#InEnglish

Surveillance tech and export licenses: a match made in Europe
The EU has struggled to regulate the export of dual-use items, and even judicial investigations into illicit exports have been fruitless. Area Spa's manager speaks: his case still has a lot to teach

March 21, 2023

Lorenzo Bagnoli
Riccardo Coluccini

Tools that circumvent encryption, wiretapping technologies, spyware: the so-called dual-use items are products that can be used in both civilian and military environments, and that the European Parliament would propose to severely limit, if not ban altogether. The problem with these products, developed by companies operating in the fields of defence and intelligence, is that once purchased by governments they can be used to fight terrorism and crime, but also as tools for internal repression against journalists and activists. And regulating their dissemination and commercialisation has so far proven a frustratingly ineffective effort.

The latest attempt to regulate this sector in the EU came with the September 2021 update to the export regulation: the Union sought to tighten controls and pushed Member States to be more transparent about the issuing of export licenses.

In a nutshell
  • For years, the European Union has been the scene of an international clash over whether to ban, or strictly regulate, technologies for cyber surveillance and espionage
  • The concerns are not only theoretical: instances of abuse against journalists, dissidents, activists and politicians are multiplying, and digital surveillance has increasingly become a tool of repression in the hands of governments around the world, from Spain to Mexico, from Israel to Vietnam
  • The companies developing these technologies will meet in 2023 in Prague, at one of the most important conferences in the sector, including three Italian sponsors previously the focus of controversy and journalistic investigations
  • One of them is Area Spa, the subject of a five-year investigation that came to nothing. The CEO himself, Andrea Formenti, calls for clear regulations and more effective controls to limit the de facto grey area in which companies in the sector operate
  • The Area case sheds light on the problems inherent in surveillance technology export control mechanisms, as well as a huge discrepancy in the management of dual-use technology export licenses even between European countries

However, the field of intelligence support systems (ISS) does not consist only of manufacturing companies, but also of intermediary entities that resell the products, often with close ties to the purchasing governments. Export control laws, which were only amended after years of scandals, have failed to address possible licensing loopholes, such as the use of intermediaries or the exchange between affiliate companies. Finding the balance is difficult: the legislator must take into account both the necessary transparency on the use of potentially very dangerous tools, and the end-users’ (mostly agencies belonging to governments themselves, European or otherwise) need for a certain degree of secrecy. Concerns over these technologies are not merely speculative: over the years, there have been instances of abuse targeting journalists, dissidents, activists and politicians. Digital surveillance has increasingly become a tool of repression in the hands of governments around the world, from Spain to Mexico, from Israel to Vietnam.

The first European export regulation dates back to 2009, and since then several investigations (many still ongoing) have been launched into the international sales of certain products. There have been a few sanctions, but the judicial route has mostly proved lengthy and ineffective.

Investigations on surveillance hotshots

Every year, the city of Prague hosts the European edition of the most important trade fair for the surveillance industry: ISS World Europe (other editions are held in Asia, South America, North America and the Middle East). At these events, companies present themselves and cultivate relations to bid for contracts. All these companies share a peculiar trait: a large portion of them is, or has been, marked by a scandal or a judicial investigation. Starting with the main sponsor of the 2023 edition, NSO Group: the Israeli company develops the infamous Pegasus spyware, extensively covered by the Pegasus Project that detailed multiple scandals and instances of abuse against activists and journalists around the world. Despite huge losses suffered since being blacklisted by the Biden administration in November 2021, NSO continues to play a leading role in Europe.

The list of sponsors at the 2023 edition of ISS World Europe – ISS

Among the associate sponsors of the 2023 edition are Intellexa, the company involved in the PredatorGate scandal in Greece; Israel’s Elbit Systems, which also manufactures cluster bombs, leading Norway’s largest pension fund to ban investments in the firm last March; and Candiru, which according to two reports by Microsoft and Facebook, from July 2021 and December 2022 respectively, allegedly infected the devices of more than a hundred people (including journalists, activists and political opponents in Palestine, Iran, Lebanon and Yemen), by creating at least 130 fake accounts that were later removed by Facebook. In 2017, Britain’s BAE Systems was the subject of a journalistic investigation for selling spyware used against political opponents in Saudi Arabia, the United Arab Emirates, Oman, Qatar, Algeria and Morocco. Finally, Germany’s Utimaco, whose wiretapping technology was sold through Norway’s Telenor to Burma in 2021, is feared to have been used by the regime against political dissidents.

When exporting, therefore, one often ends up embroiled in scandals or judicial investigations, not least because of uncertain regulations. It is certainly very difficult for investigators to prove responsibilities, and the results from the trials rarely go beyond the media clamour over unsavoury business deals.

The economic consequences of scandals: the Hacking Team and FinFisher cases

While judicial investigations often end up stalling, there are some cases where the economic consequences are more tangible: companies go bankrupt or are taken over by other groups. This happened to the Italian Hacking Team, which was hit by a hacker attack that revealed its customers and internal details. In 2019, Hacking Team was acquired by Memento Labs, a company headed and coordinated by the Swiss-Italian InTheCyber. Germany’s FinFisher fared much worse: it filed for bankruptcy in February 2022, the German press reports, closing its offices, laying off employees and ceasing all business activity. FinFisher had been denounced in 2019 by a group of German NGOs and media, as its spyware had been allegedly used in Turkey against activists and dissidents two years earlier. Yet there was no export authorisation from the German control authority. According to Bloomberg in March 2022, the investigation by the German prosecutor’s office is still ongoing and FinFisher denies having supplied technology to Turkey or having violated export regulations. The company’s assets had been frozen, but the measure is no longer applicable due to insolvency.

International attention on FinFisher, however, dates back to at least 2011. During the riots in Egypt, protesters found documents showing that the Egyptian authorities had obtained a demo of the spyware. In the following years, multiple reports listed more than 30 countries suspected of using FinFisher, including Bangladesh, Egypt, Ethiopia, Oman, Saudi Arabia and Venezuela.

Among the sponsors of ISS World Europe 2023 are also three important Italian companies: RCS, IPS and Area, all involved in controversies with interesting outcomes. The first of these had developed Hermit, a spyware used in Italy and Kazakhstan, a country with a long history of spying on political opponents. IPS and Area were featured in the 2017 documentary Spy Merchants, produced by Al Jazeera, which showed, thanks to an undercover collaborator, how companies offered their clients the chance to circumvent export controls thanks to subsidiaries abroad.

In the case of Area, Al Jazeera reveals, the sale to South Sudan (an embargoed country) was concluded through Turkey, where the company has a partner. For IPS, on the other hand, the sale to Iran went through another partner company, Resi. Among those investigated was the vice-president of Area.

In an interview with IrpiMedia, the founder and CEO of Area Andrea Formenti – now head of the group that controls it, A+ – clarified that the case unveiled by Al Jazeera actually concerned «a personal initiative» by a former employee who worked in the sales department, and subsequently left the company for this and other reasons. «That initiative would in any case have stalled as soon as it was brought to the table for a pre-bid», Formenti assured. At any rate, Area was not notified of any criminal offences. Formenti explains that the expansion into the foreign market was a choice made a few years after founding the company. The option was to either expand the customer base in Italy and pursue business clients, or «attempt to offer [their products] to the authorities on an international scale». The choice fell on the second option. The expansion abroad was followed by judicial investigations.

Five years for a filing

The Italian justice system targeted Area at the end of 2012, when the Milan Prosecutor’s Office charged the company with financing terrorist activities, relating to the sale of surveillance technology to the Syrian regime. Due to a lack of clear evidence, the charge was downgraded to a violation of export regulations. There were concerns that the technology was being used by Syrian intelligence against political opponents. When nothing came to light, the same prosecutor requested and obtained the dismissal of the case after five years, in 2018. The lengthy investigation, and the ensuing media clamour, damaged the firm’s reputation heavily.

Despite being dated, this story reveals the problems inherent in the export control mechanisms for surveillance technology, as well as a huge discrepancy in the management of export licenses, even among European countries. The Area project in Syria, called Asfador, involved the export of products developed by a French company, Qosmos, and a German company, Utimaco. According to journalistic reports, it would provide a real-time monitoring system of the Syrian network: from an interception centre to probes to monitor internet traffic, including the capture and archiving of emails.

Nothing came of the project, however. No investigation has been opened into Utimaco in Germany, while in December 2020, Qosmos in France was cleared of charges of complicity in the torture of the Syrian population. In the latter case, the investigation did not focus on violations of export regulations, but on whether the surveillance systems had facilitated the detection of opponents who would then be captured and tortured by the regime.

