In the Wikileaks documents, Serbia was among the countries where representatives of the companies who sell surveillance equipment were located and it is believed that someone in Serbia has bought FinFisher/FinSpy software, which can be used for surveillance of electronic communications. In our previous article, Share Defense has pointed out at Serbian legislation and possible abuses of these instruments.
The document published by Wikileaks shows that during last year, representatives of the companies who sell surveillance equipment have frequently visited Serbia. Tomas Miskovsky from Trovicor, whose name appears several times, draws special attention. If we consider information that was published in this document, we can assume that someone in Serbia has bought these surveillance tools from Trovicor.
Trovicor is one of the leading traders of equipment for interception and data surveillance in the world. This company claims that it supplies more than 100 countries around the world with equipment for legal interception by specialized monitoring centers. These centers can intercept telephone calls, text messages, VoiP calls (similar to Skype calls) and entire Internet communication. Spying on hard drives is not possible yet. Trovicor also offers the possibility of efficient processing and analyzing of vast amounts of data (so-called intelligent platforms). The problem is that Trovicor sells the equipment that can be abused and that could lead to human rights violations, especially concerning the right to privacy and freedom of expression. Companies like Trovicor are clearly violating internationally established principles in this area (OECD Guidelines) and Privacy International has filed a complaint to the Organization for Economic Co-operation and Development (OECD), along with many other human rights organizations. The complaint was sent to the OECD’s National Contact Point in Germany, situated in the Ministry of Economy and Technology.
There are some cases in which companies, including Trovicor, have sold the equipment for communication surveillance to authoritarian regimes such as Bahrain, Egypt, Vietnam, Syria and Yemen which have used it to spy on journalists, bloggers and dissidents. Import of this equipment is justified with protecting national security and combating terrorism. Two employees of this company admitted that they had installed the contentious equipment two years ago in Bahrain and the sale was confirmed by the spokesman of Nokia Siemens, who owns Trovicor. After Wikileaks’ announcement, there are assumptions that this type of service was provided in our country as well.
Companies aren’t concerned how their products can be abused or how that could lead to potential violation of fundamental human rights. Also, Reporters without Borders have marked Trovicor as an enemy of the Internet.
Import of the surveillance equipment
It is evident that import/export/transit of the equipment is a question of great importance for individual countries and on an international level as well. On the European Union (EU) level, an initiative for making a strict regulative of control and export of the equipment for communication surveillance was started recently. Regarding that the EU has regulated import, but not the export of the equipment, it is required to protect the countries outside the EU as well. Therefore, traffic control of the equipment is a question of national interest that should be clearly regulated.
In Serbia, guidelines on import and export of the equipment for communication interception, i.e. electronic surveillance, should be regulated by laws which deal with import and export of dual-use and military merchandise, because it is considered as equipment of special interest for national security. Until recently, this area has been regulated by the Law on External Trade of Arms, Military Equipment and Dual-Use Merchandise, and not long ago, a new Law on Import and Export of Dual-Use Merchandise was adopted and came into effect on November 8th, 2013. In accordance with the law, software and technology are both considered controlled merchandise that can used for military or civil purposes.
Under this regime, the law also puts technical assistance, which is defined as a “service referring to development, fabrication, modification, managing, assembling, testing, repairing, maintaining, storage or detection of dual-use merchandise, as well as other technical assistance like instruction, preparation, transfer of business knowledge and skills or expertise and advisory services, including the help provided verbally (Article 3)”.
Compared to an older version of the law, it can be noted that the current version doesn’t seem to give much attention to software and technology import and issues regarding their transfer. Another relevant fact is that the current version of the law is more focused on the export of the merchandise. Clause in Article 6, applied only to export, introduces an obligation that because of the importance of the merchandise, in situations when it is doubtful if certain equipment should be on the list, even though it is not there, the Ministry must be asked for an opinion whether an export license is needed. Having in mind that National lists, which determine what merchandise should be subjected to this regime, are complicated and too long and often require expert opinion on this issue, that shows just how much this clause is needed, but we do not see the problem with applying this clause to the import as well. Since the purpose of the law is to control the import/export/transit of the equipment of interest for the national security of the Republic of Serbia, there is no legitimate reason for import to be under more liberal treatment.
EFF has suggested an introduction of a “know your customer” standard. This framework should be based on two main points: companies that sell electronic surveillance equipment should, before and during the sale, research and get to know their customers and refrain from the transactions if there’s possible evidence or doubt that the company’s technology could be usef for violation of human rights.
The new law leaves out the obligation of previous registration for the activity with the competent Ministry – just an import/export license from the competent Ministry is needed. Among other things, with the request for issuing an individual license, along with other documents listed in the law, an especially important end-user certificate must be provided, which shows the importance of control and tracking of the equipment to its final destination (Article 12). What is also important to point out is that when competent Ministries decide on giving their consent and ultimately on issuing the license, it is very important to take into account if the equipment in question: “…endangers the security or defense interests of the Republic of Serbia, public security and constitutional order; endangers the respect of human rights in the end-user country; enables the outbreak or continuing of armed and other conflicts in the country of end-use; enables the use of merchandise for inciting riots in the country of end-use” (Article 15). The list of reasons for taking into account when issuing a license was expanded for improving the protection and respect of human rights, peace and limiting the possibilities of its misuse. In the end, it should be mentioned that the competent Ministry has a database on all issued, denied and revoked licenses and conducts oversight in cooperation with other state bodies (Articles 26 and 28).
The surveillance equipment regulation puts more emphasis that only the equipment that protects human right in a best way and leaves little space for abuse should be used. It is therefore important to be aware if the imported equipment used for communications interception and electronic surveillance could possibly violate fundamental human rights (right to privacy, freedom of expression, freedom of assembly etc) and see if there is a less intrusive equipment which could provide the same results.
Questions that need to be answered
Share Defense asks if the equipment used by our security services was imported by the procedure stipulated by the law. On the EU List of technology and merchandise, inter alia, there are “security of communications and means of information”, as well as software and technology. Having in mind that lists for equipment for which a license is needed, which are brought by the Government, are made according to EU lists, but are also quite complex, we can ask a question if the mentioned equipment, which should have been on these lists, passed through this procedure during import/export? Bearing in mind the relevance of the equipment and the possibility of using for illegitimate purposes, which could lead to violation of human rights, we believe that it is of great importance to develop a strict control of the equipment, prescribed by the current law. Also, the second important question, which can be determined based on the database of licenses managed by the competent Ministry, is whether Trovicor imported this equipment on the territory of the Republic of Serbia? Having in mind all that has been said and the fact that Trovicor was accused of cooperating with authoritarian regimes of Bahrain, Iran and Syria, the use of their equipment is questionable. Even though the company’s software and hardware were used for targeting, spying and locating political and human rights activists and journalists, the representatives of Trovicor claimed that the illegal versions of the software were used in those cases and that they only sell it to states. Taking into account the possibilities of their software and its level of intrusiveness on human rights, it is questionable whether this software could be in accordance with our legislative framework.