To Regulate (Or Preferably Not): On Mueller’s claim of misdirected resistance to surveillance technology

A pair of blog posts this week from Milton Mueller have sparked multiple conversations filling my inbox (as well as an unprecedented amount of passive aggression, of which I do not approve, but the sheer number of people practicing it makes me reticent to name names). The posts take on the emerging cottage industry of opposition to the export of surveillance tech, largely produced by companies in Western countries and exported to some of the world’s worst human rights abusers. Now, I don’t mean to use the term “cottage industry” derogatorily, but the flurry of sudden interest around the issue is intriguing and spurred, it seems, in large part, by a series of stranger-than-fiction reports from Bloomberg and the Wall Street Journal this year documenting various cases.

Before I take on the task of rebutting some of the arguments in Mueller’s posts–which, by the way, I agree with in large part–I should note my own biases, for the sake of discussion. First, I have been amongst the throngs shouting opposition to the surveillance-industrial-complex. I have been doing it for about three years, while all the while not taking a particularly strong position toward any of the proposed solutions. Second, I largely oppose regulation of this industry by the United States government. This is for several reasons, but in a nutshell: I don’t trust them. If you require more detail, read this piece I wrote about it. Third, I think a lot of the current discussion/advocacy about this topic is unfocused and chaotic, which is a failure on our part. Though I have–along with other folks at some of the top human and digital rights organizations–coordinated a series of calls on the matter, it is admittedly a messy and complicated subject, and we don’t all agree on the solutions, which lends chaos to an already-chaotic situation.

Now, Mueller’s posts. The first, published on December 20 and entitled “Technology as symbol: Is resistance to surveillance technology being misdirected?“, starts strong with the premise that the movement against the sale of surveillance tech to repressive regimes–which Mueller applauds for both its publicizing of the issue and its awareness-raising of similar issues in democratic countries–has oversimplified the fight against the regimes using such technology, replacing the target (authoritarian regimes) with another, easier target (makers of the aforementioned technology).

As Mueller rightly points out, “It seems obvious, but gets lost in the shuffle: the problem lies in the users and uses of the technology, not in the equipment or software itself.” He continues, remarking that “this is not, at root, a problem of governments having or not having a specific device or piece of software. It is an institutional problem – one of balancing and routinizing social processes in ways that effectively limit, regulate and distribute political power and hold those who exercise it accountable.”

There is nothing disagreeable in either point, and it can certainly be said that some of the actors advocating for regulation in this space have focused heavily on certain regimes (Syria, Egypt, Libya) whilst turning a half-blind eye to the uses of surveillance technology in the United States, the UK, and other nations with the rule of law. Nonetheless, I would argue that the organizations leading the charge on this issue have been fairly even-handed, attacking restrictions on free expression in democratic and authoritarian countries alike.

Mueller then derides the call for regulation of surveillance technology, stating: “The problem with this approach is that information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature.” On this point, I once again must agree. EFF has consistently chosen not to advocate for regulation of sales (by governments) for the same reason, opting instead to push for regulation at the corporate level and issuing a set of recommendations for companies wishing to do so.

Mueller also points out, as I have before:

Thus, there is little appreciation of the extent to which export controls and other restrictions might retard the overall diffusion and development of information and communication technology, cut off access to good people and good uses as well as bad ones, or restrict our own freedom to use the technology as and how we see fit.

Since I agree with Mueller on this, it’s worthwhile to put forth some of the counter-arguments. Essentially, those who argue for regulations tend to favor a licensing-style of such, in which companies must apply for licenses before being allowed to export their wares to a foreign government (or, in some variations, a foreign government on a particular list of “Internet-restricting countries”). This echoes the current sanctions placed on Cuba, Syria, Sudan, North Korea, and Iran to various degrees. Being well-versed in the regulations on Syria, what this means is that a company–such as Google–must apply for a license before it can release a product (either for sale or for download) in the country. Companies that fail to apply for a license but still make their product available can face severe penalties; violating the Commerce Department’s export controls on Syria, for example, can result in 20 years imprisonment and/or a $1 million fine. This, of course, has a chilling effect for Syrians, as many companies with limited resources find it not worthwhile to apply for the license and restrict their products from the country. Incidentally, EFF has also called for revision of export controls.

