Mr Smith opened proceedings explaining he takes decisions on behalf of Vince Cable on licensing the export of military and 'dual use' goods. This involves a two stage process:
- The first question is does it need a licence? The yes or no depends in most cases on whether it is on a control list. The control list is governed by the Wassenar arrangement agreed by 41 key countries involved in arms exports. The content of the list depends on which civilian goods have military application. So for example if something contained cryptography it could be refused a licence. If it is decided that the goods/services do need a licence then
- They look at "consolidated criteria" against which all export licences issued are judged on a case-by-case basis.
- Got EU legislation in place to block supplies of this kind of tech to Syria. Mr Smith's team worked as technical secretariat to the EU on this.
- The UK took the lead to put this on the table at Wassenar. The technology at the heart of the controversy was not controlled and they wanted it to be. The have been two discussions at Wassenar. For an international arms control issue it is moving like lightning - these things can take years - but it still appears to be incredibly slow in practice. He wants it sped up but some countries are procrastinating. The UK are working with the US and Germany to get an international control list. His ministers are behind this but will not back emergency unilateral legislation in the UK
- ECO and BIS are reaching out with various degrees of success to the companies involved in this field.
Eric King from Privacy International was next up. Part of the process he used to research the issue was to attend trade shows for the companies involved in flogging these technologies. He discovered a web of very complicated trading dominated by US, UK and German companies. They get together at trade shows (on surveillance and arms sales). Their product pitches are incredible to listen to. The rule of law, privacy, civil rights don't exist as far as these people are concerned. They act like cowboys. The way they dress - eg black shirts, red jackets & ties - company names like Panopticon, excitable conscience-free talk about facilitating mass surveillance and countrywide interception is the order of the day.
These people are not shipping boxes off the shelf with no idea of what they are doing or who they are dealing with. They are surveillance consultants. They do the installation and the tech support. A UK/German company (who I think he called Gamma?) regulate via DRM the number of intelligence agents who can use the technology; and charge by the number of people they spy on. These companies talk openly at the trade shows and in their promotional materials about spying on political opponents and left leaning universities.
It is really important that export controls be put in place. This is the only way to deal with them. There is a phenomenal amount to be done to hold these companies to account for the terrifying human rights abuses they are perpetrating and facilitating.
Ian Brown then had the opportunity to talk about the GNI digital freedoms report. He opened by asking rhetorically is regulation necessary and then immediately answering yes. If we need it then how do we make it effective?
Some issues that the stakeholders they engaged with raised -
- Dual use - some technologies have military and civilian applications. We cannot ban everything that can be put to nefarious uses
- When is a device a mass surveillance device as opposed to a lawful interception device?
- What about the context e.g use of the technology in countries without the rule of law?
- There is very broad availability of these technologies. So there would be little or no point in taking unilateral action in the UK on them.
- There is a thriving second hand market in these surveillance technologies
- Wassenar had some very sensible rules e.g. there is no point in adding certain goods to the control list because you cannot control their export
- The EU relies on member states to enforce export controls and yet many member states do not have export controls
- Civil society made the point that definitions have to be precise. Too narrow and you miss important stuff. Too broad and you hinder democracy activists who can use technology for positive ends
By and large cryptography control is obsolete. Besides we want democracy activists in repressive regimes to have access to cryptography and easy to use cryptography at that. In one Iranian case Nokia-Siemens equipment was used to find and arrest a 'dissident' activist.
The Communications Assistance for Law Enforcement Act (CALEA) in the US required back doors to be built into communications technologies to facilitate government surveillance.
Nokia-Siemens said they were not going to make any more money out of regimes like Iran. They separated off that branch of the company. Amasys (?), a French company doing business with Libya did the same thing. They sold of that part of the company.
The responsible thing for these organisations to do would be to be transparent about what they have shipped to whom and where.
It is not the only solution to the problem - this has to be tackled on multiple fronts - but export controls can help. There is kit which should be controlled but is not, yet.
Syria and Iran are easy to demonise - they are pariah states. But there is a spectrum. There are numerous other countries the UK patronises that are involved in well documented human rights abuses.
There followed a series of questions from the floor.
To what extent will enforcement be pursued against companies who break the rules?
Mr Smith from ECO replied it is largely a question for the CPS on whether to prosecute. BIS pursue a number of prosecutions every year. They win some and lose some. One of the questions the CPS ask is whether there is a legitimate defence where the company can reasonably plead ignorance of the uses to which their good would be put.
Ian Brown also responded to this question making the point that despite concerns about the effectiveness of export controls, without them all other methods of control will be circumvented. And if we relied on the reputation of companies we would not do business with arms dealers.
The next question related to the extent to which government acts as salesmen for the arms industry - to what extent is the government selling surveillance equipment. Also, hacking tools are not just used for domestic surveillance but for international spying. To what extent are concerns about spying taken into account i.e arming other countries to spy on the UK? What are the concerns about selling zero day exploits abroad?
BIS do not think the UK government are with knowledge aforethought selling surveillance equipment abroad. Do they explicitly take into account whether goods considered for licencing will be used against the UK - yes.
Would it be good if there was an international forum for the control of technology used to abuse human rights? Yes.
Are the UK government going to say they have to protect surveillance technology export in the interests of protecting the export of other technology? No.
The companies that are doing the most damage are software companies that come out of telcos. There are a clutch of these companies around Berlin run by ex- Stasi officers.
Some of these companies have decent motives and genuinely want to supply protective technology and tools to democracy activists. But there are a lot of people in the field who are glorying in dealing with despotic regimes, wreaking havoc and having a whale of a time, says Eric King of PI.
There was a question about the Communications Data Bill (CDB aka the Snoopers' Charter). Mr Smith from ECO BIS is confident that the motivation of those pushing the CDB is pure.
Specialist companies dealing in this area do not respond well to external pressure. We have to put export controls in place and sue them. A couple of recent cases have been pursued against Cisco under the US Alien Torts Act accusing them of aiding and abetting torture and imprisonment. It can be difficult to get evidence but if companies are selling stuff and don't do due diligence they should be held liable.
The final comment from the floor was that pressure should be applied to the venture capitalists funding these companies.
A concluding comment was then requested from the three panelists.
Ian Brown emphasised the point that it is principally governments who can make a difference. Ethical consumerism would help as would ethical capitalism on the part of the companies involved in these technologies.
Tom Smith said it is difficult but important to get these technologies under control and BIS are working hard to that end.
And finally Eric King said it is really important to get export controls on this stuff. That rounds off the notes on the second panel but I think it is worth finishing with the executive summary and recommendations from the report again. Plus a recommendation that it is essential reading for anyone with an interest in digital freedoms in international law.
"With around 2.3 billion users, the Internet has become part of the daily lives of a significant percentage of the global population, including for political debate and activism. While states are responsible for protecting human rights online under international law, companies responsible for Internet infrastructure, products and services can play an important supporting role. Companies also have a legal and corporate social responsibility to support legitimate law enforcement agency actions to reduce online criminal activity such as fraud, child exploitation and terrorism. They sometimes face ethical and moral dilemmas when such actions may facilitate violations of human rights. In this report we suggest practical measures that governments, corporations and other stakeholders can take to protect freedom of expression, privacy, and related rights in globally networked digital technologies. These are built on a detailed analysis of international law, three workshops in London, Washington DC and Delhi, and extensive interviews with government, civil society and corporate actors. "Even if you're not a digital policy geek, the full executive summary (page 4-7) and the recommendations (p41-44) should be essential reading for everyone.