Jillian C. York

Jillian C. York is a writer and activist.

Tag: iran (page 1 of 6)

To Regulate (Or Preferably Not): On Mueller’s claim of misdirected resistance to surveillance technology

A pair of blog posts this week from Milton Mueller have sparked multiple conversations filling my inbox (as well as an unprecedented amount of passive aggression, of which I do not approve, but the sheer number of people practicing it makes me reticent to name names). The posts take on the emerging cottage industry of opposition to the export of surveillance tech, largely produced by companies in Western countries and exported to some of the world’s worst human rights abusers. Now, I don’t mean to use the term “cottage industry” derogatorily, but the flurry of sudden interest around the issue is intriguing and spurred, it seems, in large part, by a series of stranger-than-fiction reports from Bloomberg and the Wall Street Journal this year documenting various cases.

Before I take on the task of rebutting some of the arguments in Mueller’s posts–which, by the way, I agree with in large part–I should note my own biases, for the sake of discussion. First, I have been amongst the throngs shouting opposition to the surveillance-industrial-complex. I have been doing it for about three years, while all the while not taking a particularly strong position toward any of the proposed solutions. Second, I largely oppose regulation of this industry by the United States government. This is for several reasons, but in a nutshell: I don’t trust them. If you require more detail, read this piece I wrote about it. Third, I think a lot of the current discussion/advocacy about this topic is unfocused and chaotic, which is a failure on our part. Though I have–along with other folks at some of the top human and digital rights organizations–coordinated a series of calls on the matter, it is admittedly a messy and complicated subject, and we don’t all agree on the solutions, which lends chaos to an already-chaotic situation.

Now, Mueller’s posts. The first, published on December 20 and entitled “Technology as symbol: Is resistance to surveillance technology being misdirected?“, starts strong with the premise that the movement against the sale of surveillance tech to repressive regimes–which Mueller applauds for both its publicizing of the issue and its awareness-raising of similar issues in democratic countries–has oversimplified the fight against the regimes using such technology, replacing the target (authoritarian regimes) with another, easier target (makers of the aforementioned technology).

As Mueller rightly points out, “It seems obvious, but gets lost in the shuffle: the problem lies in the users and uses of the technology, not in the equipment or software itself.” He continues, remarking that “this is not, at root, a problem of governments having or not having a specific device or piece of software. It is an institutional problem – one of balancing and routinizing social processes in ways that effectively limit, regulate and distribute political power and hold those who exercise it accountable.”

There is nothing disagreeable in either point, and it can certainly be said that some of the actors advocating for regulation in this space have focused heavily on certain regimes (Syria, Egypt, Libya) whilst turning a half-blind eye to the uses of surveillance technology in the United States, the UK, and other nations with the rule of law. Nonetheless, I would argue that the organizations leading the charge on this issue have been fairly even-handed, attacking restrictions on free expression in democratic and authoritarian countries alike.

Mueller then derides the call for regulation of surveillance technology, stating: “The problem with this approach is that information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature.” On this point, I once again must agree. EFF has consistently chosen not to advocate for regulation of sales (by governments) for the same reason, opting instead to push for regulation at the corporate level and issuing a set of recommendations for companies wishing to do so.

Mueller also points out, as I have before:

Thus, there is little appreciation of the extent to which export controls and other restrictions might retard the overall diffusion and development of information and communication technology, cut off access to good people and good uses as well as bad ones, or restrict our own freedom to use the technology as and how we see fit.

Since I agree with Mueller on this, it’s worthwhile to put forth some of the counter-arguments. Essentially, those who argue for regulations tend to favor a licensing-style of such, in which companies must apply for licenses before being allowed to export their wares to a foreign government (or, in some variations, a foreign government on a particular list of “Internet-restricting countries”). This echoes the current sanctions placed on Cuba, Syria, Sudan, North Korea, and Iran to various degrees. Being well-versed in the regulations on Syria, what this means is that a company–such as Google–must apply for a license before it can release a product (either for sale or for download) in the country. Companies that fail to apply for a license but still make their product available can face severe penalties; violating the Commerce Department’s export controls on Syria, for example, can result in 20 years imprisonment and/or a $1 million fine. This, of course, has a chilling effect for Syrians, as many companies with limited resources find it not worthwhile to apply for the license and restrict their products from the country. Incidentally, EFF has also called for revision of export controls.

