Containing Weapons of Mass Surveillance

As the bodies continue to pile up in Syria, the Assad government’s war against its own people extends beyond physical space to cyberspace. Not satisfied with pervasive surveillance through Internet and mobile networks — conducted with the help of Western companies — the Syrian government also conducts outright cyber-warfare against its own people.

The attacks started in earnest in February 2011, when the Syrian government suddenly removed long-standing blocks on social media websites including Facebook, Blogspot, and YouTube. Had President Bashar al-Assad suddenly become a free-speech advocate? Hardly. The real reason soon became clear: Government hackers launched what security experts call a "man in the middle" attack on Syrian Facebook users, inserting a false "security certificate" onto people’s browsers when they tried to log into their Facebook accounts through the secure "https" version of the site. This attack enabled pro-government hackers to take over activists’ accounts and gain access to their entire network of contacts.

In May, an organization called the Syrian Electronic Army (SEA), a pro-government hacking group, emerged with its website hosted on computer servers belonging to the government-affiliated Syrian Computer Society. In June, Assad called it "a real army in virtual reality" — the first time, according to the Committee to Protect Journalists, a head of state is known to have praised a hacking group directly.

The tactics used to infiltrate activists’ computers and social-media accounts have grown increasingly sophisticated. In February, reports emerged about "Trojan" viruses being spread through social media, Skype, and e-mail, which among other things capture the infected computer’s webcam, disable anti-virus notifications, record keystrokes, or capture passwords, sending them to a computer address connected to the state-run Syrian Telecommunications Establishment. A fake YouTube site hosting opposition videos attacked visitors’ computers with a similar virus.

In an effort to thwart what he called a "malign use of technology" by the governments of Syria and Iran, on Monday U.S. President Barack Obama issued an executive order authorizing sanctions against individuals and entities that supply or aid governments’ use of technology against their own people. One Syrian individual, two Syrian entities, and four Iranian entities were named as initial targets. Although the new sanctions have been hailed as a step in the right direction by human rights and other groups dedicated to online free expression and privacy, they leave some troubling questions unanswered:

What about U.S. and other Western companies aiding Syrian surveillance? All of the people and entities sanctioned this week are Iranian or Syrian. But what about companies and individuals from other countries, including the United States, that aid and abet surveillance in those countries?

Take, for example the case of the California-based Blue Coat Systems, Inc. Last October, the international activist group Telecomix published log files taken from 13 Blue Coat devices deployed by the Syrian Telecommunications Establishment to monitor and block users’ activity. Facing scrutiny over apparent violation of a strict U.S. embargo against technology sales to Syria, Blue Coat later told the Wall Street Journal that these devices were shipped to a Dubai reseller that claimed the final destination as Iraq. In December, the U.S. Department of Commerce placed restrictions on a person and an entity in the United Arab Emirates for having sold the devices to Syria. But questions remain about what Blue Coat really knew or didn’t know, because after installation in Syria the devices transmitted regular automatic status messages back to the company’s computer servers. Blue Coat claims that it doesn’t monitor the origin of such messages.*

Perhaps Blue Coat’s management was genuinely unaware, and thus "the company" as an entity was unaware. But might it be possible to prove that certain individuals within the company did understand what was happening? If so, the text of the executive order appears to apply to them.

Many more companies could potentially be involved. On Monday, the Atlantic‘s John Hudson provided a substantial list of companies whose technology has recently been found in Syria: Hewlett-Packard and NetApp from the United States, the Dublin-based Cellusys, AreaSpA of Italy, and the British Creativity Software.

If and when companies like these — or their subsidiaries or individual executives – are sanctioned under Monday’s executive order, we will know that the Obama administration is serious about stemming the flow of Western-made surveillance technology to regimes with a clear track record of deploying it against their political opponents.

What about other sanctions that hurt Syrian activists? While sanctions against Iran and Syria are intended to constrain those countries’ governments, they have had the unfortunate side effect of constraining activists’ access to free online software and services used widely across the Middle East, including browsers, online chat applications, and online storage services. In February, on the occasion of Nowruz, the Iranian New Year, the Treasury Department issued new guidelines specifying the types of free software and services that can legally be offered by U.S. companies to Iranian citizens. They failed to issue similar guidelines for Syria, however — in part due to conflicting regulations from the Department of Commerce.

As a result, Syrian activists say, they remain hamstrung. "Activists have a hard time installing communication software like the plugin required to use Google’s voice/video chat," the San Francisco-based Syrian blogger Anas Qtiesh told me. Google Earth, commonly used by activists in the region to plan protests and escape routes, is also blocked in Syria — not by the authorities but by Google, whose lawyers do not want the company breaking U.S. sanctions. Activists then look for unofficial "third party" sites offering downloads, but these sites are often infected with malware of the type described at the beginning of this article. The Electronic Frontier Foundation (EFF), an organization dedicated to protecting civil liberties online, has been following this issue closely and blames the U.S. government’s "piecemeal" approach to sanctions and licenses for causing confusion among companies about what is or isn’t legal.

What about other countries like Bahrain? It is "ridiculous," says the EFF’s Jillian York, that the executive order "only covers Syria and Iran and not Bahrain." Like Syria, the government of Bahrain employs aggressive tactics to censor and monitor its people’s online activity. Its human rights violations over the past year are well documented. In testimony to international lawyers, Bahraini torture victims have described being shown transcripts of their cell-phone text messages. Bloomberg reported in February that a Munich-based company called Trovicor helped the Bahraini government to install and maintain "monitoring centers" through which citizens’ emails, instant-message chat sessions, and cell-phone text messages are intercepted.

The U.S. relationship with Bahrain is obviously more complicated than with Syria and Iran. Many other countries with which the United States has more positive strategic and trade relationships also use technology to repress their people. Thus the Internet rights group Access is calling on the Obama administration and Congress to adopt a "more robust legal framework" including "a process for sanctioning other countries such as Bahrain, preventing third parties from reselling technologies, and requiring companies to be transparent about who they are selling to and what processes they have in place to prevent their products and services from being used in the commission of human rights abuses." The challenge lies in determining what exactly that legal framework and sanctions process should look like.

Sanctions are hard to get right. Last month, I wrote about a bill currently before the U.S. House of Representatives called the Global Online Freedom Act, which among other things seeks to revise U.S. export control laws to forbid the export of censorship and surveillance technology to a list of "Internet-restricting countries" — a list which one presumes would include more than Iran and Syria. However, the drafters of the bill, which has gone through many different iterations since it was first introduced in 2006, have had a tough time coming up with the right language that would avoid the type of collateral damage already created by existing sanctions. As Erica Newland of the Center for Democracy and Technology recently asked: "Can export controls be meaningfully extended in ways that reduce the spread of … ‘weapons of mass surveillance’ without diminishing the ability of dissidents to connect and communicate?"

Recognizing that the speed of technological innovation will likely always move light years faster than the speed of government, the EFF advocates a "Know Your Customer" program that could be implemented in a number of potential ways, through regulatory or legal action or through a voluntary framework if government action is not forthcoming. It would be structured in a similar way to the Foreign Corrupt Practices Act, which is aimed at preventing U.S. companies from engaging in bribery around the world. EFF suggests two main components: The first would require transparency about where companies are doing business. The second involves a framework for companies to audit and keep track of their customers. Companies should have a due-diligence process to determine the likelihood that their technologies will be used to carry out human rights abuses before doing business with a particular country or regional distributor. "If these big companies can be expected not to get business through bribes even though some of their foreign competitors do," concludes the EFF, "it’s reasonable to ask them not to conduct business that would result in enabling repression either."

President Obama has certainly taken a step in the right direction with Monday’s executive order. But the executive branch and Congress will need to do much more if they want to stem electronic abuses against activists in Iran and Syria — let alone anywhere else. It’s time to take decisive action to stop American and other multinationals from aiding and abetting the wrong side in the global digital arms race.

*UPDATE: According to a Department of Commerce spokesperson, the investigation of Blue Coat is "ongoing." The spokesperson declined to provide further details.