A giant leap backwards: Corporations divesting toxic surveillance companies

News & Analysis
A giant leap backwards: Corporations divesting toxic surveillance companies

When a product line becomes engulfed in controversy, the PR team's first move is to distance the corporation from the damage. The surveillance market is not immune to this approach, so when companies products are found to be in use by repressive regimes, the decision many boards make is simply to sell off that technology. This increasingly repetitive narrative is failing to solve any of the problems inherent with the sale of surveillance technology and in fact, is creating more.

The recent sale of Utimaco by the software giant Sophos to private equity firms in Germany and Luxembourg is the most recent in a series of sell-offs. Utimaco's 'lawful interception' product has been integrated into surveillance systems used in Iran that assisted in the arrest, detention, and torture of a university student. The company's technology was also sold to Syria during periods when EU and US sanctions were in force on the country, resulting in a push to update sanctions to include surveillance technology.

In an attempt to create stronger ties between parent companies and their subsidiaries that sell surveillance technology, Privacy International has written to the new owners of Utimaco: PINOVA Capital in Germany and BPI Investment Partners in Luxembourg. We have asked the firms to commit to three principles that they will hold Utimaco to in their operations:

  • A commitment to holding Utimaco to EFF's "Know Your Customer" rules, whereby Utimaco will thoroughly review and investigate any current and potential customers Utimaco has provided surveillance technology to or is  contracted to provide, with particular regard to the human rights impact of that technology.
  • Where these investigations reveal either objective evidence or credible concerns that Utimaco's products will be used to facilitate human rights violations, that Utimaco refrain from participating in that transaction in line with the OECD and UN Guiding Principles on Business  and Human Rights
  • In the event that it is revealed that Utimaco's products have been used to facilitate the abuse of human rights, conduct a thorough investigation into that sale and that all active technologies are disabled to prevent further abuses.

Before this latest news, however, we've seen other companies, including Amesys and Nokia Siemens Network, sell off their surveillance capabilities when they were found to be in countries with dismal human rights records. And it all follows the same three-step process: Surveillance technology is sold, then discovered in repressive regime, then finally parent company sells off the smaller division to distance itself. Keep in mind, of course, that these business deals are only a problem because the relationship is made public, not the fact that equipment like this enables human rights abuses.

Utimaco's role in Syria and Iran

First, let's look at Utimaco, previously a subsidiary of cyber-security firm Sophos Safeware, based in Abingdon UK. Utimaco sold surveillance technology aiding in "lawful interception", called Lawful Interception Management System (LIMS), which tapped into telecommunication lines and provided governments access to private communications between citizens. The system is able to monitor mobile phones networks, fixed telephone lines and also ISP networks, and can ingest several billion data records per day, according to brochures advertising the technology.

Utimaco's technology is one of the the choice du jour for firms when implementing surveillance companies. In a report by Reuters from December 2012, it was revealed that Utimaco's equipment was integrated into a proposal for Chinese company Huawei, in its 2010 bid for the deployment of a "Lawful Interception Solution" on MobinNet, Iran's first nationwide wireless broadband provider. Nokia's German Unit Trovicor (more on them later) had also purchased Utimaco software in 2006 for MTN Irancell, Iran's second largest mobile phone operator. Iranian security agents have confirmed that the arrangement between Trovicor, Utimaco, and MTN Irancell allowed for the government to spy on human rights activist Saleh Hamid, who eventually was detained and tortured for "spreading propaganda against the regime and contacting opposition groups outside Iran".

In November 2011, a Bloomberg investigation into the sale of surveillance equipment to Syria unearthed Utimaco involvement in a project being run by Italian company Area to install monitoring centres for the Syrian government. This took place while EU sanctions were placed on Syria, however these sanctions did not bar the sale of surveillance technology. However, after the news broke, parent company Sophos responded: "As Utimaco's majority shareholder, Sophos is taking the matter in Syria extremely seriously. We are appalled by the reports on the situation in the country and are working very closely with our team at Utimaco…As strong advocates for human rights, when we learned about these allegations, we took direct action to suspend our relationship with the partner and launch a thorough investigation."

Rightly, Sophos chastised the sale of the technology to a regime where the scope for abuse goes without saying and said they would launch an investigation into the sale.

However, the recent news of BIP Investment Partners and PINOVA Capital purchasing Utimaco reveals a familiar theme around the Sophos-Utimaco relationship. Sophos looks at Utimaco and the technology it sells; it balances up the benefit the sales give against the scope for human rights abuse through the technology's use by a repressive state; decides ultimately that the benefit it provides is nothing compared to the public relations nightmare the technology creates and divests its interest to a willing buyer. This is a sorry state of affairs and leaves a sour taste in the mouth for all the times Sophos declares itself as a "strong advocate for human rights". Advocates for human rights don't disown the problem if they can solve it, they engage with the issue and seek to find a more equitable state of affairs. Sophos has failed to live up to the standards it set itself.

