Cyber Surveillance Technology, Unchecked – Can the Global Export Control Regime be a Stabiliser?

4th December 2020 Dr. Heejin Kim

The proliferation and abuse of cyber surveillance technology is a global policy problem. Such a global problem requires a set of solutions derived from and coordinated through international, regional and domestic policy-making realms. Cyber surveillance technology allows users such as intelligence and law enforcement authorities to surreptitiously monitor, exploit and analyse data that is stored, processed and transferred through information and communications technology (ICT). While there is no generally agreed definition, the term is understood as encompassing not only the finished products of equipment and software, but also the provision of expertise required to create and develop these items and facilitate their implementation. The danger lies in unregulated surveillance technology being sold to countries with dubious human rights records and weak(er) rule of law, as recognised by concerned human rights groups and journalists across the world.

Governmental use of cyber surveillance technology is not new and is not the only strategy adopted by autocrats and public officials with repressive motives. In the face of rapid technological development and diversification of internet-based communication tools used in our daily lives, government authorities have questioned the viability of traditional intelligence gathering and interception methods, many of which are incapable of meeting new challenges arising from dramatic technological changes. Notably, states are increasingly interested in equipping themselves with ICT-powered surveillance tools that provide direct access to communications data. They heavily rely on the private sector in obtaining and developing those tools. The surveillance industry has thus become a burgeoning industry. A complex web of Western companies in North America and Europe dominated the industry in its infancy, but a group of Chinese firms is now on the rise.

There are various types of surveillance goods and technologies, ranging from tools that are commercially available for private users to more sophisticated products exclusively marketed to government agencies. The Surveillance Industry Index (SII) offers a publicly accessible database on the surveillance sector. Based on the analysis of more than 1500 product brochures published by commercial surveillance companies, the SII identifies eleven categories of surveillance technologies: internet monitoring, phone monitoring, location monitoring, analysis (mapping out relationships between monitored users and finding patterns within data), intrusion, monitoring centre, biometrics, audio, video, counter surveillance and miscellaneous equipment. A single product may fall into multiple categories. While this article is not the proper forum to discuss specific surveillance techniques in detail, some examples help illustrate what commercial surveillance products can do in practice.

The troubling connection between commercial surveillance companies and authoritarian governments with mass surveillance programs was first revealed in the context of the so-called “Arab Spring” in the early 2010s. ICT-powered surveillance tools developed and marketed by private companies were employed to monitor and track down political opponents, human rights campaigners and journalists. There are many cases that show how cyber surveillance technology can be used in connection with the violations of citizens’ rights to privacy and freedom of expression and political association. In many of these instances, illicitly obtained information of targeted individuals was used to subsequently detain and/or torture them. The Egyptian case involving UK-based Gamma International and its subsidiary Finfisher is one example. The use of network surveillance technology has also been widespread. Some well-established cases involve network surveillance systems marketed, installed and maintained by Amesys in Libya, Blue Coat in Iran and Syria, Sandvine in Egypt, and Trovicor in Bahrain over the last decade. Troublingly, these companies are headquartered in a number of liberal democracies, including France, the United States, Canada and Germany respectively. State-led surveillance programs now operate across a broader range of countries. New industry actors and products have been proliferating across the sector.

Questions arise as to how to control the sale and distribution of ICT-powered surveillance tools to places where the implementation of such technology by state actors could lead to serious human rights violations. In the highly commercialised surveillance market, one cannot expect that private companies would exercise a sufficient degree of self-regulatory end-use(r) assessment to prevent abuse of their products in the importing countries. Against this difficulty in regulating cyber surveillance technology, a group of states have made efforts to tackle the issue at a multilateral forum where they can adopt common rules designed to address multifaceted uses of this technology and coordinate their regulatory stance. One of the most significant strategies has been the use of export control mechanisms aimed at restricting the supply side of surveillance products. Currently, the only multilateral agreement that provides a legal framework for that purpose is the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“the Wassenaar Arrangement”).

Originating from the Coordinating Committee for the Control of Multinational Export Controls (COCOM), an institutional mechanism to prohibit transfers of arms and nuclear-related items to the Soviet bloc during the Cold War, the Wassenaar Arrangement sets out an extensive list of controlled dual-use items agreed among a geographically diverse group of 42 countries. Members include Argentina, Australia, Canada, India, Japan, Mexico, South Africa, South Korea, the United States, most EU members and Russia. The vast majority of top suppliers in the surveillance sector are based in Wassenaar states. Since 2012, they have gradually extended the scope of the Arrangement to regulate certain types of surveillance products. Initially, this amendment was a collective response to growing criticisms about the repressive use of cyber surveillance during the so-called “Arab Spring” movement. Despite the good will of various policymakers and human rights groups working for the Arrangement’s success, domestic implementation of Wassenaar measures for surveillance products has not been particularly successful. Using such global control regimes to restrict the use and spread of cyber surveillance technology has been met with strong opposition from technology companies and governments with different ideas. It remains to be seen how the current movement to mobilise the Wassenaar Arrangement and other related regional (most prominently the EU setting) and domestic export control mechanisms will overcome these challenges and work towards the proper regulation of cyber surveillance technology.