This exclusive report was compiled by Ben Wagner and Claudio Guarnieri, leading researchers on surveillance and digital security technology. The Berlin-based scholars work at the Centre for Internet & Human Rights, European University Viadrina.

From Mexico to Mozambique to Pakistan and beyond, there is now ample evidence that governments across the globe are using mass surveillance technologies such as FinFisher to spy on their citizens. This has driven researchers and advocates like ourselves to consider the source: Who makes these technologies? And who benefits from their sales?

Germany is a major exporter of these technologies, and as digital communications privacy has become a red-hot topic for the German public, the country has become an ever-more central actor in this field.

By cross-referencing information from a massive data leak in mid-August with the results of a recent parliamentary inquiry in Germany, we’ve come to suspect that the majority of surveillance technologies produced by German companies have been bought and sold under the table – in other words, without a license. The German government requires licenses for the sale of technologies that are considered to be “dual use” – products that can be used for both good and ill.

At the center of the inquiry lies the British-German company Gamma International, maker of the now infamous FinFisher surveillance toolset. Unsuspecting targets of surveillance typically end up downloading FinFisher unknowingly, just by clicking on a seemingly innocent link or email attachment. Once installed, the tool allows the user to access all stored information and monitor even encrypted communication. Keystrokes can be logged, Skype conversations recorded and cameras and microphones can be activated remotely.

Members of Germany’s parliament recently conducted an inquiry into the sale of surveillance technologies to foreign governments. In response, the German government stated that over the past decade, it has provided German companies with licenses to export surveillance technologies to at least 25 countries, many of which have long histories of human rights abuse. Between 2003 and 2013, surveillance technologies were exported to Albania, Argentina, Chile, India, Indonesia, Qatar, Kosovo, Kuwait, Lebanon, Malaysia, Morocco, Mexico, Norway, Oman, Pakistan, Russia, Saudi Arabia, Switzerland, Singapore, Taiwan, Turkey, Turkmenistan, USA and the UAE. German Green Party MP Agnieszka Brugger published the full set of questions and official government response on her blog.

How does Germany’s export market work?

The answers provided by the German government are complex to interpret, as their documentation covers any IT system that includes surveillance technology “components”. For example, a complete national telephone system that is sold for $10 million in total might include a surveillance component that costs $2 million – but the product is listed in public documentation as $10 million worth of exported goods which include licensed surveillance technologies.

Based on extensive conversations with relevant government officials, individuals from the private sector and the numerous leaked documents available, it is possible to get a relatively accurate estimate of the proportion of these technologies that are actually surveillance technologies. By a conservative estimate, around 20% of the overall IT systems delivered on this list are actually surveillance technologies, with the rest being generic IT systems and technologies. For example, in 2010 Germany exported 11,977,728 € worth of IT systems which include surveillance technologies. Thus we estimate that of these IT systems listed only 2,395,546 € are actually surveillance technology exports, with the rest exports of generic IT or telecommunications systems.

These figures also allowed us to build the following graph of German surveillance technology exports from 2010 to 2013:

Estimated total worth in millions of euros of licensed surveillance exports from Germany, 2010-2013.

Importantly, the German government explicitly denied having received any request from Gamma for a license to export their FinFisher product to Bahrain or Ethiopia. Official German government documentation also does not mention exports to countries like Bangladesh, Netherlands, Estonia, Australia, Mongolia, Bahrain and Nigeria, yet there is ample evidence that FinFisher has been sold to these countries. (Security researchers at the University of Toronto’s Citizen Lab have conducted an extensive series of technical investigations into the use of FinFisher products in a wide range of authoritarian and democratic countries. A full archive of these reports can be found here.)

Documents in the leaked FinFisher dump and analysis by Privacy International suggest to us that Gamma has sold these technologies without any export license at all. This claim is based on numerous documents on how Gamma deals in technology and the recent assertion of the British government that they would legally require Gamma to obtain a license for FinFisher if the company wanted to export it from the UK. Existing knowledge and research shows Gamma operates out of the UK and Germany, thus strongly suggesting that these technologies would have been exported from Germany. And Germany has repeatedly denied that it provided a license to Gamma to sell to several key countries where we know that FinFisher has been deployed. This leads us to the conclusion that FinFisher was exported from Germany without a license.

What does this mean for the German trade in surveillance technologies? Sales of licensed surveillance technologies are meager in comparison to the sales of unlicensed exports of FinFisher, let alone other surveillance products. Gamma is currently selling more surveillance tech than all licensed exports combined. Here is an overview of how licensed and unlicensed German surveillance exports compare:

Estimated total worth in millions of euros of licensed and unlicensed exports from Germany, 2010-2013.