For Italy, on the other hand, the charges only concern the violation of export regulations, and the geopolitical situation does not enter into the assessment. In fact, we read in the text of the filing: «”the communications surveillance system on a network operating with Internet Protocol (IP) was included in the catalogue of dual-use products” only as of January 1st, 2015», four years after the start of the war.

Questioned by Busto Arsizio prosecutor Francesca Parola, Formenti explained that Area had requested authorisation from the Ministry of Economic Development (now replaced in the role of granting licenses by the Ministry of Foreign Affairs), as this was one of the company’s first international operations. The Ministry had granted it, as its Under Secretary Ivan Scalfarotto stated in a written reply to the Senate. Formenti’s statements were considered «more than credible» by the investigators, who chose not to take the matter before a judge. The export of Area’s systems to Syria lasted from February to November 2011, at which point the company broke off relations with Damascus altogether.

While there were no bureaucratic obstacles to the exports, Syria’s human rights track record complicated the issue. The context for the Damascus deal was very different from the current geopolitical framework. In March 2010, Italian President Giorgio Napolitano had visited Syria to strengthen diplomatic relations between the two countries. The day before the President’s arrival, Area had signed the agreement with the national telecommunications company, the Syrian Telecommunications Establishment (STE). Only a year later, riots broke out. On the other hand, the signs of repression were already evident, as Human Rights Watch explained in a July 2010 report detailing the prosecution of bloggers and dissidents, but this did not prevent Italy or other European countries from pursuing agreements. On the contrary, there was a wish to intensify diplomatic and trade relations with the country.

Not all countries were of the same opinion. In fact, the geopolitical situation was already taken into account by the United States, which had designated Syria as a «State Sponsor of Terrorism» since 1979, mainly for providing weapons and political support to Hizballah.

At the time of the Area case, the USA had already had a licensing system in place since 2003, which was further strengthened in 2011; since some of the products exported by Area to Syria were of US origin, the US opened its own file. The case, however, was settled immediately and without repercussions with the payment of a $100,000 fine. «With the exception of certain medicines and food, no item subject to the Regulations may be exported or reexported to Syria without a Department of Commerce license», reads the settlement agreement. Specifically, in order to be lawfully exported to Syria, the US technology must obtain a U.S. Government authorization, «which was not obtained», the press release reads, and it must not exceed a certain value, the Italian company explains to IrpiMedia. Area followed the Regulation in one case but violated it in another. «We paid our fine but we were not subject to any restrictions», Formenti explains.

Other European companies in Syria

Area, Qosmos and Utimaco were not the only companies involved with Syria. According to a report by Privacy International, published in December 2016, the Syrian government allegedly built communications monitoring systems with the help of several other Western companies between 2007 and 2012.

In a case from 2008 and 2009, a Dubai-based reseller, AGT, in collaboration with the Italian company RCS, allegedly proposed the use of US-sourced equipment to intercept communications on the networks of a satellite internet service provider, Aramsat. Again, the same rules that cost Area the sanction would apply. AGT told Privacy International that the project was never completed. According to the project documentation examined by Privacy International, however, RCS ultimately did not include the hardware in its bid to AGT.

In June 2009, on the other hand, the Syrian government tried to acquire technology to directly intercept internet traffic, both into and out of the country, by tapping the two international exchanges in Damascus and Aleppo. One bidder for this project was allegedly the South African company VASTech.

The report also mentions Area among the bidders. Initially, RCS had jointly bid with AGT to provide the system but, after a demonstration of their technology yielded poor results and offers for further products from the two companies fell through, the Syrian Telecommunication Establishment (STE) awarded the project to Area. As Privacy International notes in its report, the STE’s call for tenders specified that «the system must be centralized and have [sic] the ability to monitor all the networks which use data communication services inside the Syrian territories», and at the time, the Syrian government maintained «tight control of telecom services through the telecom regulator and owner of the nation’s telecommunications infrastructure»: that body was the Syrian Telecommunications Establishment.

The aftermath of the Area investigation

The dismissal, after five years of investigation, has left both sides unsatisfied in many respects: human rights associations and activists, due to the impossibility of identifying the end-user of the technology, and the company, due to a lengthy trial that only afterwards confirmed the initial position.

The closing of the case, however, still provides an opportunity to reflect on the issue of export nodes. On the one hand, there is the question of the “end-user”: the danger of a technology depends in part on who will use it. The paperwork to apply for an export license includes a document where this must be stated by law, but as IrpiMedia has already written, this was not always the case. Both the organisations filing the lawsuits and the investigators who then open the files often assume that the export license does not actually state who will use the technology. In the case of Syria and Area, some witnesses (who were Area employees at the time) had indicated the presence of a person connected to the Syrian secret services, the suspected users of the technology. This person, referred to as Firas, was never identified by the prosecutor.

