>From - Sat Mar 02 00:57:27 2024
Received: by 10.52.64.173 with SMTP id p13mr3114551vds.0.1320119417450;
Mon, 31 Oct 2011 20:50:17 -0700 (PDT)
X-BeenThere: tscm-l2006_at_googlegroups.com
Received: by 10.220.1.131 with SMTP id 3ls3360364vcf.1.canary; Mon, 31 Oct
2011 20:50:13 -0700 (PDT)
Received: by 10.52.88.164 with SMTP id bh4mr3105972vdb.8.1320119413884;
Mon, 31 Oct 2011 20:50:13 -0700 (PDT)
Received: by 10.52.88.164 with SMTP id bh4mr3105970vdb.8.1320119413859;
Mon, 31 Oct 2011 20:50:13 -0700 (PDT)
Return-Path: <ber..._at_netaxs.com>
Received: from newmx3.fast.net (newmx3.fast.net. [209.92.1.33])
by gmr-mx.google.com with SMTP id b8si4900886vdu.2.2011.10.31.20.50.13;
Mon, 31 Oct 2011 20:50:13 -0700 (PDT)
Received-SPF: neutral (google.com: 209.92.1.33 is neither permitted nor denied by best guess record for domain of ber..._at_netaxs.com) client-ip 9.92.1.33;
Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 209.92.1.33 is neither permitted nor denied by best guess record for domain of ber..._at_netaxs.com) smtp.mail¾r..._at_netaxs.com
Message-Id: <4eaf6c75.2845340a.114c.6fe3SMTPIN_ADDED_at_gmr-mx.google.com>
Received: (qmail 28568 invoked from network); 1 Nov 2011 03:50:08 -0000
Received: from unknown (HELO NTR71408.netaxs.com) ([68.246.59.243]) (envelope-sender <ber..._at_netaxs.com>)
by newmx3.fast.net (qmail-ldap-1.03) with SMTP
for <tscm-..._at_googlegroups.com>; 1 Nov 2011 03:50:08 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 31 Oct 2011 23:49:59 -0400
To: tscm-l2006_at_googlegroups.com
From: bernieS <ber..._at_netaxs.com>
Subject: Proposed "Know Your Customer" Standards for Sales of
Electronic Surveillance Equipment
In-Reply-To: <20111031065830.4FAB6115396C_at_barracuda.ase.ro>
References: <20111031065830.4FAB6115396C_at_barracuda.ase.ro>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="===========_90272895=.ALT"
X-Antivirus: avast! (VPS 111031-1, 10/31/2011), Outbound message
X-Antivirus-Status: Clean
Below, we’ve outlined a proposal for companies to
audit their current and potential customers for
human rights abuses. We propose a simple framework:
* Companies selling surveillance technologies
to governments need to affirmatively investigate
and "know your customer" before and during a
sale. We suggest something for human rights
similar to what most of these companies are
already required to do under the
<http://www.justice.gov/criminal/fraud/fcpa/>Foreign
Corrupt Practices Act and the
<http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=b598042103e95=
c10c396b0140e0620b7&rgn=div9&view=text&node=15:2.1.3.4.21.0.1.7.22&id=
no=15>export
regulations for other purposes, and
* Companies need to refrain from
participating in transactions where their "know
your customer" investigations reveal either
objective evidence or credible concerns that the
technologies provided by the company will be used
to facilitate human rights violations.
We believe this framework would be most effective
if companies implement it voluntarily, thereby
ensuring the most flexible approach as
technologies change and situations around the
world shift. Nokia Siemens Networks has already
adopted a
<http://www.nokiasiemensnetworks.com/sites/default/files/document/human_rig=
ht_policy.pdf>Human
Rights Policy that incorporates some of these
guidelines. But if companies don’t act on their
own, and don’t act soon and with convincing
commitment, then some regulatory approach in the
U.S. is likely going to be necessary. As we noted
earlier this month, the
<https://www.eff.org/deeplinks/2011/10/eu-parliament-takes-first-step-bans-=
sales>EU
Parliament recently took a step toward preventing
sales of surveillance equipment to authoritarian
regimes, and members of the U.S. Congress are watching closely as well.
Here are some basic guidelines to ensure that
U.S. companies aren’t complicit in the abuse of
human rights around the world, regardless of
whether efforts are voluntary or through regulation.
