“When they first caught me, about 30 police just beat me up quite badly. They also dragged me on the road for about 100 meters and I think I lost consciousness,” Myat said. “But somehow I wasn’t bleeding, so they kept beating me until I bled.”

In the police car following his arrest, Myat was forced to unlock his smartphone, which was subsequently confiscated. Then he was moved to a secretive military compound in Shwepyithar Township, which the junta has been using to detain protesters, journalists, and others swept up in mass arrests. Myat was questioned by soldiers who only months before shared power with democratically elected civilian leader Aung San Suu Kyi, a Nobel Peace Prize laureate who nevertheless presided over a genocide by the same military of the Muslim Rohingya people, displacing some 740,000 to neighboring Bangladesh and according to United Nations investigators, killing more than 10,000.

On February 1, soldiers arrested Aung San Suu Kyi in an early morning raid. The military then declared a state of emergency and took control of the country. For the past four months, mass protests have spread throughout Myanmar, as hundreds of thousands have demonstrated against military rule.

In response, the Myanmar military and police have engaged in an increasingly violent crackdown, killing over 860 protesters and bystanders, injuring thousands, and brutally torturing political prisoners. The generals have restricted internet access; blocked Facebook, WhatsApp, Twitter, and Instagram; and used smartphone data as evidence for mass arrests.

According to leaked budget documents from Myanmar’s Ministry of Home Affairs and Ministry of Transport and Communications, which were provided by the activist group Justice for Myanmar, the military and police sought to buy a collection of forensic and surveillance technology from American, Chinese, Russian, and European companies between 2018 and 2021 that could extract data from smartphones, access phone conversations, and monitor people’s movements. While it’s unclear which of these products are currently being used, people who’ve been detained in Myanmar over the last two months report having had to unlock and hand over their smartphones, sometimes under duress.

One of the products currently in the possession of Myanmar’s security forces is a digital forensic tool from the Swedish company MSAB. It’s the European equivalent of Cellebrite, the Israeli company known for its phone-hacking devices, which also appears in the leaked documents; MSAB’s technology is able to break mobile phone encryption and extract call, contact, GPS, and other records, as well as messages sent and received via SMS, WhatsApp, Signal, and other apps. MSAB’s products can also extract passwords and login tokens from mobile devices, allowing authorities to remotely enter someone’s online services, including Google, Facebook, cloud storage, and others.

MSAB confirmed that it sold its forensic tools to Myanmar police in 2019, two years after security forces targeted the Rohingya in what the U.N. said could amount to crimes against humanity. According to the leaked budget documents, as well as tender documents found on government websites, MSAB also intended to sell a number of phone extraction products to Myanmar’s Bureau of Special Investigations in 2021 via a third-party distributor called MySpace International. The BSI is the intelligence arm of the Ministry of Home Affairs, which oversees domestic security and has long been controlled by the military. Following the February coup, MSAB called off the deal. Yet the company’s earlier products remain in the hands of Myanmar’s security forces.

MSAB states publicly that its vision is to make the world a safer place. At the same time, the company sold phone extraction hardware to a government still partially run by the military, widely condemned for an ongoing genocide, and known for its suppression of activists and journalists. And the European Union is investing in MSAB’s growth. Indeed, EU research money has developed technology that feeds into the same products that MSAB sold to Myanmar in 2019.

In response to critical questions about the 2019 sale, MSAB has said that limited technology was sold to police working for a civilian government and that the licenses for these forensic devices were canceled after the 2021 coup. Still, the scenario raises important questions about EU efforts to create tools for the security sector inside and outside the bloc. How should countries regulate the export of surveillance and forensic technology to places where there is a high risk of abuse, especially if that technology is being developed with public funds?

The Race to Develop Digital Forensics

MSAB is one of several European companies on the receiving end of public EU funding whose products appear in the leaked budget documents. Myanmar’s Ministry of Transport and Communications was under military control until the civilian government came into power in 2016, and its IT and Cyber Security Department assists with police investigations. The Ministry of Home Affairs remained under military control even during the civilian government. The past two ministers — Lieutenants General Soe Htut and Kyaw Swe — were both former spy chiefs.

Funding for MSAB and others comes from the EU’s flagship technological research program Horizon Europe, previously known as Horizon 2020. MSAB is the lead technology company on the “Formobile” project, a consortium of 19 companies, research institutions, and police departments set up in 2019 to develop technology to unlock mobile devices without user consent and extract and analyze data as evidence in criminal investigations.

In particular, the project members hope to develop technology to run these processes on counterfeit phones that are not typically available in Europe, Christian Hummert, a forensic researcher in Germany and coordinator of the Formobile project, told The Intercept. These types of devices, which present a challenge for European police accustomed to working with standard iOS and Android phones, are especially important because, as Hummert put it, they are often used by “foreign criminal groups with or by people coming to Europe from Africa or from Asia.”

