When in July Wikileaks published official records and internal correspondence belonging to Hacking Team — an Italian company that sells surveillance technology to governments and businesses — New Delhi too was caught in the crosshairs of the controversy that followed. Why did the Indian government talk shop with a little-known entity and its equally dodgy marketing agents, critics wondered, especially when Hacking Team had a history of selling spyware to autocracies in West Asia and North Africa? If lawful interception and espionage were indeed the stated objectives behind purchasing such technologies, why didn’t a government that spends trillions of rupees every year on defence spending simply go to a better manufacturer?
The answer to that puzzle lies in an instrument signed by members of the North Atlantic Treaty Organisation (NATO) and 13 other countries in the Dutch town of Wassenaar two decades ago. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, as the 1995 instrument is called, may have replaced stringent Cold War regimes, but merely substituted the ideological divide with that of a different sort.
The Wassenaar rules perpetuate a digital divide by restricting Western companies and governments from supplying crucial technologies to emerging markets. The document draws from an expansive list, ranging from technologies relating to the telecommunications sector to digital sensors, computing and aviation: in other words, technology that is indispensable to governments if they are to protect their critical information infrastructure. The Wassenaar guidelines do not bind member states but make it incumbent on them to craft a strong export control regime.
The early nineties arguably made for a good case to articulate such an arrangement — though the Cold War had ended, its relics in the form of authoritarian governments and armed militias subsisted, requiring a carefully calibrated approach to sharing sensitive technologies. Today, the Wassenaar regime threatens to become obsolete on account of its failure to distinguish between the legitimate security needs of governments and misuse of high-end technology. Far from relaxing the export control regime, member states have piled on to its restrictions. In 2013, the Wassenaar Arrangement added a new category pertaining to “intrusion software” that could potentially be used as “monitoring tools”, or to thwart “protective countermeasures” in cyberspace. Hardware and software that helped “extract information” were also classified within this restricted category.
The sweeping definitions in the 2013 amendment to the Wassenaar regime have prompted both computer scientists and policy analysts to highlight the “chilling effect” it may have on cybersecurity research. Without access to growing digital economies, Western companies have no exposure to emerging security threats to Internet companies and users. More importantly, developing country governments have no means to strengthen their domestic cybersecurity sector without knowledge sharing from their advanced counterparts.
The concern that these “intrusion” technologies may be used by governments to engage in mass surveillance on their citizens is legitimate. However, the Wassenaar Arrangement does not offer any qualitative consideration of towards governments that have sound domestic policies and legal checks on unlawful interception of communication. Moreover, the claim that Western democracies have been scrupulous in deploying surveillance technologies has been spectacularly demolished by the Snowden revelations. The sheer scale and depth of cooperation among the Five Eyes countries — the U.S., U.K., Australia, New Zealand and Canada, all members of the Wassenaar regime — on indiscriminate and illegal data-gathering and surveillance stand exposed today.
Technology transfer between governments, then, is an overtly political act, with human rights consideration being an important strategic factor.
Whether the United States government will let these restrictive rules stand in the way of its political relationship with India, then, remains to be seen. In May this year, the U.S. Department of Commerce sought to incorporate the 2013 Wassenaar amendment into domestic legislation, triggering protest from Internet companies who seek a secure environment to operate in emerging economies. The Electronic Frontier Foundation (EFF) has called the U.S. restrictions as an “unworkably-broad set of controls”. “Not only does the proposed implementation fail to contain Wassenaar exceptions, but it goes much further than the Wassenaar text,” argues EFF. During the subsequent two-month period created by the U.S. government to attract public comment on the proposal, it is understood that the Indian government too has expressed concerns regarding the wide scope of export controls.
Multilateral export control regimes — especially India’s membership in the Nuclear Suppliers Group (NSG) — have been a subject of discussion between India and the United States for nearly a decade. In 2010, the U.S. Deputy National Security Advisor had suggested the Obama administration supported “India’s full membership” in the NSG and the Wassenaar Arrangement, but there has been little progress on this commitment. Its recent moves to absorb the Wassenaar rules could potentially complicate bilateral discussions on cybersecurity and Internet governance. For those within the Indian establishment seeking preferential treatment from the U.S. on technology transfer, the episode should serve as a reality check. If New Delhi — through its endorsement of the “multi-stakeholder” model of internet governance — recently signalled its willingness to play by the rules that the U.S. has set for cyberspace, it must also introspect whether the political costs of that decision will be offset by strategic gains.
(Arun Mohan Sukumar heads the Cyber Initiative at the Observer Research Foundation, New Delhi)