In the latter variation, as I mentioned, regulation would be restricted to “Internet-restricting countries,” a punishment for countries that block websites from their citizens’ view. This type of regulation has been presented before, multiple times, as the Global Online Freedom Act (for a timeless criticism of an earlier version of the bill, see Rebecca MacKinnon). The problems with such an approach should be, but somehow aren’t, obvious. First, a question: who creates the list of “good” and “bad” countries? Bahrain, a close ally of the United States, pervasively censors the Internet…would it make it on the “bad” list and would sanctions be levied thus? And even if the list were fair and just, what happens when such technology gets regulated? Do citizens of the “bad” countries suffer like Syrians have for years due to labyrinthine bureaucracy and poorly-worded export regs?

The primary concern about regulations should be, however, that they will do extremely little to curb the sale of surveillance tech. What happens when Cisco refuses to sell to Iran? Huawei steps in. And don’t forget all of those companies that have surreptitiously been selling to embargoed countries all along, such as American company BlueCoat to Syria and Israeli company Allot to Iran.

This is the point at which Mueller’s first post starts to annoy me. After his righteous concerns about export regulation are expressed, he goes on to throw up a giant straw man, advising advocates to “Stop focusing narrowly on information technology, and examine the tools of repression and aggression more generically,” and raising examples such as US arms sales to Saudi Arabia and Egypt.

Okay, so perhaps this is not exactly a straw man, but if–as Mueller seems to imply in his second post–his arguments are directed at activists and human rights organizations, rather than say, politicians and journalists, then this is simply unfair. The individual activists taking on this issue–many of whom, I’ve observed, live in the countries where such spyware is being sold–are surely not putting the technology before the arms. And as for the organizations, they’re either semi-single-issue (why would EFF talk about gun sales?) or have been holistically focused, tackling the gamut of human rights abuses, from surveillance to military repression. (I would also add here that current export restrictions on the aforementioned five countries include arms and airplane parts).

The second major argument in the first post is presented next. Mueller criticizes some of the advocacy around the sale of certain products, asking: “If you can blame a video surveillance camera for its misuse by repugnant governments, and argue for blocking the movement of those goods, what about integrated circuits, copper wires and lenses that go into them? What about the plastic housings? What about the shipping services that transported the material there?”

Now, if Mueller’s target here is those calling for regulation, I’m with him all the way. But if we’re talking about targeting companies, if we’re working on naming-and-shaming, then I do believe in a strategy of going after companies for their sale of complete products to governments, when the company has credible concern that the product will be used to commit human rights abuses. The vast majority of highly-publicized cases this year have involved the sale of complete systems to decidedly human-rights-abusing regimes like Libya, China, and Syria. I do see a moral obligation in calling out Cisco for its complicity in the Communist Party’s harassment of bloggers. I do see a moral obligation in calling out BlueCoat for its “oh noes, the embargoes!” response to the news that its products were sold to the Syrian regime (in the end, it turned out that BlueCoat was tracking the devices and was aware of their location, even if the sale was not intentional).

But alas, Mueller was talking about the would-be regulators, and therefore I agree:

If you really want to punish, isolate and sanitize your relationship to a repressive government, you cannot limit the sanctions to specific forms of ICT. There must be a comprehensive system of sanctions that prevents anyone in that country from doing any kind of business with the country involved. Even then, the regime may not change; think of North Korea. Even then, there will be leaks or route-arounds.

But then he concludes:

But activists concerned with real social change must think through this problem more deeply, and come up with strategies that strike more directly at the pillars of authoritarianism, censorship and arbitrary power, rather than lashing out at easy domestic targets.

This is why I accused him (a point he’ll refute in post 2) of taking cheap shots at activists. The assumption here is that those involved aren’t thinking about this problem more deeply, aren’t fighting these regimes from multiple angles. And as I wrote in my accusation, if Mueller’s target here is the journalists and the politicians whose shallow thinking culminates in the conclusion that Cisco is the the real enemy, then I digress. But if it’s the activists (again, many of whom are Egyptian, and Syrian, and Chinese), then I say “meh.”

Since Mueller’s second post starts with a refutation of something I said, I feel obliged to point something out. When Evgeny Morozov’s excellent Net Delusion was released this year, it was dismissed by some who felt that the use of the term “delusion” didn’t apply: after all, hadn’t Egyptians just toppled a dictator with the help of social media? I loved Morozov’s book, and so a point that irritated me throughout readings of both critiques of the book and reads through the man’s own columns was the idea that the main target of his arguments against “cyberutopians” were a very narrow subset of the population: namely, those working in the State Department, or even more specifically, Jared Cohen sycophants.

