Predator, or the shocking truth about how far the industry’s tentacles have spread

Story of the week

The ‘Predator Files,’ published on 9 October 2023, [1] focuses on the “Intellexa alliance” — a complex, morphing group of interconnected companies — and Predator, its highly invasive spyware. This spyware and its rebranded variants can access unchecked data on devices. It cannot, at present, be independently audited or limited in its functionality to only those necessary functions proportionate to a specific use and target. Predator can infiltrate a device when the user clicks on a malicious link, but it can also be delivered through tactical attacks, which can silently infect nearby devices.

Intellexa alliance’s products are said to have been found in at least 25 countries across Europe, Asia, the Middle East, and Africa. They are said to have been used to undermine human rights, press freedom, and global social movements.

To add to the debate, let’s dive deep into the legal foundations of export controls of cyber-surveillance items regulated by EU law.

With EU Dual-Use Regulation 2021/821, export control has focused more on protecting human rights. Already under previous Regulation 428/2009, the competent authorities had to take into account indications as to whether the goods are used for internal repression or other severe violations of human rights [2] when deciding whether to grant a license for the export of goods listed in Annex I of the Regulation. This decision criterion continues to apply under the new Regulation [3]. In addition, Regulation 2021/821 now includes end-use – related controls of non-listed cyber-surveillance items (catch-all) that can be used in connection with internal repression, severe violations of human rights, or serious violations of international humanitarian law.

What are cyber-surveillance items?

“Cyber-surveillance items” means dual-use items designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting, or analyzing data from information and telecommunication systems. [4]

Cyber

The risk associated with the export of such items relates, in particular, to cases where cyber-surveillance items are specially designed to enable intrusion or deep-packet inspection into information and telecommunications systems to conduct covert surveillance of natural persons by monitoring, extracting, collecting, or analyzing data, including biometrics data, from those systems [5].

The criterion “designed for” means that the item must have already been given a broadened objective during development or design – in other words, it should at least be suitable for and objectively enable the covert surveillance of natural persons [6].

In addition, the emphasis on “specially designed” stresses that the covert surveillance of natural persons must have been to the fore during development and design – in other words, the product has been developed mainly for this purpose. The term “specially designed” does not require the item to be usable exclusively for the covert surveillance of natural persons. [7]

Items for the surveillance of operating status in the industry do not constitute cyber-surveillance items because they are not specially designed to enable the surveillance of natural persons. [8] . Microphones and cameras also do not constitute a cyber-surveillance item, even when they can also be used for covert surveillance. The items in question are not for the surveillance, extraction, collection, or analysis of data from information and telecommunication systems.

Items enable covert surveillance of natural persons in particular where, with the help of the items, the surveillance performed is not perceptible to the affected natural person; the affected natural person thus is not accorded the opportunity to orient behavior to such surveillance. Examples of such items can process visual images obtained by cameras from information and telecommunication systems (e.g., evaluation of biometric features because they enable covert cyber-surveillance (e.g., face recognition software).

Note that data acquired through open surveillance can nevertheless be covert – that is, diverted, evaluated, or processed in another way without the affected natural person having an opportunity to notice it. Items enabling such data processing from information and telecommunication systems regularly constitute cyber-surveillance items in Regulation 2021/821. Examples are items that enable intrusion into information and telecommunications systems (e.g., intrusion software) or an analysis of data contained in information and telecommunications systems (e.g., deep-packet inspection).

A separate treatment of the items, depending on their listing or not in Annex I of Regulation 2021/821

When checking whether an item is a cyber-surveillance item in terms of Art. 2 No. 20 Regulation 2021/821, it is required to first look at Annex I of Regulation 2021/821.

If cyber-surveillance items are listed in Annex I of Regulation 2021/82, they are subject to export control regardless of their proposed end use. Regulation 2021/821 requires authorization to export dual-use items listed in Annex I of said Regulation [9].

These listed items are not subject to control under Art. 5 Regulation 2021/821 but under Article 3 of the same Regulation.

Annex I includes, for example, the following cyber-surveillance items:

  • Systems, equipment, and components for the generation, command, and control or delivery of 5 See attachment intrusion software (Number 4A005);
  • Mobile telecommunications interception and monitoring equipment (5A001f);
  • Internet Protocol (IP) network communications surveillance systems or equipment (Number 5A001j);
  • Software for monitoring or analysis by law enforcement (Number 5D001e);
  • Systems, equipment, and components for defeating, weakening, or bypassing “information security” to perform “cryptanalytic functions” (Number 5A004a).

