Legal developments affecting network surveillance technology: Ignore them at your peril

Political and social events highlight the immense benefits of technology, but also reveal technology's dark side. Consider Arab Spring. The uprisings demonstrated, on the one hand, how innovations such as social media can be used to evade and challenge repressive regimes and promote democracy, but on the other hand, the ability of the same regimes to capitalize on improved surveillance technology to counter those threats and suppress their citizens.

That irony hasn't been lost on Western governments. In an effort to blunt the negative role of technology in the Arab Spring, governments have reacted with remarkable speed to restrict the sale and export of surveillance technology to countries such as Iran and Syria. In the United States, for instance, a bill known as the "Global Online Freedom Act" (HR 3605) is currently pending that would prohibit the export of surveillance technology to countries that the government designates as an "Internet-restricting country." The EU has already taken steps to prohibit the export of certain surveillance technology to Syria and Iran.

IN THE U.S.: Obama authorizes sanctions against surveillance tech in Syria, Iran

BACKGROUND: The recent history of governments vs. the Internet

Action has not been limited to the proposal and implementation of new law. The United States has begun aggressively enforcing pre-existing laws that prohibit sales to sanctioned countries such as Iran and Syria. For instance, the U.S. Department of Commerce, Bureau of Industry and Security is currently investigating the sale to Syria of surveillance equipment manufactured by Blue Coat Systems. And investigations are being considered or already underway in France, Israel and the Netherlands on the sale of surveillance technology to repressive regimes by companies in those countries. [Also see: "EU IT companies to get guidance on human rights issues"]

In numerous ways, the government actions affect manufacturers and vendors of surveillance technology, as well as other parties involved in the transfer of such technology.

First, the government actions extend to a broad range of surveillance technology, from deep packet inspection to WEP and WPA code breaking equipment. Some of the actions are broad enough to include almost any type of surveillance technology, including those broadly referred to as filtering technology, tracking technology, or spyware.

To further complicate matters, some actions ambiguously define the scope of captured surveillance technology, leaving that task to a government agency or even the manufacturers and vendors themselves. Furthermore, the actions include not only hardware and software falling within the generic rubric of "surveillance" technology, but also information such as blueprints and manuals corresponding to such hardware and software.

Second, governments around the world are imposing restrictions on exporting, re-exporting, and transferring surveillance technology to unfriendly countries for nefarious end uses. Even among countries that have such laws already in place, such as the United States, the laws are becoming more aggressively enforced and/or getting amended to become more restrictive.

Finally, even if your business doesn't sell surveillance technology abroad, existing laws impose obligations on third party transfers within the United States. For instance, U.S. law prohibits companies engaging in business dealings with parties blacklisted on the Specially Designated Nationals (SDN) list published by the U.S. Department of Treasury Office of Foreign Assets Control (OFAC). In addition, it is unlawful to sell items or information if the seller has reason to know that the buyer will subsequently export, re-export, or otherwise transfer the items or information in violation of U.S. law.

Affected parties should bolster their compliance with existing laws and engage in the lawmaking process. As to the former, companies should refresh their knowledge of existing laws that apply to the sale and transfer of surveillance technology and implement policies, processes, and procedures to help comply with those laws. Examples of such measures include screening customer names against OFAC's SDN list and conducting brief due diligence to determine the intended end use of a sale.

As to the lawmaking process, companies that will be impacted by pending laws such as the Global Online Freedom Act should contact their representatives to convey their support or opposition and to explain how those laws would affect their business. Companies should also continue to stay abreast of developments in order to know how and when new laws will affect them.

A tidal wave of developments are on the horizon that no company within the network technology space can afford to ignore.

David Hardin is an attorney at Miller & Chevalier Chartered in Washington, D.C., where he specializes in U.S. export control and sanction laws.  

Read more about lan and wan in Network World's LAN & WAN section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Hardin, attorney at Miller & Chevalier Chartered in Washington, D.C.

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts