Key Concerns Regarding Governance in the Era of Militarisation of Tech

Governments are increasingly relying on data-intensive systems, both to wage wars and to administer public services. These systems, increasingly provided by the same firms using similar tools, will come to affect our day-to-day lives whether we are in war zones or town squares. This is the era of Militarisation of Tech.

The technologies that our governments rely on to deliver services and pursue their objectives are becoming increasingly data-intensive and militarised, which threatens our privacy, dignity, and autonomy.

The spread of these systems into our daily lives is no longer hypothetical. The same military contractor, such as Palantir, will be offering today its services to wage war, deliver humanitarian aid, and manage public sector healthcare data. Big Tech’s cloud services offered to governments extend from local government services to processing intercepted communications.

In theory, the deployment of any technologies, including those that process personal data, should be governed by specific legal frameworks. We have a duty to ask: are the necessary frameworks in place? Are they fit for purpose?

As our societies militarise and the lines between civil and military blur, we must have answers to these questions in order to ensure that democratic principles are sustained, the rule of law is upheld and human rights are protected.

Key concerns regarding the governance of militarised technologies

1. Risks to the Balance of Powers

The balance of power is at stake when the lines between civil and defence tech blur.

Data-intensive systems that operate seamlessly across contexts, allow for the fusion of military and civil data, tech, and infrastructures, put at risk the division between military and civil powers.

When it comes to sectors like science, technology, industry and data, the Chinese Government has already implemented a ‘civil-military fusion’ strategy that seeks to to integrate civilian and military sectors.

This means that civilian data is not exempt from national security classification, allowing the army to access massive civilian datasets. Chinese citizens and even foreign users of Chinese platforms may have their data accessed by the People’s Liberation Army (PLA). Also, Chinese tech companies like Huawei, Tencent, and Baidu may be legally obligated to share data — including user data, geolocation, and biometric information — with the military if requested.

In parallel, the US Government has also been promoting a US-version of such a fusion. The US Government has programs like DIUx (Defense Innovation Unit) and In-Q-Tel (the Central Intelligence Agency’s venture arm) to tap into Silicon Valley innovation. US companies may not be legally obligated to collaborate with the military, yet nearly all the Big Tech firms and other tech companies have been changing policies to ensure their data-derived tools can be used for military purposes, obtaining lucrative defence contracts, and providing services to the US military and its allies.

These interdependent relationships raise concerns not only about the military’s growing reliance on the private sector, but also about the increasing concentration of data and power within militaries worldwide. Such fusion tendencies fundamentally undermine the safeguards that uphold the rule of law and democratic principles.

However, the separation of military and civil powers is a core principle ensuring civilian government control and oversight over the military. Laws and constitutions often explicitly define the roles and limits of military and civilian powers to ensure clarity and prevent conflicts. Also, to avoid a fusion of political and military powers, often civilian leaders - typically elected officials - have ultimate authority over the military. For instance, while the military provides expert advice on defence and security matters, final decisions are made by civilian authorities. This maintains a balance between military expertise and civilian oversight. In parallel, the separation of powers within the government (executive, legislative, and judicial branches) ensures that there are mechanisms to oversee and regulate military actions. This prevents any single branch, including the military, from gaining excessive power.

The current governing frameworks have been founded and function under an assumed distinction between military and civil contexts, and operations. This separation is vital for ensuring that the military serves the state and its citizens, rather than becoming a political entity in its own right.

How can they put a break to the civil-military fusion that threatens our privacy, dignity and autonomy?

2. Gaps in the Legal Frameworks

As we explore in our explainer on some of the legal frameworks applicable to militarisation of technology, the various frameworks are dependent on their scope of application and the specific context in which they operate, while assuming a strict division between military and civil uses of technologies. This is true not only in the relationship between the laws of war and human rights law but across a diverse set of legal frameworks that theoretically govern data-intensive systems that operate across contexts.

For instance, various data protection frameworks often exclude military operations or national security matters from their scope, rendering as such applicable only in times of peace.

Another example relates to the regulation of dual-use items. The term dual-use items, meaning goods and technologies that may be used for both civil and military purposes is relevant only in relation to export controls of these items.

However, the dual-use regulations do not address certain important governance aspects specific to data-intensive systems, like data flows. Moreover, export controls per se are not pertinent when it comes to questions of regulation of the production or the use of dual-use items after the transfer has been completed.

