Tools that circumvent encryption, wiretapping technologies, spyware: the so-called dual-use items are products that can be used in both civilian and military environments, and that the European Parliament would propose to severely limit, if not ban altogether. The problem with these products, developed by companies operating in the fields of defence and intelligence, is that once purchased by governments they can be used to fight against terrorism and crime, as well as tools for internal repression against journalists and activists. And regulating their dissemination and commercialisation has so far proven a frustratingly ineffective effort.

The latest attempt to regulate this sector in the EU came with the September 2021 update to the export regulation: the Union sought to tighten controls and pushed Member States to be more transparent about the issuing of export licenses.

However, the field of intelligence support systems (ISS) does not consist only of manufacturing companies, but also of intermediary entities that resell the products, often with close ties to the purchasing governments. Export control laws, which were only amended after years of scandals, have failed to address possible licensing loopholes, such as the use of intermediaries or the exchange between affiliate companies. Finding the balance is difficult: the legislator must take into account both the necessary transparency on the use of potentially very dangerous tools, and the end-users’ (mostly agencies belonging to governments themselves, European or otherwise) need for a certain degree of secrecy. Concerns over these technologies are not merely speculative: over the years, there have been instances of abuse targeting journalists, dissidents, activists and politicians. Digital surveillance has increasingly become a tool of repression in the hands of governments around the world, from Spain to Mexico, from Israel to Vietnam.

The first European export regulation dates back to 2009, and since then several investigations (many still ongoing) have been launched into the international sales of certain products. There have been a few sanctions, but the judicial route has mostly proved lengthy and ineffective.

Investigations on surveillance hotshots

Every year, the city of Prague hosts the European edition of the most important trade fair for the surveillance industry: ISS World Europe (other editions are held in Asia, South America, North America and the Middle East). At these events, companies present themselves and cultivate relations to bid for contracts. All these companies share a peculiar trait: a large portion of them is, or has been, marked by a scandal or a judicial investigation. Starting with the main sponsor of the 2023 edition, NSO Group: the Israeli company develops the infamous Pegasus spyware, extensively covered by the Pegasus Project that detailed multiple scandals and instances of abuse against activists and journalists around the world. Despite huge losses suffered since being blacklisted by the Biden administration in November 2021, NSO continues to play a leading role in Europe.

Among the associate sponsors of the 2023 edition are Intellexa, the company involved in the PredatorGate scandal in Greece; Israel’s Elbit Systems, which also manufactures cluster bombs, leading Norway’s largest pension fund to ban investments in the firm last March; and Candiru, which according to two reports by Microsoft and Facebook, from July 2021 and December 2022 respectively, allegedly infected the devices of more than a hundred people (including journalists, activists and political opponents in Palestine, Iran, Lebanon and Yemen), by creating at least 130 fake accounts that were later removed by Facebook. In 2017, Britain’s Bae System, was the subject of a journalistic investigation for selling spyware used against political opponents in Saudi Arabia, the United Arab Emirates, Oman, Qatar, Algeria and Morocco. Finally, Germany’s Utimaco, whose wiretapping technology was sold through Norway’s Telenor to Burma in 2021, is feared to have been used by the regime against political dissidents.

When exporting, therefore, one often ends up embroiled in scandals or judicial investigations, not least because of uncertain regulations. It is certainly very difficult for investigators to prove responsibilities, and the results from the trials rarely go beyond the media clamour over unsavoury business deals.

Among the sponsors of Iss World Europe 2023 are also three important Italian companies: RCS, IPS and Area, all involved in controversies with interesting outcomes. The former had developed Hermit, a spyware used in Italy and Kazakhstan, a country with a long history of spying on political opponents. IPS and Area were featured in the 2017 documentary Spy Merchants, produced by Al Jazeera, which showed, thanks to an undercover collaborator, how companies offered their clients the chance to circumvent export controls thanks to subsidiaries abroad.