"Know Your Customer" Human Rights Process
[Note: These guidelines use key terms
Technologies, Transaction, Company and
Government which are defined at the bottom and capitalized throughout]
Affirmatively Investigate: The Company must have
a process, led by a specifically-designated
person, to engage in an ongoing evaluation of
whether Technologies or Transaction will be, or
are being used to aid, facilitate or cover up
human rights
abuses.<https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-c=
ustomer-standards-sales-surveillance-equipment#footnote3_9tsxxaj>3
This process needs to be more than lip service
and needs to be verifiable (and verified) by
outsiders. It needs to be an organizational
commitment, with real mechanisms in place
including tools, training and education of
personnel and career consequences for personnel
when the process is not followed. In addition, in
order to build transparency and solidarity, a
Company that decides to refuse (or continue)
further service on the basis of these standards
should, where possible, report that decision
publicly so that other companies can have the benefit of their evaluation.
The process should include, at a minimum:
* Review of what the purchasing Government
and Government agents and the Company personnel
and agents are saying about the use of the
Technologies, both before and during any
Transaction. This includes, among other things,
review of sales and marketing materials and
discussions, technical discussions and questions,
presentations, technical and contractual
specifications and technical support
conversations or requests. Some of the most
troubling evidence in the Cisco case are the
presentations made by Cisco employees that are
plainly marketing the company as assisting the
Chinese Government in combatting the
“<http://www.wired.com/threatlevel/2008/05/leaked-cisco-do/>Falun
Gong Evil Religion.”
* Review of the capabilities of the
Technology for human rights abuses and
consideration of possible mitigation measures, both technical and contractu=
al.
* Review the Government’s laws, regulations
and practices regarding surveillance, including
interception of communications, access to stored
communications, due process requirements, and
other relevant legal process as part of the
assessment of risk of how the Technologies may be
used or misused. For instance,
<http://www.nokiasiemensnetworks.com/sites/default/files/document/human_rig=
ht_policy.pdf>Nokia
Siemenssays that it will only provide core lawful
intercept (i.e. surveillance) capabilities that
are legally required and are "based on clear
standards and a transparent foundation in law and practice."
* Review U.S. State Department annual
<http://www.state.gov/g/drl/rls/hrrpt/>human
rights reports, relevant U.N. Reports, and other
credible reports about the Government, including
news or other reports from nongovernmental
sources or local sources that indicate whether
the Government engages in the use or misuse of
surveillance capabilities to conduct human rights abuses.
Refraining from Participation: The Company must
not participate in, or continue to participate in
a Transaction or provide a Technology if it
appears reasonably foreseeable that the
Transaction or Technology will directly or
indirectly facilitate human rights violations by the Government, including:
* The portion of the Transaction that the
Company is involved in or the specific Technology
provided includes building, customizing,
configuring or integrating into a system that is
known or is reasonably foreseen to be used for
human rights violations, whether done by the Company or by others.
* The portion of the Government that is
engaging in the Transaction or overseeing the
Technologies has been recognized as committing
gross human rights abuses using or relying on
similar Technologies, either directly or indirectly.
* The Government's overall record on human
rights generally raises credible concerns that
the Technology or Transaction will be used to facilitate human rights abuse=
s.
* The Government refuses to incorporate
contractual terms confirming the intended use or
uses of the Technologies by the Government and to
require the auditing of their use by the
Government purchasers in sales of surveillance Technologies.
Key Definitions and the Scope of the Process: Who
should undertake these steps? The field is
actually pretty small: Companies engaging in
Transactions to sell or lease Technologies to Governments, defined as follo=
ws:
* “Transaction” includes all sales, leases,
rental or other types of arrangements where a
Company, in exchange for any form of payment or
other consideration, either provides or assists
in providing Technologies, personnel or
non-technological support to a Government. This
also includes providing of any ongoing support
such as software or hardware upgrades, consulting or similar services.
* “Technologies” include all systems,
technologies, consulting services, and software
that are reasonably likely to be used to surveil
third parties, including but not limited to
technologies that intercept communications,
packet-sniffing software, deep packet inspection
technologies, certain biometrics devices and
systems, voting systems, and smart meters.
* “Company” includes subsidiaries, joint
ventures (especially joint ventures directly with
government entities), and other corporate
structures where the Company has significant
holdings or has operational control.
* “Government” includes formal, recognized
governments, including State parties to the
United Nations. It also includes governing or
government-like entities, such as the Chinese
Communist Party or the Taliban and other
nongovernmental entities that effectively
exercise governing powers over a country or a
portion of a country. For these purposes
“Government” includes indirect sales through a
broker, contractor, or other intermediary or
multiple intermediaries if the Company is aware
or should know that the final recipient of the Technology is a Government.
