Dec. 23 (Bloomberg) -- The clandestine arrangement worked smoothly for years. The Israeli company shipped its Internet-monitoring equipment to a distributor in Denmark. Once there, workers stripped away the packaging and removed the labels.
Then they sent it to a man named “Hossein” in Iran, an amiable technology distributor known to them only by his first name and impeccable English, say his partners in Israel and Denmark.
Israeli trade, customs and defense officials say their departments didn’t know that the systems for peering into Internet traffic, sold under the brand name NetEnforcer, had gone to a country whose leaders have called for the destruction of the Jewish state. Israel’s ban on trade with its enemy failed, even though a paper trail on the deals was available in Denmark.
The transactions illustrate how ineffective governments have been in blocking a global trade in new, intrusive surveillance technologies that authoritarian regimes can use as weapons for repression. Such gear from Western companies -- including tools that intercept e-mails and text messages, record Internet activity and map cell phone locations -- has been used to track and torture dissidents in countries including Iran, Bahrain, Syria and Tunisia, a Bloomberg News investigation this year showed. It’s unclear who Hossein’s customers were, or how the technology may have been used in Iran.
“The fact that the most murderous regimes are using Western technologies for surveillance highlights the fact that the current framework for controlling this dirty trade is not working,” says Brett Solomon, executive director of Access, a New York-based nonprofit that promotes online freedom. “How long are the innocent people of Syria and Iran to wait before Congress and the EU turn words into law?”
Yet there are ways to stem the flow of such technology, which can be used as a weapon but isn’t regulated like one. Many companies selling surveillance equipment that connects to the Internet have the ability to monitor their own customers, and governments could require them to do so while tightening export laws.
Anything connected to the Internet “can phone home and provide some sort of location data,” says Jon Oltsik, senior principal analyst at Milford, Massachusetts-based Enterprise Strategy Group, a technology consulting firm. Companies often stay in touch with their products to send software updates, and can also examine customers’ Internet addresses to determine where the equipment is, he says.
The method has already proved effective, stymieing Syrian efforts to circumvent the U.S. embargo during a crackdown that has killed more than 5,000 people.
‘Is Ignorance Bliss?’
San Diego-based Websense, Inc., a maker of Internet-filtering software, routinely scans the Internet addresses of prospective buyers, as well as its 40,000 existing customers, in order to prevent its products from going to embargoed countries or falling into the wrong hands, says Michael Newman, the company’s general counsel and interim chief financial officer.
In October, Websense blocked sales to two potential buyers, who listed their physical addresses in Switzerland and the United Arab Emirates, but who asked for the product to be downloaded to Internet addresses that the company traced to Syria.
“Companies should be taking these steps,” Newman says. “The question is, how much are you trying to know? Or is ignorance bliss?”
Such steps could have helped Blue Coat Systems Inc., a Sunnyvale, California-based maker of Web security and filtering products. Telecomix, a group that promotes online freedom, earlier this year uncovered computer logs that showed the company’s machines being used in Syria to filter Internet sites.
Blue Coat says its products were illegally shipped to Syria by a distributor and it had been unaware they were there. Spokesman Steve Schick declined further comment on the Syria sales, citing an ongoing investigation by the Department of Commerce.
Had Blue Coat been paying attention to the Internet addresses when connecting with its deployed machines, it would have spotted the suspect locations, says Peter Fein, a Chicago-based member of Telecomix.
“Claiming a lack of knowledge is no excuse anymore,” says Solomon, of Access. “Technology can be used as a weapon and should be treated with the same care and sold with the same due diligence.”
In this growing industry, with sales estimated at $3 billion to $5 billion, the potential for human rights abuse is profound. The 10-month investigation by Bloomberg News documented use of Western surveillance technology in political crackdowns and violent repression by governments across the Middle East and North Africa.
In Bahrain, authorities used European equipment to intercept phone calls and text messages of activists, who were confronted with details of their communications while being arrested and tortured. Amid Syria’s uprising, construction moved forward on a $17 million Internet surveillance system built with U.S., French, German and Italian technology.
“Stopping this trade is a shared responsibility across government and business,” says Meg Roggensack, an adjunct professor at the Georgetown University Law Center in Washington, D.C., and a senior advisor to Human Rights First, a non-profit organization based in New York and Washington. “It is extremely urgent. This is playing out in real time with real consequences for real people.”
Western governments are now trying to better regulate the trade. The European Union restricted sales of the technology to Syria after Bloomberg News exposed the project in that country. A bill introduced in the U.S. House of Representatives on Dec. 8 would bar sales of surveillance technologies by American companies to repressive regimes.
The U.K.’s Business Minister, Judith Wilcox, said the government was examining a block on the sale of mobile-phone surveillance software to Iran and Syria after Bloomberg News reported a British company sold location-tracking technology to Iran this year for use by the regime’s law enforcement.
Yet efforts to date have stumbled. After the U.S. Congress in 2010 prohibited government business with any company selling equipment to Iran that would restrict the flow of information or speech of its citizens, no companies were identified. Under current EU rules, each member state makes its own export decisions, which allows regulatory gaps.
“Right now, we’re not even trying,” says Marietje Schaake, a Dutch member of the European Parliament who is pushing for EU-wide standards. “The digital arms trade needs more scrutiny and regulations.”
Even when they impose bans, governments struggle to track surveillance sales. Often, technology vendors rely on distributors to sell their products, and simply trust that it isn’t falling into hands that will abuse it.
The shipments of Internet-inspection equipment from Israel to Iran illustrate the enforcement loopholes.
