The UK & surveillance exports: A piece of CAEC
UK parliamentary select committees are charged with overseeing the work of government in relation to particular topical issues or the work of particular departments. When it comes to UK Government policy on arms, it’s the Committees on Arms Export Controls (CAEC) that's responsible: a conglomeration of four select committees made up of serving Members of Parliament that collects evidence and conducts an inquiry into developments in export control policy and the preceding years’ exports of military and dual-use goods.
One of the most valuable aspects of the committees' work is the fact that it provides an avenue for other stakeholders such as civil society, industry, academia, and the general public to provide evidence and influence government policy. For over a year, Privacy International has been engaging the committees highlighting the proliferation of commercial surveillance companies in the UK and the urgent need for action to regulate their activities. Our written evidence to the committees has just been published, which you can find here.
While government scrutiny committees aren't particularly renowned as arenas of great drama, the chance to influence policy and a system that facilitates sales from the world's second biggest defence exporter makes the work of the committees highly valuable.
The main point of submitting evidence is to ensure that a topic is on the agenda of the committees and that its members and government officials are aware of the main issues. The written evidence in 2013 included submissions from large lobby groups, academics acting in their personal capacity, and NGOs. The latest inquiry reported that over £12 billion worth of military and dual-use goods had been granted licenses for export to countries that the UK Foreign and Commonwealth Office regards as of human rights concern, and the committees were particularly looking to take evidence related to this. Submissions covered a topics ranging from UK policy towards Bahrain, arms fairs, drones, the Arms Trade Treaty, license suspension mechanisms, the intricate workings of the licensing authority, and piracy.
Our intervention focused on several subjects:
Background Information related to surveillance, comments on general UK policy and the Wassenaar Arrangement
Surveillance companies are thriving in the UK. The Surveillance Industry Index details some 77 companies based in the UK that sell surveillance systems that are either not subject to regulation at all or that are not appropriately controlled.
Our evidence was submitted a few months before any agreement on targeted ‘intrusive’ malware and IP monitoring systems was reached at Wassenaar, so we were particularly looking to push this as a potential avenue the government should pursue. Nevertheless, Wassenaar is not the only appropriate forum – countries are able to impose controls unilaterally (though EU member states have to ensure they are in standing with EU law) and EU initiatives are just as feasible. It’s important that all potential paths are explored.
Transparency & cryptographic exports to Countries of Human Rights Concern
Despite the fact that the UK is one of the world’s largest exporters of controlled items, its export control system is in many respects relatively strong. In terms of transparency for example, statistics and some level of data concerning license applications are published and made available to the public. However this doesn’t readily apply to surveillance systems because they are either not controlled at all or because they are only controlled because they contain cryptography. Although figures on exports of cryptography are available, the range of items that employ cryptography makes it is impossible to know for certain what the actual item is. Nevertheless, it is clearly alarming that the cryptographic export make up the vast majority of UK controlled exports and that 20 of the 27 countries listed as of human rights concern by the FCO have received exports of cryptography.
The UK’s approach to exports of cyber security
One of the big issues in the UK at the moment is the fact that the government is looking to double exports by 2020 to £1 trillion per year and sees ‘cyber security’ exports as key to this. It makes absolute sense that the government is keen to promote this given that the UK has a strong security and ICT manufacturing sector.
However it is unclear whether trade officials and politicians are able to appropriately differentiate within this strategy between technology that can only be used legitimately to protects networks and those that can also be used for nefarious purposes. What makes this worrying is the fact that authoritarian countries in the Gulf are described as priority markets for such products.
Furthermore, intelligence gathering tools that are used for surveillance also appear to be being promoted by the UK. Hidden Technologies for example, a UK company that specializes in covert tracking and location equipment, has seen an increase in sales of 693% over the last three years thanks to intervention by the UK’s trade promotion arm.
End-use controls in the UK allow authorities to make any item subject to license if it is to be used for a WMD programme or if an item is to be used for military purposes in a destination subject to an arms embargo. Clearly this is an area that needs to be explored by authorities seeking to control exports of ICTs. Having an item on a control list may be useful, but given the speed at which technology can develop it is important that an avenue exists for officials to catch items not listed but that are destined to be used for particular purposes or by particular end-users.
Our final point was related to sanctions that have been used to prohibit the export of surveillance systems. Sanctions and embargoes contained within them are particularly useful given the relative speed at which they are implemented and the wide level of countries subject to their obligations. Our intervention focused on EU restrictive measures on Syria and Iran that prohibit a wide range of surveillance equipment. While this is to be welcomed, sanctions are highly ad-hoc and politicized instruments – they cannot be used as a permanent solution to the problem. Nevertheless, given that the EU recognizes that surveillance systems can be used for internal repression in these two cases, it is logical that regulation should be expanded to control such items across other sanctions regimes and more generally.
Getting surveillance on the radar
It's clear that the committees played a huge role in ensuring that the UK Government pursued action on surveillance systems, making it directly responsible for ensuring that malware such as FinFisher is now controlled under Wassenaar.
The work of the committees is not restricted to written evidence-gathering however; they also publish their findings each year and collect oral evidence from stakeholders and government officials. The oral evidence collected over the past month has been particularly interesting and relevant to the regulation of surveillance systems – a post on that is coming soon.