Building Secret State Surveillance Systems: How the Export of European Spyware Facilitates Human Rights Violations in Gulf States

The Danish government has traditionally been a vocal supporter for human rights. For example, the Government of Denmark was one of the signatories of a Human Rights Council Joint Statement on Saudi Arabia that expressed its concern regarding the murder and torture of journalist Jamal Khashoggi. Despite their good reputation, the Danish government has on occasion demonstrated a double standard. Although they may call on the governments to halt the torture of human rights activists, their business dealings with authoritarian regimes actually puts their lives in danger. The most prominent case of this is the 2017 sale of spyware to authoritarian states such as the United Arab Emirates (UAE) and Saudi Arabia. This dispatch will assess the sale of  the spyware, how the Danish government approved such a sale,  and how that sale may have put human rights defenders, that Denmark claims to protect, at serious risk.

BAE Systems Applied Intelligence is a business and technology consulting firm owned by BAE Systems. Although BAE systems is a British company, it has a subsidiary company based in Denmark. In 2017, the BBC and the Danish Newspaper Dagbladet discovered a sale of a spyware product called ‘Evident’ to authoritarian regimes, with Saudi Arabia and the UAE being among the main buyers. ‘Evident’ was developed by ETI, a Danish company specialised in high-tech surveillance that became part of BAE Systems Applied Intelligence in 2011. The surveillance tool can collect, catalogue and analyze the electronic communications of millions of people. A former ETI employee was quoted saying that by using the technology, “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around”. When this level of surveillance is put into the hands of authoritarian regimes like the UAE or Saudi Arabia, there is a legitimate fear that it will be used for cracking down on dissidents and human rights defenders.

Although BAE is a British company, the Danish government was directly involved in the approval of the ‘Evident’ spyware. According to the BBC, in 2015, a British official claimed that if the UK government had been asked for their permission to approve this sort of technology, it would have refused it “on the grounds that it could damage the security of the UK and its allies. It was feared that the technology could be used to decrypt and read the UK’s own sensitive communications”. However, the Danish government naïvely or blatantly approved the export as its “own intelligence service and foreign affairs advisers had not objected”. A written statement by BAE systems, designed to excuse the decision, stated that “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles”.

Regulations that had been put into place by the European Commission in October 2014 were specifically targeted at controlling the exports of spyware and internet surveillance equipment with specific concerns for human rights. Despite these regulations, the Danish Business Authority told Dagbladet that it had no issues when trying to approve the export license to the UAE’s Ministry of Interior as it “made a thorough assessment of all relevant concerns and saw no reason to deny the application”, according to the Danish Foreign Minister. This statement shows a clear discrepancy with the body of the regulation, as both Saudi Arabia and the UAE have a track record of using spyware against their own citizens. Marietje Schaake, a Dutch member of the European Parliament, described the sale of the spyware as being “unacceptable” and that “Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable”.

Gulf nations such as Saudi Arabia and the UAE have a marred history of inflicting grave human rights violations upon government critics and human rights activists. Between 2011 and 2020, 35 journalists were imprisoned in Saudi Arabia. In more recent years, the government intensified the repression of writers and activists. In most of the cases the dissidents face sentences up to 15 years with charges such as “breaking allegiance with the ruler” or “participating in protests” that do not constitute as recognisable crimes. The 2014 law on terrorism uses very vague language to describe acts of terrorism and since then it has been used to to defend the arrests of members of the non-governmental organizations such as the Saudi Civil and Political Rights Association (ACPRA) (which includes Abdulaziz al-Shubaily, Issa al-Hamid, Mohammed al-Qahtani and Abdullah al-Hamid), as well as journalists and academics like Essam al-Zamel. Clerics have also been targeted by these despotic regimes; such as Salman al-Awda who may face execution.

In a statement, Amnesty International expressed its fears that governments buying the spyware would use it to crack down on government critics: “We are completely baffled by the Danish authorities [decision to], without blinking [an eye], give permission to export internet surveillance equipment to a country like the UAE”. In addition to this, Human Rights Watch expressed their concerns by stating that the UAE “often uses its affluence to mask the government’s serious human rights problems”. ADHRB reports have shown that the UAE and Saudi Arabia have forcibly disappeared individuals as well as detaining individuals who have spoken out against the authorities. By giving these countries access to spyware programs that can monitor the whole country and its communications, the Danish government has been complicit in the arrest of human rights defenders.

In 2018, the many human rights organisations reported on the arrest of the prominent UAE human rights defender Ahmed Mansoor. Due to his activism, he was sentenced to ten years in prison and received a fine of Dh1 million ($272,000 USD) on charges of insulting the “status and prestige of the UAE and its symbols” and using his social media account to spread “hatred and sectarianism” as well as “false information”. ADHRB reported that between 2011 and 2014, Mansoor’s computer was repeatedly infected with spyware by the UAE as a way to monitor his online activities. In 2016, it was discovered that his cell phone was infected with a spyware that transformed his phone into a monitoring device. Although unable to prove the source of the spyware, the Canadian-based technology rights group  Citizen Lab concluded that there were few credible alternatives besides the UAE. This spyware draws many similarities to the one sold by BAE systems.

As well as the spyware bought from BAE systems, another company that operates out of Italy called HackingTeam, sold a 20 percent stake to a Saudi Arabian investor called Tablem Limited. According to a Vice report, “Hacking Team sells hacking and surveillance technologies exclusively to government authorities. And it became infamous for selling its wares to authoritarian regimes such as Ethiopia, Sudan, Kazakhstan, and Bahrain, among others”. The Saudi investor, and by proxy the Saudi Arabian Government, is currently under a transition period with Mohammed Bin Salman (MbS). MbS is a figure known for heavily cracking down on government dissenters. According to Vice, the Saudi government is worried about “terrorism, Iran, and dissidents among their own citizens, giving them plenty of reason to seek surveillance tools”. This fits in well with the Saudia Arabia’s historical pattern of cracking down on human rights defenders. HackingTeam, however, continues to operate despite EU regulations prohibiting spyware sales to authoritarian regimes. This shows that the EU member states have therefore been complicit in the sale of spyware which has led to gross human rights violations and the deaths of human rights defenders, citizens and foreign nationals alike.

It is evident that the European parliament has not done enough to stop the sale of spyware to the Gulf states that show a pattern of human rights abuses. Despite the 2014 law, there has been continual evidence that European firms are still able to sell their software to these oppressive regimes. This includes the  case of BAE systems, where the Danish Government approved the development and export of these technologies to state human right violators. This pattern of behavior exposes the double standard of European Union membership: a country may theoretically have to follow the laws set by the EU, but in reality act in a way that they choose to interpret the law. The EU and its member states must ensure that double standards do not exist concerning the protection of human rights defenders within despotic regimes. Standardised implementation of such spyware regulations must be carried out to safeguard human rights defenders worldwide, but in particular states that have a track record of human rights violations.