International agreement reached controlling export of mass and intrusive surveillance technology
Two new categories of surveillance systems were added to the dual-use goods and technologies control list of the Wassenaar Arrangement last week in Vienna, recognising for the first time the need to subject spying tools used by intelligence agencies and law enforcement to export controls.
While there are many questions that still need to be answered, Privacy International cautiously welcomes these additions to the Wassenaar Arrangement. Undoubtedly, these new controls don’t cover everything they could, but the recognition that something needs to be done at Wassenaar level is a foundation to build from.
What the new controls actually do depends heavily on how individual states implement the agreement. The ostensible intention of the additional controls is, however, clear enough.
The two new categories are the result of two separate proposals from the French and UK governments. Proposals to add new categories to the control list are discussed periodically throughout the year by various working groups focusing on technical and policy-related aspects. However, it is the Plenary meeting, which convened last week, that is the official decision-making and political body of the Arrangement and that formally introduces new controls. The Arrangement is also supported by a small secretariat based in Vienna. For an inside scoop on how these negotiations tend to unfold, some of the US embassy cables are highly recommended.
The UK proposal was aimed at controlling what they called “Advanced Persistent Threat Software and related equipment (offensive cyber tools)”. It’s now clear that what they meant by this is malware and rootkits, which governments can use to extract data from and take control of a device.
The term used, “intrusion software”, echoes the “offensive IT intrusion” marketing lines used by FinFisher and others, and is defined as:
"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
The language is focused on the fact that the targeted items are designed to avoid security features on a device. The intention is that if an item is designed to bypass the security features on your phone or computer and then scoops up or changes the data on it, it will be caught. This feature is at the heart of many government IT intrusion solutions being sold. Early brochures for products like Hacking Team's Da Vinci explain how Remote Control System “bypasses protection systems such as antivirus antispyware and personal firewalls.” Meanwhile FinFisher boasts that its capabilities provide for the “bypassing of 40 regularly tested antivirus systems”.
However, isolating the unique features of a product is the most challenging aspect of coming up with a definition, and questions remain as to the intended scope of these clauses.
A full analysis of what surveillance systems we think might be caught is on the way in collaboration with the New America Foundation’s Open Technology Institute and Digitale Gesellschaft. Stay tuned.
“IP network surveillance systems”
The French proposal targeting “IP network surveillance systems” is likely aimed at controlling general traffic analysis systems such as Deep Packet Inspection (DPI) products, which can classify and collect information flowing through a network. IP (Internet Protocol) is one of the core standards upon which today’s communications infrastructure is built. Today IP networks carry information from all our network devices, including laptops and mobiles, right the way around the world. Your online searches, emails and VoIP calls all transmit through these networks and protocols. The interception of these communications lies at the heart of many mass surveillance systems.
The French proposal seeks to control some of this technology:
5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of 'hard selectors'; and
b. Mapping of the relational network of an individual or of a group of people.
This set of controls is targeted at a very narrow class of products, more so than we would have liked to have seen. In order for a product to be caught by these controls, it would need to fulfil all of the above criteria – which is no easy feat. Here are a few of the problems:
- Carrying out analysis on a “carrier class IP network” is aimed at targeting powerful analysis systems – specifically those that have the capacity to carry out large-scale analysis reliably. What constitutes “carrier class” will, however, be open to interpretation by member states, given that there are a number of definitions that could be cited by any of the competent bodies.
- “Analysis at the application layer” greatly restricts the scope of the control, given that many surveillance products operate at layers other than the application layer, which is usually thought to refer simply to application-layer protocols such as IMAP and BitTorrent, among many others.
- Extraction of selected data and its indexing means that the product needs to be actively retrieving the metadata and content from the IP traffic, as well as actively storing this data.
Further, the controls require the product to be “specially designed” to search through the captured data on the basis of certain characteristics of an individual (such as name, political affiliation, tribe, etc.) and to use this data to deliver what is known in the industry as “actionable intelligence”, meaning it has to be able to collate the captured data to identify the relationships of the targeted individual or group.
A full analysis of how far this control goes towards capturing some of the surveillance systems we’ve seen exported in the last few years is also underway. Additional questions need to be answered by national export control authorities on how they will interpret this element of the control.
What does this mean?
Taken together, the new addition on IP analysis systems is extremely narrow – and as a result risks failing to adequately catch some of the systems that are of most concern. It does, however, control complete systems that extract data, analyse it and map it. Conversely, the new controls on intrusion software suffer from overly broad definitions and could result in more products being caught than intended unless clarifying statements are made.
But after two years of campaigning, supported by the WikiLeaks SpyFiles, the investigative reporting by Bloomberg and the Wall Street Journal, legal efforts by FIDH, technical research undertaken by Citizen Lab, and the push in the European Parliament by Dutch MEP Marietje Schaake, tangible progress is finally being made. This is the go-ahead for the participating states to interpret and implement the new controls to create what we hope will become an effective mechanism to control a trade that is being used to repress and violate rights the world over.