Die Präsidentin der EU-Kommission, Ursula von der Leyen, bei einer Rede zu Europas digitaler Zukunft in Brüssel, 19. Februar 2020.  © 2020 AP Photo/Virginia Mayo

(Brussels) – The European Union should adopt stronger regulations to prevent cyber surveillance technology developed in Europe from being sold to repressive governments,  Human Rights Watch said today in a letter to the European Union together with seven other human rights groups. EU member states that have hindered the progress of more robust legislation should drop their opposition.

For years, gaps in the current regulation have allowed the sale of so-called “dual use” items produced in the EU, including mass and intrusive surveillance systems,  to abusive governments. These government have used the technology to crack down on human rights defenders, journalists and opposition groups. In the letter, the groups urged the European Union to adopt legislation that requires companies to carry out human rights due diligence and mandates states to deny export licenses for cyber surveillance technology if there is a substantial risk that it  may be used to violate human rights.

“Weak EU rules have allowed companies to peddle spyware to repressive governments, helping them squash dissent,” said Wenzel Michalski, Germany director at Human Rights Watch. “The EU needs to plug the holes in its trade regime and stop being complicit in human rights abuses.”  

In 2016, the European Commission proposed a number of meaningful reforms, largely supported by the European parliament, to the regulation on trade in surveillance technologies. But the European Council gutted them in June 2019. The Czech Republic, Cyprus, Estonia, Finland, Ireland, Italy, Poland, and Sweden opposed the reforms, citing largely economic interests.  

As negotiations are about to restart, the European Commission has proposed new draft amendments in an attempt to find a compromise between the Council’s and the Parliament’s positions, but those amendments fall short of the reforms needed to rein in the surveillance industry.  

For almost a decade, cases of these technologies harming rights have cropped up throughout the world. The German company FinFisher’s product, FinSpy, can target mobile phones to obtain contacts, text messages, emails, locations, photos and other data, and to record calls. Italy’s Hacking Team sells government agencies a suite of remote monitoring spyware called Remote Control System (RCS), which provides access to computers and smart phones in real time.

The Toronto-based research group Citizen Lab has found evidence that FinSpy was being used by government agencies in over 30 countries, including many with abysmal records on rights, like Bahrain, Oman, and Qatar, and traced Hacking Team’s RCS to use in 21 countries, including by repressive governments in Saudi Arabia and the UAE.

In 2014 Human Rights Watch documented that the Ethiopian government has used both FinFisher and Hacking Team spyware against opposition group members and journalists overseas. The government has also previously used foreign technology to record private phone conversations and emails of people targeted for their alleged political beliefs. The United Arab Emirates (UAE) has used both FinSpy and RCS to target the high-profile Emirati activist Ahmed Mansoor. He is currently serving a 10-year sentence in prison issued in 2018 for “cybercrimes.”

The French firm Amesys, which became Nexa Technologies, is the subject of multiple judicial investigations in France for its role in facilitating human rights abuses. One investigation is looking into the use of its surveillance systems in Libya to identify, track down and torture the former Libyan leader Muammar Gaddafi’s political opponents.

The Crimes Against Humanity Division of the Paris Prosecutor’s office  opened a  second formal investigation  into allegations that its monitoring systems were sold to the authoritarian government of Abdel Fattah al-Sisi in Egypt as recently as 2014. President al-Sisi’s rule has been defined by brutal attacks against civil society and suppression of fundamental rights and of all forms of dissent.

In July 2019, security researchers found FinSpy being used in Myanmar, a country that committed atrocities against its Rohingya minority and regularly prosecutes journalists, activists and even satirical groups. FinSpy was also found to be used against the main opposition party in Turkey during a protest in 2017. Turkey’s communication minister at the time refuted all allegations regarding the use of FinSpy in 2018. But the following year German prosecutors opened an investigation into whether FinFisher broke the law by exporting its powerful spying software to Turkey without a permit.

Memento Labs took ownership over Hacking Team in April 2019. In a communication to Human Rights Watch, the company said it cannot comment on Hacking Team’s activities and that it has new policies and procedures to assess the human rights impact of its sales. FinFisher did not respond to a request for comment.

There are also questions as to whether EU states are facilitating the trade of spyware produced by the Israeli company NSO Group, whose Pegasus spyware has been documented as being used to target a wide swath of civil society, including at least 24 human rights defenders, journalists, and members of parliament in Mexico, an Amnesty International employee, Mansoor, Saudi Arabian human rights defenders, and, allegedly, the Saudi journalist Jamal Khashoggi, who was subsequently murdered.

 In a letter to Human Rights Watch and other organizations, Novalpina Capital, a European private equity firm that has controlling ownership in NSO Group, revealed that the exporting authorities in Cyprus and Bulgaria issue export licenses for NSO Group products, a claim both authorities deny.

In addition to stronger due diligence requirements, the organizations urged the European Union to improve its export control regime. The regime should include creating a system for states to update an EU control list for cyber surveillance technologies in a transparent and consultative manner, and denying export control licenses for non-listed items on human rights grounds.

A so-called “catch-all” clause would require the companies to inform the export authority when they have identified human rights risks associated with their exports, and the authority would authorize or deny the license upon evaluation of these risks. The groups also said that the EU should adopt appropriate human rights standards and transparency regarding export licenses granted, and denied, which is essential to meaningfully scrutinize the human rights impact of the trade in dual-use items.

“The EU should take the lead by putting its commitment to human rights ahead of the surveillance industry,” Michalski said. “The longer this trade is unregulated, the more likely it is that abusive governments will be able to spy on activists and perceived critics, and use that information to commit further abuses. That is a stark contrast with the EU’s stated support for human rights.