Its An Oldie, But its No Goodie

This is not the first time that we have witnessed the divesting of interest of a troublesome surveillance technology by a much larger company. In 2011, Wall Street Journal journalists in Libya discovered scores of government intelligence files citing technology sold by Amesys, a subsidiary of French arms manufacturer Bull SA, that was being used by the Gaddfi regime. One set of files contained the private emails of a prominent Libyan journalist who routinely wrote about government corruption. Further reports revealed that Amesys's technology, the Eagle Monitoring Centre, was also intercepting e-mails of anti-Gaddafi activists outside of Libya, including Egypt and the United Kingdom.

In January 2013, it was confirmed that Bull and Amesys sold its Eagle monitoring system to UAE-based Advanced Middle East Systems. The sale came at the same time that Amesys was facing an inquiry into its complicity in acts of torture by the Gaddafi regime, a judicial investigation sparked after a complaint by the International Federation for Human Rights to determine whether to hold Amesys and its management criminally liable.

The judicial investigation, still ongoing, is a welcome development. However, the technology still exists. After Eagle was purchased by Advanced Middle East Systems, its name was changed to Cerebro. The name may be different, but the technology remains the same. So while Amesys may be held accountable for their past actions, the offending technology is out of their control and remains unaccountable.

The Eagle/Cerebro system, however, still has ties to France. Nexa Technologies, a French company, are the beneficial owner of Advanced Systems. The move to Dubai was presumably prompted by the Emirates' relatively laissez-faire approach to businesses and the opportunity to take advantage of free trade zones in Dubai. The UAE only formally enacted significant legislation concerning strategic trade controls in 2008 as a result of international pressure related to concerns that the Emirates were being used as a diversion point for dual-use goods.

So, although Advanced Systems is a UAE-registered company, it remains unclear precisely the point of departure for the export of this technology. Given Nexa's role, does it remain a French export issue? Do exports now go through the UAE and their light touch regulation? Is it exporting from a third point of departure that does not appear from the information on the companies involved? All of these questions remain unanswered. Ultimately, the ability to control the export of The Eagle/Cerebro system has taken a leap backwards.

Siemens? NSN? Trovicor? It's Anybody's Guess…

If tracking all this wasn't difficult enough, we thought we'd look at Nokia Siements Network. For years, Nokia Siemens Networks provided intelligence solutions to governments and was one of the biggest players in the surveillance technology market. NSN was a collaboration between two of the biggest telecommunication companies in the world: Nokia, the mobile phone handset manufacturer, and Siemens, the telecommunications giant. It had sold monitoring centres to Bahrain, which used the technology to gather intelligence on democracy activists. In particular, NSN technology assisted the Bahraini state in targeting Abdul Ghani Al Khanjar, an activist who was arrested and tortured for six months between August 2010 and February 2011.

This monitoring centre was maintained by Trovicor, a unit within NSN, which has a record of dealing with repressive regimes. In 2007, Trovicor installed and maintained a mobile network monitoring system in Iran, using products from Utimaco (remember them?) to deliver the project for Mamoud Ahmadinejad's repressive state. When the heat was turned up through campaigns like "No to Nokia" Trovicor was separated from the NSN relationship in 2009 and sold to Perusa Partners.

Despite this signal from Nokia that they had no interest in continuing with the Intelligence Solutions' project, in many ways Trovicor and Nokia are still very closely linked. When Trovicor was sold, several Nokia executives, including Head of Worldwide Sales and Customer Care Johann Preinsberger, went to head up Trovicor. Although Nokia Siemens "deplore[s] such use of a technology that can bring so many positive benefits to society", it was still maintaining "technical contractual links" in 2010 with Trovicor in Iran. Trovicor continue to operate on their own, still selling the NSN technology previously sold to Iran and Bahrain.

What's more, Nokia Siemens Networks recently splintered into separate entities. Siemens are no longer a participating partner with Nokia, and NSN has been rebranded Nokia Solutions and Networks.

Now, with all the sell-offs and breakups, relationship remain unclear. Despite the muddying of the waters, the splits mean that Nokia and Siemens become 'clean' and not be criticised for their complicity in the abuse of human rights'. Again, the underlying technology remains in the open market, but the players who developed and sold it now can claim they are divested from future use.

Missed Opportunities

It is obvious that the parent companies of Trovicor, Utimaco, and Amesys found it difficult to keep track of their surveillance arms' operations. When this weakness in self-regulation is exposed, the only actor that can step in are the nation states that they are based within. Governments are the ones who pass their eye over applications for licenses to export goods from Country A to Country B and make a judgement based on a number of factors, including the risk of abuse of human rights, as to whether the goods should be granted a licence.

Besides detailing just how incestuous and complicated the surveillance technology market is, these stories represent missed opportunities for the parent companies to effectively self-regulate and show that they really are invested in ethical business practices. What's worse, these new smaller and private companies become more difficult to engage with and hold to account, as opposed to their former homes in large, publicly-traded companies.

Target Profile