In the case of Area, Al Jazeera reveals, the sale to South Sudan (an embargoed country), was concluded through Turkey, where the company has a partner. For IPS, on the other hand, the sale to Iran went through another partner company, Resi. Among those investigated was the vice-president of Area.

In an interview with IrpiMedia, the founder and CEO of Area Andrea Formenti – now head of the group that controls it, A+ – clarified that the case unveiled by Al Jazeera actually concerned «a personal initiative» by a former employee who worked in the sales department, and subsequently left the company for this and other reasons. «That initiative would in any case have stalled as soon as it was brought to the table for a pre-bid», Formenti assured. At any rate, Area was not notified of any criminal offences. Formenti explains that the expansion into the foreign market was a choice made a few years after founding the company. The option was to either expand the customer base in Italy and pursue business clients, or «attempt to offer [their products] to the authorities on an international scale». The choice fell on the second option. The expansion abroad was followed by judicial investigations.

Five years for a filing

The Italian justice system targeted Area at the end of 2012, when the Milan Prosecutor’s Office charged the company with financing terrorist activities, relating to the sale of surveillance technology to the Syrian regime. Due to a lack of clear evidence, the charge was downgraded to a violation of export regulations. There were concerns that the technology was being used by Syrian intelligence against political opponents. When nothing came to light, the same prosecutor requested and obtained the dismissal of the case after five years, in 2018. The lengthy investigation, and the ensuing media clamour, damaged the firm’s reputation heavily.

Despite being dated, this story reveals the problems inherent in the export control mechanisms for surveillance technology, as well as a huge discrepancy in the management of export licenses, even among European countries. The Area project in Syria, called Asfador, involved the export of products developed by a French company, Qosmos, and a German company, Utimaco. According to journalistic reports, it would provide a real-time monitoring system of the Syrian network: from an interception centre to probes to monitor internet traffic, including the capture and archiving of emails.

Nothing came of the project, however. No investigation has been opened into Utimaco in Germany, while in December 2020, Qosmos in France was cleared of charges of complicity in the torture of the Syrian population. In the latter case, the investigation did not focus on violations of export regulations, but on whether the surveillance systems had facilitated the detection of opponents who would then be captured and tortured by the regime.

For Italy, on the other hand, the charges only concern the violation of export regulations, and the geopolitical situation does not enter into the assessment. In fact, we read in the text of the filing: «”the communications surveillance system on a network operating with Internet Protocol (IP) was included in the catalogue of dual-use products” only as of January 1st, 2015», four years after the start of the war.

Questioned by Busto Arsizio prosecutor Francesca Parola, Formenti explained that Area had requested authorisation from the Ministry of Economic Development (now replaced in the role of granting licenses by the Ministry of Foreign Affairs), as this was one of the company’s first international operations. The Ministry had granted it, as its Under Secretary Ivan Scalfarotto, stated in a written reply to the Senate. Formenti’s statements were considered «more than credible» by the investigators, who chose not to take the matter before a judge. The export of Area’s systems to Syria lasted from February to November 2011, at which point the company broke off relations with Damascus altogether.

While there were no bureaucratic obstacles to the exports, Syria’s human rights track record complicated the issue. The context for the Damascus deal was very different from the current geopolitical framework. In March 2010, Italian President Giorgio Napolitano had visited Syria to strengthen diplomatic relations between the two countries. The day before the President’s arrival, Area had signed the agreement with the national telecommunications company, the Syrian Telecommunications Establishment (STE). Only a year later, riots broke out. On the other hand, the signs of repression were already evident, as Human Rights Watch explained in a July 2010 report detailing the prosecution of bloggers and dissidents, but this did not prevent Italy or other European countries from pursuing agreements. On the contrary, there was a wish to intensify diplomatic and trade relations with the country.

Not all countries were of the same opinion. In fact, the geopolitical situation was already taken into account by the United States, which had designated Syria as a «State Sponsor of Terrorism» since 1979, mainly for providing weapons and political support to Hizballah.

