World Program Director at Intelligence Support Systems (ISS) that “encapsulates this debate really well”. This piece was in response to a priorly published article by the Wall Street Journal [14] on “a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001”. Mrs Lucas writes that such articles as the latter will have a negative effect on the job market in the US and claims the following:

We are concerned that the article and others like it contribute to an atmosphere where Congress isn't likely to pass an updated lawful-interception law. The law would require social-networking companies to deploy special features to support law enforcement. Without the update, the opportunity for U.S. companies to develop and launch intercept products domestically for eventual export will be greatly curtailed.

As Morozov summarized it, this particular paragraph made the following points: first, “if dictators need help in suppressing democratic uprisings, we are here to help”. Second, since such media coverage might give a negative image to this particular domain, the chances this has an alleviating effect of the job creation appears real and worse: “our dictator-helping jobs are going to China!”. And last but not least, the third statement is that the US needs of law enforcement policies are the major driver of this surveillance market. Morozov continued by encouraging us to “attack and ridicule” these “we-are-here-to-help” arguments.

This was a logical and smooth transition to what Morozov referred to at “the most important bit”, namely: “getting foreign policy right”. The focus on technology and sanctions shouldn't prevent us directing the pressure on the foreign policy debate into the right direction. In other words, we should contribute to broad the current debate: for instance, it is quite fashionable to speak ill of Iran since it is a widely known black sheep, but in the same time Saudi Arabia is a very good friend of Western countries. Similarly, there are serious reasons to believe that Gaddafi bought surveillance and censorship technology from the French company Amesys while visiting the then-newly elected president Sarkozy back in 2007, when Gaddafi was considered as an ally…

Thus, the future challenges are not only to focus on the easy target that is Iran, but to engage into a broader debate. For instance, Washington approved a $60-billion arms deal with Saudi Arabia in 2010 and in 2009 EADS (the European Agency of Defense and Security) proudly announced [15] that they became the prime contractor in a huge deal aiming to ensure the security of the totality of the Saudian frontiers… Moreover, a $53-million arms sale to Bahrain is currently under consideration in the White House while deadly crackdown on protestors is ongoing.

What can we do for this? As activists and citizens, we can engage into civil surveillance of the surveillance technology and system:


Here ends part 1 of my walk around ‘enemy lines’. To be continued with part 2 that will tell about “How Governments Have Tried To Block Tor”…

* Carroll, Lewis (1960, reprinted 1998). “2 The Garden of Live Flowers”. Through the Looking-Glass and What Alice Found There
** The Guardian published a long review from Cory Doctorow [18] where he dismantles a whole bunch of points and I really recommend you (re)reading it.
*** It is exactly what happened: BlueCoat claimed to have sold its products to a distributor in the UAE, allegedly to be shipped to Iraq, so they somehow ignore how the technology ended up in Syria…