In the latter variation, as I mentioned, regulation would be restricted to “Internet-restricting countries,” a punishment for countries that block websites from their citizens’ view. This type of regulation has been presented before, multiple times, as the Global Online Freedom Act (for a timeless criticism of an earlier version of the bill, see Rebecca MacKinnon). The problems with such an approach should be, but somehow aren’t, obvious. First, a question: who creates the list of “good” and “bad” countries? Bahrain, a close ally of the United States, pervasively censors the Internet…would it make it on the “bad” list and would sanctions be levied thus? And even if the list were fair and just, what happens when such technology gets regulated? Do citizens of the “bad” countries suffer like Syrians have for years due to labyrinthine bureaucracy and poorly-worded export regs?

The primary concern about regulations should be, however, that they will do extremely little to curb the sale of surveillance tech. What happens when Cisco refuses to sell to Iran? Huawei steps in. And don’t forget all of those companies that have surreptitiously been selling to embargoed countries all along, such as American company BlueCoat to Syria and Israeli company Allot to Iran.

This is the point at which Mueller’s first post starts to annoy me. After his righteous concerns about export regulation are expressed, he goes on to throw up a giant straw man, advising advocates to “Stop focusing narrowly on information technology, and examine the tools of repression and aggression more generically,” and raising examples such as US arms sales to Saudi Arabia and Egypt.

Okay, so perhaps this is not exactly a straw man, but if–as Mueller seems to imply in his second post–his arguments are directed at activists and human rights organizations, rather than say, politicians and journalists, then this is simply unfair. The individual activists taking on this issue–many of whom, I’ve observed, live in the countries where such spyware is being sold–are surely not putting the technology before the arms. And as for the organizations, they’re either semi-single-issue (why would EFF talk about gun sales?) or have been holistically focused, tackling the gamut of human rights abuses, from surveillance to military repression. (I would also add here that current export restrictions on the aforementioned five countries include arms and airplane parts).

The second major argument in the first post is presented next. Mueller criticizes some of the advocacy around the sale of certain products, asking: “If you can blame a video surveillance camera for its misuse by repugnant governments, and argue for blocking the movement of those goods, what about integrated circuits, copper wires and lenses that go into them? What about the plastic housings? What about the shipping services that transported the material there?”

Now, if Mueller’s target here is those calling for regulation, I’m with him all the way. But if we’re talking about targeting companies, if we’re working on naming-and-shaming, then I do believe in a strategy of going after companies for their sale of complete products to governments, when the company has credible concern that the product will be used to commit human rights abuses. The vast majority of highly-publicized cases this year have involved the sale of complete systems to decidedly human-rights-abusing regimes like Libya, China, and Syria. I do see a moral obligation in calling out Cisco for its complicity in the Communist Party’s harassment of bloggers. I do see a moral obligation in calling out BlueCoat for its “oh noes, the embargoes!” response to the news that its products were sold to the Syrian regime (in the end, it turned out that BlueCoat was tracking the devices and was aware of their location, even if the sale was not intentional).

But alas, Mueller was talking about the would-be regulators, and therefore I agree:

If you really want to punish, isolate and sanitize your relationship to a repressive government, you cannot limit the sanctions to specific forms of ICT. There must be a comprehensive system of sanctions that prevents anyone in that country from doing any kind of business with the country involved. Even then, the regime may not change; think of North Korea. Even then, there will be leaks or route-arounds.

But then he concludes:

But activists concerned with real social change must think through this problem more deeply, and come up with strategies that strike more directly at the pillars of authoritarianism, censorship and arbitrary power, rather than lashing out at easy domestic targets.