For instance, governments across the world increasingly procure cloud services that operate across public functions – including military, police and intelligence services. Yet with few exceptions cloud services are not regulated by export controls.

Also, companies are developing surveillance technologies by testing and training them in conflict zones under questionable conditions. These technologies are often deployed on populations in precarious situations without adequate oversight, and later marketed for civilian use in entirely different contexts. For example, Corsight AI, an Israeli firm, developed facial recognition systems capable of identifying individuals even when wearing masks, goggles, or shields—initially tested in harsh environments, such as warzones. The company later promoted this technology for pandemic-related uses, such as monitoring mask compliance.

Similarly, AnyVision, another Israeli startup, faced serious criticism over its use of facial recognition to monitor Palestinians in the West Bank. Following public backlash and Microsoft’s withdrawal of investment, the company rebranded as Oosto and continued selling the same technology.

Currently, there are no comprehensive regulations governing the transfer of these technologies or the sensitive data they collect from conflict zones. The existing regulatory gaps allow governments and private companies to exploit data during armed conflict, with little accountability.

We believe that complex issues require a multi-dimensional approach. Therefore, we want to decipher how several relevant regulatory frameworks could be employed together to ensure the effective regulation of data-intensive systems. A series of diverse rules must reflect the complexity and multifaceted nature of data-intensive systems and different contexts they are deployed.

3. Lack of Cross-Sectoral Institutional Monitoring and Enforcement

Alongside legal frameworks, the various stakeholders involved in ensuring compliance by both state and private actors with existing regulations, need to collaborate and work in tandem to ensure the appropriate monitoring of data-intensive systems. Put simply, governments are not the only institutions deploying these tools.

For instance, these tools are becoming central to the operations of private military and security companies (PMSCs). They are deploying a range of technologies such as surveillance systems, drones, and biometric tools. Yet despite their growing role in the business models of many companies, the use of these tools often fall through the cracks of existing oversight regimes.

Whether these PMSCs are providing hotel security, protecting government officials, or offering military training and logistical support, they are gaining access to sensitive data and embed themselves in the fabric of our daily lives. At one end of the spectrum, firms may offer routine security for commercial properties or diplomatic missions. At the other extreme, groups like the Wagner Group have been involved in direct combat operations, regime protection, and resource extraction in countries such as Mali and Syria.

States may already have a regulatory framework for private security providers, such as national laws or licensing systems. Yet the surveillance technologies and data-intensive systems overall are seldom considered by regulators when overseeing the operations of private security and/or military companies. Similarly, many data protection authorities are often lacking the mandate and/or resources necessary to effectively bring the activities of these companies under their authority:
“The lack of awareness and expertise among regulators is a significant barrier to effective regulation. Indeed, many do not fully understand the scope, nature, or risks linked to the use of data-intensive systems for the provision of private security services, as the technologies used are often complex and opaque.”

In response to these developments, civil society actors across many sectors need to come together exchange knowledge and build joint advocacy strategies to hold these practices, tools, and organisations to account.

Towards a Holistic Approach to Governance of Data-Intensive Systems

Deriving a solution for this complex problem requires a comprehensive, multi-faceted, and cross-sectoral ecosystem governing data-intensive systems.

Governments, regulators, tech companies, and civil society need to work together to ensure the effective holistic governance of data-intensive systems, taking into consideration their entire lifecycle as well as the wider context within which they operate.

As the boundaries and contexts of deployment of the technologies increasingly collapse into each other, these frameworks need to evolve accordingly, while steadfastly preserving a clear separation of powers between military and civil applications of technology.

This is why, through the Militarisation of Tech Project at PI, we are collaborating with a diverse group of organisations, who are working in different sectors and using a variety of tactics to help uncover how data-intensive systems are or are not governed, to identify gaps in regulation and risks. This way, we hope to build a holistic understanding of the different legal frameworks as well as monitoring and oversight governing data-intensive systems in war and peace, including:

• human rights
• data protection
• export and trade controls
• regulation of private military and security companies
• arms controls
• international humanitarian law; and
• corporate responsibility.

This cross-sectoral and interdisciplinary approach aspires to be the starting point of developing guidelines to govern data-intensive systems and put the brakes on the Militarisation of Tech.