How BAE sold cyber-surveillance tools to Arab states

A dancer tucks his Apple iPhone next to his traditional Omani dagger during a welcome ceremony in Muscat, Oman (5 November 2016). Image: Getty Images

A year-long investigation by BBC Arabic and a Danish newspaper has uncovered evidence that the UK defence giant BAE Systems has made large-scale sales across the Middle East of sophisticated surveillance technology, including to many repressive governments.

These sales have also included decryption software which could be used against the UK and its allies.

While the sales are legal, human rights campaigners and cyber-security experts have expressed serious concerns these powerful tools could be used to spy on millions of people and thwart any signs of dissent.

The investigation began in the small Danish town of Norresundby, home to ETI, a company specialising in high-tech surveillance equipment.

ETI developed a system called Evident, which enabled governments to conduct mass surveillance of their citizens' communications.

A former employee, speaking to the BBC anonymously, described how Evident worked.

"You'd be able to intercept any internet traffic," he said. "If you wanted to do a whole country, you could. You could pin-point people's location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well."

One early customer of the new system was the Tunisian government.

The BBC tracked down a former Tunisian intelligence official who operated Evident for the country's veteran leader, President Zine al-Abidine Ben Ali.

"ETI installed it and engineers came for training sessions," he explained. "[It] works with keywords. You put in an opponent's name and you will see all the sites, blogs, social networks related to that user."

The source says President Ben Ali used the system to crack down on opponents until his overthrow in January 2011, in the first popular uprising of the Arab Spring.

Campaigners 'vanished'

As protests spread across the Arab world, social media became a key tool for organisers.

Governments began shopping around for more sophisticated cyber-surveillance systems - opening up a lucrative new market for companies like BAE Systems.

BAE Systems bought cyber security firm ETI for £137m in 2011

In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence.

Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records.

Freedom of information requests submitted by the BBC and the Dagbladet Information newspaper in Denmark revealed exports to Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria.

While it is not possible to link individual cases directly to the Evident system, increased levels of cyber-surveillance since the start of the Arab Spring have had a direct and devastating impact on the activities of human rights and democracy campaigners in many of the states that acquired it.

"I wouldn't be exaggerating if I said more than 90% of the most active campaigners in 2011 have now vanished," says Yahya Assiri, a former Saudi air force officer who fled the country after posting pro-democracy statements online.

Manal al-Sharif says Gulf states have the money to buy advanced surveillance equipment

"It used to be that 'the walls have ears', but now it's 'smartphones have ears,'" says Manal al-Sharif, a Saudi women's rights activist who also now lives abroad.

"No country monitors its own people the way they do in the Gulf countries. They have the money, so they can buy advanced surveillance software."

The situation has led campaigners to voice deep concerns about the future of civil society in the Middle East.

"Surveillance will destroy people's confidence in organising, expressing and sharing ideas, trying to create a political movement," warns Gus Hosein of London-based Privacy International.

'Responsible trading'

The BBC has also asked for responses from the governments of Saudi Arabia, Oman and the UAE. It has not yet received any replies.

All sales of Evident were made entirely legally under Danish government export licences, issued by the Danish Business Authority.

BAE Systems in the UK declined a BBC request for an interview on the issue, saying it was against company policy to comment on specific contracts. But in a written statement the company said: "BAE Systems works for a number of organisations around the world within the regulatory framework of all relevant countries and within our responsible trading principles."

Saudis attend the International Cyber Security Conference in Riyadh on 27 February 2017. Image: AFP
Vision 2030 - Saudi Arabia's plan to diversify the economy and open up the country culturally

During the course of the BBC investigation, it emerged that sales of Evident could also potentially have an impact on national security in the UK.

An upgraded version of the system now offers another capability - decryption or, to use the technical term, cryptanalysis.

This enables users to read communications even if they have been securely encrypted.

Cryptanalysis is such a powerful tool that its export is tightly controlled.

Export authorisations

The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates.

"We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns," says the email.

"Criteria 5" refers to the national security of the UK and its allies.

A man talks on his mobile phone as he walks through the Dubai Heritage Village on 13 November 2013 in Dubai, United Arab Emirates. Image: Getty Images
Since 2011, Gulf states have stepped up efforts to curb dissent with tough cyber-crime laws

The worry is that the software could give users access to the UK's own communications.

"Once you've sold the equipment to someone they can probably do what they want with it," says Ross Anderson, professor of Security Engineering at Cambridge University.

"An Arab country wants to buy cryptanalysis equipment supposedly for its own law enforcement. They have embassies in London, Washington, Paris and Berlin. What's to stop them putting bulk surveillance equipment in our cities and then using the cryptanalysis equipment to decipher all the mobile phone calls they hear?"

Despite British objections, the Danish authorities approved the Evident export.

The Danish foreign ministry declined to be interviewed but in a statement said the Danish Business Authority would not grant export authorisation if an EU member state requested that it did not because of security concerns.

Defence experts argue that at a time when countries around the world face heightened terrorist threats, there is a clear justification for sales of surveillance equipment.

File photo showing a person walking behind a glass wall bearing machine coding symbols (17 October 2016). Image: AFP
Cyber-security experts have expressed concerns about how surveillance tools are used

"It's a trade-off," says Jonathan Shaw, former head of Cyber-Security at the UK Ministry of Defence.

"I would imagine the consideration that plays in people's minds is not so much the economic advantage... but it's that the security of the state we're talking to is closely linked to ours. Or they are tracking people who are a direct threat to Britain and we need their assistance."

According to a 2016 UK Home Office report, mass surveillance technology has played a significant role in every major counter-terrorism investigation in the last decade.

"The more terrorist incidents there are, the more people will start to see the benefits of favouring security over privacy," Mr Shaw adds.

No-one from the UK government was willing to speak to the BBC about the implications of Evident sales, but the Department for International Trade issued a statement:

"The government takes its defence export responsibilities very seriously and operates one of the most robust export control regimes in the world. All export licence applications are assessed on a case-by-case basis against strict criteria, taking account of all relevant factors at the time of the application, including human rights considerations."

'Unacceptable'

Dutch MEP Marietje Schaake is one of the few European politicians prepared to discuss concerns about surveillance technology exports.

She says European countries will ultimately pay a price for the compromises now being made.

"Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable," she told the BBC.

"I think the fact that these companies are commercial players, developing these highly sophisticated technologies that could have a deep impact on our national security, on people's lives, requires us to look again at what kind of restrictions may be needed, what kind of transparency and accountability is needed in this market before it turns against our own interest and our own principles."