Hummert added that the majority of deliverables from the project — which received just under 7 million euros ($8.5 million) in public money from the EU — would feed directly into MSAB’s products.

“It was as though we were sitting at the table where criminals were chatting among themselves.”

One of the bloc’s research priorities has been to rapidly develop digital forensics, a field that encompasses a vast array of technologies that police say are needed to help solve crimes. Such was the case in June 2020, when European police cracked an encrypted communications network and intercepted information about planned arms sales, murders, and torture, leading to hundreds of arrests. “It was as though we were sitting at the table where criminals were chatting among themselves,” Jannine van den Berg, chief of the Dutch National Police Force, told the Associated Press.

This technology is not just being used by European police, but also by asylum officials. One of MSAB’s flagship products quickly scans and analyzes the data on a person’s smartphone; along with other software, it is used in Germany by asylum officials to “verify” the identity of asylum-seekers by assessing outgoing and incoming messages and calls, country domain data from internet browsers, language used in texts, and geolocation data.

In early June, the use of smartphone data to influence asylum requests was declared illegal by Berlin’s regional court, showing that the technology’s deployment inside the bloc may be outpacing European legal systems. Meanwhile, the sale of digital forensic products to countries outside the bloc such as Myanmar poses a new challenge for those who have been working to regulate technology exports that could be used to violate human rights.

Marietje Schaake was a Dutch member of the European Parliament in 2009, when reporting revealed that Nokia Siemens Networks, a joint venture between Germany’s Siemens and Finland’s Nokia companies, had exported surveillance technology to Iran, including a product to monitor telephone calls. Nokia’s technology was used to monitor leaders of the Green movement. Schaake said she didn’t want the EU exporting technology that could be used to spy on opposition leaders and stifle dissent.

Hoping to limit the sale of surveillance, hacking, and exfiltration technologies, Schaake and several other parliament members turned to an EU regulation based on the Wassenaar Arrangement, an international export control agreement that governs dual-use items as well as conventional arms. Dual-use products are those that have legitimate civilian applications but can also be used for military purposes. When Wassenaar was created in 1996, smartphones didn’t exist; its dual-use technology list was limited to computers, telecoms, and IT security. Over the next 10 years, Schaake pushed to change EU regulations to tackle emerging technology and try to prevent sales that could bolster the power of authoritarian-leaning regimes.

Schaake left the parliament in 2019 and is now the international policy director at Stanford University’s Cyber Policy Center. Later this year, the changes she fought for will finally come into effect: The EU’s new dual-use regulation will regulate “cyber-surveillance technology,” and the potential for human rights violations will become a key criterion for limiting exports. Whether or not MSAB’s 2019 sales to Myanmar would be prohibited under the new regulation will depend on Sweden’s interpretation and updates to its exports policy.

“I would have loved to have a stronger discussion about what is the desirable role of such technologies,” Schaake said. “But short of that, I think what becomes more important then is the context in which it can and cannot be used.”

A woman makes the three-finger salute while recording a protest against the military coup in Yangon, Myanmar, on Feb. 6, 2021.
Aung Kyaw Htet/SOPA Images/LightRocket via Getty Images

Unregulated Spy Tools

While the EU has its own dual-use export control regulation, each member country has its own national body that approves or denies export licenses for dual-use technology. MSAB applied to Sweden’s regulator for permission to sell its phone-hacking products in Myanmar in 2018. According to that regulator, Inspectorate of Strategic Products, the application was not approved due to the technology’s ability to break encryption.

In response to what it described as “systematic grave human rights violations” by Myanmar’s military and security forces, the EU also put in place an embargo on exporting dual-use products in 2018, specifically prohibiting the export of “equipment for monitoring communications that might be used for internal repression.”

The products that were eventually sold to Myanmar the following year were “not the most powerful levels of our technology,” explained Mike Dickinson, chief business development officer at MSAB. In a blog post on MSAB’s website, the company’s chair, Henrik Tjernberg, wrote that the products lacked the ability to break a phone’s encryption or recover deleted data. According to a spokesperson for the Swedish export regulator, this is the same modification that allowed MSAB to export to Myanmar despite the initial application denial. Yet data analysis and extraction tools can still be used against a person’s will — such as when a detainee is forced to unlock a phone that is then searched.

The same year it sold its forensic technology to the police in Myanmar, MSAB began work on the EU-funded Formobile project.