On the other hand, even if a ‘suspicious’ end-user were identified, the company would have to be found responsible for the possible use of the technology to repress dissidents or journalists. Especially since government agencies are involved.

In the present case, Area, for its part, proved during the investigation that it had taken all the necessary steps to obtain the export license, even at a time when it was not required. Even today, Area claims to be insolvent to an Italian bank that had provided the funding for the project in Syria, which was never carried out.

«We would like as much clarity as possible», explains Formenti. «We would like to have a list of technologies that are classified with great care and with as much flexibility in dynamically adapting to technological and geopolitical evolution. We are extremely open». Currently, according to Area, there are contradictions in some cases. For example, licenses do not apply in the same way to two technologies that communicate with each other, such as the system that duplicates the traffic of telephone operators (so-called mediation systems) and the monitoring systems installed at public prosecutors’ offices where this data is recorded and analysed. The former are not subject to export authorisation while the latter are.

This discrepancy «tends to tilt the playing field: if you are a company dealing with mediation systems, you have much more wiggle room», says Formenti. According to the Area founder, more precise guidelines would also be needed at least at the European level with regard to which countries and entities companies are allowed to work with. Then there would be a need for ‘an independent control body, such as observers during elections’ that would periodically verify compliance with the license. On the composition of this body, there would be several avenues: third parties such as those that already exist and consult on the issuing of licensing, or better still, «subjects that would have a form of institutional accreditation», Formenti explained. A sort of single supranational body for all countries.

Currently, there are European countries that facilitate the export of surveillance technologies. This emerges from the November 2022 report published by the Committee mandated by the European Parliament to investigate the use of surveillance spyware, the PEGA Committee. There is no agreement on what choices should be made in order to control exports. The problem that Formenti himself notes here is also the willingness of governments and agencies to make their use of certain technologies transparent. In the absence of precise restrictions, individual firms are free to decide who it is appropriate to do business with based on their own criteria, outside of international standards.

Currently, the dual-use regulation already provides a sort of matrix similar to the one described by Formenti, where a precise list of technologies and software must be evaluated according to the type of end-user and their country of residence. This list, according to NGOs such as AccessNow, is not necessarily exhaustive, and in some cases is not up to date with the sector’s latest technological developments.

A proposal: ban spyware

At least as far as spyware is concerned – a controversial type of malware that makes it possible to take control of any device remotely – the Green MEP and rapporteur for the PEGA Committee, Sophie in ’t Veld, calls for the introduction of a moratorium to block its use and sale in Europe. A drastic solution that might not be effective, as it stems from an incomplete picture of the firms in the sector, and because not all European countries seem to share the same ideas about the solutions.

The Committee did not have an easy task, amid internal tensions and the unwillingness of some countries to provide the information requested. The Italian government did not offer explanations on the purchase and use of spyware, nor on the legal framework and the expenditure. Italy is certainly not alone in this list: only Austria, Poland and Cyprus replied to the questionnaire sent by the Commission in July 2022.

According to rumours revealed by EURACTIV, the report by MEP Sophie in ’t Veld has the support of most parliamentary groups except the European People’s Party (EPP), which will presumably try to reduce the scope of the decisions taken to curb the illegal wiretapping scandal in Greece, the ‘European Watergate’. Néa Dimokratía, the party of Greek Prime Minister Kyriakos Mitsotakis (who was heavily involved in the scandal), is in fact a member of the EPP.

The moratorium, reads the draft report, would be immediately applicable and proposes a blanket ban on exports unless countries meet certain requirements: prompt clarification of possible controversy in the case of spyware misuse, compliance with European standards on surveillance, willingness to submit to Europol inspections and investigations, and revocation of previously granted export licenses if they do not align with the spirit of the European regulation.

Once more, the report highlights the lack of rules and knowledge within the surveillance sector. «The Commission», it says, «has not so far undertaken an analysis of the situation nor an assessment of the companies that are active on the European market». A list of surveillance companies operating within the European Union is not sufficient to have an exhaustive analysis of the market, as several operators work with a dense network of intermediaries and reseller companies, which are often very hard to identify. This corporate network is a risky component, but the potential for intervention in terms of controls and standards is limited, as some of the companies are often located in extra-European jurisdictions, where the rules of the great surveillance game are different.

