A Danish subsidiary of British defense contractor BAE Systems is selling an internet surveillance package to the government of the United Arab Emirates, a country known for spying on, imprisoning, and torturing dissidents and activists, according to documents obtained by Lasse Skou Andersen of the Danish newspaper Dagbladet Information.
The documents from the Danish Business Authority reveal an ongoing contract between the defense conglomerate, BAE Systems Applied Intelligence A/S, and the Middle Eastern oil federation dating back to at least December 2014.
The contract describes an internet surveillance product capable of deep packet inspection — “IP monitoring and data analysis” for “serious crime” and “national security” investigations. That could include capabilities like mapping a target’s social networks and extracting personal information and communications from devices including voice recordings, video, messages, and attachments.
According to the company’s contract, revealing any details about the agreement could have extreme consequences for its relationship with the “End User,” presumably the UAE government.
In a written statement, BAE Systems said, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.”
The Danish Business Authority told Andersen it found no issue approving the export license to the Ministry of the Interior of the United Arab Emirates after consulting with the Danish Ministry of Foreign Affairs, despite regulations put in place by the European Commission in October 2014 to control exports of spyware and internet surveillance equipment out of concern for human rights. The ministry told Andersen in an email it made a thorough assessment of all relevant concerns and saw no reason to deny the application.
According to Edin Omanovic, a research officer with Privacy International, this is one of the first tests of the commission’s new export controls, which are due to be updated next month.
“This comes at a crucial time, just before the European Commission is set to decide whether or not it proposes updates to regulations regarding the export of surveillance technologies,” he wrote in an email to The Intercept. “The fact that the export license was granted by the Danish authorities to the UAE, where human rights abuses are well established, and that this information was not publicly available, underlines why these reforms are urgently needed.”
“Without such safeguards, the current assessment criteria used by European governments to approve license applications will only serve as a rubber stamp,” he continued.
The disclosure of the BAE Systems deal comes after researchers from the University of Toronto’s Citizen Lab reported that a prominent human rights activist in the UAE was the target of an attempt to install potent spyware on his iPhone in an attack linked to the Israeli company NSO Group.
Human Rights Watch writes that the UAE “often uses its affluence to mask the government’s serious human rights problems,” which include arbitrary detention, torture allegations, threats to free speech, labor exploitation, and more. The UAE has led a systematic crackdown on members of the Muslim Brotherhood and other dissidents. Reporters have written about the UAE developing an emirate-wide surveillance program, while security researchers have uncovered weaponized malware attacks targeting Emirati activists and journalists.
And it’s not the first time the subsidiary, formerly known as ETI, has sold spyware to repressive regimes. Before being acquired by BAE Systems, the company sold surveillance equipment to the kingdom of Saudi Arabia, Information previously reported, as well as the corrupt Zine El Abidine Ben Ali regime in Tunisia prior to the Arab Spring uprisings.
Following Bloomberg’s exposé on the sale to Ben Ali and the acquisition by BAE Systems, representatives from BAE told a Danish documentarian, Mads Ellesøe, that the company has since “enhanced” the subsidiary’s export control process to comply with its human rights policies — drawing the new sale to the UAE into question.
A spokesperson for BAE Systems Applied Intelligence, also known as BAE Systems Detica, said in an emailed statement that “Since acquiring ETI in March 2011, we have enhanced its processes including introducing the BAE Systems Code of Conduct and associated policies on ethical conduct which are now integrated into the processes that govern all aspects of the day-to-day business. … BAE Systems Detica has instituted a further formal process, governed through a business conduct committee, which assesses relevant opportunities on the basis of responsible trading risks, ethical concerns and reputational risks.”
Some surveillance companies have suffered after being exposed for selling equipment to repressive regimes, like Hacking Team — the Italian firm whose internal emails were leaked last summer. Hacking Team also sold spyware to the UAE, reportedly to help the government spy on pro-democracy activists. However, Hacking Team may be bouncing back, as it’s due to present new “cutting edge” surveillance tools at the trade surveillance show ISS Latin America in October.
The U.S. government’s National Security Agency hosts some of the top hackers and surveillance tools in the world, capable of “touching” more of the internet than Google through deep packet inspection. Its XKeyscore program, first revealed by The Guardian, feeds off of a truly massive stream of worldwide online traffic from the backbone of the internet and automatically analyzes and inspects that traffic as it flows in.