Press at risk as EU-based companies export surveillance software to hostile regimes

A photojournalists with his mouth tapped holds up his camera as he demonstrates with fellow colleagues in front of the journalist’s syndicate in Cairo against repeated attacks on members of the press in Egypt on April 4, 2014. AFP PHOTO / MAHMOUD KHALED

By Marwa Morgan,
Middle East and North Africa Program Intern 

In August, Danish Foreign Minister Anders Samuelsen told the daily newspaper Information that the government had authorized sales of online surveillance software to several Middle Eastern countries. While acknowledging the potential for human rights violations that could result from the use of these tools, the minister said that Denmark has an interest in the fight against “terror” groups, especially the militant group Islamic State.Denmark is not alone when it comes to surveillance exports. According to a 2016 policy review by the European Commission, three EU member states issued 27 export licenses of mobile surveillance in 2015 alone, and denied only two. The review said that intrusion software–which allows the covert interception and monitoring of online activity–exported from companies registered in EU member states was connected to government-sponsored online attacks directed at journalists, activists and human rights defenders in countries including Morocco, the United Arab Emirates, and Bahrain.The review estimated the dual-use technologies market in 2014 was worth €2.8 billion ($3.3 billion).The review did not specify details about the countries or licenses exported, but news outlets and human rights groups have separately reported that surveillance software from EU-based companies was exported to countries under EU sanctions–including SyriaIran, and Yemen. The sanctions prohibit the export of tools that can be used for “internal repression.”Current EU legislation on technologies, including cyber surveillance tools, specify licensing criteria between EU member states and non-EU countries, but leaves licensing decisions at a country’s discretion. On October 12, the EU parliament will vote on proposed legislation that will bind member states to a set of regulations and include a review mechanism that examines the potential abuse of these tools against journalists and activists.The EU proposal, which is focused on changing regulation rather than penalizing a specific company, is a welcome move. Of course, any proposals for reforming laws should be framed to ensure journalists are protected from surveillance and still able to access the tools they need to work and to stay safe online.CPJ has documented a growing trend of governments cracking down on independent journalism in the name of fighting terrorism worldwide. In addition to mass surveillance, journalists have also been targeted in phishing and hacking attacks that create a chilling effect among independent journalists and small news organizations that cannot afford tools to protect themselves.In response to that trend, CPJ has joined the Coalition Against the Unlawful Surveillance Exports (CAUSE), a coalition set up by civil society groups to ensure that surveillance technology exports do not contribute to human rights violations.

In some cases, government surveillance has forced journalists to leave their home country. Freelance journalist Houssam al-Deen said he knew he must had been “on the radar” for a long time before he had to flee Syria in 2011. Al-Deen told CPJ that during his military service in 2001, he learned that in addition to targeting journalists and activists, the Syrian government owned what was then state-of-the-art software that could scan e-mail messages for keywords. Al-Deen, who had worked for 14 years with international media outlets as a freelancer, said he felt vulnerable when several journalists were arrested while reporting on the civil war.

To try to protect himself, he logged on from different computers in internet cafés and made sure to delete all files and clear passwords after use. Yet these precautions were not enough protect him. Al-Deen said that while he was on a video call with his editors at the BBC in 2011, the police raided the internet café he was working from and arrested him.

“They had detailed logs of all my online activity and they confronted me with them during the interrogation,” he said.

The journalist, who was facing charges of espionage, said he had to pay $30,000 as a bribe to be released after spending two days in custody. He now lives as a refugee in Germany, where he works as an aid worker. “I was lucky that I had money,” he said. “I would have been doomed otherwise.”

CPJ and other rights organizations are aware of several journalists in at least 10 countries in the Middle East who said that they believe security agencies used cyber-attacks try to target or intimidate them.

Additionally, in Egypt since May 2017, at least 434 websites, including more than 90 news outlets and blogs have been blocked, according to local rights group Association for Freedom of Thought and Expression. The state-owned Middle East News Agency reported that government was behind the order to block the sites. The government did not issue an official statement or comment, according to reports.

In 2015, the EU released an action plan to defend human rights around the world. Yet by allowing countries such as Syria, Iran, and Yemen–all countries that, as CPJ research shows, have a poor press freedom record–access to surveillance software, the EU is failing to uphold its pledge.