NSO Group, an Israeli cyberintelligence firm, makes spyware that it sells to a variety of government clients around the world. It has denied that those surveillance products were involved in the torture and murder of Washington Post journalist Jamal Khashoggi, although it has neither confirmed nor denied selling its products to the Saudi government — elements of which, the CIA has concluded, ordered the killing.
That may raise eyebrows, but this intermingling of privately sold technology and authoritarian regimes is hardly an outlier. Throughout the world, despots are also probably monitoring Internet traffic, communications and behavior — in many cases using surveillance technology supplied by U.S. and other Western companies.
Take, for instance, recent reporting: The U.S. firm Gatekeeper Intelligent Security sold facial-recognition technology to the Saudi government. The system identifies the faces of drivers and passengers in cars, even with blacked-out or tinted windows. The technology has also been sold to regimes in the United Arab Emirates, and “when combined with facial recognition and number-plate readers,” Forbes wrote, “it’s designed to help authorities track individuals of interest.” This is only the latest in reports about Western firms selling surveillance technology to authoritarian regimes.
From facial recognition software to GPS trackers to computer hacking tools to systems that monitor and redirect flows of Internet traffic, contemporary surveillance technologies enable “high levels of social control at a reasonable cost,” as Nicholas Wright puts it in Foreign Affairs. But these technologies don’t just aid and enable what Wright and other policy analysts have called “digital authoritarianism.” They also promote a sovereign and controlled model of the Internet, one characterized by frequent censorship, pervasive surveillance and tight control by the state. The United States could be a world leader in preventing the spread of this Internet model, but to do so, we must reevaluate the role U.S. companies play in contributing to it.
One way to address the spread of these tools head on is the use of export controls. Such policies have been in the news more than usual recently, not least because the Trump administration has pushed to tighten regulations on American export of emerging technologies such as the chips used in supercomputers that develop artificial intelligence. The administration’s proposed controls would place new limits on what kinds of technology can be sold and to whom. But when it comes to preventing export of surveillance technology to human rights abusers, the United States lags behind, particularly when it comes to Internet-based surveillance equipment.
Initial movement to prevent the spread of this type of surveillance equipment came through the 2013 Wassenaar Arrangement, a 41-member multilateral arms-control agreement in which the United States participates. The primary goal of the Wassenaar Arrangement was and still is to limit the sale and trafficking of dual-use technologies — those that could have both a civilian and military use. For instance, network penetration software — digital tools used to break into a wireless or physical network — is used by security researchers to probe for vulnerabilities just as it’s used by governments and militaries to intercept enemy communications. The Wassenaar Arrangement is not a treaty and therefore lacks binding power, but member states agree to establish and enforce export controls on items on the arrangement control list, which is updated every December.
One of the December 2013 additions to the control list was “IP network communications surveillance systems.” These are systems that classify, collect and can inspect all the digital traffic flowing through a network — what a hacker might use to intercept your email login at a coffee shop, or what a government might use to track the online activities of activists, at scale. Governments entered into negotiations on the Wassenaar Arrangement with a clearly defined human rights goal in mind: preventing despots and bad actors from obtaining technology that they could use to commit abuses domestically. Most Wassenaar participants, including every country in the European Union, have restricted the distribution of this technology. The United States, on the other hand, has not.
The sale of technologies such as spyware and facial-recognition systems to human rights abusers — which Wassenaar ventured to stop — enables insidious social control and encroachment on basic civil liberties. But if human rights concerns aren’t enough to move U.S. policymakers, there’s another reason to act: Exporting surveillance equipment enables digital authoritarianism and hurts U.S. national interests.