Thursday, April 03, 2014

Surveillance: Following the money: How States are funding surveillance technologies

IFEX

2 April 2014
Privacy International

Surveillance companies selling mass and intrusive spy technologies to human rights-abusing governments often are benefitting from the financial and institutional support from their home government, revealing a more closely-linked relationship between the sector and the State than previously believed.

Recent revelations concerning the funding of Hacking Team's surveillance technology with public money highlights the role of states in funding the development of surveillance technologies and companies. This discovery was preceded by the discovery that the South African Government funded the development of the mass surveillance system Zebra, made by VASTech. And with State supporting of national business abroad, including the UK promoting cyber-security exports, we are seeing a variety of ways the state is enabling the commercial surveillance market.

Once pieced together, a disturbing trend begins to emerge from what initially looked like isolated instances. So while it is perfectly normal and widely encouraged that governments invest public funds into 'high tech' and 'high growth' sectors, there seems to be little consideration for the human rights impact that these technologies have in repressive states.

There appears to be at least three common tiers of State involvement in supporting the development of surveillance technologies. The first is direct State funding via a Ministry of Trade or Development budget, as part of an investment in a 'home-grown', high tech and high growth start up. The second is a more indirect funding mechanism where public money is invested through publicly owned companies, or through shares held in venture capital funds. And the third is the least direct, but also potentially the most worrying, where the State 'envelops' the industry as part of a wider defence industry, and heavily promotes this new technology sector as part of its national export policy.

Tier 1: Direct funding

When we discovered the South African Government has been investing in the high tech sector, it was startling to see the surveillance company VASTech amongst the list of recipients and was receiving millions in public funds. VASTech is well known for having supplied Libyan dictator Colonel Gadaffi with their Zebra surveillance system, which is capable of 'capturing' and archiving 30-40 million minutes of mobile and land line phones every month.

The government responded that the grants were simply awarded based on the applications put in front of them and they were unaware that it would be used for 'nefarious purposes', despite acknowledging that authorities knew the technology could be used for 'mass surveillance'. The government has responded that, if they were aware of Zebra being advertised as being capable of mass surveillance before a second round of funding in 2010, then "certainly this would have provided a different outcome from the adjudication panel".

What is most worrying, though, is that despite their acknowledgements of why VASTech's surveillance technologies are problematic, and admitting that if they had known more about Zebra they may not have funded it, VASTech continues to receive taxpayer money from the South African Department of Trade and Industry for another VASTech project, "NEXT".

The government reponses to PI's investigation, and its actual position and continued funding of VASTech are at odds with one another. The funding stream Zebra has not been completed yet, and it provides the South African Government the opportunity to review its funding mechanisms to take into account a more thorough due diligence process of the technologies, analysing the human rights impact and the potential for internal repression, alongside the technical capabilities of the technology put in front of them. They have indicated that in some way if they had been provided with further information a different decision would have been taken, so perhaps this will jolt them into instituting a more comprehensive and open awarding process, with a greater risk assessment of the products they pour public money into.

As we can see, different problems emerge when public money is awarded in this manner, especially when trying to promote high-tech or high-growth areas. Governments must be completely aware of what types of companies they encourage and the exact projects they invest taxpayers money into. When awarding direct funding for technology start ups, governmental panels in charge of selection absolutely must have the technical understanding about what exactly is being proposed and what the technologies are capable of. Though there seems to be a failure of proper due diligence in the case of VASTech, authorities giving out large portions of public money must perform sufficient due diligence on the companies, their technologies, and, crucially, the potential risk for human rights abuses or potential use for internal repression.

Tier 2: Arms length

While in some cases, a direct and obvious line can be drawn from public money to these companies, as with South Africa and VASTech, there are other cases where the use of public money is one or two steps removed.

It is a common and normalised practice of governments to invest or partner in venture capital funds or more traditional and wealthy oil or pension funds. Either through the serious weight of pension funds or through partnership with venture capital funds, governments attempt to diversify smaller investments to return a larger amount, and so often invest in high growth industries such as the technology sector.

Through a serious of arms length investments, the State can often give the appearance of placing distance between the more uncomfortable elements of potential clients, while still being able to profit from their growth. In some cases, public money is passed through an organisation specifically established to manage the investments of the governmental authorities.

As we have recently highlighted in the case of Hacking Team in Italy, the wealthy Region of Lombardy had long established 'Finlombarda', a public company that implements the regional economic and social programs on behalf of the regional government. They own 100% of the share capital of asset management company 'Finlombarda Gestioni', who alongside another venture capital fund (Innogest) have funded Hacking Team with at least €1.5 million.

Unlike the South African Government's claims of ignorance regarding VASTech, the same defence couldn't be made with Hacking Team. The Milan-based company are well known suppliers of intrusive surveillance systems, and their 'Remote Control System', a suite of customised spying technologies, is designed to target electronic devices and allow the purchaser to copy files from a computer's hard disk; record Skype calls, emails, and instant messages; and turn on a device's camera and microphone without the victim's knowledge. Hacking Team's brochures boast that the Remote Control System can "monitor a hundred thousand targets". A recent report published by the Citizen Lab, an interdisciplinary research institute based at the University of Toronto, has shown indications that Hacking Team's technology has been used in Azerbaijan, Egypt, Ethiopia, Kazakhstan, Malaysia, Nigeria, Oman, Saudi Arabia, Sudan, Turkey and Uzbekistan, amongst others.

