Media: Europe’s spy technology expertise throws up awkward questions - Financial Times

Chris Bryant, Financial Times, 01.07.2013 Europe’s politicians are outraged about alleged US monitoring of EU telephone and computer communications. But when it comes to building and exporting spy equipment, few are as capable as Europe. That much was evident last month when the world’s leading sellers of electronic surveillance technology gathered in Prague at the ISS world trade show. Police and spy agency officials listened to closed-door presentations by a succession of European companies about their highly sophisticated internet and telephone communication interception wares. Hacking Team, a Milan-based maker of eavesdropping software, demonstrated in Prague its remotely-controlled spyware that can tap encrypted communications, Skype calls and instant messenger chats. The system also has audio and video capability, which allows police to spy using the target’s own webcam. Munich-based Trovicor schooled agents on its “cell-based monitoring solution” to handle mass recordings while Gamma International, a UK-German company, demonstrated its controversial “FinFisher” spyware tool for remotely monitoring mobile phone communications. At a time when European countries are loudly condemning the US and UK’s spying activities, Europe’s spy technology expertise is a potential source of embarrassment. Privacy activists and politicians fear that, if left unregulated, sales of European surveillance technology could infringe on human rights overseas, as well as damaging the cyber security of people in Europe. Marietje Schaake, a Dutch MEP who has campaigned for better export controls of surveillance technology, says: “We in the EU must ensure we practise what we preach.” Almost all countries have rules requiring telecommunications companies to build in a way functionality that enables law enforcement to monitor electronic communications, subject to a warrant. This statutory right is known in the business as “lawful interception”. “There is essentially no form of digital communication that law enforcement cannot have access to,” says Malte Pohlmann, chief executive of Ultimaco Safeware, another provider of lawful interception systems. The US has by far the biggest national budget for surveillance technology but it tends to buy large bespoke surveillance systems from big US contractors. US tech start-ups often receive NSA/CIA funding and are therefore discouraged from selling overseas, says Jerry Lucas, organiser of the Prague trade show.
We say: here are the tech products. What countries do with the technology they buy, that’s up to them to decide. We can’t police that- Jerry Lucas, organiser of ISS world trade show
This means that more than 50 per cent of the almost $6bn a year market for off-the-shelf surveillance equipment – the kind favoured by nearly all governments except the US – is controlled by western European companies, according to Mr Lucas. “It’s not helpful to say that all surveillance is bad – think about how it can be used to deal with child porn, organised crime or terrorism,” said a European vendor who declined to be identified. “I think every society has the right to defend itself.” Lawful interception becomes controversial when governments use it as a tool to commit crime rather than fight it. “In countries with no regulation, interception can be used by governments to secure power by spying on its citizens, not to prevent crime but to control behaviour,” Frost & Sullivan, the consultancy, noted in a 2011 study. When protesters stormed security service headquarters during the Arab Spring uprisings, they often found that secret police had purchased European surveillance technology to monitor protesters. Amesys, a French company formerly owned by Bull Group sold its Eagle internet analysis software to Colonel Gaddafi’s Libya in 2007 and was sued by the International Federation for Human Rights (FIDH) for alleged complicity in torture. The claim is being contested. Bull last year divested the unit and explained it signed the Libya contract during a period of Libyan rapprochement with the west. Bull says its business dealings complied rigorously with requirements set out in international, European and French conventions and firmly denies complicity to torture. In spite of these problems Mr Lucas says business is booming: “The public relations issues has not hurt the industry. It has created more demand for products!” he says. Mr Lucas does not allow attendees from Iran, North Korea or Syria at his trade shows but otherwise he claims ethical concerns are “not our responsibility”. “We say: here are the tech products. What countries do with the technology they buy, that’s up to them to decide. We can’t police that.” Hacking Team does not sell to countries blacklisted by international organisations such as the European Union, Nato and the US. In addition, an independent external board takes potential human rights issues into account before approving a sale. “There have been instances when we have said no, if we just don’t like something about a situation in a country,” says Eric Rabe, spokesman for Hacking Team. Gamma and Trovicor declined interview requests. Europe and the US block the sale of surveillance technology to Syria and Iran but activists say the export restrictions do not go nearly far enough. Eric King, head of research at Privacy International, says: “Lawful interception can only happen when there is the rule of law. [The export of] arms, weapons, bulletproof vests – even flares – are controlled. But surveillance equipment is not. And in the wrong hands this technology is just a dangerous,” he says. “No government has taken anywhere close to the steps required to control it.” The European parliament in October endorsed a proposal by Ms Schaake that would oblige EU companies to ask for export authorisation if they have reason to believe the export might infringe upon human rights or EU strategic interests. However, it has not yet become law. The German government says it is open to an expansion of the so-called Wassenaar Arrangement, an international export control regime, to better control dual-use surveillance technology. The difficulty, it says, is precisely defining the various technologies that should be subject to controls, particularly given the speed of technical advances and various potential uses of some technologies. But apart from Ms Schaake, few European politicians appear to have recognised that the continent’s prolific export of surveillance technology also poses a direct threat to the continent’s security. In fact, it was James Clapper, US director of national intelligence, who told the US Senate in March that foreign governments had begun using surveillance technologies originally marketed for “lawful interception” to target US systems. Christopher Soghoian, a security and privacy researcher at the American Civil Liberties Union at the ACLU, concludes: “It seems strange to turn a blind eye to selling hacking technology when European governments are at the same time investing in cyber security defence. “The government claims to be protecting civilians’ data and domestic businesses from foreign attack. But at the exact same time this industry is in direct conflict with that goal.”