This is why I accused him (a point he’ll refute in post 2) of taking cheap shots at activists. The assumption here is that those involved aren’t thinking about this problem more deeply, aren’t fighting these regimes from multiple angles. And as I wrote in my accusation, if Mueller’s target here is the journalists and the politicians whose shallow thinking culminates in the conclusion that Cisco is the the real enemy, then I digress. But if it’s the activists (again, many of whom are Egyptian, and Syrian, and Chinese), then I say “meh.”

Since Mueller’s second post starts with a refutation of something I said, I feel obliged to point something out. When Evgeny Morozov’s excellent Net Delusion was released this year, it was dismissed by some who felt that the use of the term “delusion” didn’t apply: after all, hadn’t Egyptians just toppled a dictator with the help of social media? I loved Morozov’s book, and so a point that irritated me throughout readings of both critiques of the book and reads through the man’s own columns was the idea that the main target of his arguments against “cyberutopians” were a very narrow subset of the population: namely, those working in the State Department, or even more specifically, Jared Cohen sycophants.

Mueller’s posts thus strike me the same way: Just as he claims his first post “hit a nerve” with advocates (presumably meaning me, since my comment is in the next line), he then goes on once again to target not the advocates but the journalists. And that’s the thing: Mueller’s arguments are largely ones that I agree with (read: no nerves were hit), but the presumed target is off: his real beef seems to be with the journalists who have kept this story going all year. And in a sense, I get it: after all, we digital rights advocates feed off the news reports, and no doubt we wouldn’t have been so loud on the topic were it not for their reporting. If anything, that’s a call for a more tempered approach (which is part of, I assume, Mueller’s point).

In any case, I have no real problems with the second post. Like Mueller, EFF recognized that the reporting on Israeli company Allot’s sale of their NetEnforcer product to an Iranian ISP was a bit overblown. In fact, the story should have served an even better lesson: Sanctions don’t work. But alas, it did not, for most.

Ultimately, as Mueller reiterates near the end of post #2, the problem with the movement (again, lead in large part by journalists, not advocates), is the transfer of target from regime to corporation:

Western corporations and their shareholders do have a moral obligation to refrain from actively pursuing business opportunities with dictatorships when those opportunities involve supplying products and services specifically designed to aid their crimes and repression. But very few technologies are constructed so as to be only usable for crime and repression.

Post-Script: I wrote this a bit stream-of-consciousness, so if in any way I appear to contradict myself, feel free to point out in the comments. Second, I would note that while I see very different targets in journalists vs. advocates, Mueller does not appear to at numerous points, including journalists in “the movement.” In a sense (as I hinted at above), this is fair, for journalists inform advocates on these topics. In another sense, it feels odd to include the supposedly neutral (though I obviously don’t believe that rubbish) journalist in the makeup of a movement such as this one. But again, therein lies the problem, Mueller might posit: the journalists are establishing a certain policy narrative.

I welcome your comments, discussion, debate, etc, below. Just don’t be an asshole and subtweet me. You know who you are.

Journalistic Verification, Amina Arraf, and Haystack

How did a Syrian blogger, who told beautiful and heartwrenching stories of life as a lesbian in Damascus, manage to trick so many people? How did an American software engineer, whose passion for the Iranian cause led him to build what he dubbed the safest of circumvention tools, do the same? The stories of Amina Arraf and Haystack contain odd parallels: Both took advantage of fervor around Middle Eastern uprisings, both had a grassroots formation of followers…and both thrived on the promotion of professional journalists, whose praise helped garner them support. Both were also absolutely sensational stories that may have caused journalists, otherwise scrutinizing, to discard their usual standards.

I’ve written extensively on the Haystack story, but to quickly re-cap: Circumvention tool comes out of nowhere, built by young, outspoken engineer. Wild claims about efficacy. Media picks up on the hype, young engineer wins awards, media builds the hype even further. Circumvention and censorship experts begin to raise doubts about the tool itself, eventually get ahold of it, tear it apart. Turns out it’s not as secure as the engineer–and by extension, the media–had hyped it to be.

