Privacy International releases “Private Interests: Monitoring Central Asia”
Privacy International is proud to release “Private Interests: Monitoring Central Asia,” a 96-page report detailing its findings from an extensive investigation into electronic surveillance technologies in Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, and Uzbekistan.
The report brings together the findings of PI's team of investigative researchers, consultants, and technical, legal and policy experts, and is the outcome of consultations with confidential sources, regional experts, individuals who have been targeted by state surveillance, and surveillance and telecommunications companies. It involved an extensive open-source and literature analysis, a technical review of nearly 100 sensitive documents detailing government contracts and technical specifications, and in-country trips to the region and elsewhere.
The purpose of this report is to foster an effective policy and legislative response to the developing global surveillance industry by highlighting specific types of actors and technologies. As perceived and actual security threats continue to be met by governments with increased censorship and surveillance, and as the industry continues to offer states cheaper and more sophisticated and efficient options for carrying out surveillance, it is essential that the trade in surveillance technologies is placed under the microscope.
Some Central Asian republics have sophisticated surveillance capabilities
The report's findings highlight some of the surveillance capabilities of state authorities in the region, showing some of the technical parameters of electronic surveillance, as well as how and which companies have either directly provided surveillance technologies or have facilitated their use.
As electronic surveillance practices evolved through the Cold War and alongside the privatisation of telecommunications networks, Soviet and Russian domestic surveillance laws and techniques developed separately from those in the US and in European countries, where, respectively, legislation in the form of CALEA and protocols adopted by ETSI were introduced. The Central Asian republics analyzed in the report have adopted surveillance regimes similar to Russia’s System of Operative Investigative Measures (SORM). SORM provides an architecture by which law enforcement and intelligence agencies can obtain direct access to data on commercial networks. The key feature of SORM, as in other 'Lawful Interception' models, is that communications service providers (CSPs) and telecommunications equipment manufacturers are required to ensure that their networks and equipment are compatible with, and made accessible to, a monitoring facility from which analysts request, receive, store, and analyse intercepted data.
In the SORM model, a Punkt Upravlenia (PU) acts as a monitoring node used to manage the interception process. Detailed documentation obtained by Privacy International attests to how, in Kazakhstan, these PUs are purchased directly by CSPs and connected to their network. Typically, small local telecommunications companies act as the prime bidder for the supply of PUs, although they maintain commercial partnerships with several larger foreign-based companies which manufacture the necessary hardware. Several other companies certify, test, and maintain PUs throughout Kazakhstan. Various other surveillance projects – such as systems for IP, SMS monitoring, and software for SIP platforms – then transmit data to these PUs. One document lists some 34 switching centres across Kazakhstan as being engaged in the transmission of voice data to a PU. These documents, as well as some contractual documentation, will be made available on Privacy International's website.
In addition to the PUs, which are distributed across Kazakhstan, both Kazakhstan and Uzbekistan have sophisticated monitoring centres provided by the Israel offices of NICE Systems and Verint Israel, two multinational surveillance companies. These companies have contracted directly with the notorious successor agencies to the KGB, the KNB in Kazakhstan and the SNB in Uzbekistan, both of which have been widely implicated in human rights abuses, to provide monitoring centres, as well as training and technical maintenance. Originally providing telephone-based interception, these monitoring centres have in the last few years been equipped with sophisticated Deep Packet Inspection technology, which allows the interception of internet data.
Although there are cost and technical limitations to the capabilities of the Kazakh and Uzbek security agencies, these monitoring centres provide the agencies with mass interception capabilities and access to the telephone, mobile, and internet communications of the entire population.
In addition to monitoring centres, Verint Israel attempted to facilitate Uzbek authorities’ interception of encrypted SSL traffic which, if successful, would have allowed authorities unprecedented access to private communications.
A 2010 document obtained by Privacy International shows that the German company Trovicor GmbH marketed a monitoring centre “for all cellular networks” to the Ministry of the Interior of Tajikistan in 2009, together with what appears to be a mediation device provided by fellow German company, Utimaco. Kyrgyzstan is likely using a monitoring centre provided by a Russian company.