How could public financing could go to a surveillance company that sells such invasive software, and has with a track record of their products being found in numerous repressive states? While we await from a response from Italian authorities, it is important to point out that countries in the past has taken action to ensure that public money is invested more seriously and ethically. In 2009, the Norwegian Council of Ethics recommended to the Ministry of Finance that the surveillance company Elbit Systems, which provides surveillance systems for the 700 km long barrier separating Israel and the West Bank, be excluded from their Pension Fund investments. After the Ministry of Finance agreed to the Council's recommendation and removed Elbit from the fund, Minister of Finance Kristin Halvorsen said "We do not wish to fund companies that so directly contribute to violations of international humanitarian law". Several other large pension funds including those from Norway, Sweden, and Denmark have also withdrawn their investments due to human rights concerns.

What these actions demonstrate is that a high bar can, and has been, set for what constitutes an appropriate funding of taxpayers money when it comes to the potential violation of human rights. States have the means and power to invest public money ethically, and human rights must always take precedence over higher returns. Impact assessments need to be considered by all public authorities when appropriating public money into investments.

Tier 3: A new defence sector

Stepping back from the finer details of government panels and venture capital funds, governments are also continuing to increase their efforts to promote and internationally market the trade and investment properties of their own booming 'cyber' industries.

The United Kingdom, in an attempt to grow and rebalance its economy after the 2007-8 Financial Crisis, is in the midst of trying to double its exports to £1 trillion by 2020 -- a strategy that draws heavily on security exports and 'cyber security' exports. The defence sector in the UK has traditionally been one of the world's largest and to this day, the UK Prime Minister issues a staunch defence of it's exports. Recently, he said "I will go on banging the drum for British exports, including defence exports. We had very good progress with the order from Oman, which will secure and safeguard jobs in his constituency".

The UK has shown particular strength in the cyber security market, reflecting its past dominance in the conventional defence industry and recognising the need to adapt and modernise to the fast paced change of modern technology. The international expertise of GCHQ and 'supply chain' of associated businesses have meant the UK market for cyber security is estimated to be worth approximately £2.8 billion, and the UK Government now believes that 'cyber security' exports now make up one in three of all sales coming out of the UK security sector.

This has led to a policy of proactively promoting UK cyber-security products. Last month, UK Trade and Investment - the department responsible for promoting British business and exports abroad - showcased location tracking manufacturer Creativity Software at a "Cyber and Information Security Showcase" event at the British embassy in Vienna, Austria. Creativity Software, which sell monitoring centres, and phone and location monitoring technology, made headlines in 2011 after it was reported that they had sold geo-location tracking software to Iran.

From a regional perspective, a worrying and accelerating trend is the continual expansion of the EU's Framework Programme for Research (FP7 being the most recent) into 'homeland security' or surveillance themed areas. The surveillance aspect of EU funding increased in line with a greater focus on border controls, biometrics, and irregular migration, especially relating to FRONTEX and the scope of their work. However, the sphere of funding has shifted noticeably towards monitoring of digital communications, facial recognition, "predictive reasoning in urban environments", or "sharing, exploitation and analysis of open and private information sources". Security and intelligence researcher Dr. Ben Hayes has coined the growth of the EU Security-Industrial complex as a "NeoConOpticon".

While technology that defends systems and networks is to be welcomed, the conflation of these with surveillance and law enforcement equipment is not.

Another example of fusing government promotion of trade and the surveillance industry occurred in 2013 when the Indonesian Military (TNI) purchased £4.2 million of "sophisticated wiretapping devices" from UK based Gamma TSE (a subsidiary of Gamma International) for the TNI's "Strategic Intelligence Agency" (BAIS). This raised concerns even amongst domestic legislators as well as national and international human rights defenders due to the potential for the TNI to "overstep its bounds". The concerns relate to not only the widely criticised and continuing poor human rights records of the Indonesian security forces - the timing of the purchases raises serious concerns regarding the scheduling of both Presidential and legislative elections in mid 2014, and the previous behaviour of the security forces in violent crackdowns on political dissent and free speech. This 'upgrading' of the equipment and the human rights concerns of providing such a military with these tools was even recently raised in the UK Parliament.

This worrying development was only made possible due to the underwriting of the purchase by the UK Government via their provision of export credit guarantees to the Indonesian military. In essence, if the Indonesian Government fails to pay Gamma TSE, the UK Government and therefore the UK taxpayer is left with the bill. This export and the simultaneous supporting of the surveillance industry via the provision of government backed export credit guarantees is further evidence of the problematic development in the enveloping of the surveillance technology industry by the wider defence export sector of national governments.

More investigation needed

The more that we look into the financing of surveillance companies, the more these types of stories come out. It is likely that more surveillance technology companies receive state funding through direct provisions in departmental budgets, indirect funding through publicly owned venture capital funds, or state sponsored industry support through wider trade and export policies.

Companies must be held to account not only for the technologies they sell, but how they receive their money. And pressure must be placed on States who use public finances that prop up this industry and allow it to proliferate throughout the world. As the industry matures, the links between public money and the development of surveillance technologies are aspects that will need to be watched closely.