Export Controls

What are export controls?

Export controls essentially allow countries to regulate what goods leave their borders. There are various reasons why they would want to do this related to their own national interests and international obligations. For example, a country would want to prevent arms exported from its territory from being used against its strategic interests, against its allies, or to commit human rights abuses. Most countries will therefore have some policy and legislation in place related to export controls and a system in place to enforce them.

Sometimes export controls can be positive, and sometimes they can be used in a negative way. In particular, from the 1940s until the late 1990s, many governments tried to prevent people around the world from protecting their communications by using export controls to stop the sale of goods that used encryption to protect them.

Because international trade is by its very nature, well, international, countries sometimes negotiate at international level what goods should be controlled, which specific countries or groups shouldn’t have access to certain goods, and how they should try to enforce this. This not only makes enforcement far more effective, it also ensures that states don’t lose out by excluding local industry from markets other states do not. Strategic goods that you would want controlled include military items and “dual-use” goods – equipment that is primarily civilian in nature but that can possibly have a military application or be used in the development of Weapons of Mass Destruction. So while in theory a country has complete control over its own export system, there is a strong incentive for them to base what is controlled and how they enforce the controls on international agreements.

There are various international fora and instruments through which governments decide this. These include inter-governmental forums regulating the transfer of specific types of equipment, international and regional embargos that limit the sale of specific goods to specific end-users, and international treaties and commitments that seek to influence national policy on when certain exports should be allowed and how this should be enforced.

Why are they relevant to surveillance technologies?

It has become impossible to ignore the impact that equipment used for surveillance has on people’s privacy and other human rights. Such equipment gives governments a frightening amount of access to people’s lives, allowing them to listen to phone calls, read emails, SMS messages, social networking messages and to extract data without a user’s knowledge. Modern communications mediums that hold great promise for facilitating social progress are being hijacked and used to facilitate repression. This has led to the targeting of pro-democracy activists, human rights campaigners, journalists, writers, protestors and political opponents. This is not just a human rights issue either; such equipment has the power to significantly increase the security and military capabilities of governments.

Yet, the speed at which such technologies develop has meant that it is a trade that is largely unregulated in contrast to military goods. This has resulted in the unrestrained export of surveillance equipment by companies based in developed economies to sometimes highly authoritarian regimes, with appalling consequences. Considering that the whole point of export controls is to control such trade and to protect human rights, it is vital that they be put in place to ensure that such equipment isn’t used in violation of them.

How are governments supposed to do that?

The first step that governments must take is to ensure that the relevant surveillance equipment actually comes within their scope of control. The easiest way for them to do this would be to simply insert surveillance technology into the national list of goods that require a license. This would mean that when an exporter wants to sell surveillance equipment abroad, they would have to get a license from the government to do so. The government department(s) would then have to decide whether or not to allow the export to take place. France, for example, already has controls in place for IP monitoring systems, in light of revelations that a French company had supplied such equipment to Ghadaffi's Libya. Apart from a few examples however, states have shown little willingness to pursue national controls unilaterally that aren’t agreed and enforced at the international level.

The international forum in which to pursue action that makes the most sense is the Wassenaar Arrangement (WA). The WA is a multi-governmental trade control regime in which participants agree what conventional weapons and dual-use goods should be controlled in order to promote international security. Crucially, the 41 participants include 5 out of the world’s 6 biggest arms exporters - the US, Russia, Germany, France and the UK. The WA is useful because when an item gets introduced into one of its lists, it is then taken up by states on a national level, and even by non-participating states such as Israel. The WA has two control lists – a munitions list that contains “traditional” military items such as small arms, ammunition and bombs, and a dual-use list that contains civilian items that could potentially have a military application, which includes, for example, certain types of imaging cameras and materials that are specially designed for use as absorbers of electromagnetic waves. Category 5 within Wassenaar controls certain telecommunications equipment along with the software and technology used for its production or use. This category has for some years contained controls on specific items that are used to identify your mobile phone details.

Crucially, in December 2013, the WA decided to add IP monitoring systems and software that's used to control your device via malware to the dual-use list. While it shows that the WA states have recognised the need to include surveillance technology in control lists, it is a small start, and many more categories need to be included. This is only the beginning of effective action. It's also up to individual states themselves to implement the controls.

The WA is not the only international forum however. Member states of the European Union can similarly agree controls on items, as can the United Nations, or even an international treaty outside of any formal institution.

Once surveillance equipment is actually included within control lists, it becomes an issue of making sure that specific license applications are refused if its export would mean that end-users could use it for repression. This requires two things. Firstly, a policy must exist that stipulates an export will not be approved if there are human rights concerns, and the criteria used to judge this risk need to be appropriate. Countries need to guarantee that their export control systems through their licensing authorities are effective enough to assess applications correctly and make sure that they are able to identify the risks in the first place. This commitment can be the result of purely national policy, or a result of international obligations prescribed by treaties or regulations. Secondly, countries must have sufficient capacity to enforce the controls through their customs network, intelligence agencies and law enforcement bodies. This means understanding how companies exporting surveillance technologies can skirt export controls, and developing an enforcement policy to stop them.

Other international efforts have involved the use of sanctions on specific equipment. The EU, for example, has put an embargo on any equipment that could be used for internal repression in Syria, which includes equipment that is used for the monitoring and surveillance of the Internet and telecommunications. Similar EU restrictive measures exist with relation to Iran. While useful, the difficulty in negotiating sanctions at international and even regional level makes their use highly selective, and their purpose inherently retroactive and temporary.