Joining the dots: intermediaries evading regulation

Two strategies exist to take these technologies abroad: opening a local branch, or relying on a network of local resellers. We learned from reading Area’s financial statements that it has two subsidiaries in non-EU territory: Area Llc, established in Oman in 2017, and Area Systems UK. According to the company’s statement to IrpiMedia, both were established with the aim of trading products in the two countries, and both have institutional customers.

While the company was forthcoming about the rationale behind the opening of the two subsidiaries, there was no transparency from public institutions as to the type of technology provided by Area. In the UK, more than 20 police departments contacted by IrpiMedia through a request for access to records replied that they could neither confirm nor deny having acquired technology from Area. The Italian Ministry of Foreign Affairs did not provide any answer regarding the Oman license. The country is precisely one of those cases where granting a license for the sale of certain technologies is delicate: Amnesty International describes it as a country where critics and journalists are regularly detained. There are also clear indications of surveillance technology that can be abused.

Researchers at the Citizen Lab, an interdisciplinary laboratory at the University of Toronto, have identified the use of the controversial Predator spyware; and according to Haaretz, NSO has also sold its Pegasus spyware to the country in recent years.

When the export takes place through resellers and partners, keeping track of things is even harder. In the PredatorGate case, we reported that Intellexa (a company founded by a former Israeli intelligence chief but whose headquarters have since moved to Greece) resold the spyware from the manufacturer Cytrox. In Mexico, a number of local companies signed agreements to resell NSO’s products to the government. The other large Italian company, RCS Lab, resells the capabilities of the small Italian firm Tykelab, under the brand name Ubiquo. RCS itself was recently acquired by the company that owns Cy4gate, which in turn is linked to Leonardo, a partly state-owned defence firm.

The Committee claims to have gathered information, yet to be confirmed, on the purchase of spyware by all EU countries. The most important supplier is the Israeli group NSO, which provided spyware to at least 14 countries. There are also indications that Pegasus is being misused in Poland, Hungary, Greece, and Spain, while in Cyprus there are currently only suspicions. Cyprus itself and Bulgaria are used as transit countries for the export of surveillance technologies. Most of the banks used by spyware providers are based in Luxembourg, while Ireland is the main tax base, as is already the case for big tech.

Area took part in the Security and Policing 2022 event together with its sister company Area Systems UK – LinkedIn

Intra-group exports: a loophole in the European regulation

The regulation introduced in 2021 seeks precisely to correct these industry distortions. However, a loophole remains with regard to the transfer of licenses within the same corporate group. Let us assume that two companies, controlled by the same parent company, are registered in different countries: one within the European Union and the other outside. The export of technology from the European company to its non-EU sister would require an authorisation. This special authorisation, introduced in the latest regulation, applies only to Argentina, Brazil, Chile, South Korea, the Philippines, India, Indonesia, Israel, Jordan, Malaysia, Morocco, Mexico, Singapore, South Africa, Thailand and Tunisia, but excludes various surveillance technologies, such as software to facilitate infection by spyware and internet monitoring systems.

It is not clear what happens in other cases. At that point, all that remains is to refer to national regulations. According to Italian law (which came into effect in February 2018), an export license is needed even for simple technical assistance such as «instruction, advice, training, transmission of operating learning or skills or advisory services, including oral forms of assistance». The same applies in the case of access to servers for sharing information, which is considered an intangible transfer. In these cases, the company must equip itself with a system that ensures the security and traceability of access, to allow audits by the supervising authority. This would suggest that an Italian export license is always necessary.

But what if the sister company, registered outside the EU, wanted to re-export the technologies of the EU-registered company to a third country? What if the sister company is located in a country where there are no controls similar to those in the EU? Interpretations for this case differ even among researchers and insiders: Formenti would opt to apply for a license in Italy. However, he doesn’t rule out that someone might be using their own subsidiary to export technology outside the EU unlicensed. Two researchers also agreed on these two possibilities, but were not at liberty to make statements on the subject, given the current uncertainty.

The Ministry of Foreign Affairs did not reply to a request for comment on this matter sent by IrpiMedia.

CREDITS

Authors

Lorenzo Bagnoli
Riccardo Coluccini

Editing

Raffaele Angius
Giulio Rubino

In partnership with

Privacy International

Cover photo

Metaworks/Getty