Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


The purpose of dual-use export controls

Larger European companies whose involvement in human rights abuses abroad has been publicly exposed tend to withdraw from trading with the government(s) in question in order to avoid further public relations disasters. Big-name exporters whose sales and share prices are dependent on maintaining uncontroversial reputations are therefore more likely to voluntarily restrict exports to non-democratic regimes in the future, and to take proactive steps to minimise the potential damage caused by tools that have already been exported.

However, smaller subsidiaries of these large companies are both better able to operate under the radar and less vulnerable to public outcry. Effective legislation is required to prevent companies from ‘selling at the back door’ and exporting dangerous technologies via lower-profile mechanisms.

Similarly, it is also common practice for European companies to abdicate responsibility for the fact that their technologies end up in the wrong hands by claiming that they sold to a middleman with no knowledge of the onward journey of the product. Legislation that required end-user agreements to be built into the contracts governing the export of surveillance technologies would allow companies to ensure that their technology was being used in compliance with human rights norms, whether or not its final user was an immediate customer.

The existing dual-use regulation potentially criminalises many firms that are completely unaware of it and against whom no enforcement action is taken. The classic case is the small software company that includes cryptography in its product; there are many others. Open general export licenses are available to cover some of these cases but firms in their thousands have not bothered to fill the forms as they have no idea that the rules might apply to them. The same holds for many nonprofits (e.g. universities) and private individuals (such as free software developers). The export control rules were designed for large companies with substantial compliance teams in touch with ministries; they cannot cope with thousands of SMEs and individuals. If the EU were to compel Member States that take a relaxed view of the matter to enforce the letter of the law, the consequences could be chaos. This issue was discussed in the UK House of Lords during the passage of the Export Control Bill that implemented the regulation.

Almost all surveillance technology will require some degree of maintenance by the company that developed and/or sold it, from simple software updates to operational teams on the ground in local offices. Such systems depend on a constant supply of upgrades, to platforms, applications and to the filters themselves. This deserves urgent and serious study. Companies that have previously sold potentially dangerous technology can mitigate the harm caused by refusing to provide maintenance unless the product is used in a human rights-compliant way. Post-sale maintenance gives companies the crucial ability to audit compliance with end-user agreements, and should be regulated by European law.