A search for common ground: export controls on surveillance technology and the role of the EU

Discussion Prompt: To what extent can and should surveillance technology be subject to export control?

See all contributions to this question.

The near-decade since the Arab Spring has seen a significant expansion of controls on the transfer of Western surveillance technology to autocratic regimes. Nonetheless, with evidence of questionable transfers casting doubt on their efficacy, the success of these controls remains unclear, especially in the absence of public reporting obligations. EU institutions and EU member states are debating if and how EU controls in this area should be expanded. However, the path toward a strong, clear, and coherent European trade policy framework for surveillance technology remains far from clear.

The 2011 Arab Spring shone a light on the unregulated trade in surveillance technology. Reports indicated that Western companies had supplied surveillance technology to several states in the region — including Iran, Libya, and Syria — who were accused of using them in connection with serious violations of human rights. Moreover, there did not appear to be any regulations that would allow states to see this was happening and prevent it from taking place. In response, an increasing array of different types of surveillance technology have been made subject to states’ export controls. This article summarises these measures and the impact they have had. It also explores the lessons learned for the further expansion of export controls on surveillance technology and the development of other mechanisms for regulating their trade and use.

Export controls & surveillance technology

Controls on exports of dual-use items are a crucial component of global non-proliferation efforts. In contrast to arms export controls — which control items that are ‘specially designed’ for a military use — dual-use export controls are primarily aimed at regulating the trade in civilian items that have potential military applications. As such, they cover a wide range of items — including certain types of chemicals, pathogens, and software — and create licensing obligations for a broad array of companies and research institutes — including those in the energy, bio-technology, and IT sector.

Standards in dual-use export controls are agreed multilaterally via the various export control regimes — such as the 42-member Wassenaar Arrangement which focuses on conventional arms and ‘sensitive’ dual-use items — and imposed internationally via sanctions adopted by the UN Security Council. EU member states created a common legal basis for their dual-use trade controls in the 1990s under the EU dual-use regulation and use EU sanctions measures to place restrictions on exports of dual-use items that are often broader than those agreed at the UN.

The main focus of dual-use export controls — both in terms of the items covered and the concerns states apply when authorising exports — is preventing the proliferation of Weapons of Mass Destruction (WMD) and their delivery systems. However, even before 2011 Wassenaar controls also covered items used by intelligence or law enforcement agencies. Moreover, EU controls require member states to deny exports if “there is a clear risk that the […] equipment to be exported might be used for internal repression”. As such, when reports emerged in 2011 about the trade in surveillance technology and the lack of oversight states looked to dual-use export controls to fill the gap.

In 2012 and 2013 members of the Wassenaar Arrangement added mobile telecommunications interception equipment, intrusion software, and internet protocol (IP) network surveillance to the organisation’s list of controlled dual-use items. In December 2019 controls on monitoring centres and digital forensics were also added after several years of debate and discussion. The EU has included the 2012-2013 items in its own dual-use list and will add monitoring centres and digital forensics the next time it is updated in late 2020. Moreover, it has used EU sanctions to prohibit exports of a wide range of surveillance technologies to Iran, Myanmar, Syria, and Venezuela.

With little fanfare or attention a wide range of surveillance technologies have been made subject to export controls in many key supplier states. However, the process of developing and implementing these controls has been controversial. The controls on intrusion software generated criticism from companies and researchers on the grounds that they inadvertently captured processes for reporting software vulnerabilities and tools for testing IT-security. Meanwhile, NGOs complained that the controls had little impact, pointing to the large numbers of questionable transfers that have been approved since their introduction. Against this background, there has been a concerted push for creating stricter controls at the EU level. In the context of an ongoing review of the EU dual-use regulation, the European Commission and European Parliament have proposed creating additional controls on exports of surveillance technology that would be wider and more restrictive than those adopted at the Wassenaar level.

Finding a way forward

Making the controls that have been adopted to date work more effectively will require governments to draw more extensively on the knowledge and experience of experts in the private sector, NGOs, and academia in order to better understand the capabilities of different surveillance technologies and the human rights and security challenges they pose. Such a process should lead to the development of guidelines aimed at ensuring that the controls are applied effectively and consistently and that new ones are formulated in a clear and appropriate manner.

Harder to bridge will be differences about the overall aim of applying export controls to surveillance technology. These differences are on display in debates about changes to the EU dual-use regulation. Combined, the modifications proposed by the Commission and Parliament would, among other things, expand the range of human rights concerns governments consider when approving exports to include the right to privacy and freedom of speech. They would also increase the set of surveillance technologies that are subject to licensing requirements by creating a so-called ‘catch-all’ control that would cover items that are not covered by the EU dual-list but which might be used in human rights violations. Most EU member states view both steps as beyond what can be achieved through export controls and have resisted their adoption. As a result of these and other differences, the process of agreeing a new version of the dual-use regulation — which the EU had hoped to conclude by the end of 2019 — is continuing into 2020.

Navigating this complex set of issues requires a recognition that export controls are just one of a range of policy tools that can be used to improve standards in the trade and use of surveillance technology. Others include soft law mechanisms such as industry self-regulation standards that have been promoted by associations like the Global Network Initiative and the Telecommunications Industry Dialogue. What is needed is a determination of which surveillance technologies and which human rights and security concerns can be addressed in a meaningful way via export controls and which are better tackled by alternative mechanisms.

A role for the EU

The various EU institutions and EU member states are well-placed to lead in both the development of guidance material and determining where the division between export controls and other mechanisms should lie. A key starting point would be an assessment of how the Wassenaar and EU controls have been applied to date, including which surveillance technologies are included and excluded and which transfers have been approved and denied. This assessment would be helped if the review of the EU dual-use regulation created an obligation for EU member states to publish details of their approved and denied licences. However, both processes require a common understanding of the legitimate and illegitimate uses of surveillance technology and the regulations and oversight measures that states need to have in place to ensure that human rights abuses do not occur. Given the differences in EU member states’ views and practices in this area this may prove a challenging task. However, it is one that the EU must address if it is to live up to its goal of being a community of common values that is able to establish and promote high standards in human rights.

A search for common ground: export controls on surveillance technology and the role of the EU

Add comment

Other articles

The Pegasus scandal in Poland – between old problems with state surveillance and the current rule of law crisis

Finnish intelligence overseers’ right of access supersedes Originator Control

Cyber defence operations require a dedicated legal framework

Stalemates in Dutch intelligence oversight

Obfuscation as a strategy to pass mass surveillance powers