This framework isn’t the only reasonable option
for addressing the problem, of course. Yet given
the steps that these large companies who compete
in these markets already have to take – under the
export laws, the Foreign Corrupt Practices Act
and otherwise – this is a relatively small
addition. While some may argue that pushing U.S.
tech companies to have a strong human rights
filter will give a competitive advantage to
companies that don’t institute one, the same is
true about the anti-bribery laws. If these big
companies can be expected not to get business
through bribes even though some of their foreign
competitors do, it’s reasonable to ask them not
to get business enabling repression either.
Regardless of how tech companies get there,
efforts to bring democracy and freedom around the
world are hampered until they commit to making
business decisions that consider human rights
ramifications. No reasonable company, certainly
none in Silicon Valley, wants to be known as the
company that helps facilitate human rights
abuses. It’s time tech companies take real steps
to ensure that they aren’t serving as "repression’s little helpers."
*
<https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer=
-standards-sales-surveillance-equipment#footnoteref1_uoa5gw2>1.For
example, Narus, a Boeing subsidiary,
<http://www.huffingtonpost.com/timothy-karr/one-us-corporations-role-_b_815=
281.html>was
revealed to have sold to Libya sophisticated
equipment used for surveillance. Telecomix
<http://reflets.info/opsyria-web-censorship-technologies-in-syria-revealed-=
en/>recently
published log files from the Syrian
Telecommunications Establishment use of devices
made by California’s BlueCoat Systems, Inc. And
Cisco Systems is
<https://www.eff.org/deeplinks/2011/08/cisco-and-abuses-human-rights-china-=
part-1>facing
litigation in both Maryland and California based
on its alleged sales of surveillance equipment to
the Chinese to track, monitor and otherwise
facilitate the arrest, detention, or
disappearance of human rights activists and
religious minorities who have been subjected to gross human rights violatio=
ns.
*
<https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer=
-standards-sales-surveillance-equipment#footnoteref2_le9upd4>2.In
fact, unlike some of the
<https://en.wikipedia.org/wiki/Know_your_customer>other
places where it is used, "know your customer" is
a reasonable idea in the limited context of sales
of sophisticated technologies that can be used to
facilitate human rights abuses to countries at risk for repression.
*
<https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer=
-standards-sales-surveillance-equipment#footnoteref3_9tsxxaj>3.Maybe
it's time for companies that wish to sell this
sophisticated equipment to foreign governments to
have Human Rights Officers just as they now have Privacy Officers.
<html>
<body>
<br>
<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-you=
r-customer-standards-sales-surveillance-equipment">
https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-=
standards-sales-surveillance-equipment</a>
<br><br>
OCTOBER 24, 2011 - 6:39PM | BY
<a href="https://www.eff.org/about/staff/cindy-cohn">CINDY COHN</a> AND
<a href="https://www.eff.org/about/staff/jillian-york">JILLIAN C.
YORK</a><br><br>
<h2><b>“Know Your Customer” Standards for Sales of Surveillance
Equipment</b></h2><i>or <br><br>
How Technology Companies Can Avoid Being "Repression’s Little
Helper"<br><br>
</i>For years, there’s been ample evidence that authoritarian governments
around the world are relying on the technology of U.S. and European
companies to facilitate abuse of human rights, with a wealth of recent
evidence in the Arab Spring and
China.<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-kn=
ow-your-customer-standards-sales-surveillance-equipment#footnote1_uoa5gw2">
1</a> As we
<a href="https://www.eff.org/deeplinks/2011/10/eu-parliament-takes-first-=
step-bans-sales">
mentioned recently</a>, it's time for tech companies, especially those
selling surveillance equipment, to step up and ensure that they aren’t
assisting foreign governments in committing human rights violations
against their own people. One way tech companies can navigate this
difficult issue is by adopting a robust
<a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=
=b598042103e95c10c396b0140e0620b7&rgn=div9&view=text&node=
=15:2.1.3.4.21.0.1.7.22&idno=15">
<i>Know Your Customer</a></i> program, similar to the one in the current
U.S. export controls or a program similar to that required by the
<a href="http://www.justice.gov/criminal/fraud/fcpa/">Foreign Corrupt
Practices
Act</a>
.<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-yo=
ur-customer-standards-sales-surveillance-equipment#footnote2_le9upd4">
2</a><br><br>
Below, we’ve outlined a proposal for companies to audit their current and
potential customers for human rights abuses. We propose a simple
framework:
<ol>
<li>Companies selling surveillance technologies to governments need to
affirmatively investigate and "know your customer" before and
during a sale. We suggest something for human rights similar to
what most of these companies are already required to do under the
<a href="http://www.justice.gov/criminal/fraud/fcpa/">Foreign Corrupt
Practices Act</a> and the
<a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=
=b598042103e95c10c396b0140e0620b7&rgn=div9&view=text&node=
=15:2.1.3.4.21.0.1.7.22&idno=15">
export regulations</a> for other purposes, and
<li>Companies need to refrain from participating in transactions where
their "know your customer" investigations reveal either
objective evidence or credible concerns that the technologies provided by
the company will be used to facilitate human rights violations.