And this is just one single company – there are likely others in Germany following this business strategy. Although the exact total of unlicensed German surveillance exports is hard to calculate, it should come as no surprise, given that business insiders from industry leader ISS World estimated their global industry worth at $3 – 5 billion. The significant gap between licensed and unlicensed elements of the surveillance technology industry shows the need for urgent and clear international regulation.

What has the German government done so far?

The German government also stated that it will further lobby to regulate surveillance technologies that harm human rights, a positive development that reflects an understanding of the seriousness of the issue. In light of these latest revelations, and the desire of certain parties to make this a key political issue, we are encouraged and hope further changes can be made to prevent even more dangerous technologies from being exported to repressive regimes. Findings like these suggest to us that greater regulation is needed in this sector.

And there is some precedent for this. Germany blocked exports of ‘Interception Management System’ software (a product similar to Utimaco’s LIMS system) to Iran in 2008. More recently, the government has suggested that companies should stop exporting surveillance technologies to Turkey.

The data also suggests that the global surveillance technology market is highly dependent on large contracts with a few individual countries. Response to the parliamentary inquiry showed the largest individual deals in 2006 and 2007 were brokered with Saudi Arabia and Turkey. It is hard to guess precisely what contracts these exports refer to, but they fit into the pattern of Internet surveillance being upgraded to deal with larger data volumes that became common around 2005. Tunisia faced similar issues in 2007, prior to the revolution, and opted to install Deep Packet Inspection surveillance technology in order to manage increasing quantities of data.

Advocating for surveillance regulation in a post-Snowden world

Left-wing parties in Germany now see regulation of surveillance technologies as an important political issue worth fighting for. Both the Greens and the Social Democrats (SPD) are fighting for ownership of the issue – this seems to have been the driving force behind the parliamentary inquiry. While the politicisation of issues like this is not always helpful, it is interesting to watch political parties compete to see who can better regulate surveillance technology in the interest of human rights.

Leaked documents from FinFisher show that the company now believes they are or may soon be subject to export restrictions in Germany, a fact that appears to have prompted them to begin asking their clients for additional information about what the exports will be used for – this is the type of information they would need in order to comply with German export control regulations. This suggests that export regulations for surveillance technologies may be having an impact before becoming law, as even some of the most ruthless companies are already reacting to ensure they comply.

Global standards and the Wassenaar Arrangement

And there may be more changes to come. Documentation suggests that the German government has begun to recognise the need to regulate more surveillance technologies that harm human rights. They explicitly cite surveillance “Monitoring Centres” – which can house data from e-mails, SMS messages, Internet and VOIP phone calls within a single data center – as technologies that can be misused and thus merit additional regulation.

The primary venue for negotiating such changes to export controls is the Wassenaar Arrangement, a non-binding agreement between states on how to regulate certain “dual use” technologies internationally. Wassenaar essentially provides a long ‘control list’ of technologies that all member states believe could be misused. Each individual member state in the EU then implements the decisions in its national export control laws. These lists are updated annually at a large conference of Wassenaar member states. It typically takes an entire year for these changes to come into force within the national legal frameworks of the various Wassenaar member states.

Like many human rights advocates, we believe the Wassenaar Arrangement provides the strongest platform for the German government to lobby for such changes, and it has now repeatedly confirmed to the German parliament its wish to do so extensively. Better regulation of surveillance technologies is “of high political importance” to the Wassenaar member states, as it is for the European Commission, which considers this area “high priority.” Germany is also pushing heavily to have 2013 changes to the Wassenaar control list come into force at the EU level as quickly as possible. Some officials say they will move forward on the issue as soon as autumn 2014. This is an optimistic prognosis, but it speaks to the steps that the German government has taken at various different levels to speed the process. How realistic this timetable is remains to be seen, but it at least signals substantive intent by the German government after years of inaction.

German party politics and the bigger picture

Beyond surveillance technologies themselves, Social Democrat (SPD) party head and Minister of the Economy Sigmar Gabriel has declared his wish to interpret export control law more strictly in all areas. The tools for this have existed for some time in the form of “Political Principles for Exports” developed by the German government in the year 2000, but these were seldom strictly enforced. SPD Minister Gabriel has interpreted these principles more strictly to stop a variety of weapons exports from Germany. Thus additional regulations of dual-use surveillance technologies fit very well into his agenda. At the same time, he has received criticism in the press and from German media and the Green party for not being able to prove that he has actually turned down a concrete request for surveillance technologies.

Here, as in other cases, the struggle is primarily political rather than substantive. We welcome the fact that two political parties are now competing in Germany on which can regulate surveillance technology better. In concrete terms, both have made strong commitments and the SPD government in power has not yet been able to fully document these. Perhaps most notable is the German government’s continued aspiration to become a leading voice in the international debates around the regulation of surveillance technologies. Time will tell whether they are actually able to fulfil this promise, but the signs remain promising.