From the Unwitting to the Unscrupulous: Private Sector Complicity in Digital Repression

Adrian Shahbaz provides the fifth chapter to Global Policy e-book on 'Digital Repression: Causes, Consequences and Policy Responses'. The e-book's chapters will be serialised on Global Policy over the course of 2023. Please find the other chapter's here.

Technology companies have extended states’ capacity for digital repression. Around the world, governments have developed methods for coopting and even coercing internet firms into complying with abusive policies. Authorities have also procured new surveillance technologies from firms that have too often displayed disregard for business and human rights principles. This chapter outlines how different industry players range from unwitting to unscrupulous agents of state repression. 

Authoritarian intermediaries

Governments, led by the United States, had long pursued a laissez-faire approach to regulating the internet. However, driven by real and perceived online harms and, in some cases, a desire for regime control, an increasing number of states have passed legislation that imposes requirements on telecommunication firms, social media companies, and other internet intermediaries (Shahbaz and Funk 2021). Cybercrime, data protection, and antiterrorism laws can be controversial in democratic contexts; in autocracies, similar provisions are regularly used to pressure companies into compliance with human rights violations. 

Telecommunications companies and internet service providers (ISPs) consistently face demands to censor nonviolent political, social, and religious content, including independent journalism or materials related to marginalized populations. Most countries also require firms to retain data about their users, share it with law enforcement, and allow for lawful interception of electronic communications or to monitor their users. A 2009 cybercrime law obliges ISPs in Iran to filter thousands of nonviolent political, social, and religious websites that threaten the Islamic regime. Authorities have banned major foreign social media and communication platforms that have been crucial to documenting violence against nonviolent protesters (Alterman and Alimardani 2022). In Myanmar, the military ordered ISPs to shut down internet service entirely during a 2021 coup. Largescale crackdowns on freedom of expression and access to information, combined with rising pressure to cooperate with surveillance agencies, led the Norwegian ISP Telenor to exit the market in the following year (Dunant 2022). 

Search engines, social media, app stores, and other digital platforms routinely come under pressure to remove content. The Turkish government banned access to Twitter in 2014 for refusing to take down accounts and tweets that allegedly violated local laws, including “an account accusing a former minister of corruption”. Although Twitter successfully challenged the ban in court, the company has faced numerous bans and ultimately resorted to restricting posts for users based within the country (Ozbilgin and Coskun 2014; Gadde 2014). Vietnamese authorities used a similar tactic to coerce Facebook to take down anti-government posts in 2020. (Pearson 2020) Like ISPs, platforms receive requests from courts and executive agencies to hand over user data. Requests to platforms have expanded dramatically over the years; Google’s transparency report noted an increase from 27,625 requests in 2010 to 174,569 in only the first half of 2022 (Google 2022). 

Compliance with an illegitimate request can bring devastating consequences. For example, Yahoo cooperated with Chinese authorities in 2004 to identify a local journalist who used an anonymous email address to contact overseas human rights groups, leading to his imprisonment on a 10-year term (The New York Times 2007). Over the years, many multinational companies have closed their China-based operations as the country has ramped up its regulatory pressure against technology firms (Lin 2021). Their exit may leave space for firms with a more dubious commitment to human rights. A Wall Street Journal investigation found that employees at Huawei, a Chinese telecommunications firm, assisted Ugandan and Zambian authorities to repress local opposition figures and journalists (Parkinson et al. 2019).

Merchants of digital repression

While internet intermediaries can be complicit in rights violations in the course of offering information and communication services, surveillance companies play a more direct role in enabling state repression. States have long outsourced security and even military operations to the private sector. Today’s merchants of digital repression primarily market their products to law enforcement and intelligence agencies, as well as a variety of state and commercial actors. Two industries – facial recognition technology (FRT) and spyware – have particularly alarming consequences for human rights in the digital age. 

FRT systems analyze video and images against a database of photos to identify people in real-time or asynchronously. While inconsistencies in the technology can compound existing discrimination and lead to mistaken arrests, as it has in the United States, the effectiveness of FRT also presents a significant danger (Hill 2020). For example, police in Moscow used FRT to detain several activists and journalists in June 2022 because they were deemed to constitute “potential protesters”. (Current Time 2022). In 2011, members of the persecuted Falun Gong group sued Cisco, a US-based multinational, for allegedly facilitating human rights abuses after the leak of an internal corporate presentation regarding possible projects in Beijing (Reitman 2011). More recently, the US government condemned Hikvision, a Chinese company, for enabling mass repression and serious human rights violations against the Uyghur and other minority populations in the Xinjiang region of China (Bateman 2022). 