</ol><br>
We believe this framework would be most effective if companies implement
it voluntarily, thereby ensuring the most flexible approach as
technologies change and situations around the world shift. Nokia Siemens
Networks has already adopted a
<a href="http://www.nokiasiemensnetworks.com/sites/default/files/document=
/human_right_policy.pdf">
Human Rights Policy</a> that incorporates some of these guidelines.
But if companies don’t act on their own, and don’t act soon and with
convincing commitment, then some regulatory approach in the U.S. is
likely going to be necessary. As we noted earlier this month, the
<a href="https://www.eff.org/deeplinks/2011/10/eu-parliament-takes-first-=
step-bans-sales">
EU Parliament </a>recently took a step toward preventing sales of
surveillance equipment to authoritarian regimes, and members of the U.S.
Congress are watching closely as well. <br><br>
Here are some basic guidelines to ensure that U.S. companies aren’t
complicit in the abuse of human rights around the world, regardless of
whether efforts are voluntary or through regulation.<br><br>
<br>
<h3><b>"Know Your Customer" Human Rights
Process</b></h3><i>[Note: These guidelines use key terms Technologies,
Transaction, Company and Government which are defined at the bottom and
capitalized throughout]<br><br>
</i><b>Affirmatively Investigate:</b> The Company must have a process,
led by a specifically-designated person, to engage in an ongoing
evaluation of whether Technologies or Transaction will be, or are being
used to aid, facilitate or cover up human rights
abuses.<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-k=
now-your-customer-standards-sales-surveillance-equipment#footnote3_9tsxxaj"=
>
3</a> <br><br>
This process needs to be more than lip service and needs to be verifiable
(and verified) by outsiders. It needs to be an organizational
commitment, with real mechanisms in place including tools, training and
education of personnel and career consequences for personnel when the
process is not followed. In addition, in order to build transparency and
solidarity, a Company that decides to refuse (or continue) further
service on the basis of these standards should, where possible, report
that decision publicly so that other companies can have the benefit of
their evaluation.<br><br>
The process should include, at a minimum:
<ol>
<ol>
<li>Review of what the purchasing Government and Government agents and
the Company personnel and agents are saying about the use of the
Technologies, both before and during any Transaction. This includes,
among other things, review of sales and marketing materials and
discussions, technical discussions and questions, presentations,
technical and contractual specifications and technical support
conversations or requests. Some of the most troubling evidence in the
Cisco case are the presentations made by Cisco employees that are plainly
marketing the company as assisting the Chinese Government in combatting
the
“<a href="http://www.wired.com/threatlevel/2008/05/leaked-cisco-do/">
Falun Gong Evil Religion</a>.”
<li>Review of the capabilities of the Technology for human rights abuses
and consideration of possible mitigation measures, both technical and
contractual.
<li>Review the Government’s laws, regulations and practices regarding
surveillance, including interception of communications, access to stored
communications, due process requirements, and other relevant legal
process as part of the assessment of risk of how the Technologies may be
used or misused. For instance,
<a href="http://www.nokiasiemensnetworks.com/sites/default/files/document=
/human_right_policy.pdf">
Nokia Siemens</a>says that it will only provide core lawful intercept
(i.e. surveillance) capabilities that are legally required and are
"based on clear standards and a transparent foundation in law and
practice."
<li>Review U.S. State Department annual
<a href="http://www.state.gov/g/drl/rls/hrrpt/">human rights reports,</a>
relevant U.N. Reports, and other credible reports about the Government,
including news or other reports from nongovernmental sources or local
sources that indicate whether the Government engages in the use or misuse
of surveillance capabilities to conduct human rights abuses.
</ol>
</ol><br>
<b>Refraining from Participation: </b>The Company must not participate
in, or continue to participate in a Transaction or provide a Technology
if it appears reasonably foreseeable that the Transaction or Technology
will directly or indirectly facilitate human rights violations by the
Government, including:
<ol>
<ol>
<li>The portion of the Transaction that the Company is involved in or the
specific Technology provided includes building, customizing, configuring
or integrating into a system that is known or is reasonably foreseen to
be used for human rights violations, whether done by the Company or by
others.
<li>The portion of the Government that is engaging in the Transaction or
overseeing the Technologies has been recognized as committing gross human
rights abuses using or relying on similar Technologies, either directly
or indirectly.