The same year it sold its forensic technology to the police in Myanmar, MSAB began work on the EU-funded Formobile project. MSAB confirmed that some results from the Formobile project have already been incorporated into its extraction software, called XRY. A blog post on the Formobile website also describes updates to MSAB’s extracted data visualization tool, XAMN. According to the leaked budget documents, Myanmar authorities sought to buy both tools, as well as MSAB products related to counterfeit phone compatibility, cloud token extraction, and other technology directly related to Formobile’s work. Still, it’s unlikely that any results from the project made it into updates for the MSAB forensic devices in Myanmar before February 2021, when the company says they canceled the licenses.

Dickinson told The Intercept that MSAB’s sales to Myanmar were licit given the country’s democratic elections in 2015 after decades of military rule. But local analysts say that a short look at Myanmar’s political context would call this reasoning into question. Even during Aung San Suu Kyi’s tenure, 25 percent of parliament seats were reserved for the military, which continued to wield influence. Journalists were also subject to persecution: In 2017, two Reuters journalists were arrested and jailed for 500 days for investigating the army’s killing of 10 Rohingya Muslim men and boys. Police in Myanmar used forensic tools from Cellebrite — MSAB’s largest competitor — to extract data from the journalists’ phones and wield it as evidence against them.

“I think the argument that, you know, it was fine because you’re selling to a government led by a Nobel laureate just shows a lack of due diligence on the country’s context,” said a political analyst in Yangon who asked to remain anonymous due to security concerns. “You essentially had parallel centers of power at the top between the military and the civilian government. And the military control not only the armed forces, but also the police force, and also had substantial political power.”

“People who get spied on by this stuff should be able to sue the company and the government and get remedies.”

“When you look at the framework for human rights in Myanmar, it’s just not fit for purpose,” the analyst said. “There are no human rights protections on issues like surveillance, data privacy, and data protection.”

While Wassenaar attempts to provide transparency and a guiding framework to the issue of technology exports, some say the arrangement will struggle to keep up with the pace of technological change and is unlikely to prevent technology from winding up in the hands of those who want to buy it.

Cindy Cohn, the executive director of the Electronic Frontier Foundation, says that export regulations might not be the best tool for keeping surveillance tools out of the hands of authoritarian regimes. Cohn argues that means for legal redress are needed when European or American surveillance technology is used to spy on citizens. “I think people who get spied on by this stuff should be able to sue the company and the government and get remedies. We’ve got all these tools out there in the world that are basically letting foreign governments wiretap citizens anywhere in the world without any legal process whatsoever.”

But beyond that, Cohn said, is a larger conversation about what kinds of surveillance and forensic technology should be developed and used, regardless of their potential exports. “I think that the problems with these spy tools are not just the problems of them being used by ‘bad foreign governments,’” said Cohn. “I think we need to talk about the use of these spy tools by the ‘good governments’ that we like, and how uncontrolled and unregulated it is.” In the U.S., Cohn added, “The big question for a lot of companies now is, should they sell to ICE?”

An Opaque System

When he was released, Myat got his phone back, but friends warned him not to use the same SIM card. He didn’t know which parts of his phone had been accessed during his four days in prison. Myat did a factory reset on the phone and now only uses it on Wi-Fi in hopes that he can avoid ongoing surveillance.

Myat still has pain that sometimes jolts his body; when he coughs or sneezes, his ribs and chest ache. He emphasized that the beatings he experienced during his arrest and imprisonment were nothing compared to the suffering of others. “There were one or two detainees from the student unions; they were taken away with black hoods over their heads and they didn’t come back.”

Myat and other detainees who made it out now lack any redress mechanisms to find out if their data was copied from their phones or if they are still being monitored.

In the EU’s race to develop cutting-edge security technology, some of the biggest funding recipients have been arms companies and those building surveillance and forensic tools for law enforcement and border security. Critics say the bloc should be doing more to regulate what new technology is created and where it can be exported, and to make those transactions transparent. “A lot of these companies are not keen to say, ‘We’re selling to military intelligence in this or that country,’” said Schaake, the former Dutch MEP. “It’s an opaque system that we want to open up.”

According to Dickinson, the MSAB executive, after the February coup the company stopped plans for any future collaboration with Myanmar and revoked the licenses on the forensic technology it sold two years ago. At least, he said, that meant whoever now had the devices wouldn’t be able to update them. Such a distinction means little for Myat and Myanmar’s citizens, who are facing the possibility of life under an increasingly violent and well-equipped military dictatorship. Is MSAB confident that its devices aren’t currently being used in Myanmar?

Dickinson wouldn’t say.

Correction: June 15, 2021

This article has been updated to clarify the relationship between the Wassenaar Arrangement and the EU’s dual-use export regime.

_______________________________________________

Zach Campbell – zachcampbell@​pm.me

Caitlin L. Chandler – caitlin.chandler@​protonmail.com

With additional reporting by Thin Lei Win.

Go to Original – theintercept.com