Allot Communications Ltd., a Hod Hasharon, Israel-based firm whose stock trades on Nasdaq and the Tel Aviv Stock Exchange and which reported $57 million in sales last year, sold its systems to a Randers, Denmark-based technology distributor.
Workers at that company, RanTek A/S, repackaged the gear and shipped it to Iran, according to four former employees of Allot and RanTek. The shipments were legal under Danish law.
Skirting a Ban
A sale as early as 2006 is corroborated by an export license application filed by RanTek, though the name of the customer in Iran was redacted by Danish authorities who provided the document to Bloomberg News.
The former employees identified the buyer as the technology distributor, Hossein.
The sales skirted a strict Israeli ban that prohibits “trading with the enemy,” including any shipments that reach Iran, Syria and Lebanon.
“This covers everything,” says Gavriel Bar, manager of the Middle East department at Israel’s Ministry of Industry, Trade and Labor. “Imports, exports, direct, indirect. An Israeli company is not allowed to trade with Iran in any way.”
Israeli lawmaker Nachman Shai called for a parliamentary investigation today, and the country’s Defense Ministry said it had begun to examine the report. Allot shares fell 5.1 percent to $15.84 at 11:04 a.m. in New York, after earlier plunging as much as 13 percent.
Three former sales employees for Allot say it was well known inside the company that the equipment was headed for Iran. Allot officials say they have no knowledge of their equipment going there and are looking into RanTek’s sales.
‘Breach of Contract’
“We do not authorize any sales to Iran,” says Jay Kalish, executive director of investor relations at Allot. If its products were shipped there by RanTek, it would be a “breach of contract,” he says.
Kalish says it’s challenging to track where its products go after they’ve been sold. Customers often don’t connect digitally to Allot, making electronic tracking difficult. The company has hundreds of distributors and their products have even appeared for sale on eBay, he says.
Allot said in a statement today that its policy is to comply fully with Israeli and non-Israeli laws, including all applicable export laws and regulations.
The product sold by Allot, NetEnforcer, conducts “deep-packet inspection” of networks. The technology has commercial uses, such as helping a mobile network operator prioritize certain types of traffic or eliminating spam.
But deep-packet inspection has also been used to snoop into e-mails in countries including Tunisia, even allowing officials to change the contents, Bloomberg News found. It can also prevent activists from using the Web anonymously, leading to arrest and torture in countries such as Iran, says Ben Wagner, of the European University Institute near Florence, Italy, who has studied the technology.
“I cannot conceive a way that DPI could be exported to Iran without a concern,” he says.
Allot’s Kalish says the equipment sold through RanTek was best suited for managing a company’s Internet traffic and lacked the capacity for wide-scale Internet surveillance.
RanTek officials didn’t respond to e-mails and phone calls seeking comment.
The lax controls on the Israeli technology shipments, which didn’t require export licenses, contrast with tighter restrictions on weapons sales, which do need licenses.
Companies such as Allot are almost on an honor system to comply with the rules, says Rifat Azam, a professor of international business law at the Interdisciplinary Center, a private university in Herzliya, Israel.
In the absence of strong laws and policing, bad press and the threat of reputational damage has spurred companies to curb dealings with repressive regimes.
Area SpA called off construction of the Internet surveillance system in Syria only after Bloomberg’s story was picked up by Italy’s major newspapers and sparked a protest by Syrian and Internet-freedom activists outside the company’s headquarters near Milan. The coverage also spurred an online petition by Access that gathered more than 10,000 signatures calling for a stop to the Syria project.
Paris-based Qosmos SA, which had supplied deep-packet inspection probes for Area’s Syria system, said when contacted for the story that it had already decided to pull out. Qosmos’s head of marketing, Erik Larsson, later added that the company would exit all work in interception and focus on other uses of the technology, such as market research and network management.
“We don’t want to be in that business because we don’t have the control and there’s not enough regulation,” he said. “If you’re using it to track down opponents and torturing them and killing them, then the technology is in the wrong hands.”
In the case of Iran, Dublin-based AdaptiveMobile Security Ltd. had sold and proposed systems for blocking and filtering text messages. When asked about the Iran business for a Bloomberg News story, the company said it plans to cease doing business in Iran when its contract is up in 2012, because continuing in the country’s current political climate could damage its reputation.
Measures that governments could take include examining the trade records of foreign customers. Such checks of public records in Denmark would have exposed the shipments of Israeli goods to Iran.
For now, self-regulation by companies may be critical to any recipe for change.
In a Dec. 8 speech, U.S. Secretary of State Hillary Clinton said lawmakers’ efforts to employ sanctions and control surveillance exports will only go part of the way.
“In the 21st century, smart companies have to act before they find themselves in the crosshairs of controversy,” she said.
Websense says self-policing kept it from falling afoul of Syria sanctions in October. The company also can refuse to provide updates, shutting down a product within weeks if it moves to a location where Websense doesn’t want it or if the company finds it’s being used for repression, Newman says.
It took such steps in 2009, for example, when it learned that two of its customers in Yemen were using its products to carry out government censorship of the Internet, says Newman.
In a digital arms race that pits repressive regimes against their citizens, says Access executive director Solomon, anything that loosens the tyrants’ grip on electronic communications might just save lives.
-- With assistance from Jonathan Ferziger in Tel Aviv, Vernon Silver in Rome and Frances Schwartzkopff in Copenhagen. Editors: Marcia Myers, Melissa Pozsgay
To contact the reporter on this story: Ben Elgin in San Francisco at firstname.lastname@example.org