At the time of the Area case, the USA had already had a licensing system in place since 2003, which was further strengthened in 2011 and, since some of the products exported by the Area to Syria were of US origin, the US opened their own file. The case, however, was settled immediately and without repercussions with the payment of a $100,000 fine. «With the exception of certain medicines and food, no item subject to the Regulations may be exported or reexported to Syria without a Department of Commerce license», reads the settlement agreement. Specifically, in order to be lawfully exported to Syria, the US technology must obtain an U.S. Government authorization «which was not obtained», the press release reads and it must not exceed a certain value, the Italian company explains to IrpiMedia. Area followed the Regulation in one case but violated it in another. «We paid our fine but we were not subject to any restrictions», Formenti explains.

The aftermath of the Area investigation

The dismissal, after five years of investigation, has left both human rights associations and activists – due to the impossibility of identifying the end-user of the technology – and the company – due to a lengthy trial that only after confirmed the initial position – unsatisfied in many respects.

The closing of the case, however, still provides an opportunity to reflect on the issue of exports nodes. On the one hand, there is the question of the “end-user”: the danger of a technology depends in part on who will use it. The paperwork to apply for export license includes a document where this must be stated by law, but as IrpiMedia has already written, this was not always the case. Both the organisations filing the lawsuits and the investigators who then open the files often assume that the export license does not actually state who will use the technology. In the case of Syria and Area, some witnesses (who were Area employees at the time) had indicated the presence of a person connected to the Syrian secret services, the suspected users of the technology. This person, referred to as Firas, was never identified by the prosecutor.

On the other hand, even if a ‘suspicious’ end-user were identified, the company would have to be found responsible for the possible use of the technology to repress dissidents or journalists. Especially since government agencies are involved.

In the present case, Area, for its part, proved during the investigation that it had taken all the necessary steps to obtain the export license, even at a time when it was not required. Even today, Area claims to be insolvent to an Italian bank that had provided the funding for the project in Syria, which was never carried out.

«We would like as much clarity as possible», explains Formenti. «We would like to have a list of technologies that are classified with great care and with as much flexibility in dynamically adapting to technological and geopolitical evolution. We are extremely open». Currently, according to Area, there are contradictions in some cases. For example, licenses do not apply in the same way to two technologies that communicate with each other, such as the system that duplicates the traffic of telephone operators (so-called mediation systems) and the monitoring systems installed at public prosecutors’ offices where this data is recorded and analysed. The former are not subject to export authorisation while the latter are.

This discrepancy «tends to tilt the playing field: if you are a company dealing with mediation systems, you have much more wiggle room», says Formenti. According to the Area founder, more precise guidelines would also be needed at least at the European level with regard to which countries and entities companies are allowed to work with. Then there would be a need for ‘an independent control body, such as observers during elections’ that would periodically verify compliance with the license. On the composition of this body, there would be several avenues: third parties such as those that already exist and consult on the issuing of licensing, or better still, «subjects that would have a form of institutional accreditation», Formenti explained. A sort of single supranational body for all countries.

Currently, there are European countries that facilitate the export of surveillance technologies. This emerges from the November 2022 report published by the Committee mandated by the European Parliament to investigate the use of surveillance spyware, the PEGA Committee. There is no agreement on what choices should be made in order to control exports. The problem that Formenti himself notes here is also the willingness of governments and agencies to make their use of certain technologies transparent. In the absence of precise restrictions, individual firms are free to decide who it is appropriate to do business with based on their own criteria, outside of international standards.

Currently, the dual-use regulation already provides a sort of matrix similar to the one described by Formenti, where a precise list of technologies and software must be evaluated according to the type of end-user and their country of residence. This list, according to NGOs such as AccessNow, is not necessarily exhaustive, and in some cases is not up to date with the sector’s latest technological developments.

A proposal: ban spyware

At least as far as spyware is concerned – a controversial type of malware that allows to take control of any device remotely – the Green MEP and rapporteur for the PEGA Committee, Sophie In’t Veld, calls for the introduction of a moratorium to block its use and sale in Europe. A drastic solution that might not be effective, as it stems from an incomplete picture of the firms in the sector, and because not all European countries seem to share the same ideas about the solutions.

