On 10 April, Al Jazeera revealed how “surprisingly simple” it can be to circumvent sanctions and export control on cyber surveillance technologies. Al Jazeera’s four-month undercover investigation exposed the practices of merchants who sell spyware technologies as a “wi-fi router” and thereby readily escape from authorities’ export control radar. The investigation brought to light, for instance, an Italian communications company’s readiness to execute a 20-million euro deal to export to Iran an IP-intercept system which could be used for spying citizens. The company may be able to evade the EU’s export control by labelling the intercept
EU sanctions against Iran based on human rights violations
From Al Jazeera’s investigative story, the Italian company apparently proposed to bypass the export control regime under Council Decision 2011/235/CFSP and Council Regulation (EU) No 359/2011, established as a response to “serious human rights violations” in Iran. Initially, on 12 April 2011, the Council imposed travel bans and asset freezes regarding those individuals responsible for serious human rights violations in Iran. On 23 March 2012, however, the Council adopted Decision 2012/168/CFSP and thereby additionally imposed the export control of spyware. Included in Decision 2012/168/CFSP is the prohibition of the export of equipment or software which is “intended primarily for use in the monitoring or interception by the Iranian regime” of the “Internet and of telephone communications on mobile or fixed networks in Iran” (Article 2a). This prohibition is combined with a partly overlapping ban on the export to Iran of “equipment which might be used for internal repression” (Article 2b, para 1). The IP-intercept system, which might be used to monitor citizens’ internet activities, falls within the category of prohibited equipment. On 11 April 2017, the Council renewed the sanctions to be valid until 13 April 2018 (Council Decision (CFSP) 2017/689).
Cyber surveillance export control under current dual-use regulation
Even in an absence of country-specific sanctions, the export of an IP-intercept system may be subject to Council Regulation (EC) No 428/2009 of 5 May 2009, which is the EU’s primary legal framework on the export control of “dual-use” items, which can be used for “both civil and military purposes” (Article 2(1)). Annex I of Regulation No 428/2009 provides the extensive list of dual-use items subject to export authorization. “IP network communications surveillance systems” (Annex I, No. 5A001.j) were added to the list through the 2014 amendment of Regulation No 428/2009, in response to the amendments agreed at the December 2013 meeting of the Wassenaar Arrangement, one of the principal international frameworks for export control.
Even if a specific cyber surveillance tool is not on the list, a Member State may still restrict the export of such a tool for reasons of “human rights considerations” under Article 8(1) of Council Regulation (EC) No 428/2009. For instance, in 2012, Italy imposed, for reasons of public security and human rights, an authorisation requirement on the export of a set of telecommunication items (Public LAN database centralised monitoring system, Internet and 2G/3G services) to the Syrian Telecommunications Establishment in Syria.
Strengthening human rights-based export control
The European Commission has been situating the protection of fundamental rights as one of the normative pillars of the comprehensive policy review which was commenced in 2011. In September 2016, the Commission submitted a proposal (COM(2016) 616 final) to amend Council Regulation (EC) No 428/2009. Most notably, on the basis that a number of human rights are affected particularly by export of cyber surveillance technologies, the proposal aims to provide an “effective response to threats for human rights resulting from their uncontrolled export” (COM(2016) 616 final, page 6). Under the Commission’s proposal, the very definition of dual-use items has been modified to encompass “cyber-surveillance technology which can be used for the commission of serious violations of human rights or international humanitarian law” (Article 2, paragraph 1(b)). The kinds of human rights envisaged include “the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life” (page 6).
It remains to be seen how the Commission’s proposal, which follows the ordinary legislative procedure, will be decided upon by the Council and the European Parliament. One has to highlight, however, that to regard cyber surveillance technology as a dual-use item involves a fundamental conceptual shift from the traditional civil-military dichotomy to a much more normatively charged definition of duality. While the Commission’s September 2016 proposal still maintains the civil-military dichotomy as a definition of dual-use items, the export control of cyber surveillance technology—as a specific apparatus to prevent broadly termed “serious violations of human rights”—differs from the export control of, for instance, chemical materials which may be employed to synthesize chemical weapons.
Apart from the changes in the definition of duality, human rights-based export control requires EU institutions and national authorities to assess the human rights situations of a third country to which cyber technology is exported. This intensifies the existing tension between industrial countries and developing countries whose industrial development is not, in the long run, unaffected by the EU’s export control. Whatever revision is made to the EU’s dual-use control regime, however, it will remain difficult for national authorities to detect disguised export of cyber surveillance technology to a country in which the freedom of expression is severely limited, as unveiled by Al Jazeera’s coverage of spyware merchants.