In the case of Amina Arraf, her blog–Gay Girl in Damascus–gained a following amongst bloggers and Middle East enthusiasts, then was quickly catapulted into relative blogger stardom after a series of articles in prominent publications profiled her. Therefore, when on June 6, her “cousin Rania” posted to her blog that she had been kidnapped, the public was quick to believe it. It wasn’t until the next day, when Andy Carvin and others began to question the story, that the details started unraveling as the public quickly jumped in to sleuth the story.

So what made journalists cast aside their usual levels of scrutiny? Or, is it perhaps that journalists are not as careful as we trust them to be?

I would argue that the journalistic treatment of the Haystack story was far more problematic, not least because it was easier to verify: After all, the product’s engineer was based in the US. He was reachable by phone and traveled for several interviews and awards. Numerous journalists met him, and yet not one after questioned the security of the tool. In the case of Amina, the journalists (the pseudonymous “Kathryn Marsh” and Shira Lazar) who first profiled her should have seen red flags when they couldn’t get her on the phone, but they were also dealing with a situation in which digging too much could’ve put an already endangered woman in far more danger.

The Facebook page of "Amina Arraf", before it was removed

Nevertheless, the details laid out on Amina’s blog (parents’ and siblings’ names, place of birth) and her now-defunct Facebook account (over 100 photographs, numerous comments about her life) could have been checked up on. And the details in her blog that numerous Syrians have now picked apart (her father standing up to the mokhabarat, her spotting a Syrian woman in the Umayyad mosque wearing a Star of David) could have been scrutinized early on.

I asked Zeynep Tufekci, a colleague and friend who has written about both cases, for her take: “Arguably, Haystack was verifiable whereas it is never possible to completely verify Amina’s identity without somewhat endangering her. Haystack can and should be avoided and journalists should have done much better job re: Amina. But I’m not sure they can completely avoid a future Amina.”

Now, this is where I need to insert my own role in all of this: While I did not fall for the Haystack story (and was one of the earliest to question its veracity), I very much fell for Amina Arraf. Why? Well, first of all, I had spoken with her numerous times. Her knowledge of Syria stood up to my tests. Her personality in private conversation was consistent with her personality on the public blog. Friends claimed to know her (one even suggested she knew her “in real life” – looking back, the suggestion was rather vague, the boastfulness of someone who wants to get close to a story).

I was also late to believe she wasn’t real, and that, for me, is both easier and more painful to explain. It is also a story I hesitate to share, but one which continues to haunt me, as well as remind me every single day why I do what I do.

In 2009, I wrote a piece for the HuffPost entitled “Blogging in Iran: A Dangerous Prospect.” After writing the story, a young Iranian blogger named Omidreza Mirsayafi emailed me to tell me his story. He wrote:

When I see your post on the mentioned website, I became so happy that a journalist in other corner of world writes about the situations of Iranians journalist & bloggers and is concerned about us.

I don’t want talk about my past experiences because it saddens me. these days I’m so sad and I don’t know what to do. I was sentenced two years and six months in prison just for the contents of my blog. just for explain my ideas. many of journalist and bloggers and human rights activists got into trouble specially in last 4 years.Iran GOV heap scorn on the people of Iran specially the journalists, students, human rights & woman activists. We wish one day write in our blogs & papers trouble-free.

After this initial email, Omidreza and I exchanged a few more emails, and had a few chats. He even called me once. But new as I was to this scene, and owing to my own personal circumstances at the time, I didn’t do as much as I should, as much as he asked. On March 18, 2009, he died in Tehran’s Evin Prison. I wrote about it three days later, confessing my own guilt over having not said enough.

It is very much because of this story that I had–no, have–difficulty letting Amina’s story go. While her story has unraveled almost completely at this point, there’s still a small chance that the girl behind the blog was kidnapped. And even if she wasn’t, there is no doubt that thousands of Syrians have been imprisoned these past few months, hundreds killed. While Amina, if entirely fake, should not be the face of those Syrians, it’s so easy to ascribe her that role. We wanted to believe in her. We saw the beauty and tragedy in her stories and put her on a pedestal. Some have suggested it was because she was a lesbian, others have suggested it was her purported dual American citizenship. I don’t really believe it was either. Rather, it was the sense of courage we saw in her, to tell her story so loudly, that made us believe.