The Committee did not have an easy task, amid internal tensions and the unwillingness of some countries to provide the information requested. The Italian government did not offer explanations on the purchase and use of spyware, nor on the legal framework and the expenditure. Italy is certainly not alone in this list: only Austria, Poland and Cyprus replied to the questionnaire sent by the Commission in July 2022.

According to rumours revealed by EURACTIV, the report by MEP Sophie In ‘t Veld has the support of most parliamentary groups except the European People’s Party (EPP), which will presumably try to reduce the scope of the decisions taken to curb the illegal wiretapping scandal in Greece, the ‘European Watergate’. Néa Dimokratía, the party of Greek Prime Minister Kyriakos Mitsotakis (who was heavily involved in the scandal), is in fact a member of Epp.

The moratorium, reads the draft report, would be immediately applicable and proposes a blanket ban on exports unless countries meet certain requirements: prompt clarification of possible controversy in the case of spyware misuse, compliance with European standards on surveillance, willingness to submit to Europol inspections and investigations, and revocation of previously granted export licenses if they do not align with the spirit of the European regulation.

Once more, the report highlights the lack of rules and knowledge within the surveillance sector. «The Commission», it says, «has not so far undertaken an analysis of the situation nor an assessment of the companies that active on the European market». A list of surveillance companies operating within the European Union is not sufficient to have an exhaustive analysis of the market, as several operators work with a dense network of intermediaries and reseller companies, which are often very hard to identify. This corporate network is a risky component, but the potential for intervention in terms of controls and standards is limited, as some of the companies are often located in extra-European jurisdictions, where the rules of the great surveillance game are different.

The Committee claims to have gathered information, yet to be confirmed, on the purchase of spyware by all EU countries. The most important supplier is the Israeli group NSO, which provided spyware to at least 14 countries. There are also indications that Pegasus is being misused in Poland, Hungary, Greece, and Spain, while in Cyprus there are currently only suspicions. Cyprus itself and Bulgaria are used as transit countries for the export of surveillance technologies. Most of the banks used by spyware providers are based in Luxembourg, while Ireland is the main tax base, as is already the case for big tech.

Intra-group exports: a loophole in the European regulation

The regulation introduced in 2021 seeks precisely to correct these industry distortions. However, a loophole remains with regard to the transfer of licenses within the same corporate group. Let us assume that two companies, controlled by the same parent company, are registered in different countries: one within the European Union and the other outside. The export of technology from the European company to its non-EU sister would require an authorisation. This special authorisation, introduced in the latest regulation, applies only to Argentina, Brazil, Chile, South Korea, the Philippines, India, Indonesia, Israel, Jordan, Malaysia, Morocco, Mexico, Singapore, South Africa, Thailand and Tunisia, but excludes various surveillance technologies, such as software to facilitate infection by spyware and internet monitoring systems.

It is not clear what happens in other cases. At that point, all that remains is to refer to national regulations. According to Italian law (which came into effect in February 2018), an export license is needed even for simple technical assistance such as «instruction, advice, training, transmission of operating learning or skills or advisory services, including oral forms of assistance». The same applies in the case of access to servers for sharing information, which is considered an intangible transfer. In these cases, the company must equip itself with a system that ensures the security and traceability of access, to allow audits by the supervising authority. This would suggest that an Italian export license is always necessary.

But what if the sister company, registered outside the EU, wanted to re-export the technologies of the EU-registered company to a third country? What if the sister company is located in a country where there are no controls similar to those in the EU? Interpretations for this case differ even among researchers and insiders: Formenti would opt to apply for a license in Italy. However, he doesn’t rule out that someone might be using their own subsidiary to export technology outside the EU unlicensed. Two researchers also agreed on these two possibilities, but were not at liberty to make statements on the subject, given the current uncertainty.

The Ministry of Foreign Affairs did not reply to a request for comment on this matter sent by IrpiMedia.