Several spyware companies have come under scrutiny for their dubious ethical practices and, in some cases, alleged unlawful practices. For over a decade, Citizen Lab and other groups have documented abuse by purveyors of targeted interception technology. Hacking Team, an Italian firm, claimed to have a system for vetting clients and restricting their use of the company’s spyware products if found to engaging in human rights violations. Nonetheless, investigative researchers found the company’s imprints on the devices of journalists and political activists in over 20 countries, and a leaked client list revealed contracts with the security agencies of several autocratic regimes, including Egypt, Saudi Arabia, and Sudan (Kopfstein 2014; Greenberg 2015). 

The scrutiny has resulted in limited accountability. One bombshell investigation found a list of over 50,000 phone numbers believed to have been targeted by Pegasus, a product of the Israel-based NSO Group (Kirchgaessner et al. 2021). Researchers have identified at least 180 journalists in the database (Rueckert 2021). In 2021, the US Commerce Department added the NSO Group and three Israeli, Russian, and Singaporean companies to a blacklist in response to their “malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad” (U.S. Department of Commerce 2021). Nonetheless, countless spyware firms remain in operation around the globe, and few governments have regulations in place that limit their use by law enforcement and security services (Mazzetti et al. 2022).

Addressing supply and demand 

The private sector is a crucial intermediary between states and citizens in the 21st century. In line with the United Nations Guiding Principles on Business and Human Rights, technology companies should evaluate and mitigate any human rights risks related to their business, particularly when operating in countries that lack the rule of law and respect for human rights. Firms should develop internal processes for pushing back against illegitimate government requests and map out scenarios in which they would decide to exit problematic markets entirely (Arun 2022). Researchers and investigative reporters play a powerful role in raising awareness of companies’ errant practices, and policymakers should respond with legislation that constrains opportunities for abuse by both the private sector and state agencies. Ultimately, the best defense against digital repression remains robust democratic institutions. 

Adrian Shahbaz is vice president for research and analysis at Freedom House. He oversees the organization’s portfolio of annual publications and special reports, including Freedom in the World, Freedom on the Net and Nations in Transit, as well as new streams of work on transnational repression, Beijing’s global media influence, and election integrity in the digital age. Adrian previously served as Freedom House’s director for technology and democracy and has authored or coauthored several internet freedom analyses, including Countering an Authoritarian Overhaul of the Internet (2022), The Global Drive to Control Big Tech (2021), The Pandemic’s Digital Shadow (2020), The Crisis of Social Media (2019), and The Rise of Digital Authoritarianism (2018). Prior to joining Freedom House, he worked as a researcher at the UN Department of Political Affairs, the European Parliament, and the Organization for Security and Co-operation in Europe (OSCE). He holds a master’s degree from the London School of Economics.

Photo by Pixabay

References

Alterman, Jon B. and Mahsa Alimardani. 2022. “Protest, Social Media, and Censorship in Iran.” Center for Strategic and International Studies. 18 October, 2022. https://www.csis.org/analysis/protest-social-media-and-censorship-iran.

Arun, Chinmayi. 2022. “The Exit Option.” Centre for International Governance Innovation. 13 June, 2022. https://www.cigionline.org/articles/the-exit-option/.

Bateman, Jon. 2022. “U.S. Sanctions on Hikvision Would Dangerously Escalate China Tech Tensions.” Carnegie Endowment for International Peace. May 6, 2022. https://carnegieendowment.org/2022/05/06/u.s.-sanctions-on-hikvision-would-dangerously-escalate-china-tech-tensions-pub-87089.

Current Time. 2022. “Dozens arrested in Moscow via facial-recognition system on Russia Day.” RFE/RL. 13 June, 2022. https://www.rferl.org/a/moscow-police-detain-dozens-using-facial-recognition-system/31896070.html.

