By Brian Fung
February 7, 2013
When a U.S. company wants to export military technology, it has to go through a rigorous approval process in Washington. That’s because, of course, if it ends up in the wrong hands, the technology could interfere with U.S. foreign policy, destabilize conflict-prone regions, or worse.
Now one member of Congress wants to apply the same scrutiny to technology that “can be used for potentially illicit activities” such as Internet censorship.
Unveiled this week by Rep. Chris Smith, R-N.J., the Global Online Freedom Act of 2013 would, among other things, make it illegal for firms to export equipment that could facilitate digital monitoring. The latest measure resembles previous efforts at curbing online surveillance, but analysts say there’s a danger in the proposed law: The export controls cast too wide a net and could sweep up innocent companies by accident.
“It's very difficult to describe in words [the difference] between ‘bad’ software and ‘good’ software,” said Susan Crawford, a former special assistant on technology for the Obama administration and author of the book Captive Audience. “The consequences of getting it wrong could lead to stifling innovation and making life unnecessarily difficult for U.S. companies.”
Smith’s bill takes aim at firms that have been implicated in repressive governments’ domestic espionage. As monitoring schemes have become more complex, Western companies have become involved in selling goods and services to these governments.
In the Middle East, censorship is routinely tied to the private sector overseas. As a Bloomberg investigation revealed in 2011, American and British entities played a remarkable role in Tunisia’s powerful Internet surveillance machine:
Western suppliers used the country as a testing ground. Moez Chakchouk, the post-revolution head of the Tunisian Internet Agency, says he’s discovered that the monitoring industry gave discounts to the government-controlled agency, known by its French acronym ATI, to gain access.
In interviews following Ben Ali’s ouster after 23 years in power, technicians, activists, executives and government officials described how they grappled with, and in some cases helped build, the repressive Wonderland.
Several California-based companies, including the popular antivirus company McAfee, were found to have provided filtering services to Tunisia’s government. Among other tactics, Tunisian censors were capable of intercepting and rewriting e-mails in transit.
But not all technology lends itself well to the suppression of speech, and that’s precisely where Smith's proposal stumbles, watchdogs say. Whether they know it or not, companies like Cisco that provide networking hardware — routers and other equipment — often find their products repurposed in ways that advance foreign governments’ censorship agenda. The conundrum reveals what until now has largely been the concern of the defense industry: the so-called “dual-use” problem.
To say a product or technology is “dual-use” is to say it can be used for both peaceful and non-peaceful ends. Nuclear equipment is a great example. In civil contexts, it can help produce vast amounts of valuable energy. But in a more nefarious context, it can lead to weapons of mass destruction.
The Global Online Freedom Act reveals how far we’ve come from an era when “dual-use” meant technologies with possible military applications. Now the boundaries of that term are being forced wide open. Today, practically any Internet tool — social networks, open-source software, and so on — that can be co-opted for monitoring purposes could also be considered a dual-use technology. Over half of all U.S. smartphones run Android, Google’s open-source operating system. An app running on that system that collects location or browsing data could potentially run afoul of GOFA. Skype, which Egyptian officials used to monitor opposition phone calls in 2011, might also plausibly fall into this category. Repurposing a civilian product for darker motives is no longer limited to the military realm — we’re now seeing completely ordinary technologies being (ingeniously) applied to “solve” intrastate problems.
The dual-use problem creates ambiguity that makes legislating much harder than we’d like. Building a kind of terror watchlist for tech suddenly becomes a monumental task when you aren't sure what should qualify.
Not only is a blacklist heavy-handed, but it requires constant updating as companies break up and products get updated in ever-faster product cycles. And it’s never been clear that unilateral export controls imposed by a single country are actually effective; repressive regimes will just find vendors elsewhere.
Smith is justifiably concerned about accidentally giving hostile governments the tools they need to stay in power. But without much more nuanced language, a bill aimed at creating new freedoms abroad could unwittingly limit them at home.