Era of the digital mercenaries
“My computer was arrested before I was.” This perceptive comment was made by a Syrian activist who had been arrested and tortured by the Assad regime. Caught by means of online surveillance, Karim Taymour told a Bloomberg[1] journalist that, during interrogation, he was shown a stack of hundreds of pages of printouts of his Skype chats and files downloaded remotely from his computer hard drive. His torturers clearly knew as much as if they had been with him in his room, or more precisely, in his computer.
Online surveillance is a growing danger for journalists, bloggers, citizen-journalists and human rights defenders. The Spyfiles that WikiLeaks released in 2012 showed the extent of the surveillance market, its worth (more than 5 billion dollars) and the sophistication of its products.
Traditional surveillance has not completely disappeared. Policemen continue to lurk near Internet cafés in Eritrea. Vietnamese dissidents are followed and sometimes attacked by plainclothes policemen. The Chinese cyber-dissident Hu Jia and his wife Zeng Jinyang have had policemen stationed at the foot of their apartment building for months. Intelligence agencies still find it useful to tap the phones of over-curious journalists. But online surveillance has expanded the range of possibilities for governments.
This year’s “Enemies of the Internet” report is focusing on surveillance – all the monitoring and spying that is carried out in order to control dissidents and prevent the dissemination of sensitive information, activities designed to shore up governments and head off potential destabilization.
Today, 12 March, World Day Against Cyber-Censorship, we are publishing two lists. One is a list of five “State Enemies of the Internet,” five countries whose governments are involved in active, intrusive surveillance of news providers, resulting in grave violations of freedom of information and human rights. The five state enemies are Syria, China, Iran, Bahrainand Vietnam.
The other is a list of five “Corporate Enemies of the Internet,” five private-sector companies that are “digital era mercenaries.” The five companies chosen are Gamma, Trovicor, Hacking Team, Amesys and Blue Coat, but the list is not exhaustive and will be expanded in the coming months. They all sell products that are liable to be used by governments to violate human rights and freedom of information.
Their products have been or are being used to commit violations of human rights and freedom of information. If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens. If their digital surveillance products were sold to an authoritarian regime by an intermediary without their knowledge, their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights.
Research by Bloomberg, the Wall Street Journal and the University of Toronto’s Citizen Lab has established that surveillance technology used against dissidents and human rights defenders in such countries as Egypt, Bahrain and Libya came from western companies. Two types of corporate products are criticized in our report: on the one hand, equipment used for large-scale monitoring of the entire Internet, and on the other, spyware and other kinds of tools that permit targeted surveillance.
This type of spyware is used to spy on the content of computer hard disks, recover passwords, access instant messaging content and monitor VoIP conversations. It can be installed on computers directly or remotely via the Internet, without the user noticing, by means of false updates or email attachments. Use of this kind of spyware by the private sector is limited. Some producers supply it directly to state agents such as intelligence and security services. Others openly advertise their software’s ability to track down and spy on government opponents. Authoritarian regimes use it to spy on journalists and their sources and thereby suppress freedom of information.
Some surveillance technology can be used in two different ways. It can be used for the legitimate purpose of combating cyber-crime. And, in the hands of authoritarian regimes, it can be turned into formidable censorship and surveillance weapons against human rights defenders and independent news providers. The lack of legislation and oversight of trade in these “digital weapons” allows authoritarian governments to identify critical journalists and citizen-journalists and go after them.
Reporters Without Borders calls for the introduction of controls on the export of surveillance software and hardware to countries that flout fundamental rights. The private sector cannot be expected to police itself. Legislators must intervene. The European Union and the United States have already banned the export of surveillance technology to Iran and Syria. This praiseworthy initiative should not be an isolated one. European governments need to take a harmonized approach to controlling the export of surveillance technology. The Obama administration should also adopt legislation of this kind, legislation such as the proposed Global Online Freedom Act (GOFA).
Governments did already negotiate about the inclusion of surveillance technology into the most comprehensive international treaty on export controls, the Wassenaar Arrangement. Unfortunately, they did not yet put these negotiations into force, to help journalists, bloggers and activists around the world.
Democratic countries seem increasingly ready to yield to the siren song of the need for surveillance and cyber-security at any cost. This is evident from all the potentially repressive legislation that is being adopted or proposed, legislation that would open the way for generalized surveillance. FISAA and CISPA in the United States, the Communications Data Bill in Britain, theWetgeving Bestrijding Cybercrime in the Netherlands – they would all sacrifice online freedom of expression to combatting cyber-crime (for more information, see the “Overview of Cyber-censorship in 2012” chapter). If governments that traditionally respected human rights adopt this kind of repressive legislation, it will provide the leaders of authoritarian countries with arguments to use against the critics of their own legislative arsenals.
Increasingly widespread cyber-censorship and cyber-surveillance are endangering the Internet model that the Net’s founders envisaged: the Internet as place of freedom, a place for exchanging information, content and opinions, a place that transcended frontiers. The Internet is also being threatened by the battles between governments for influence. Standardized surveillance is one of the leading calls of countries fighting for control of Internet governance. During the World Conference on International Telecommunications in Dubai last December, China backed a proposal aimed at dramatically extending ITU control over the Internet. With the support of Russia, Saudi Arabia, Algeria and Sudan, China called for the protection of the “physical and operational safety of networks,” use of DPI in new generation networks[2] and an end to ICANN’s management of domain name space and IP address spaces.
The situation is complex for news providers, who are torn between, on the one hand, the need to protect themselves and the safety of their sources while online and, on the other, the desire to gather and circulate information. Protection of sources is no longer just a matter of journalistic ethics; it increasingly also depends on the journalist’s computer skills, as cyber-security specialist Chris Soghoian noted in an op-ed piece for the New York Times.
If war reporters care about their physical safety, they take a helmet and bullet-proof vest when they venture into the field. Similarly, all journalists should equip themselves with a “digital survival kit” if they are exchanging sensitive information online or storing it on a computer or mobile phone. Reporters Without Borders is gradually developing such an Online survival kit on its WeFightCensorship website. It explains the need to purge files of their metadata, which give too much information away; it explains how to use the Tor network or Virtual Private Networks (VPNs) to anonymize communications; it offers advice on securing communications and data on mobile phones and laptops and so on.
Journalists and netizens must learn to evaluate the potential surveillance risks and identify the data and communications that need protecting in order to find appropriate solutions, preferably ones that are easy to use. The sophistication of the methods used by censors and intelligence agencies is testing the ingenuity of news providers and the hactivists who are ready to help them. But the future of freedom of information depends on the outcome of this battle. This is a battle without bombs, prison bars or blank inserts in newspapers, but if care is not taken, the enemies of the truth may sweep the board.
Note: The 2013 “Enemies of the Internet” report is different from previous years’ reports. Instead of trying to cover all forms of cyber-censorship in all countries, it focuses on the subject of online surveillance. It takes a close look at the activities of five countries and five companies that are “leaders” in this domain, but the list is far from exhaustive. The fact that countries that figured in the 2012 list of “Enemies of the Internet” do not appear in the 2013 list does not mean there has been any improvement in online freedom of information in those countries. Read about other noteworthy developments in the field of cyber-censorship in the past year.
Photo by RobH (Own work) [CC-BY-SA-3.0], via Wikimedia Commons
- [1] Read the “Hackers in Damascus” article
- [2] The December 2012 ITU summit in Dubai aimed to establish uniform Internet standards.One of the proposals at the conference was the standardized use of Deep Packet Inspection technology. This type of technology is extremely intrusive as it can be used to access the content of emails, intercept instant messaging and access all the content that a user has viewed while browsing.