Dunant, Ben. 2022. “Companies Quitting Myanmar Provide Hollow Victories Against Junta.” Foreign Policy. 27 September, 2022. https://foreignpolicy.com/2022/09/27/western-companies-leaving-myanmar-totalenergies-telenor-human-rights/.

Gadde, Vijaya. 2014. “Challenging the access ban in Turkey.” Twitter Blog. 26 March 2014. https://blog.twitter.com/en_us/a/2014/challenging-the-access-ban-in-turkey. 

Google. 2022. “Global requests for user information.” Google Transparency Report. https://transparencyreport.google.com/user-data/overview?hl=en. 

Greenberg, Andy. 2015. “Hacking Team breach shows a global spying firm run amok.” WIRED. 6 July, 2015. https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/.

Harwell, Drew. 2022. “Clearview AI to stop selling facial recognition tool to private firms.” The Washington Post. 9 May, 2022.  https://www.washingtonpost.com/technology/2022/05/09/clearview-illinois-court-settlement/.

Hill, Kashmir. 2020. “Another Arrest, and Jail Time, Due to a Bad Facial Recognition Match.” The New York Times. 29 December, 2020. https://www.nytimes.com/2020/12/29/technology/facial-recognition-misidentify-jail.html.

Kirchgaessner, Stephanie, Paul Lewis, David Pegg, Nina Lakhani, and Michael Safi. 2021. “Revealed: leak uncovers global cyber-surveillance.” The Guardian. 18 July, 2021. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus.

Kopfstein, Janus. 2014. “Hackers without borders.” The New Yorker. 10 March, 2014. https://www.newyorker.com/tech/annals-of-technology/hackers-without-borders.

Lin, Liza. 2021. “Yahoo Pulls Out of China, Ending Tumultuous Two-Decade Relationship.” The Wall Street Journal. 2 November, 2021. https://www.wsj.com/articles/yahoo-pulls-out-of-china-ending-tumultuous-two-decade-relationship-11635848926.

Mazzetti, Mark, Ronen Bergman, and Matina Stevis-Gridneff. 2022. “How the Global Spyware Industry Spiraled Out of Control.” The New York Times. 8 December, 2022. https://www.nytimes.com/2022/12/08/us/politics/spyware-nso-pegasus-paragon.html.

Ozbilgin, Ozge and Orhan Coskun. 2014. “Turkey lifts Twitter ban after court ruling.” Reuters. 3 April, 2014. https://www.reuters.com/article/us-turkey-twitter/turkey-lifts-twitter-ban-after-court-ruling-idUSBREA320E120140403.

Parkinson, Joe, Nicholas Bariyo, and Josh Chin. 2019. “Huawei Technicians Helped African Governments Spy on Political Opponents.” The Wall Street Journal. 15 August, 2019. https://www.wsj.com/articles/huawei-technicians-helped-african-governments-spy-on-political-opponents-11565793017.

Pearson, James. 2020. “Exclusive: Facebook agreed to censor posts after Vietnam slowed traffic – sources.” Reuters. 21 April, 2020. https://www.reuters.com/article/us-vietnam-facebook-exclusive/exclusive-facebook-agreed-to-censor-posts-after-vietnam-slowed-traffic-sources-idUSKCN2232JX. 

Reitman, Rainey. 2011. “Cisco and abuses of human rights in China: part 1.” Electronic Frontier Foundation. 22 August, 2011. https://www.eff.org/deeplinks/2011/08/cisco-and-abuses-human-rights-china-part-1.

Rueckert, Phineas. 2021. “Pegasus: The new global weapon for silencing journalists.” Forbidden Stories. 18 July, 2021. https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/.

Shahbaz, Adrian and Allie Funk. 2021. “The Global Drive to Control Big Tech.” Freedom on the Net 2021. Freedom House. https://freedomhouse.org/report/freedom-net/2021/global-drive-control-big-tech.

The New York Times, 2007. “Yahoo chief apologizes to Chinese dissidents' relatives.” The New York Times. 7 November 7, 2007. https://www.nytimes.com/2007/11/07/business/worldbusiness/07iht-yahoo.1.8226586.html.

U.S. Department of Commerce. “Commerce adds NSO group and other foreign companies to entity list for malicious cyber activities.” 3 November, 2021. https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list