Privacy International files complaint with South African export control body regarding export of surveillance tech to Libya

News & Analysis
Privacy International files complaint with South African export control body regarding export of surveillance tech to Libya

In our ongoing campaign to prevent the sale of surveillance technologies to repressive regimes, Privacy International today has filed a complaint with the South African body responsible for arms controls, asking for an investigation into South Africa-based surveillance company VASTech for the potential illegal export its technology to Libya.

In this case, Western-made surveillance technology was found by the Wall Street Journal when journalists entered the communications monitoring centre of the Gaddafi regime in August 2011. They found English-language training manuals carrying the logo of a French company called Amesys, and reviewed emails that indicated that VASTech provided Libya with tools to tap and log all international phone calls going in and out of the country.

While the French have started an inquiry into Amesys, no action has been taken by the South African authorities to investigate the contribution VASTech made to the regime, even though this issue has repeatedly been brought to their attention by Privacy International. In our complaint we argue that, as certain surveillance technology falls within the scope of section ML11 of the Control List of the Wassenaar Arrangement and requires an export licence, the South African export control authority should investigate whether VASTech's technology was legally exported to Libya.

VASTech and surveillance in Libya

VASTech is a South African company that develops surveillance technology and sells it worldwide. Its flagship product is the Zebra Strategic Telecommunication Network Monitoring system (“Zebra”). From brochures we have obtained at the world's most notorious surveillance trade shows, we know Zebra is designed to intercept voice, SMS, MMS, email and fax communications on connected networks and to retain this data for extended periods of time, enabling agents to analyse the stored communications and reveal networks of people.

Finding VASTech’s Zebra system in Libya in August 2011 indicates that the Gaddafi regime had access to a very sophisticated and intrusive system for monitoring communications. When exported to a repressive regime that does not have safeguards in place to govern the use of this intrusive technology, the equipment can facilitate large scale violations of the privacy and freedom of expression and the targeting of political opposition members, human rights activists and journalists. A peek at Libya's record demonstrates continual human rights abuses, and it is likely that VASTech's technology would have aided internal repression there.

Our contact with the NCAC Inspectorate

The complaint against VASTech is the latest in a series of attempts by Privacy International to hold companies to account for the export of dangerous surveillance tools to abusive foreign regimes, where they can be used to target political dissidents, human rights defenders, lawyers and journalists for arrest and torture, by pushing for enforcement action by export control authorities.

Concerned about the potentially illegal export of the Zebra system to Libya, we repeatedly reached out to the National Conventional Arms Control Committee (NCAC) since June 2013 to inquire after VASTech’s export permits. As we are still awaiting an answer from the Committee, we have proceeded to file an official complaint with the Inspectorate.

The lack of response from the NCAC Committee so far stands in stark comparison to France, where a judicial inquiry has been launched into Amesys' involvement in the Gaddafi regime after a complaint by FIDH. Amesys entered into an agreement with the government of Libya to make technology available for the purpose of intercepting communication, data processing and analysis. They are currently subject to a judicial investigation for complicity in acts of torture in Libya by the specialised unit in war crimes, crimes against humanity and genocide within the Paris Tribunal.  This response shows the French position is clear: It is not right for companies to enter into a commercial agreement with a dictatorial regime and provide it with a means to reinforce the repression of its population.

In contrast, the NCAC Committee has not responded to several letters and phone calls we placed in relation to VASTech. Sadly, this appears to be in line with their enforcement record.

Since 2009 only 48 potential export contraventions have been investigated, and in only two cases companies have been fined, while during 2012 only 4,407 permits were granted by the Committee for the export of arms to 94 countries, for a total worth of R13 billion (a little over £8 billion). With our official complaint, we urge the NCAC Inspectorate to finally take action, investigate the export and provide clarity on its legality.

Wassenaar Arrangement

South African export laws require companies to obtain a licence for the export of items that are included in the Control List of the Wassenaar Arrangement, the key international instrument that imposes controls on the export of conventional arms and dual-use goods and technologies.

The agreement has been established in order to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies. Participating states, such as South Africa, seek to ensure through their national policies that transfers of these items do not contribute to the development or enhancement of military capabilities that undermine these goals, and are not diverted to support such capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each participating state.

So how does VASTech fit into this?  Privacy International argues that VASTech's surveillance technology should be brought within the scope of the Wassenaar Control Lists. Section ML11(a) indicates that the export of “electronic equipment specially designed for military use” is controlled. Note ML11(a) explains that this equipment includes, but is not limited to “Electronic systems or equipment, designed for surveillance and monitoring of the electromagnetic spectrum for military intelligence or security purposes or for counteracting such surveillance and monitoring” and “Digital demodulators specially designed for signals intelligence”. As this list is not exhaustive, VASTech's Zebra system could well fall within the scope of this provision as well.

This becomes particularly evident when the Zebra system is sold to a military regime, such as the Libyan regime at the time, which will use it to further military control and thereby fulfil a military purpose. Equipment such as the Zebra system then can be considered specially designed for military use, and thus would require a permit authorised by the Committee.

In other countries however military and civilian intelligence are increasingly interlinked and it is often impossible to draw a clear distinction between the two, which would also plead for a broad interpretation ML11(a). At the same time surveillance continues to gain importance in how modern warfare is conducted, with conventional warfare's role being reduced in favour of increased intelligence collection, for instance being used to guide drones strikes.

If the NCAC Committee agrees with us that Zebra falls under ML11(a) this would be an important step in controlling the export of surveillance technology. There is undoubtedly enough evidence to compel the NCAC Committee to investigate, and we hope this complaint will help force a response from a committee that has otherwise been silent.