Controlling cyber technology by Catch-all

Companies do not care what happens with their exported surveillance technology, according to a leading Dutch daily. The paper referred to an investigation by Al Jazeera into the murky world of surveillance exports. Reporter Simon Boazman wondered: “will it ever be possible for this booming industry to be properly regulated?” The European Commission is trying exactly that, and has proposed an improved Regulation on Dual Use control, which is under pressure from the industry lobby.

During the North-African uprisings of 2011 it became clear cyber technologies were part of the tools for internal repression. Amnesty International summarised its concerns in 2014: “Surveillance technologies are not simply harmless tools. In the wrong hands they are often used as a tool of repression. Evidence is continuing to reveal the extent of this secretive trade that puts countless individuals at direct risk from human rights abusing governments. More and more stories emerge showing these damaging and often unlawful technologies affecting political activists, human rights defenders, refugees, dissidents and journalists, with some technologies placing entire populations under surveillance.” In 2014 Human Rights Watch released an article on the Ethiopian government spying on its citizens in Europe. The technology Ethiopia used was sold by European companies.

New Dual Use regulation

The misuse of surveillance tools and know-how is the reason for the EU to update and expand its Dual Use Regulation. A new Dual Use order is proposed by the Commission for the control of exports, transfer, brokering, technical assistance and transit of Dual Use items. The new ruling should have a number of objectives:

* to prevent the spread of weapons of mass destruction (WMD);

* to prevent non-state actors from gaining access to sensitive items and thus contribute to the fight against terrorism; and

* in light of the increasing blurring between the civilian and defence sectors, to add to the EU's efforts to counter so-called hybrid threats*;

* for the provisions relating to the control of cyber-surveillance technologies, to contribute to the protection of human rights globally (and fill the juridical gap for control).

It is expected that adoption will not be earlier than the end of 2017, with the regulation entering into force in spring 2018 at the earliest. The proposal is wide-ranging and has five different options: keeping present regulations; implementation and enforcement by soft law and guidance; system upgrade; modernisation; and complete overhaul implying full centralisation of controls at EU level. It must reduce the administrative burden by making control simpler and less costly, and improve security, human rights, and the fight against terrorism.

Dual use products are strategic goods which can be used for both military and civil applications. Many cyber technologies are already part of the Wassenaar Dual Use list. They are well described on lists for strategic (military or dual use) goods. The European Commission wants to add an EU list for surveillance technologies. Besides military and dual use products, there are also products with an unforeseen military application. This category is controlled by a so-called Catch-all clause. This means that items not on the lists for strategic goods can still be controlled, including newly developed technology that is not (yet) listed. The European Commission has proposed an expanded and uniform Catch-all policy for the whole EU to control cyber surveillance technologies (cost) effectively. The Catch-all clause targets technology considered a possible danger to security and human rights, without making all of this technology subject to mandatory reporting. Compared to a leaked draft, several technologies have been removed from the list, such as biometrics, location tracking devices, probes and deep packet inspection systems. Industry influence seems to be strong.

Catch-all

The Catch-all is the least known part of the control on strategic products, but its importance should not be underestimated. One third of the EU Dual Use export denials were connected to Catch-alls, according to a 2009 evaluation report of Dutch arms export policy (see for further Dutch Catch-all info). A mandatory consultation procedure between competent authorities to ensure the EU-wide application and validity of Catch-all decisions is included in the proposal, as are regular exchanges of information between the Commission and Member States and a "Catch-all database" recording Catch-all licensing requirements, end-users and items of concern. Transparency to civil society will be a future issue here.

The current European Dual Use Catch-all (article 4) has – to summarize – a scope which includes items for: the development of weapons of mass destruction or missiles capable of delivering such weapons; military end-use in a country of destination subject to an EU, UN or OSCE arms embargo; and military use without the proper license required. The following Catch-all provisions are still being edited and adjusted.

1.2.1. Ensuring legal certainty for the so-called ‘Catch-all’ clause

As a further way to increase controls on items that can be used for violations of human rights, the Commission is proposing to extend the ‘Catch-all’ clause initially introduced to protect national security:

Article 4(1): ‘An authorisation shall be required for the export of Dual Use items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part:

(d) ‘for use by persons complicit in or responsible for directing or implementing grave violations of human rights or international humanitarian law in situations of armed conflict or internal repression in the country of final destination, as identified by relevant public international institutions, or European or national competent authorities, and where there is evidence of the use of this or similar technology or equipment for directing or implementing such grave violations by the proposed end-user.

(e) ‘for use in connection with acts of terrorism’

Government position

The Dutch government has a number of reservations about the Dual Use proposal. First of all, it doesn't agree with the Commission that it will make control cheaper. Human rights and anti-terrorism are added as issues, and for that reason implementation of control will require extra personnel at the Dutch ministries of Foreign Affairs, Finance, Internal Affairs and Defence. Secondly, the Dutch government is of the opinion that cyber technology should be controlled according to the lists of the international Wassenaar Arrangement on export controls for conventional arms and Dual Use goods and technologies, and not by a list developed by the EU on its own (a viewpoint shared by the industry). “On a global level this [the EU developing its own list] creates disadvantages for European companies.” The Netherlands is also concerned that the proposed implementation moment of the regulation (ninety days after publication) is too soon for small and medium-sized enterprises to adapt. Exchange of Catch-all information among EU countries is also questioned, because catching is often based on the work of intelligence and security services, and sharing this would collide with the confidentiality of the information. The sharing of intelligence is not compulsory in the EU (art. 346 TFEU). The Netherlands also fears the Catch-all may be used for trade policies.

