Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas.
Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology.
“At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses,” Edin Omanovic, research officer at Privacy International, told Motherboard in an email.
"As we learn time and time again, countries with bad human rights records often keep utilizing interception technology to perpetrate even more abuses and suppress dissent"
In 2015, the UK's Department for Business, Innovation and Skills (BIS) started publishing basic data about the exportation of telecommunications interception devices. Through the Freedom of Information Act, Motherboard obtained the names of companies that have applied for exportation licenses, as well as details on the technologies being shipped, including, in some cases, individual product names.
The companies include a subsidiary of defense giant BAE Systems, as well as Pro-Solve International, ComsTrac, CellXion, Cobham, and Domo Tactical Communications (DTC).
Many of these companies sell IMSI-catchers. IMSI-catchers, sometimes known as “Stingrays” after a particularly popular brand, are fake cell phone towers which force devices in their proximity to connect. In the data obtained by Motherboard, 33 licenses are explicitly marked as being for IMSI-catchers, including for export to Turkey and Indonesia. Other listings heavily suggest the export of IMSI-catchers too: one granted application to export to Iraq is for a “Wideband Passive GSM Monitoring System,” which is a more technical description of what many IMSI-catchers do.
IMSI-catchers typically extract the phone SIM card's unique identifying number, or IMSI, but many models are capable of more powerful surveillance techniques as well. Cobham, which has been granted at least one license, advertises IMSI-catchers that can be used to intercept SMS messages and voice calls from mobile phones.
A Cobham presentation describing IMSI-catchers. Image: Surveillance Industry Index
“IMSI catchers are probably one of the most controversial and yet more demanded pieces of surveillance technology marketed today. They are of dubious legality and their use raises serious ethical and privacy concerns due to their invasiveness and wide reach,” Claudio Guarnieri, technologist at Amnesty International told Motherboard in an online chat.
Some of the other export licenses for IMSI-catchers are marked as “temporary.” According to the Department for International Trade, which processed the Freedom of Information Request, this means the product has to be returned to the UK within one year. These licenses might be used for transferring equipment to be exhibited at a surveillance trade fair, or demoed to a potential client. A temporary license was granted for the export of an IMSI-catcher to Pakistan.
In all, Motherboard received entries for 148 export license applications, from February 2015 to April 2016. A small number of the named companies do not provide interception capabilities, but defensive measures, for example to monitor the radio spectrum.
The list of companies provided by the Department for International Trade
For a few licenses, the department withheld product descriptions, saying their disclosure would harm commercial interests. The department declined to link any of the companies to specific license applications, but in some cases the data provides enough information to make a clear connection.
For example, two temporary licenses are for “DNA Tracker,” a product made by Megablue Technologies Limited. DNA Tracker can not only track phones’ locations by their IMSI numbers, but also devices such as laptops through their individual MAC addresses. The data includes two successful license applications for temporary export of the product to China and Kuwait. The company's website suggests the gear could be deployed in airports, or for crowd monitoring and property protection.
A brochure for DNA Tracker, made by Megablue Technologies Limited. Image: Surveillance Industry Index
In another example, licenses refer to Marlin, a product made by TRL Technology Limited that can intercept calls made on the IsatPhone, Inmarsat and Thuraya satellite phone networks. According to the export data, permanent export licenses for Marlin were granted for Egypt, India, Indonesia, Israel, Kenya, Turkey and Vietnam (a license for export to Ethiopia was refused).
A TRL Technology Limited Brochure showing the Marlin system, which is used for targeting various satellite phone networks. Image: Surveillance Industry Index
Many of the countries that may have received products included in the export data have a history of abusing surveillance technology. Turkey framed a journalist using malware; the United Arab Emirates repeatedly spied on an activist, and the government of Saudi Arabia is suspected of hacking political targets.
“As we learn time and time again, countries with bad human rights records often keep utilizing interception technology to perpetrate even more abuses and suppress dissent. British and European companies by now should very well know the risks involved in enabling and empowering some oppressive governments. Therefore it is imperative that companies as well as licensing authorities appropriately evaluate human rights implications when making business decisions,” Amnesty International’s Guarnieri said.
Nick Haigh, external communications manager for BAE Systems Applied Intelligence, told Motherboard in an email, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organisations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.” All of the other companies linked to the interception tech exports did not respond to questions on which customers or countries they would sell to.
A spokesperson from the Department for International Trade told Motherboard in an email that, “The UK government takes its arms export responsibilities very seriously and operates one of the most robust arms export control regimes in the world. We rigorously examine every application on a case-by-case basis against the Consolidated EU and National arms export licensing Criteria. We draw on all available information, including reports from NGOs and our overseas network as a key part of our assessment.” Export licensing requires the department to consider how the equipment will be used by the recipient country.
The export dataset can be found here.
from British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes