Human rights activists and organisations were celebrating when the EU introduced restrictions on the exports of surveillance technology by the end of 2014.

Finally, more than three years after revelations in the aftermath of the Arab Spring had shown how the European surveillance industry helped dictators in the Middle East crack down on protests, the European countries were taking action.

Due to »growing security concerns regarding the use of surveillance technology and cyber-tools that could be misused in violation of human rights or against the EU's security«, as the Commission wrote in a press release at the time, the export of cyber-surveillance technology to countries outside the Union would now require governmental approval.

But today, the celebrations have been replaced by disappointment. The new rules have not had the effect many had hoped.

A cross-border investigation conducted by a network of European media outlets reveals that the EU’s member states have permitted exports of cyber-surveillance technology at least 317 times during the past two years. In comparison, 14 applications were denied.

Export licenses for surveillance-products per country. Credit: Leon De Korte / De Correspondent

Regulation is insufficient

Almost 30 percent of the issued licenses were for exports to countries that are ranked as ‘not free’ by the think tank Freedom House. One example is The United Arab Emirates – a country known for using surveillance technology against peaceful critics of the regime.

Researchers from Citizen Lab at the University of Toronto have previously documented how the famous human rights activist and United Arab Emirates national Ahmed Mansoor was spied on with cyber-surveillance tools from an Italian vendor. Yet, both Denmark and the UK have approved exports of systems capable of mass surveillance of internet traffic to the UAE. And Finland issued several licenses to the Finnish subsidiary of the Canadian company EXFO, allowing sales of mobile phone surveillance technology to the country.

52 percent of the licenses revealed by the investigation were for exports to countries that Freedom House ranks as ‘partially free’. This includes a country like Turkey, where the Erdogan government has cracked down on political opposition following a failed coup last year. Only 17 percent of the licenses were for exports to countries that Freedom House ranks as ‘free’.

»The data clearly illustrates that the current regulation is insufficient,« says Edin Omanovic, a research officer at the non-profit Privacy International.

»The very low amount of applications being denied is concerning. Given that many of the countries that these products are being sold to have a problematic human rights record and no legal framework regulating the use of surveillance technologies, a lot more exports should have been refused.«

Collin Anderson, an American security researcher who has authored a report on the regulation of cyber-surveillance technologies for the NGO Access Now and spoken about the subject in the European Parliament, draws a similar conclusion.

»The few cases where a denial has been issued are success stories. But the overall picture seems to be that the good intentions behind the rules have not been followed up in practice,« he says.

Dark industry

While our investigation is the first comprehensive and systematic attempt to map Europe’s surveillance exports, the actual figures could be much higher. 11 of the EU’s 28 member states have not disclosed the requested information. Among those are France and Italy, two countries known for housing some of the world’s largest companies in the field of surveillance.

»There are numbers you’ll never find,« says Marietje Schaake of the Alliance of Liberals and Democrats for Europe (ALDE) Party in Europe, who has been on the forefront to monitor the trade in digital weapons. »We are talking about a very grey, intransparent and dark industry.«

In the past years, journalists and researchers have uncovered several cases of European surveillance technology being used to crack down on regime critics in authoritarian countries. In 2011, a Bloomberg investigation found that activists in Bahrain had been tortured while being interrogated about private messages that the authorities had intercepted using equipment from Finnish-German Nokia Siemens Networks.

In Morocco, journalists from the opposition media platform Mamfakinch have been attacked with intrusion software from the Italian company Hacking Team. The same software has also been used by the Ethiopian government against journalists in exile in the US, researchers at the University of Toronto have found.

When the authorities in the EU member states determine whether or not to issue a license for the export of surveillance technology or other kinds of so-called dual-use products, the regulation says they should take »all relevant considerations« into account – including the risk that the technology could be used in violation of human rights. Dual-use products are goods that can be used for both civilian and military purposes.

But unlike the rules governing the export of conventional arms, it is not mandatory for the authorities to deny an export of dual use technology if there is thought to be »a clear risk« that it might be used for internal repression in the destination country. The authorities may instead choose to prioritize other interests such as boosting economic growth or maintaining a good relationship with the country in question.

»The basic problem is that the dual use regulation, which now also covers cyber-surveillance technologies, was originally designed for a completely different purpose, namely to avoid the proliferation of weapons of mass destruction,« says professor Quentin Michel from Université de Liège, an expert in the field of export control regulations.

»Therefore, the regulation is mostly focused on security risks and is not geared to sufficiently address the risks of human rights violations associated with the export of cyber-surveillance technology.«

New regulation has been proposed

In a comment to the investigation a spokesperson from the EU commission states that »It is clear that the existing controls need to be made more efficient, consistent and effective. This includes addressing the proliferation of cyber-surveillance technologies and the risks they pose to international security, in order to better protect human rights and digital freedoms.«

In the fall of 2016 the EU commission put forward a proposal to strengthen the regulation. The new proposal would not make it mandatory for member states to deny an export if it is associated with risks of human rights violations. But it would, among other things, strengthen the human rights-related language of the rules and cover more categories of cyber-surveillance equipment than the three that are currently regulated.

The European Parliament’s rapporteur on the proposal, Klaus Buchner from the German Green Party, thinks the investigation highlights the need for such an update of the rules.

»The 14 denied exports in your data set have in effect strengthened human rights and strengthened the EU as a trading partner. The importance now is to harmonise this human rights focused approach across Europe in order to be overcome internal differences and patchy implementation,« he says.

It is still unclear, however, if the proposed bill will be passed. According to a memo from the Danish government, »there is a general scepticism among member states« towards the new proposed rules, since they would differ from international export control agreements such as the Wassenaar arrangement.

The Wassenaar Arrangement is a voluntary, but politically binding pact between 41 states that oversees export controls on munitions and arms like tanks, missiles and guns and digital weapons. European guidelines are in part based on the Wassenaar Agreement.

Member states also fear that the new emphasis on concerns for human rights would »create uncertainty about the interpretation and implementation and thus create large administrative burdens for both companies and authorities.« The proposal is set to be debated in the European Parliament on the 28th of February.

The dataset behind the investigation can be found here.

About the investigation In collaboration with a number of European media outlets, Information has worked on gathering information about the exports of surveillance technology from the relevant authorities in all EU member states and Norway. 18 countries have disclosed the requested information. These are Austria, Belgium, Bulgaria, Croatia, Denmark, Estonia, Finland, Germany, Ireland, Latvia, Lithuania, Malta, the Netherlands, Romania, Slovakia, Spain, the UK and Norway. With a few exceptions, the data covers the period 31st of December 2014-31st of December 2016.

7 countries have refused to disclose information, citing confidentiality. These are Cyprus, Czech Republic, France, Greece, Hungary, Italy and Slovenia.

1 country, Sweden, said it was not able to disclose the requested information, because the authorities have not registered this information in a sufficient detail.

3 countries have not responded to our inquiries. These are Poland, Portugal and Luxembourg. The data should be interpreted with the following in mind: The investigation only covers those types of cyber-surveillance technology that are currently subject to export control (see other fact box). The rules have been criticized for not controlling a range of other invasive surveillance technologies. The data does not reveal who the customer in the destination country is or what the equipment is to be used for. In certain cases, surveillance equipment can be used for entirely defensive purposes such as protection against cyber attacks. One license allows the export of a varying amount of surveillance technology. Therefore, the amount of licenses does not necessarily mirror the export value in euros. According to the German authorities, some companies choose to withdraw their application for an export license if, during an initial dialogue with the authorities, it becomes apparent that the license would most likely be denied. Such cases are not included in the data, and according to the German authorities it is not possible to quantify how widespread this practice is. The statistics cover all licenses. Therefore, some could be temporary licenses for the purpose of demonstrating the equipment for potential customers or similar. What Europe is exporting Three types of cyber-surveillance technologies are currently regulated under the EU’s dual use regulation. These are: Internet surveillance Internet Protocol (IP) network communications surveillance systems or equipment, and specially designed components therefor Mobile surveillance Mobile telecommunications interception or jamming equipment, and monitoring equipment therefor Intrusion software Software specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network capable device, and performing any of the following: a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; Or b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions * Germany has unilaterally put additional categories of cyber-surveillance under export control. These are included in the statistics for that country.