Software and technology for the above items are also regularly listed in separate numbers of Annex I.

Only non-listed cyber-surveillance items are subject to control under Art. 5 (1) Regulation 2021/821.

Items that do not satisfy the criteria required for the above-mentioned items listed in Annex I and that may, therefore, be subject to control under Art. 5 (1) Regulation 2021/821 may be, for example, the following:

  • Intrusion software, such as malware or Trojans, conducts covert surveillance of persons through their information systems.
  • Monitoring software that does not satisfy the cumulative requirements of Number 5D001e – in particular by not offering all functions mentioned in the sub-numbers, such as monitoring software that analyses communication content or metadata but cannot outline a related network of relationships.
  • Monitoring equipment that does not satisfy all parameters mentioned in Number 5A001j, such as the delivery of individual operations.
The trigger for export control under Article 5: A critical end-use

The Dual-Use Regulation is considered critical or sensitive a use « in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law ».

The connection depends on the specific objective of the end use of the items in the individual case. The purely abstract risk that the items may be used in a manner that violates human rights is not determinative. [10]

Because of the missing connection with a critical end-use, items used for purely commercial applications, such as billing, marketing, quality services, user satisfaction, or network security, are generally not subject to control under Article 5 of Regulation 2021/821 [11].

Internal repression

The surveillance of natural persons – such as the targeted surveillance of human rights activists or opposition leaders – can abet measures for internal repression.

Internal repression includes inter alia, torture and other cruel, inhuman, and degrading treatment or punishment, summary or arbitrary executions, disappearances, arbitrary detentions, and other major violations of human rights and fundamental freedoms as set out in relevant international human rights instruments, including the Universal Declaration on Human Rights and the International Covenant on Civil and Political Rights [12].

Serious violation of human rights

Cyber-surveillance items can be used not only for purposes of internal repression but also for other severe violations of human rights.

The human rights referred to in Art. 5 (2) of Regulation 2021/821 are a part of customary international law and anchored in widely recognized instruments of international law, such as the International Covenant on Civil and Political Rights (ICCPR). This involves an international covenant, ratified by many nations worldwide, which enshrines fundamental human rights (and corresponding government obligations).

The following, in particular, are considered among human rights that may be affected by the use of cyber-surveillance items [13]:

  • Right to privacy
  • Right to freedom of speech, association, and assembly
  • Right to freedom of thought, conscience, and religion
  • Right to equal treatment or prohibition of discrimination
  • Right to free, equal, and secret elections. Restrictions to the above rights must conform with the international human rights standards.

Regularly, this means that the restrictions must be prescribed by law and serve a legitimate purpose – e.g., be in the interest of a democratic society or national or public security, of the public order, for the protection of public health, public morality, or the protection of rights and freedoms of others. In particular, statutes and regulations to protect national security may be misused to the detriment of the above rights and, for example, excessively or arbitrarily compromise the right to freedom of expression or privacy. [14]

The violation of human rights must be “serious”. Criteria to categorize possible human rights violations as serious can be found, among other places, in the Guide to the Common Position 2008/944/CFSP10 (Number 2.6). Accordingly, the nature and consequences of the particular violation are determinative. Systematic and/or widespread human rights violations are regularly viewed as severe. However, violations that are not systematic or widespread may be considered “serious” – for example, due to the severity of the intervention. It is not necessary for a public institution, such as bodies of the UN, the EU or the Council of Europe, to have explicitly denoted a human rights violation as “serious”. [15]

Serious violation of international humanitarian law

International humanitarian law identifies rules, which in times of armed conflicts, serve to protect people who do not or no longer participate in hostilities (e.g., civilians and wounded, sick, or captured combatants) (called the Law of Geneva) and impose upon belligerent parties limitations regarding the means and methods of warfare (called the Law of the Hague). The Law of Geneva is articled in the four Geneva Conventions from 1949 and their Additional Protocols. Also, for serious violations of international humanitarian law, the specific objective of the end use of the items in the individual case is determinative. [16]

 

What to do in case of a critical end-use

The action depends on how the knowledge about a critical end-use was acquired.