<li>The Government's overall record on human rights generally raises
credible concerns that the Technology or Transaction will be used to
facilitate human rights abuses.
<li>The Government refuses to incorporate contractual terms confirming
the intended use or uses of the Technologies by the Government and to
require the auditing of their use by the Government purchasers in sales
of surveillance Technologies.
</ol>
</ol><br>
<b>Key Definitions and the Scope of the Process:</b> Who should undertake
these steps? The field is actually pretty small: Companies engaging in
Transactions to sell or lease Technologies to Governments, defined as
follows:
<ol>
<ol>
<li>“Transaction” includes all sales, leases, rental or other types of
arrangements where a Company, in exchange for any form of payment or
other consideration, either provides or assists in providing
Technologies, personnel or non-technological support to a Government.
This also includes providing of any ongoing support such as software or
hardware upgrades, consulting or similar services.
<li>“Technologies” include all systems, technologies, consulting
services, and software that are reasonably likely to be used to surveil
third parties, including but not limited to technologies that intercept
communications, packet-sniffing software, deep packet inspection
technologies, certain biometrics devices and systems, voting systems, and
smart meters.
<li>“Company” includes subsidiaries, joint ventures (especially joint
ventures directly with government entities), and other corporate
structures where the Company has significant holdings or has operational
control.
<li>“Government” includes formal, recognized governments, including Sta=
te
parties to the United Nations. It also includes governing or
government-like entities, such as the Chinese Communist Party or the
Taliban and other nongovernmental entities that effectively exercise
governing powers over a country or a portion of a country. For these
purposes “Government” includes indirect sales through a broker,
contractor, or other intermediary or multiple intermediaries if the
Company is aware or should know that the final recipient of the
Technology is a Government.
</ol>
</ol><br>
This framework isn’t the only reasonable option for addressing the
problem, of course. Yet given the steps that these large companies who
compete in these markets already have to take – under the export laws,
the Foreign Corrupt Practices Act and otherwise – this is a relatively
small addition. While some may argue that pushing U.S. tech
companies to have a strong human rights filter will give a competitive
advantage to companies that don’t institute one, the same is true about
the anti-bribery laws. If these big companies can be expected not to get
business through bribes even though some of their foreign competitors do,
it’s reasonable to ask them not to get business enabling repression
either.<br><br>
Regardless of how tech companies get there, efforts to bring democracy
and freedom around the world are hampered until they commit to making
business decisions that consider human rights ramifications. No
reasonable company, certainly none in Silicon Valley, wants to be known
as the company that helps facilitate human rights abuses. It’s time tech
companies take real steps to ensure that they aren’t serving as
"repression’s little helpers."
<ul>
<li>
<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-you=
r-customer-standards-sales-surveillance-equipment#footnoteref1_uoa5gw2">
1.</a>For example, Narus, a Boeing subsidiary,
<a href="http://www.huffingtonpost.com/timothy-karr/one-us-corporations-r=
ole-_b_815281.html">
was revealed</a> to have sold to Libya sophisticated equipment used for
surveillance. Telecomix
<a href="http://reflets.info/opsyria-web-censorship-technologies-in-syria=
-revealed-en/">
recently published </a>log files from the Syrian Telecommunications
Establishment use of devices made by California’s BlueCoat Systems, Inc.
And Cisco Systems is
<a href="https://www.eff.org/deeplinks/2011/08/cisco-and-abuses-human-rig=
hts-china-part-1">
facing litigation</a> in both Maryland and California based on its
alleged sales of surveillance equipment to the Chinese to track, monitor
and otherwise facilitate the arrest, detention, or disappearance of human
rights activists and religious minorities who have been subjected to
gross human rights violations.
<li>
<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-you=
r-customer-standards-sales-surveillance-equipment#footnoteref2_le9upd4">
2.</a>In fact, unlike some of the
<a href="https://en.wikipedia.org/wiki/Know_your_customer">other
places</a> where it is used, "know your customer" is a
reasonable idea in the limited context of sales of sophisticated
technologies that can be used to facilitate human rights abuses to
countries at risk for repression.
<li>
<a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-you=
r-customer-standards-sales-surveillance-equipment#footnoteref3_9tsxxaj">
3.</a>Maybe it's time for companies that wish to sell this sophisticated
equipment to foreign governments to have Human Rights Officers just as
they now have Privacy Officers.
</ul></body>
</html>
--===========_90272895=.ALT--
Received on Sat Mar 02 2024 - 00:57:27 CST
This archive was generated by hypermail 2.3.0
: Sat Mar 02 2024 - 01:11:46 CST