According to the Dutch government, adding human rights and anti-terror controls gives the EU a frontrunner position. But the government expects that opposition to the proposal will be strong, foremost against sharing of intelligence and broadening the Dual Use regulation to include human rights.

Industry opposition

Moreover, the industry is lobbying strongly against the proposal. Although it underlines, in a politically correct manner, that human rights and security are very important, it has a range of arguments against the proposed policy, and the Catch-all is one of its major issues. Digital Europe – combining the lobby strength of big names in the IT industry, and a member of the Expert Group set up by the Commission – calls the proposal disproportionate: “it creates the wrong environment for the operation and growth of digital services.” The Federation of German Industries (BDI), operating under the slogan 'Voice of German Industry', wrote in a 2016 report: “Avoid Catch-all rules, give preference to product and country lists.” BusinessEurope wrote in its March 2017 Newsletter: “Businesses need certainty and predictability. The development of guidelines will contribute to achieving this objective but it is important that businesses are involved in the process.”

The industry wants clear definitions of the products which should fall under the regulation; technology should “be controlled by technical characteristics and capabilities and not by their potential misuse,” Digital Europe states. But the proposal is not as vague as the industry portrays. Bert Gevers et al. state: “The only items which are actually added to Annex 1 in the Proposal are inserted in the brand new Category 10 (“other items of cyber-surveillance technology”). (…) As such, the addition of these items to the list of controlled Dual Use items, will likely not result in serious competitive disadvantages for EU exporters.”

With the present proposal, industry gets the least demanding option: it is either a clear and sharp definition with a Catch-all in the background as a safety net for what should be controlled, or a broad definition of Dual Use, which is much more demanding for the industry because it brings many more products under obligatory reporting. Vanderkerckhoven and Kreijen wrote on the demand for technological specifics: “(..) it seemed contradictory that a ‘Catch-all’-provision would be updated with a list of very specific items and end-uses. At least from a legislative perspective it makes more sense to include specific items in the definition of ‘Dual Use’ items and its Annexes.”

Black list

Digital Europe proposes a Catch-all based on a published list of excluded entities or end-users. Digital Europe states the current application “is based on a minimum of legal certainty, e.g. if the country of destination is subject to an arms embargo,” and that with the new proposal this certainty disappears. But items can already be stopped by using the Catch-all without an arms embargo, and thus without clear certainty for the exporter. That is the reason the Catch-all is used with prudence. The Dutch export control user guide on strategic goods states: “Since the imposition of a Catch-all provision may lead to diminished legal certainty, the government uses its power to impose a mandatory license requirement with great prudence and caution.” This also seems to be the policy of EU countries in general, as Vankerckhoven and Kreijen state: “but it must be said that at least under the current Regulation the different national export control authorities have used their power to impose a license based on the Catch-all provision, with great prudence and caution.” The Catch-all offers flexibility to governments to control (new) technology. Black lists, technology lists and country lists run against this flexibility and can, for example, be diplomatically unwise. Because the Catch-all relies on 'awareness' in the industry to ask whether a license is needed, governments have to provide information and education for industries. The Netherlands had a well-known case of applying a Catch-all to the exports by Slebos Research to Pakistan in connection with the nuclear programs of Abdul Qadeer Khan (see for more Project Butter Factory). Slebos got a suspended fine of € 85.000, with a probation of one day only, despite the seriousness of the case.

Economy versus human rights

During a Civil Society Dialogue meeting, Denis Redonnet, director of EU Trade Strategy in the Directorate for Trade, stated that “(t)he right balance between security and economics” was leading. Official documents are, however, loaded with economic considerations. It is clear that security and human rights policy can sometimes come at the expense of economic interests. This cannot be said often enough to counter the IT industry lobby.

Civil society stakeholders are less visible in the lobby. In 2015, the Steering Committee of the Coalition Against Unlawful Surveillance Exports (CAUSE), bringing together large human rights organisations, open society and technology organisations, published a report stating e.g. “The use of a dedicated catch-all mechanism, with stipulation on end-use and end-users, should be employed to future proof the Dual-Use Regulation in light of technological developments by allowing member state authorities to subject emerging technologies of concern to export authorisation.” CAUSE showed how Italy prevented the sale of surveillance technology to Syria in 2012.

Some EU countries publish their Dual Use exports. The Netherlands is one of those, and the accuracy of its reporting is even growing. In 2017 the Netherlands reported the export of crypto software to a number of countries: Afghanistan, Belarus, Central African Republic, DR Congo, Egypt, Iraq, Israel, Lebanon, Norway, Pakistan, Saudi Arabia, Russia, Somalia, Turkey and Ukraine. According to CAUSE, controls on those deliveries should be ended, because “cryptography is a key security measure to protect the confidentiality of communications, and to also ensure trust and confidence in digital interactions.” The Netherlands stated about earlier deliveries that the end users were private companies, mostly in the telecom sector, and that the danger of technology being used for human rights violations is carefully considered by the Dutch government. Considering the countries of destination, those controls are not redundant.

 

* Hybrid threats refer to a mixture of activities, often combining conventional and unconventional methods, that can be used in a coordinated manner by state and non-state actors while remaining below the threshold of formally declared warfare. The objective is not only to cause direct damage and exploit vulnerabilities, but also to destabilise societies and create ambiguity to hinder decision-making.

 

MB April 2017