But hang on, aren't all governments entitled to use such technology legitimately to stop terrorists and crooks?

It is generally accepted that countries have a right to self-defense and a need to provide security for their citizens. Surveillance technology can have legitimate purposes similar to other security equipment that Governments can use to legally fight organised crime and counter perceived and real terrorist threats. The issue, however, is that surveillance should only be conducted within a robust legislative framework containing an appropriate system of safeguards and oversight, and in keeping with the principles of proportionality and necessity. Often, the use of surveillance technology has no real safeguards - in which case authorities can use surveillance technology for any purpose they wish, including spying on citizens for political control. There is already evidence that surveillance technology has been used by some Governments to silence political dissent, as well as secretly monitor and intimidate journalists and civil rights activists. Governments that permit these technologies to be exported need to know where they are going, if the buyer has a record of human rights abuses, and if they have an appropriate legal framework governing the use of surveillance. Hence the need for export controls.

Won't this harm legitimate trade? And aren't other measures more effective than controlling export?

Export controls should not impede legitimate trade, and indeed many other products across a wide range of sectors require some form of regulation for export. The point is not to harm the export of technology that makes networks safer or that helps develop a country's telecommunications infrastructure. It is about targeting the types of technologies that are used purely for state-surveillance purposes.

One argument that has emerged is that rather than regulate a trade, we should ensure that people's privacy is protected through securing their communications. There are other things that we can do to protect ourselves and others from harmful government surveillance. The widespread and correct use of good cryptography is a fundamental security measure. However, in itself it is not enough. For a start, it is difficult to get individual users to use encryption well, and oftentimes companies and individuals have legislative constraints that prohibit them from adopting encryption. Further, such a solution somewhat exonerates governments, ignoring the fact that what they are doing is a violation of their legal obligations, and placing the burden on individuals. Far from empowering people, focussing on a solely technological solution to state wrongdoing cements the power imbalance and legitimises government action.

Other vital initiatives place an emphasis on the companies themselves to self-regulate. Asking the companies to know their customers and to have a strong corporate social responsibility policy does go some way to addressing responsibility, but on their own, these measures have limitations. It is not an either/or situation: for a strong and coherent solution, a multilayered, comprehensive approach is needed, with regulatory oversight (export controls) at its heart.

It is also a matter of accountability: export controls mean that the decision to export a product is made accountable to oversight mechanisms and to the public. Further, it is one of the best ways of guaranteeing transparency over this highly secretive industry.

Why should we support a regulation that also undermines our ability to protect ourselves by using encryption?

Subjecting cryptography to export controls was an unworkable and disastrous policy. That's why PI fought against any regulation on the development, sale, use, and deployment of cryptography. Cryptography is a key security measure to protect the confidentiality of communications, and to also ensure trust and confidence in digital interactions. Despite strict controls up until the 1990s, governments realised, some under duress, that in order to increase confidence in the then-emerging Internet economy, greater security was required. Encryption was becoming an essential safeguard for electronic commerce and global communications. The ready availability of strong cryptography (made available for use by human rights activists) over the Internet made export controls a competitive disadvantage for companies in controlled countries. To meet the interests of the US controls, the US National Security Agency worked with companies to introduce technologies that contained backdoors or reduced security obstacles for the NSA, which hindered US companies' abilities to sell their products to governments and companies overseas. As the risks of surveillance by states and criminals increased, cryptography export controls became untenable and were eventually liberalised.

These controls still exist however, but in a much diluted form, and are only likely to get more liberalised.

If developed economies are already spying on their citizens and people across the world, why can't other countries?

Spurred by the Snowden disclosures, our understanding about the spying practices of the NSA and its intelligence partners within the Five Eyes has drastically increased. It's apparent that all countries do conduct surveillance against their own populations and against other countries; however, this does not legitimise abuse. Significant legislative reforms do need to be urgently adopted to curtail the spying activities of the Five Eyes, but this doesn't mean that other countries should be allowed to follow their example and that we shouldn't do anything to stop other countries having access to similar capabilities. And this is particularly true in countries where there is a lack of respect for human rights.

OK. So what's Privacy International doing about it?

Privacy International works with partners across the world to ensure that we have export controls in place to help protect our privacy and other human rights. We investigate different types of surveillance technologies and the companies that develop and sell them, and how they do so. And we try and find out whom they're selling them to. We go to arms shows, conduct in-country investigations, reach out to the industry itself, and speak with victims and government authorities. This is a lengthy process - these companies are highly secretive and do not readily publish their product information, and certainly do not publish where it is they're selling their goods. We do this so that we can bring changes in policy. Our research looks at how export controls should be used to protect human rights, and how they can effectively be put into place. We engage in international advocacy, highlighting the issue and putting pressure on governments and institutions to ensure that the trade in these technologies respects human rights. We also aim to hold these companies to account, highlighting evidence and direct examples in order to bring changes in their export practices and business standards. Where necessary, we take legal challenges to ensure both Governments and surveillance companies are held to account and to ensure redress for victims.

We don't do this alone. The Coalition Against Unlawful Surveillance Exports, for which we act as secretariat, brings together civil society fighting to protect human rights against the trade. To find out more about CAUSE, visit www.globalcause.net