Another U.S. company has been implicated in allegedly supplying Internet blocking equipment to a Middle Eastern country. From the BBC:
The US government is looking into claims that Syria restricted its citizens' access to the internet, using an American company's technology.
A group of hackers says it has downloaded data from the Syrian government telecommunications agency.
It says the records suggest equipment built by Blue Coat is being used to limit website access and, possibly, to monitor dissidents.
, which is based in Silicon Valley, has denied that it supplied equipment to Syria, which is subject to U.S. sanctions on anything but food and essential medical supplies.
Blue Coat products and services are usually used by corporations to manage data traffic, but can also be used as a monitoring tool or to block access to some websites.
It was the Swedish hacker collective, Telecomix
, which originally implicated Blue Coat:
[Telecomix ] said it downloaded 54 gigabytes of Syrian telecoms data in August.
The group says the files contained evidence of "web filtering and monitoring", and when it scanned internet protocol addresses associated with the Syrian authorities, some of them responded as being Blue Coat devices.
One member of Telecomix, who is known by the nickname KheOps, told the BBC:
"Also, we have info from the ground to confirm the info."
Another member, known as okhin, said it was likely that Syria had not bought the devices directly from Blue Coat because "those devices are extremely poorly configured, and we think that when Blue Coat sells devices they usually sell technical skill to configure and use them".
It would appear that all of Syria’s BlueCoat hardware calls home to update its ability to filter and monitor new objects that it has not encountered. Equally importantly, the Syrian logs are filled with queries related to BlueCoat systems, such as ‘bluecoat data collector,’ something that a general home user would have little interest in.
By current count, there are more than a thousand queries to BlueCoat’s client services documented in a few days of traffic logs. Considering the extent of this traffic and the peculiarity of its origin, that BlueCoat was not aware of the existence of these devices appears implausible.
Western tech companies have had a spotty record in their dealings with Middle Eastern regimes recently. Vodafone was criticized over its role in the Egyptian Internet black-out earlier this year. In 2009, Nokia was implicated in supplying Iran with mobile surveillance technologies. Another U.S. company, Narus, owned by Boeing, was accused of selling Egypt deep packet inspection technology.
The Electronic Frontier Foundation has called on technology companies to "know your customer"
and avoid being repression's little helper:
1. Companies selling surveillance technologies to governments need to affirmatively investigate and "know your customer" before and during a sale. We suggest something for human rights similar to what most of these companies are already required to do under the Foreign Corrupt Practices Act and the export regulations for other purposes, and
2. Companies need to refrain from participating in transactions where their "know your customer" investigations reveal either objective evidence or credible concerns that the technologies provided by the company will be used to facilitate human rights violations.
The situation gets trickier, however, if the Syrian authorities obtained the hardware from a third party. Blue Coat itself has said that it's possible that their equipment could have been acquired by Syria from a third party
on the gray market.
Just like illegal arms deals, tech hardware and software has a habit of making its way into countries that shouldn't have it. It doesn't appear that companies would bear any legal liability for -- through no fault of their own -- their hardware or software ending up in the wrong hands. (I asked a few experts about this, but the answer is far from clear. If anyone has any further insight, do let me know in the comments or by email.)