First case: The authorities have informed the exporter about a critical end-use

An authorization is required to export cyber-surveillance items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for a critical end-use [17].

Notification is usually made by an individual letter to the exporter in which the exporter is referred to the existing authorization requirement for the specific export in question. The same letter may already include the licensing authorities’ decision on the issuance of the export license.

Second case : The exporter is aware of a critical end-use

Where an exporter is aware, according to its due diligence findings, that cyber-surveillance items which the exporter proposes to export, not listed in Annex I, are intended, in their entirety or in part, for a critical end-use, the exporter shall notify the competent authority. That competent authority shall decide whether or not to make the export concerned subject to authorization.

The criterion “aware” is only fulfilled through positive knowledge or awareness, which, from a criminal perspective, is to be understood in terms of direct intent. Merely “to deem possible” is insufficient, so indirect intent or even negligent ignorance does not establish a duty to inform. [18]

However, awareness also exists when the exporter is acquainted with sufficient sources of knowledge from which the exporter can acquire the knowledge in a reasonable way and without extraordinary effort. Nor may the exporter deliberately ignore apparent indications; it is improper and may be tantamount to awareness to willfully look away and intentionally pass up a seemingly obvious opportunity to take note of something that any other in such position would have perceived. The complete failure to perform due diligence is improper (“passivity does not protect”). [19]

The due diligence mentioned in the legal provisions is part of the exporter’s Internal Compliance Programme (ICP). It is recommended to undertake measures for assessing the risks connected with the export as part of this due diligence, such as executing a three-stage, transaction-related screening process based on item, destination, and end-user reference points. [20]

This awareness must be present in the enterprise in the person of the exporter or, in the case of legal entities, the entity’s representative. In enterprises, it comes down to the awareness of the internal organization’s employees responsible. These can also be from different departments. [21]

Because, according to particular national legislations, the knowledge of these employees is imputed to the enterprise [22], the findings acquired from the transaction-related screening processes must be accumulated in one division in the enterprise. Only in this way is it possible to assess whether there is awareness in the enterprise. [23]

Where in the specific individual case, an exporter is aware, according to its due diligence findings, that non-listed cyber-surveillance items that the exporter proposes to export are intended for any of the sensitive end uses, the exporter is obligated to notify the competent authority and must ensure that the intended export does not occur before a final decision by the authority. [24]

Third case: The exporter has grounds for suspecting a critical end-use

A third possible case is reserved for national legislation of the EU Member States. They may adopt or maintain national legislation imposing an authorization requirement on the export of cyber-surveillance items not listed in Annex I if the exporter has grounds for suspecting that those items are or may be intended, in their entirety or in part, for a critical end-use.

Until now, there are only four countries (out of 27) to have implemented such a national law: Sweden [25], Romania [26], Slovenia [27] and Denmark [28].

Information exchange between EU Member States and authorities

EU Regulation 2021/821 has also instituted an exchange of information between EU Member States and the European Commission. A Member State which imposes an authorization requirement must immediately inform its customs authorities and other relevant national authorities and shall provide the other Member States and the Commission with relevant information on the authorization requirement in question, in particular as regards the items and entities concerned, unless it considers that it is not appropriate to do so in light of the nature of the transaction or the sensitivity of the information concerned. EU Member States shall give due consideration to the information received and review it within 30 working days. They shall inform their customs authorities and other relevant national authorities. In exceptional cases, any Member State may request an extension of those 30 days. However, the extension shall not exceed 30 working days.

Where all Member States notify each other and the Commission that an authorization requirement should be imposed for essentially identical transactions, the Commission shall publish in the C series of the Official Journal of the European Union information regarding the cyber-surveillance items and, where appropriate, destinations subject to authorization requirements as notified by Member States for that purpose.

Member States shall review this information at least annually based on relevant information and analyses provided by the Commission. Where all Member States notify each other and the Commission that the publication of an authorization requirement should be amended or renewed, the Commission shall promptly and accordingly amend or renew the information published under paragraph 6 in the C series of the Official Journal of the European Union.

All information exchanges shall follow the legal requirements concerning the protection of personal information, commercially sensitive information, protected defense, foreign policy, or national security information. Such exchanges of information shall be made via secure electronic means.