Mueller’s posts thus strike me the same way: Just as he claims his first post “hit a nerve” with advocates (presumably meaning me, since my comment is in the next line), he then goes on once again to target not the advocates but the journalists. And that’s the thing: Mueller’s arguments are largely ones that I agree with (read: no nerves were hit), but the presumed target is off: his real beef seems to be with the journalists who have kept this story going all year. And in a sense, I get it: after all, we digital rights advocates feed off the news reports, and no doubt we wouldn’t have been so loud on the topic were it not for their reporting. If anything, that’s a call for a more tempered approach (which is part of, I assume, Mueller’s point).

In any case, I have no real problems with the second post. Like Mueller, EFF recognized that the reporting on Israeli company Allot’s sale of their NetEnforcer product to an Iranian ISP was a bit overblown. In fact, the story should have served an even better lesson: Sanctions don’t work. But alas, it did not, for most.

Ultimately, as Mueller reiterates near the end of post #2, the problem with the movement (again, lead in large part by journalists, not advocates), is the transfer of target from regime to corporation:

Western corporations and their shareholders do have a moral obligation to refrain from actively pursuing business opportunities with dictatorships when those opportunities involve supplying products and services specifically designed to aid their crimes and repression. But very few technologies are constructed so as to be only usable for crime and repression.

Post-Script: I wrote this a bit stream-of-consciousness, so if in any way I appear to contradict myself, feel free to point out in the comments. Second, I would note that while I see very different targets in journalists vs. advocates, Mueller does not appear to at numerous points, including journalists in “the movement.” In a sense (as I hinted at above), this is fair, for journalists inform advocates on these topics. In another sense, it feels odd to include the supposedly neutral (though I obviously don’t believe that rubbish) journalist in the makeup of a movement such as this one. But again, therein lies the problem, Mueller might posit: the journalists are establishing a certain policy narrative.

I welcome your comments, discussion, debate, etc, below. Just don’t be an asshole and subtweet me. You know who you are.

3 replies on “To Regulate (Or Preferably Not): On Mueller’s claim of misdirected resistance to surveillance technology”

Despite having learned the specific model of Huawei device doing national DPI in Iran, I continue to disagree fundamentally on the principle that the presence of spoilers negates the role of embargoes. I’d hope as well that my aggression in this matter was not considered passive.

Just read Evgeny’s email and it seems he feels the same. I could be persuaded, I suppose, but not on GOFA. It would take a fundamentally different, less secretive and bureaucratic administration for me to be, however.

And no, you were not passive aggressive. That designation goes to the folks subliminally tweeting (e.g., tweeting at someone without tweeting @ them) or writing long complainy private emails that were then forwarded over by sympathetic parties :)

I think it would be appropriate in the near future for me to write an extended case for sanctions, however, let me briefly air my thoughts on GOFA in hopes for your feedback.

My concern is that the core opposition to the bill stems from generalized ideology and not particular aspects of the text. Rather than GOFA being an potential impediment or ineffective, the argument that I have heard from you and Ms. MacKinnon is that its defects result from impressions of the ensuing interpretations and execution. At best, the most textual concern I have heard is from Chris Soghoian regarding the triggers.

I believe this is wrong manifoldly. Firstly, my own wretched pragmatism. The ‘Internet Freedom’ community has not been given some voucher for one free law, nor is it limited to one legislative remedy in its lifetime. There is absolutely no possibility that the current climate would allow for restrictions that include limiting domestic or friendly use of such systems. Continuing this, if civil society does not rise up in support of even an incomplete approach, the Congress will be encouraged to continue future work. Chris Smith is a Republican and yet he is writing that ‘US Companies are damaging American’s reputation and interests in democracy abroad.’ That is commendable even if his vision of ‘abroad’ is likely Iran, Burma and Syria.

GOFA is not the ends in itself, it is the creation of a platform that CSOs can use to remedy unforeseen abuses. Right now, how would we go about restricting export and addressing human rights abuses? There is a rare moment where support for Bahrain in the Congress on arms sales has wavered, in cases like this, GOFA would give a new point of access for activists to raise and address abusive practices. Any law can be amended, extended and revised, especially if a friendlier administration comes along. This is no different, it’s some version of GOFA or nothing.

As I mentioned elsewhere, the bill allows for unprecedented data on corporate policy, diplomatic reporting and standing for suit. To me, it seems unfair to hold those in countries that would be restricted hostage to the perfect.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.