West Censoring East: Or Why Websense Thinks My Blog is Pornography

Today, the OpenNet Initiative has released a paper, authored by Helmi Noman and myself, enumerating the widespread use of American- and Canadian-built filtering technologies in the Middle East and North Africa.  The paper, entitled “West Censoring East: The Use of Western Technologies by Middle East Censors 2010-2011“, looks closely at Websense, McAfee’s SmartFilter, and Netsweeper in Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, Sudan, Tunisia, the United Arab Emirates, and Yemen, and particularly at how websites–including my own, the OpenNet Initiative’s, and Amira Al Hussaini’s blog–have been mis-categorized by these technologies, resulting in what is essentially censorship.

While I suggest you read the paper (or this excellent Wall Street Journal article reporting on it), I’d like to discuss briefly why my blog was categorized as pornography by Websense.  Frankly, I find it utterly fascinating: About a year ago, Helmi Noman–my co-author–discovered that this very blog was blocked in Yemen.  Upon further investigation, Helmi realized that the reason for the blockage was not political content or anything of the sort, but that my blog had been categorized–by Websense–as pornography.

After Websense barred Yemen from future software updates, I thought the problem had been solved until Luke Allnutt–who works at RFE/RL, which uses Websense in its offices–tweeted that he couldn’t get to my blog.

I quickly wrote to Websense, and received a fairly rapid reply, telling me that my blog had been reclassified as a personal site.  Great–I then pushed back a bit, asking how my blog had been categorized as a pornographic site in the first place.  My assumption was that their automated system was based on keywords, and that my blogging about Helmi Noman’s paper (“Sex, Social Mores, and Keyword Filtering: Microsoft Bing in the ‘Arabian Countries‘”) had caused it; after all, it caused “Arab sex” to be the #1 search term for my blog.

Turns out, that wasn’t the case at all.  In fact, what happened was significantly more chilling.  Here’s the text of an email sent to me by Patricia Hogan, Senior Public Relations Specialist for Websense:

Hi Jillian,

Regarding your questions about blog classification, the problem seems to come from the comments, not the posts. Indeed, you appear to be the victim of comment spam (which often contains pornographic links or links to malware).

Look at the comments after this post: https://jilliancyork.com/2008/09/11/blog-strike-for-mohammed-erraji/. The last comment has pornographic links and the one preceding it has links to pharmacy spam, which often leads to malware. This is just one post that we looked at. You may have more.

Comment spam has been hounding bloggers (and more recently Facebook users), so Websense developed tools to help keep blogs and readers safe from spam like this. We offer free plug-ins for many blog platforms to help prevent this type of comment abuse (go to http://defensio.com/downloads for more information). We don’t want you to be victimized again from unscrupulous posts, and our plug-in allows you to control what content you wish to appear on your site.

I hope this helps. Please let me know if you have any more questions.


Sr. Public Relations Specialist

ph: +1.858.320.9393
fax: +1.858.784.4393

What Hogan is saying is that anyone can manipulate Websense software by spamming a blog’s comments section with porn outlinks. Let me say that again: Websense can be manipulated by anyone wishing to censor anyone else, just by adding a few links to porn in the comments section.

SmartFilter appears to have similar problems. A few months ago, blogger Sabina England reported that her blog was blocked in the UAE, which uses the software. While she may have a similar issue with “porn spam,” our suspicion at the time was that SmartFilter was detecting keywords, and had blocked England’s blog based on the use of the words “cunt,” “sexy,” and “whores” in a poem she had written.

I find this utterly chilling; now, I will say that Yemen has stopped using Websense and we’re not aware of any other countries–at least in the Middle East and North Africa–that use the software. Nevertheless, plenty of schools, libraries, and workplaces use Websense and other tools, and while their blocking of pornography may be justified, the mis-categorization of URLs by these technologies means that there are chilling effects, even to blocking porn.

Older posts

© 2018 Jillian C. York

Theme by Anders NorenUp ↑