Surveillance capabilities are facilitated by a range of Communications Service Providers and network equipment manufacturers
CSPs and telecommunications equipment manufacturers have facilitated direct government access to their networks and to their subscribers’ data, in exchange for permission to operate in the countries, despite the serious human rights concerns raised by mass interception and surveillance practices and the complete absence of checks and balances they entail.
State surveillance should only be undertaken in the context of robust legal constraints and rigorous independent oversight. The direct access provided by the monitoring centres and mandated under the SORM model represents a challenge to the protection of individual human rights. In the Russian SORM model for circuit-switched networks, the PU is connected directly to node connections within the network. SORM thus allows states to intercept and analyse citizens’ communications within a more limited system of checks and balances. As such, CSPs operating on SORM networks have little meaningful opportunity to monitor and control state agencies’ interception activities or mediate the access the state has to subscribers’ data.
In Central Asia, large multinational equipment manufacturers have worked with authorities and companies to certify that their products comply with SORM, and have procured equipment designed to ensure compliance. Telecommunications equipment vendors take into consideration national law enforcement requirements and ensure that their equipment is capable of fulfilling surveillance requirements. If their equipment is not directly compatible with SORM requirements, converters are used to ensure functionality. Locally-based companies, licensed and certified to ensure SORM compliance, act as prime bidders for SORM-related contracts and as re-sellers, sourcing hardware and software, and ensuring that network components are SORM compliant.
In Uzbekistan, human rights activists and others are targeted by state surveillance
Numerous journalists and activists living in Uzbekistan and outside of it, in exile, report that their communications have been monitored. Uzbek authorities appear to be monitoring the phone calls and emails of Uzbeks working on what state authorities perceive to be politically sensitive topics, often using transcripts of private communications in criminal proceedings against them. In some cases, authorities also appear to have obtained access to VoIP communications such as Skype. While the methods and stories vary, the testimonials evidence the politically-motivated nature of surveillance in Uzbekistan.
Their accounts vividly demonstrate the inherent danger of equipping such authorities with sophisticated mass or intrusive surveillance technologies. Where individuals have provided their consent, we have revealed their identities. In all other cases, we have concealed identities for security reasons.
The legal framework governing electronic surveillance in Central Asia is inadequate to ensure compliance with international human rights standards
While the legal frameworks governing surveillance by government bodies in Kazakhstan, Uzbekistan, and Turkmenistan appear, on their face, to reflect those States’ international human rights law obligations, there are significant gaps in the legislative regulation of surveillance both within and outside of the formal sphere of criminal investigations. With respect to the former, the provisions do not circumscribe surveillance powers to a level necessary to protect against their being used arbitrarily.
Our analysis suggests that security services in Kazakhstan, Uzbekistan, and Turkmenistan may be acting unconstrained by law or independent accountability mechanisms. Further, there does not appear to be any publicly available legislation regulating the conditions under which private companies operating in Kazakhstan, Uzbekistan, or Turkmenistan are or may be asked to monitor and intercept telephone, nor legislation governing the bulk collection of data pertaining to internet or digital communications, internet filtering or monitoring, collection or interception of or access to communications data, or the use of Trojans or hacking techniques.
Ensuring that these technologies no longer undermine human rights in Central Asia will require significant political will, and industry-led reform
Based on the findings of the report, Privacy International has formulated a series of recommendations to multilateral institutions, foreign governments, and export control authorities. Controls on the export of such technologies from the countries in which they are manufactured to repressive regimes like those in Central Asia must be prioritised. Surveillance technologies must not be exported where there is a risk they will be used for internal repression or to otherwise undermine human rights, and if there is no clear legal framework governing their use.
Companies selling electronic surveillance equipment to government agencies, communications service providers, and telecommunications equipment manufacturers also have a key role to play. The key policy challenge is how to enable communications services and networks to continue to operate effectively in Central Asia while ensuring that those governments’ desire to control and hijack services and networks for political control is checked. Confronting this challenge requires communications services providers and telecommunications equipment manufacturers to engage substantively in UN and industry-led business and human rights initiatives, including, for example, Corporate Social Responsibility and transparency measures, in conjunction with a broad range of other regulatory and soft law initiatives.