When young people took to the streets in Iran in 2009, asking “where is my vote?”, student leaders, bloggers and activists were traced to their homes, arrested and tortured. The world was outraged at the cruelty the Islamic Republic used to stifle critics. These young people should be able to enjoy their universal human rights. And the European Union (EU) should be an unequivocal ally to them.
But we quickly learned that the technology used for surveillance and repression was made in the EU, and actively assisted in the crackdowns. This was unacceptable, and in the European Parliament we began to push for updated laws that take into consideration how surveillance systems get smaller, faster and cheaper every day.
Until now, any country with the funds could buy sophisticated cyber surveillance systems. We demand much stricter controls on this trade, and that the human rights record of a country be checked before a licence is granted.
Year after year, more evidence emerged that EU member states approved exports of various surveillance technologies to countries with terrible human rights records. Three years ago, the client list of an Italian hacking company that was itself hacked was made public.
Contracts indicated cyber surveillance products were specifically marketed and sold to countries such as Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Russia, Saudi Arabia, the UAE and Uzbekistan. None of these rank highly in their respect for the rights of their people.
The long-overdue update to the export controls of dual-use items was finally approved by the European Parliament in January. When implemented, the new measures will create extra checks before European companies that export cyber surveillance technologies to authoritarian regimes get a green light.
Some critics have argued that the new measures are impossible to implement. But this is not the first time EU legislation has prohibited trade in items that are used to violate human rights. The EU recently updated its legislation to restrict the trade in tools used for torture and applying the death penalty.
Similarly, the EU banned the import of minerals from conflict zones, to prevent a trade that finances and prolongs human rights abuses. Many companies already employ hundreds of compliance officers to ensure they export within the framework of the law.
We made the updated controls as targeted as possible, and sought to avoid any unintended negative security consequences. That is why the European Parliament amended the definition of cyber surveillance items to be covered by the regulation.
By introducing new safeguards that exclude network and ICT security research from the scope, and clarifying the definitions of cyber surveillance and intrusion software, we aim to ensure that no legitimate security researcher is targeted by the reformed export control regime. Cross-border sharing activities around vulnerability disclosure and security incident response should not require an export control licence. If anything, cyber security needs to be strengthened.
We therefore want to have broad licence exceptions for encryption in the short term, and remove items containing cryptography from the control lists altogether in the long term. In the 21st century, it does not make sense to control the export of encryption products. Encryption is a key means to ensure that citizens, businesses and governments can protect their data against criminals and other malicious actors.
The goal of this reform process is simple: to strengthen the protection of people’s rights, including online. For this to work we need to strengthen the controls and prevent the export of items that are designed, marketed and sold for repression. Similarly, we need to foster the use of encryption, and the work of security researchers. Repressive regimes do not deserve the help of our advanced surveillance market to find, arrest and torture people just because they exercise their universal human rights.