NSO Group, an Israeli cyberintelligence firm, makes spyware that it sells to a variety of government clients around the world. It has denied that those surveillance products were involved in the torture and murder of Washington Post journalist Jamal Khashoggi, although it has neither confirmed nor denied selling its products to the Saudi government — elements of which, the CIA has concluded, ordered the killing.
That may raise eyebrows, but this intermingling of privately sold technology and authoritarian regimes is hardly an outlier. Throughout the world, despots are also probably monitoring Internet traffic, communications and behavior — in many cases using surveillance technology supplied by U.S. and other Western companies.
Take, for instance, recent reporting: The U.S. firm Gatekeeper Intelligent Security sold facial-recognition technology to the Saudi government. The system identifies the faces of drivers and passengers in cars, even with blacked-out or tinted windows. The technology has also been sold to regimes in the United Arab Emirates, and “when combined with facial recognition and number-plate readers,” Forbes wrote, “it’s designed to help authorities track individuals of interest.” This is only the latest in reports about Western firms selling surveillance technology to authoritarian regimes.
From facial recognition software to GPS trackers to computer hacking tools to systems that monitor and redirect flows of Internet traffic, contemporary surveillance technologies enable “high levels of social control at a reasonable cost,” as Nicholas Wright puts it in Foreign Affairs. But these technologies don’t just aid and enable what Wright and other policy analysts have called “digital authoritarianism.” They also promote a sovereign and controlled model of the Internet, one characterized by frequent censorship, pervasive surveillance and tight control by the state. The United States could be a world leader in preventing the spread of this Internet model, but to do so, we must reevaluate the role U.S. companies play in contributing to it.
One way to address the spread of these tools head-on is the use of export controls. Such policies have been in the news more than usual recently, not least because the Trump administration has pushed to tighten regulations on American export of emerging technologies such as the chips used in supercomputers that develop artificial intelligence. The administration’s proposed controls would place new limits on what kinds of technology can be sold and to whom. But when it comes to preventing export of surveillance technology to human rights abusers, the United States lags behind, particularly when it comes to Internet-based surveillance equipment.
Initial movement to prevent the spread of this type of surveillance equipment came through the 2013 Wassenaar Arrangement, a 41-member multilateral arms-control agreement in which the United States participates. The primary goal of the Wassenaar Arrangement was and still is to limit the sale and trafficking of dual-use technologies — those that could have both a civilian and military use. For instance, network penetration software — digital tools used to break into a wireless or physical network — is used by security researchers to probe for vulnerabilities just as it’s used by governments and militaries to intercept enemy communications. The Wassenaar Arrangement is not a treaty and therefore lacks binding power, but member states agree to establish and enforce export controls on items on the arrangement control list, which is updated every December.
One of the December 2013 additions to the control list was “IP network communications surveillance systems.” These are systems that classify, collect and can inspect all the digital traffic flowing through a network — what a hacker might use to intercept your email login at a coffee shop, or what a government might use to track the online activities of activists, at scale. Governments entered into negotiations on the Wassenaar Arrangement with a clearly defined human rights goal in mind: preventing despots and bad actors from obtaining technology that they could use to commit abuses domestically. Most Wassenaar participants, including every country in the European Union, have restricted the distribution of this technology. The United States, on the other hand, has not.
The sale of technologies such as spyware and facial-recognition systems to human rights abusers — which Wassenaar ventured to stop — enables insidious social control and encroachment on basic civil liberties. But if human rights concerns aren’t enough to move U.S. policymakers, there’s another reason to act: Exporting surveillance equipment enables digital authoritarianism and hurts U.S. national interests.
Authoritarian governance is a growing trend around the world. Building out domestic surveillance infrastructure to aid in the adoption of imported surveillance technologies — a characteristic of digital authoritarianism — exacerbates this global affront to democracy. It cuts domestic economies off from the global network and allows states at will to censor and slow access to Internet content they deem undesirable. This, in turn, contributes to the global rise in attacks on free press and open public discourse. More broadly, digital authoritarianism consolidates power in the hands of governments that are themselves hostile — or typically align themselves with powers hostile — to U.S. interests.
Enabling digital authoritarianism also supports a model — one championed by states such as China and Russia — that is opposed to free speech and threatens to further restrict it around the world. This is an approach that tries to establish such practices as content censorship, online surveillance and traffic throttling as global norms. That would fracture the Internet as we know it, encouraging governments to construct servers, cables and other domestic systems that can be tightly controlled by the state and cut off from the rest of the world as desired.
For many reasons, the United States and its allies do not subscribe to this vision of a sovereign and controlled Internet. Rather, the United States has long promoted an Internet that is global and open, largely for its democratizing force. Generally, this means that countries such as the United States have defended free speech online, protected net neutrality and advocated the economic benefits of a global Internet that connects markets and societies.
But when U.S. companies sell surveillance technology to the likes of Saudi Arabia, they are sending more than surveillance kits; they are also sending conflicting signals. On one hand, the United States cares deeply about protecting a global and open Internet. This was made clear in the 2018 U.S. National Cyber Strategy and the United States’ recent proposal to the U.N. General Assembly, co-signed by countries including Australia, Canada, France, Germany and Britain. On the other hand, American companies are selling surveillance technology that undermines this mission — contributing to the broader spread of digital authoritarianism that the United States claims to fight. (This also implicates allies such as Britain, whose companies have also sold surveillance technology to oppressive regimes.)
We won’t be able to remedy this situation until the United States updates its approach to exporting surveillance technology. Of course, this must be done carefully. But digital authoritarianism is spreading, and U.S. companies need to stop helping it.