The European Union provides annual financial aid to many different developing countries around the world. Various privacy groups, chief among them Privacy International, are raising alarms about some of these EU aid programs. Funds, equipment and training are reportedly going to the intelligence agencies of repressive governments and being used explicitly for domestic surveillance; examples include training seminars that taught participants how to perform “man in the middle” WiFi attacks and monitor dissidents on social media.
EU aid used to support “unaccountable” surveillance
A recent report from Privacy International outlines the material support for surveillance programs around the world, all of which were conducted under the auspices of humanitarian aid and law enforcement knowledge partnerships. Privacy International identifies incidents in at least a dozen countries that span the Balkans, the Middle East and North Africa.
The report was created from hundreds of documents obtained by Privacy International under EU laws that mandate public access to government information. It paints a picture of EU aid being directed into surveillance programs that wiretap citizens, track the mobile phones of migrants, use biometric systems for deportations and spy on the activities of social media users.
The controversial EU aid programs appear to be centered on EU member states that share borders with non-member states, with much of the training focus on border crossings and migration. The largest of these training authorities is the Hungary-based European Union Agency for Law Enforcement Training (CEPOL), which develops and coordinates law enforcement training programs for many EU member states. CEPOL also trains government agencies in Algeria, Jordan, Lebanon, Morocco, Tunisia and Turkey. Ostensibly these partnerships are about relatively innocuous subjects such as stopping financial crime and implementing cyber security best practices, but the documents unearthed by Privacy International show that these arrangements extend into the supply of surveillance equipment and training in the use of it.
The documents specifically outline this type of training and EU aid being provided to participants from the intelligence and law enforcement agencies of Albania, Algeria, Bosnia and Herzegovina, Kosovo, Montenegro, and Morocco. The training included subjects such as techniques for cracking mobile devices, methods for investigating charities, and how to monitor social media users and map out their connections using open source tools.
While those subjects might be argued to be necessary for legitimate law enforcement purposes such as thwarting terrorism, elements of the surveillance training indicate that this was not always the focus. A 2019 training conducted for Algerian law enforcement officers laid out how to create fake social media profiles to gather intelligence and how to manage large amounts of them while covering one’s tracks. This behavior is generally against the terms of service of major social media platforms such as Facebook. The training also identified ways to find pages that are not supposed to be public but can be accessed via security oversights and glitches, as well as the use of WiFi “pineapples” to intercept internet users with a “man in the middle” attack.
In terms of border controls, the report indicates that countries to the south and east of the EU are having their security agencies outfitted with a variety of surveillance equipment: drones, wiretapping tools, cameras, and the international mobile subscriber identity catcher (IMSI) used to indiscriminately scoop up information from groupings of phones gathered at protests and demonstrations. These tools were provided to Niger, Bosnia and Herzegovina, Lebanon, Libya and Jordan among others. IMSIs, which appear to have been provided to Niger, are highly controversial devices to the degree that the United Kingdom government refuses to confirm that it makes use of them.
And in West Africa, EU aid is being provided to build mass biometric personal data identification systems used for migration controls and deportations. Privacy International alleges that French contractor Civipol is creating these systems without any privacy or human rights risk assessments.
Review of EU aid program needed
Some of the countries in which this EU aid is being provided are under governments that have an established history of human rights abuses and surveillance of government dissidents. For example, Morocco has been caught hacking in an effort to track activists and journalists. Algeria has long struggled with issues concerning freedom of the press and government corruption, with journalists being arrested for “defamation” of officials under very broad and vague laws. And the Niger government has arrested journalists and has been accused of “disappearing” political dissidents.
Privacy International and a dozen other NGOs issued a letter asking European governments to review their programs and address the issue, with particular focus on foreign governments that have “unaccountable” intelligence services and might use these surveillance tools for repression. It asks for the implementation of risk assessment and due diligence processes in distribution of these EU aid funds, as well as the establishment of a fund to promote privacy and data rights and protect people who face daily threats from unaccountable surveillance.