
Thanks for sending this through, Aaron.

At the same time I was reading this Bloomberg piece, I received an email from my colleague saying that the residential neighborhoods of Homs (Syria) were being raided at 3am that morning by death squads, who were "targeting houses searching for activists." One can only imagine how better informed the death squads will be about the identity and location of activists once the new Syrian surveillance regime is properly activated.

This most recent report of 4 western technology companies (*Area SpA, NetApp Inc., Qosmos SA and Utimaco Safeware AG*) selling their goods and services directly and/or indirectly to the Syrian regime is clearly a life and death matter. We are told it's only a matter of weeks till they flick the 'on' switch.

It demonstrates a number of issues, including:

- *Surveillance is about systems.* What we see being developed in Syria (and previously in Tunisia, Egypt and others) is an intricate ecosystem of companies, each of which provides a component, and each reliant upon each other to enable the entire surveillance capability to properly operate. I'd argue that each company is therefore responsible (to a lesser or greater degree) for the whole.

- *Surveillance is not a helicopter operation.* It is an endeavor that requires upgrades, tech support, loading of new rules to detect new malware/viruses, training and ongoing implementation. That is, we are not just talking about the sale of a product, we are also talking about Western companies providing ongoing services to regimes in order to make the surveillance, storage and tracking of opponents more effective.

- *Liability is attached to the technology.* Laws need to move on from the current 'dump and devolve' approach. Having sold off its surveillance business to another company (Trovicor) following its sale of equipment to the Iranian regime, Nokia Siemens clearly believes it's no longer responsible for the technology or its impacts (including the documented detention and torture of activists). It's like building a cluster bomb, and then pretending that it has nothing to do with you when it detonates.

- *The detail is in the sales agreements.* Doing business with regimes, like any other customer, requires formal negotiation and contractual arrangements - as seen with Qosmos and Area in Syria. Is there a good reason why suppliers of dual-use technology shouldn't include clauses in such agreements which enable a seller to rescind the contract without damages if the product is used to abuse people's basic rights? Western governments should create a no-damages environment so that companies can no longer argue that they can't extract themselves from a contract when human rights intelligence becomes available.

- *Technology platforms should include a kill switch.* High risk technology should include a set of enabling keys that are required by the operator to enable the use of that technology. The technology company should retain control of the keys, which can be switched off from 'home base' if it becomes clear that a technology is being used or re-sold to breach users' rights. Such technologies should include automated usage reports sent back to the producer that give the company aggregated knowledge of how their product is being used.

Again, this case demonstrates that the sale of technology to regimes is not an isolated incident. Regimes have very few domestic or indigenous suppliers. Instead, they are almost entirely reliant on western companies to supply them. It is true that certain Western developed technologies have legitimate purpose to stop spam or malware, which is why it's difficult to ban such technology. But clearly self regulation is not sufficient.

We need a government and inter-government regulatory environment - that includes export licenses, a presumption against granting such licenses for dual use technologies, and ongoing impact assessments before and if such technology is sold. The European Parliament's resolution from last month is a step in the right direction though it needs to broaden the concept of dual use technology, provide for ex ante controls and enable pan-Europe enforcement. In the US, there should be an impact assessment of why certain other technologies are banned (eg encryption, Google Chrome etc) which would benefit the people and not the regimes.

This raises the broader issue of what we are calling 'human rights by design' - there are human rights decision points all along the ITC line - from the contract, to the design of the chip, to the operation of the network - and human rights need to be embedded into the very design of the project. Those interested should read the Silicon Valley Standard <https://www.accessnow.org/policy-activism/press-blog/the-silicon-valley-standard> which came out of the Silicon Valley Human Rights Conference (rightscon.org) and sets out some of the broader principles for technology companies. Needless to say companies should also join the GNI!

If the Bloomberg report is accurate, the period of plausible deniability is over. The CEOs of all four companies should therefore withdraw their companies from these contracts. If they do not they are very likely to be complicit in the abuses that Assad's regime is set to perpetrate once the new surveillance infrastructure is operational.

Brett

--
Brett Solomon
Executive Director | Access
accessnow.org | rightscon.org
+1 917 969 6077 | skype: brettsolomon | @accessnow

On Fri, Nov 4, 2011 at 10:43 AM, Aaron Swartz <me@aaronsw.com> wrote:
http://www.bloomberg.com/news/2011-11-03/syria-crackdown-gets-italy-firm-s-a...
As Syria's crackdown on protests has claimed more than 3,000 lives since March, Italian technicians in telecom offices from Damascus to Aleppo have been busy equipping President Bashar al-Assad's regime with the power to intercept, scan and catalog virtually every e-mail that flows through the country.
Employees of Area SpA, a surveillance company based outside Milan, are installing the system under the direction of Syrian intelligence agents, who've pushed the Italians to finish, saying they urgently need to track people, a person familiar with the project says. The Area employees have flown into Damascus in shifts this year as the violence has escalated, says the person, who has worked on the system for Area.
Area is using equipment from American and European companies, according to blueprints and other documents obtained by Bloomberg News and the person familiar with the job. The project includes Sunnyvale, California-based NetApp Inc. (NTAP) storage hardware and software for archiving e-mails; probes to scan Syria's communications network from Paris-based Qosmos SA; and gear from Germany's Utimaco Safeware AG (USA) that connects tapped telecom lines to Area's monitoring-center computers.
The suppliers didn't directly furnish Syria with the gear, which Area exported from Italy, the person says.
The Italians bunk in a three-bedroom rental apartment in a residential Damascus neighborhood near a sports stadium when they work on the system, which is in a test phase, according to the person, who requested anonymity because Area employees sign non-disclosure agreements with the company.
Mapping Connections
When the system is complete, Syrian security agents will be able to follow targets on flat-screen workstations that display communications and Web use in near-real time alongside graphics that map citizens' networks of electronic contacts, according to the documents and two people familiar with the plans.
[...] The price tag is more than 13 million euros ($17.9 million), two people familiar with the deal say.
[...] "You may consider that any lawful interception system has a very long sales process, and things happen very quickly," [the CEO] says, citing the velocity of Libyan leader Muammar Qaddafi's fall, only a year after pitching his Bedouin tent in a Rome park on a visit to Italy. "Qaddafi was a big friend of our prime minister until not long ago."
When Bloomberg News contacted Qosmos, CEO Thibaut Bechetoille said he would pull out of the project. "It was not right to keep supporting this regime," he says. The company's board decided about four weeks ago to exit and is still figuring out how to unwind its involvement, he says. The company's deep-packet inspection probes can peer into e-mail and reconstruct everything that happens on an Internet user's screen, says Qosmos's head of marketing, Erik Larsson.
[...] Area is installing the system, which includes the company's "Captor" monitoring-center computers, through a contract with state-owned Syrian Telecommunication Establishment, or STE, the two people familiar with the project say. Also known as Syrian Telecom, the company is the nation's main fixed-line operator.
[...]
Schematics for the system show it includes probes in the traffic of mobile phone companies and Internet service providers, capturing both domestic and international traffic. NetApp storage will allow agents to archive communications for future searches or mapping of peoples' contacts, according to the documents and the person familiar with the system.
[...] Two people familiar with terms of the deal say that as a final stage of the installation, the contract stipulates Area employees will train the Syrian security agents who will man those workstations -- teaching them how to track citizens.
_______________________________________________
liberationtech mailing list
liberationtech@lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
<http://www.europarl.europa.eu/parliament/public/staticDisplay.do?language=en&id=42>

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE