Targeting targeted surveillance - The UN special rapporteur's report on the private surveillance industry

By: Amir Cahane

On May 28, 2019, the UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression released an advance version of his upcoming July report on surveillance and human rights to the UN Human Rights Council, in which he called for a public moratorium on the sale, use and transfer of digital surveillance tools. The special rapporteur’s statement of June 25, 2019, further stressed his call.

Given the chilling effects online surveillance has on free expression, the interest of the UN special rapporteur is clear. In 2013, the previous special rapporteur, Frank La Rue, submitted a report analyzing the implications of states’ surveillance of communications on the exercise of the human rights to privacy and freedom of opinion and expression. The current special rapporteur, David Kaye, previously examined issues pertaining to online surveillance in his 2015 report on the use of encryption and anonymity in digital communications. Government use and oversight of surveillance technologies are also the key priorities within the mandate of the UN Special Rapporteur on the Right to Privacy, Joseph Cannataci. Whereas previous reports – by both aforementioned rapporteurs – focused on regulating government surveillance practices, the focus of the July report is the growing involvement of private companies in the development and proliferation of digital surveillance tools. The report lists surveillance technologies that provide access to digital content and metadata, such as computer interference, mobile device hacking, network surveillance, IMSI catchers (“stingrays”), deep packet inspection (DPI) and also facial recognition and social engineering (the latter is employed to gain access to digital communication and data).

While government actors may deploy these surveillance tools in compliance with the applicable domestic legal framework – which may, in turn, contain robust human rights safeguards – the report stresses that this may not always be the case. Given the obscurity often shrouding the authorities’ purposes and practices when conducting surveillance operations, private actors are rarely in a position to be fully informed of the actual use of their products. Lack of transparency also adversely affects the ability of NGOs and third parties to assess claims of legitimate utilization made by various private developers of digital surveillance tools.

The report makes special reference to the “vulnerabilities market,” wherein security vulnerabilities found in various software products are bought and sold to be subsequently used to gain unauthorized access to digital communications, networks or data. When such vulnerabilities remain undisclosed, the entire private sector is potentially exposed to the risk of their nefarious misuse.

Furthermore, according to the report, surveillance products offered by private companies are not limited to off-the-shelf software, and include after-sale support and training. The private sector has also been lobbying for weakened export controls on digital surveillance technologies – including, recently, when the EU Parliament sought to introduce human rights controls to its regulatory framework. Another aspect worth noting is the revolving door between the private and public sector, where former government intelligence and law enforcement experts pursue a second career in the private sector, offering their knowledge and services to foreign governments that do not always adhere to basic human rights.

According to the report, digital surveillance software companies are far from complying even with the minimal standards of the UN Guiding Principles on Business and Human Rights. Not many of these companies make their customer policies public. Company policies pertaining to human rights are often clouded in opaque language that refrains from fully disclosing any internal safeguards and business practices.

The Wassenaar Arrangement on Export Controls and Dual-Use Goods and Technologies, which in 2013 added “intrusion software” and internet surveillance systems to its list of dual-use technologies, is regarded in the report as an unsuitable framework for addressing the threats posed by digital surveillance tools. The report claims that it lacks sufficient guidelines or enforcement measures addressing human rights violations directly, and that it is a second-order mechanism, whose first-order purpose is to focus on exports, rather than on the manner in which these tools are employed to interfere with fundamental human rights.

A present effort to reform European export control regulation by expanding the list of dual-use items and considering the “respect for human rights in the country of final destination” went through its first reading in the European Parliament, yet in light of subsequent criticism its future remains unclear. Domestic export control measures are also varied. The report mentions the examples of the United States, which is party to the Wassenaar Arrangement but is yet to implement the 2013 additions, and Israel, a non-participant state whose enforcement of export controls on dual-use items regulated under the Arrangement remains secret.

Although the International Covenant on Civil and Political Rights obliges states to provide victims of human rights violations with access to effective remedies, victims of targeted surveillance have in practice had little success in obtaining them. The report provides examples of attempts by adversely affected individuals to commence litigation and formal complaints, which have yielded no effective remedies.

The report opens its recommendation chapter by stating that “It is insufficient to say that a comprehensive system for control and use of targeted surveillance technologies is broken. It hardly exists.” The lack of an enforcement framework on existing limitations on the use and operation of digital surveillance technologies makes it imperative for states to subject these technologies to strict oversight and control. In addition, private participation in the market for surveillance technologies should be subject to human rights impact assessments and a proven track record of compliance with its norms.

It was recently alleged that surveillance technologies provided by private companies to various state actors were used to persecute journalists, activists and political opponents. The report raises doubts whether the gravity of these allegations can be mitigated by the companies’ claims that they are genuinely evaluating the lawful status of their clientele, or that the sale of surveillance technologies is legally compliant with domestic law. With no transparency regarding their process and business connections, the sincerity of these claims is yet to be determined.

The UN Special Rapporteur calls for an immediate moratorium on granting licenses for the export of surveillance technologies. According to the report, the growing evidence on the misuses of digital surveillance tools originating in the private sector requires this urgent measure. Export of such technologies should resume only when technical barriers are put in place to ensure that the use of these technologies is in compliance with human rights standards, or only to states where their use is subject to an independent judicial ex ante authorization of their legality, necessity and legitimacy.

The report emphasizes the state’s obligations as users of surveillance technologies, followed by its obligations as export licensors. As far as their obligations as users of these technologies are concerned, governments must first and foremost provide a domestic legal framework in line with international human rights law. Secondly, alongside existing mechanisms for oversight for approval of the use of surveillance measures, there should also be controls in place over the acquisition of these tools and capacities, and these should take into account human rights considerations. Thirdly, victims should be provided with domestic legal tools of redress – by designing procedures fitting for the digital age, or even establishing truth commissions enabling victims to give testimonies.

The export of surveillance technologies should be subject to a national human rights review and company compliance with the Guiding Principles on Business and Human Rights. Where these conditions are enforced via the Wassenaar Arrangement mechanisms, the report calls for enhanced transparency at the national and international levels, for example by setting clear guidelines for public disclosures concerning licensing standards, revocation, misuse and so forth.

Export licenses for surveillance technologies should be granted subject to rigorous implementation of the Guiding Principles on Business and Human Rights. The report lists the following set of minimal responsibilities to be adhered to by private companies: customer policies under which sale of surveillance technologies is limited to clients compliant with international human rights law; frequent employment of human rights due diligence processes; internal policies and standard contractual clauses that prohibit product customization, targeting, servicing or assistance that violates international human rights law; internal processes to ensure “human rights by design”; transparency reporting; regular consultations with civil society groups about the impact of their products; and grievance and remedial mechanisms.

Alongside these propositions, the report calls for a co-regulatory model that involves meaningful participation not only from the government and the private sector but also from civil society actors such as NGOs and academia. The report suggests drawing inspiration from the Montreux Document on Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict. The Montreux Document offers public disclosure and due diligence principles that might be of relevance. Another example of co-regulation of private security mentioned in the report is the International Code of Conduct for Private Security Service Providers.

The report concludes with a call to establish a new UN working group or task force to monitor and report on abuses stemming from online surveillance.

While NGOs and civil society organizations have been arguing for several years that the ever-growing industry of digital surveillance tools is involved in various violations of human rights, the Special Rapporteur’s report adds an important voice to the discourse, raising awareness of an industry that thrives on secrecy.

Nevertheless, it appears that the report could have used a more rigorous methodology. The vast array of surveillance measures considered therein may be too broad to group in one category – wrapping together various tools spanning from IMSI catchers to facial recognition measures, through social engineering and hacking tools. While all these surveillance measures may be utilized in manners inconsistent with human rights standards, each poses a different threat, varying in scope and effect. Some of them are more relevant within the framework of mass surveillance, whereas the main concern of the report appears to be targeted surveillance.

Similarly, the discussion of the “vulnerabilities market” blurs the line between surveillance tools (the “exploits,” which may be subject to an export control regime) and technical know-how (the “vulnerabilities,” which can be developed into executable code). It might have been advisable to further expand on this topic in order to shed light on the major threat to global cybersecurity stemming from unregulated trade of software vulnerabilities (and exploits) – a concern that may be particularly effective in gaining political and public support for the recommendations made in the report.

The hyperconnectivity and proliferation of the internet of things (IoT) pave the way for new methods of deriving intelligence based on what we do rather than on what we say. While adopting a rather wide, phenomenological understanding of digital surveillance, the report – whose focal point remains the freedom of opinion and expression – seems to overlook the threat posed by digital surveillance that collects and processes metadata originating from IoT devices. These devices, which range from medical devices, through autonomous cars and ride-sharing vehicles, to smart toys and connected home devices, constantly measure, process, store, and transmit a plethora of data metrics. Such information, when acquired by digital surveillance tools, may have chilling effects that extend beyond the purview of the freedom of expression to rights pertaining to autonomous human activity as a whole.

The above examples illustrate the complexity of the issue at hand: certain digital surveillance tools may be used interchangeably for both targeted and untargeted surveillance; some intrusive technologies may be utilized not only for intelligence-gathering purposes but also for offensive ones (i.e. used as a weapon), by interfering with and disrupting the operation of connected devices; the distinction between the effects of content and metadata surveillance is becoming more and more obsolete, and the latter might be posing a greater threat to human freedoms. Rather than bundling “digital surveillance tools” as a whole, the report could possibly have gained more by providing a more nuanced approach, tailored to the specific adverse effects of each surveillance measure on human rights and cybersecurity interests.

Weapon export and use moratoria have been previously employed as an interim regulatory measure while a convention or a treaty was negotiated and drafted. The same reasoning applies to the report’s urgent call for an immediate suspension of the export and use of digital surveillance tools until the implementation of the core policy recommendations of the document. The report finds that the “mounting evidence that privately developed surveillance tools are being used for manifestly illegitimate purposes” justifies the call for an extreme step such as a moratorium. However, in light of arguments used to promote past weapon export moratoria (which differ in their regional scope, the magnitude and nature of the human rights violations they aimed to curtail, and their political circumstances), highlighting the broader spectrum of human rights violations as well as cybersecurity risks, and threats to data integrity and protection posed by specific types of surveillance tools, may present a more compelling argument for the urgent call for a moratorium.

The call for an immediate unilateral suspension of the export and transfer of digital surveillance tools may ephemerally raise public interest in the issue. However, it may also draw attention away from the core policy recommendations offered by the report, which deserve a thorough public discussion.

Regardless of the realization of the weapon export moratorium, governments and private entities alike should address the report’s call to establish human-rights compliant mechanisms for the transfer of digital surveillance technologies, on the state and company level. The comprehensive list of minimal responsibilities the report offers for private surveillance companies should be reviewed, further developed and implemented by both private and government actors. 

Additionally, the report’s recommendation to establish public mechanisms for approval and oversight of surveillance technologies is long overdue. In this context, the report also briefly mentions that policies regarding the stockpiling of software vulnerabilities should also be subject to public oversight mechanisms. These important suggestions should be picked up by policy makers worldwide and expanded upon.