The International Fight Against Spyware Needs a Level Playing Field

Banksy says hi. Credit: nolifebeforecoffee/Flickr, CC BY 2.0


The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was established in 1996 by a group of mostly Western states (41 participating states at the time of writing, not all of them NATO members), to coordinate export restrictions on technologies left over from the Cold War. In December 2013, its control lists were amended to cover “intrusion software” and IP network surveillance systems. As a result, exports of spyware from the participating states, even for legitimate purposes, became subject to licensing, which made such tools far harder to obtain in emerging markets. Since then, a decision made by the Wassenaar states has pushed countries like India towards dodgy purveyors such as the Italian Hacking Team, the British FinFisher and the French VUPEN for hacking and interception tools.

The nature of such deals was exposed when, in an ironic twist, hackers dumped the internal communications of Hacking Team in July 2015, and the emails were later indexed and published by WikiLeaks. The amendments have already been panned for being too broad – “unworkably” so, per the EFF: “the definition risks sweeping up many of the common and perfectly legitimate tools used in security research”. The amendments also subject spyware to the same restrictions as those in place for, for example, electronics, avionics and propulsion systems. And finally, the arrangement leaves it up to individual countries to implement the specified controls in their own export laws and is not legally binding; it is reactive rather than proactive, letting private enterprises engage in the irresponsible trade of spyware.

Then again, would India have purchased anything from the US government following Edward Snowden’s revelations in 2013? As long as the US reserves the right to hack, surveil, spy, and plant trojans and zero-day exploits, there will be smaller countries seeking to access defensive capabilities like encryption and firewalls one way or another in order to level the playing field – and someday justify mass surveillance and censorship by the persistence of need. Moreover, software development is already one of India’s strong suits, and it is not inconceivable that some years from now both India and China will become exporters of surveillance equipment and “intrusion software” in general.

The Wassenaar Arrangement itself would have been more credible and effective had it invited such ‘major’ importers to participate in drafting the export controls, for “intrusion software” at least. The US Deputy National Security Advisor had said the Obama administration supported India’s inclusion in the Wassenaar Arrangement, but that was in 2010. For all these reasons, attempts to create a level playing field should not be ad hoc or perfunctory. Such attempts should also be multilateral and mindful of the needs of countries facing sophisticated threats from entities like the Islamic State.

In fact, two features, borrowed from the regulatory regime surrounding nuclear technology, come to mind:

First: Requiring aspiring receivers of surveillance and censorship technologies like India to have meaningful privacy laws before prospective senders agree to transfer technologies with guarantees provided through a binding agreement. This would protect the selling government from liabilities, allow it to claim meaningful guardianship over other countries’ use of spyware and surveillance technology, and also help make headway on issues like native encryption on ubiquitous electronic devices like mobile phones, which often make their way across borders.

Second: Having an independent body to monitor compliance, facilitate the resolution of disputes, and control, through licences, which companies can sell surveillance tools to governments. Non-compliance with ‘standard practices’ – themselves arbitrarily defined, such as basic privacy laws – often results in either protracted disputes or disputes in which one party comes off smarting, and neither is a desirable outcome because both delay infrastructure development. Moreover, overreaching governments are often spurred by terrorism and other persistent threats to justify widespread surveillance and censorship, in settings where counter-surveillance tools are neither accessible nor deemed necessary by a majority of the population, and where “bigger problems” often supersede such debates. Finally, such a body would also help countries have honest conversations on international surveillance regimes without being distracted by programmes like PRISM. An independent international body could check and, by invitation, enforce compliance, as well as help confine the use of network surveillance tools to legitimate purposes.

Going after companies like Hacking Team – and VUPEN and FinFisher – alone is meaningless because they fulfil a need, albeit one we may not have fully understood but whose legitimacy manifests from time to time. But to keep such companies from selling what are tools of oppression in the hands of an oppressor, the recognition of certain first principles of digital privacy must be universal: so that sanctions may be imposed more uniformly and consensually; so that groups like NATO do not have too much bargaining power over who gets to access surveillance equipment; and so that the technical standards may be defined with a perspective more humanitarian than political in mind.

This article was originally published in the ORF Cyber Monitor, vol. 3 issue 8.