Conclusion

The export control of cyber-surveillance items under EU Dual-Use Regulation 2021/821 is paramount in safeguarding human rights and addressing the growing concerns surrounding global surveillance. A precise understanding of the definition and treatment of such items, particularly concerning their listing in Annex I, is essential for legal compliance and responsible export practices. The regulation represents a significant step in curbing the proliferation of invasive cyber-surveillance technology and its potential for misuse on a global scale.

Sources:

[1] https://eic.network/projects/predator-files.html, accessed 10 October 2023

[2] Regulation 428/2009, Article 12, in conjunction with Council Common Position 2008/944/CFSP of 8 December 2008 defining common rules governing control of exports of military technology and equipment, Art. 2 (2) b)

[3] Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast), Official Journal L 206 of 11 June 2021, p. 1-461, Article 15

[4] EU Regulation 2021/821, Article 2 (20)

[5] EU Regulation 2021/821, Recital 8

[6] Leaflet on Art. 5 of the EU Dual-Use Regulation (Regulation (EU) 2021/821), published by the German Federal Office of Economics and Export Control (BAFA), October 2021

[7] BAFA Leaflet, October 2021

[8] BAFA Leaflet, October 2021

[9] Regulation 2021/821, Article 3

[10] BAFA Leaflet, October 2021

[11] EU Regulation 2021/821, Recital 8

[12] Council Common Position 2008/944/CFSP, Art. 2 (2) b)

[13] BAFA Leaflet, October 2021

[14] BAFA Leaflet, October 2021

[15] BAFA Leaflet, October 2021

[16] BAFA Leaflet, October 2021

[17] EU Regulation 2021/821, Article 5(1)

[18] BAFA Leaflet, October 2021

[19] BAFA Leaflet, October 2021

[20] BAFA Leaflet, October 2021

[21] BAFA Leaflet, October 2021

[22] For example, in Germany, Section 166 of the German Civil Code – BGB

[23] BAFA Leaflet, October 2021

[24] BAFA Leaflet, October 2021

[25] An export authorisation shall be required for the export of non-listed dual-use items where an exporter has grounds for suspecting that cyber-surveillance items, which they propose to export, are or may be intended for any of the uses referred to in Article 5(1) of the Regulation (Section 4 a of the Dual-Use Items and Technical Assistance Control Ordinance (2000:1217)). Source : Information on measures adopted by Member States in conformity with Articles 4, 5, 6, 7, 8, 9, 11, 12, 22 and 23, Official Journal of the European Union C 208 of 15 June 2023, pp. 19-61

[26] An export authorisation shall be required for the export of non-listed dual-use items where an exporter has grounds for suspecting that cyber-surveillance items, which they propose to export, are or may be intended for any of the uses referred to in Article 5(1) of the Regulation (article 5(4) of GO 43/2022 on the control regime for operations concerning dual-use items). Source : Information on measures adopted by Member States in conformity with Articles 4, 5, 6, 7, 8, 9, 11, 12, 22 and 23, Official Journal of the European Union C 208 of 15 June 2023, pp. 19-61

[27] An export authorisation shall be required for the export of non-listed dual-use items where an exporter has grounds for suspecting that cyber-surveillance items, which they propose to export, are or may be intended for any of the uses referred to in Article 5(1) of the Regulation (Article 4(2) of the Act Regulating the Control of Exports of Dual-Use Items (Zakon o nadzoru izvoza blaga z dvojno rabo (Uradni list RS, št. 37/04, 8/10 in 29/23). Source : Information on measures adopted by Member States in conformity with Articles 4, 5, 6, 7, 8, 9, 11, 12, 22 and 23, Official Journal of the European Union C 208 of 15 June 2023, pp. 19-61

[28] An export authorisation shall be required for the export of non-listed dual-use items where an exporter has grounds for suspecting that cyber-surveillance items, which they propose to export, are or may be intended for any of the uses referred to in Article 5(1) of the Regulation (Article 2(8) of the Danish Export Control Law). Source : Information on measures adopted by Member States in conformity with Articles 4, 5, 6, 7, 8, 9, 11, 12, 22 and 23, Official Journal of the European Union C 208 of 15 June 2023, pp. 19-61

Related Posts

Join Our Newsletter