British defence and technology firms are exporting advanced spy tech, including powerful surveillance devices and telecommunications interception technology, to authoritarian regimes across the world. The firms, including subsidiaries of British defence giant BAE Systems, were licensed to sell the spy products since early 2015.
Some of the companies licensed to export the products were also granted approval to sell them to authoritarian regimes, such as Saudi Arabia, UAE, Turkey and Egypt which have been criticised for abusingsurveillance technology and for having poor human rights records.
According to information gleaned from documents obtained by Motherboard via the Freedom of Information Act, companies such as Pro-Solve International, ComsTrac, CellXion, Cobham, and Domo Tactical Communications (DTC) have applied for licences to export products and detailed the kind of devices that were shipped.
"At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses," said Privacy International research officer Edin Omanovic.
Mass surveillance products
Among the devices sold are IMSI-catchers, also better known as "stingrays", which pretend to be mobile phone towers to trick nearby communications devices to connect to it. The documents reveal that 31 of the devices were licensed for export to Indonesia and Turkey.
"IMSI catchers are probably one of the most controversial and yet more demanded pieces of surveillance technology marketed today. They are of dubious legality and their use raises serious ethical and privacy concerns due to their invasiveness and wide reach," said Claudio Guarnieri, an Amnesty International technologist.
According to documents obtained from the Danish Business Authority by Lasse Skou Andersen of the Danish newspaper Dagbladet Information, there is an ongoing contract between the BAE Systems' subsidiary and the UAE government, dating as far back as December 2014. The contract reveals an internet surveillance product with "IP monitoring and data analysis" capabilities for "serious crime" and "national security" investigations.
The device can also be used to track a target's social media activities, obtain personal information and communications such as voice and video recordings, messages and more from various devices.
"This comes at a crucial time, just before the European Commission [EC] is set to decide whether or not it proposes updates to regulations regarding the export of surveillance technologies," Omanovic told the Intercept. "The fact that the export license was granted by the Danish authorities to the UAE, where human rights abuses are well established, and that this information was not publicly available, underlines why these reforms are urgently needed."
BAE Systems said, "It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organisations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles."
A spokesperson from the British Department for International Trade said, "The UK government takes its arms export responsibilities very seriously and operates one of the most robust arms export control regimes in the world. We rigorously examine every application on a case-by-case basis against the Consolidated EU and National arms export licensing Criteria. We draw on all available information, including reports from NGOs and our overseas network as a key part of our assessment."
Cyberspace Cold War
The authoritarian countries that the spy tech products have been shipped to have in the past have been accused of abusing surveillance technology to specifically target journalists and dissidents. For instance, a journalist in Turkey, who was jailed on terrorism charges was later found to have been framed by hackers who infected his computer with malware.
Another instance revealed how UAE dissidents were being targeted with spyware by a cyberespionage group called Stealth Falcon, which was found to have links with the UAE government. In May, Iran's counter-cyberwarfare group claimed that Saudi Arabia-based hackers were behind a targeted cyberattack on the government's websites, which resulted in a temporary outage of services.
ESET security researcher told IBTimes UK, "Cyberspace can definitely be considered a conflict zone, and it has been one for some time. Many scholars consider the 2007 cyberattacks on Estonia as the beginning of the era of cyber conflict. Clearly, the level of conflict has escalated in recent months and I would not be surprised if this became the 'new normal' facing companies and governments who are in any way involved with data that could be of value to adversaries."