Many Europeans are upset over revelations that the United States government spies on them. But European companies are selling surveillance tools and know-how to other governments, allowing them to spy abroad. Their customers include some of the world's most abusive governments and at least one of them—Ethiopia—is targeting its diaspora population in Europe. The results extend beyond outrage over privacy violations: They put people in danger.
The global trade in this powerful "spyware" is virtually unregulated and that needs to change. Using digital technology to monitor the Ethiopian diaspora in Europe, the regime in Addis Ababa has brought its abuses right into Europe's midst. The EU needs to regulate the sale of such technology, at least to governments with such questionable human-rights records.
Inside Ethiopia, Prime Minister Hailemariam Desalegn's government abuses mobile and Internet networks to monitor opposition groups and journalists, and to silence dissenting voices. Using Chinese-made telecom equipment, the Ethiopian security agencies have nearly unfettered access to civilians' phone records and recorded calls. Taped calls have been played back to people being interrogated by security officials and used against them in trials under the government's deeply flawed antiterrorism law.
For mobile or Internet users in Ethiopia, the violation of the right to privacy is not an abstract harm. One Ethiopian man, who asked only to be identified as "Jirata," was once a member of a registered political party; he now struggles to survive as a refugee in Kenya.
"I was becoming well known and respected in my political party and one day security officials came and arrested me and showed me list of phone calls I had made," Jirata recalled to me in a recent interview. "They demanded to know who the foreign numbers were. I told them everything—I had nothing to hide. They began to beat me with a rubber whip, demanding I confess to belonging to the [banned] Oromo Liberation Front. I was kept in solitary confinement for three months and pulled out each night to be beaten."
His story is too common. Thousands of Ethiopians have fled threats to their lives and security, and many have found asylum in Europe. Now Ethiopian spy agencies are trying to silence any independent criticism of government policy by extending their reach abroad, with the aid of advanced surveillance tools designed and sold by several European companies. These tools give intelligence officials access to files, emails and activity on a target's computer. They can log keystrokes and passwords and remotely turn on a device's webcam and microphone—effectively turning a computer into a listening device.
Yohannes Alemu, a former refugee and now a Norwegian citizen who supports an Ethiopian opposition party that the government has banned, found out too late about the spyware. In late 2012, when Mr. Alemu's wife and two children were visiting family in Ethiopia, security officials detained and questioned her about her husband's political connections. They sent Mr. Alemu emails demanding more information about his opposition-party associates. He refused, and after 20 days his wife was finally released and returned to Norway.
That was not the end of the incident.
One of the government emails Mr. Alemu received contained an attachment infected with spyware known as FinFisher. FinFisher GmbH, based in Munich, did not respond to Human Rights Watch's requests for comment regarding the use of its product by Ethiopian authorities.
Once Mr. Alamu's computer was secretly infected, the Ethiopian security agencies had unfettered access to it. After Mr. Alemu unwittingly forwarded the infected emails to other people, the spyware gave Ethiopian security agencies potentially unfettered access to their computers, too. Researchers at Citizen Lab, a Toronto-based center focused on security and human rights online, confirms that at least one of Mr. Alamu's contacts' computers was monitored as a result. Different spyware developed in Italy has been used to target the computers of others in the diaspora.
Such sales are currently perfectly legal, but European companies nonetheless risk complicity in human-rights abuses when they provide products and services that facilitate Ethiopia's surveillance. Ethiopians living in the U.K., the U.S., Norway, and Switzerland are among those known to have been targeted with Addis Ababa's spyware. Citizen Lab has documented evidence of use of these tools in over 25 countries.
In December, the 41 member states participating in the Wassenaar Arrangement—a multilateral export-control regime for dual-use technologies—agreed to regulate the export of "intrusion software" and "IP network surveillance systems." This development signals growing consensus that the trade in powerful surveillance tools being used to violate rights should be reined in.
But much more is needed. The European Commission should lead efforts to regulate the export of such technology to governments with poor human rights records, and to implement the new Wassenaar controls without delay. Until then, Yohannes Alemu will not be the last victim of Ethiopian cyber-surveillance.
Felix Horne is an Africa researcher at Human Rights Watch and co-author of a new report, "'They Know Everything We Do': Telecom and Internet Surveillance in Ethiopia."