The reported license is part of the Dutch transparency policy on strategic goods. Many of the Dutch strategic exports are on advanced technology and the Netherlands in 2019 was responsible for a quarter of all EU dual-use exports (p. 35 of Dutch annual arms export report). Often the specifics are hard to understand. This is not improved by the fact the reporting is extremely rudimentary. In the above mentioned case the name of exporting entity was not provided. Neither was the receiver on the other end in Myanmar. That is not an exception, but common policy. The date of license, a minimal description, end use, value and a EU dual use code is all what is given. That means not if the end user in Myanmar is an intelligence service, telephony provider, armed forces, foreign or domestic.
The
Encryption equipment can be used to confidentially exchange information. It is part of the secrecy part of diplomacy, but also militarism. Philips USFA laid the foundation for this technology in the Netherlands and exported this kind of equipment to a wide range of destinations as was exposed in 1992 by peace activist aiming for conversion of this military activity by Philips USFA/Crypto. In 2003 these Phlips activities were partly sold to Compumatica Secure Networks in Uden en Fox-IT in Delft.
Dutch licenses for definitive dual use exports (there are also temporarily exports for trade shows, used by external parties etc.) were valued € 11 billion in the period Jan-Jul 2021. Of this Category 5 took 6 per cent, that is € 642 million, more than the total average of military exports in the same time span. The list of category 5 clients is wide ranging, it includes countries in the North and the Global South (see map, note that reporting for EU and NATO (+ Australia, Japan, New-Zealand, and Switzerland) is exceptional, covering a large part of the globe).
Information technology became mainstream news this year when the activities of Israeli company NSO were spotlighted. The company sold its knowledge and technology to regimes which used it to spy on opposition, human rights activists and journalists. The current levels of information technology makes it a dangerous weapon in the hands of despots, security services and the like. In the EU dual-use policy code 5A001j deals with surveillance systems or equipment, the interception of data. Control is essential and the EU policy on dual use states among more on cyber surveillance:
1. This authorisation does not authorise the export of items where ... the items in question are or may be intended, in their entirety or in part: ... for use in connection with a violation of human rights, democratic principles or the freedom of expression as defined by the Charter of Fundamental Rights of the European Union, by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use (e.g. via Monitoring Centres and Lawful Interception Gateways).
The receiver of the technology makes a major difference. The EU names a few potential clients such as military, paramilitary, police, intelligence, surveillance end-use, other security end-use by the government, entities acting on behalf of the government. Mobile Phone provider or a secret services as end user can make world of difference (although both must be watched with care).
Licenses for exports of this technology are not always given by the Dutch authorities, pointing at the controversial character it has. The Netherlands denied three information security licenses. One had the United Arab Emirates as end receiver and two had Saudi Arabia. In case of these denials the receivers were provided, being respectively the UAE Ministry of Defence, the Saudi Royal Guard, and Air Force, but not the Dutch firm carelessly applying for such an export license. The other major Arab military power in the Middle East Egypt was denied several sales in the past few years: in 2018 to the Ministry of Internal Affairs by Alkan Telekom/Mantrac; in 2019 sales to the General Intelligence Service were refused two times.
(text continues under table)
Code |
Shortened description Category 5 telecommunication and information security |
5A001a1 |
Telecommunications systems, equipment, components and accessories specially designed to withstand transitory electronic effects or electromagnetic pulse effects, both arising from a nuclear explosion. |
5A001b3 |
Being radio equipment employing "spread spectrum" techniques, including "frequency hopping" techniques |
5A002 |
"Information security" systems, equipment and components ... |
5A002a |
… designed or modified to use 'cryptography for data confidentiality' having a 'described security algorithm', where that cryptographic capability is usable, has been activated, or can be activated by any means other than secure "cryptographic activation" ... |
5A002a1 |
… items having "information security" as a primary function; |
5A002a1a |
… for the purposes of 5A002.a., 'cryptography for data confidentiality' means "cryptography" that employs digital techniques and performs any cryptographic function other than any of the following: a. "Authentication"; |
5A002a2 |
Digital communication or networking systems, equipment or components, not specified in 5A002.a.1. |
5A002a3 |
Computers, other items having information storage or processing as a primary function, and components therefor, not specified in 5A002.a.1. or 5A002.a.2. |
5A002a4 |
Items, not specified in 5A002.a.1. to 5A002.a.3., where the 'cryptography for data confidentiality' having a 'described security algorithm' meets specified criteria |
5A003b |
Systems, equipment and components, for non-cryptographic "information security" specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards. |
5D002 |
"Software" as follows: a. specially designed or modified for the "development", "production" or "use" of systems, equipment and components for defeating, weakening or bypassing "information security", or specified under 5A002, 5A002.a, 5A002.b (a 'cryptographic activation token' ), 5A002.c (Designed or modified to use or perform "quantum cryptography") 5A002.d (Designed or modified to use cryptographic techniques to generate channelising codes, scrambling codes or network identification codes), 5A002.e (Designed or modified to use cryptographic techniques to generate the spreading code for "spread spectrum" systems ), 5A003 (a. Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion; b. see above), 5A004 (Systems, equipment and components for defeating, weakening or bypassing "information security"). |
5D002a1 |
Equipment specified in 5A002 or "software" specified in 5D002.c.1 |
5D002b |
"Software" having the characteristics of a 'cryptographic activation token' specified in 5A002.b. |
5D002c |
"Software" having the characteristics of, or performing or simulating the functions of specified equipment |
5D002c1 |
Equipment specified in 5A002.a., 5A002.c., 5A002.d. or 5A002.e |
5E002 |
Technology" for the "development", "production" or "use" of equipment specified in 5A002, 5A003, 5A004 or 5B002 ("Information security" test, inspection and "production" equipment ), or of "software" specified in 5D002.a. or 5D002.c. |
5E002a |
"Technology" for the "development", "production" or "use" of specified equipment. |
5E002b |
"Technology" having the characteristics of a 'cryptographic activation token' specified in 5A002.b. |
All codes are specified either directly following the code or when a code refers to other sub-codes between brackets in the description column. The full specifications and definitions are described in EU regulation 2021/821 of 20 May 2021 |
The Netherlands has an industry on information security which is larger than the two companies previously mentioned. The Haque Security Delta shows a wide range of companies and government branches involved. This industry is of great importance, not only because of the financial size of its exports, but also of strategic importance by its nature and applications. The government is using and scrutinising its sales and cooperating at the same time. This conflict of interest may create the potential something slips through is always possible. Compumatica Secure now part of Tesorion) is a blank slate, but owners change and so are policies. (now part of NCC Group PLC) and also a party buying part of Philips USFA works for and with the Dutch State. The company is based in many countries, one of them the UAE. It has even a broader history in the Middle East delivered its knowledge and was proving workshops (see Buro Jansen en Janssens with a number of articles on n Fox-It, in Dutch and English and the search engine) to Syria, Egypt, Saudi Arabia and the UAE.
At least the naming of suppliers and type of recipients in a country is essential for proper control of government policy by Parliament and civil society organisations. Such control is even more important while the government is controlling companies it has a direct interest in and connection to. The system of Dutch reporting on the individual licenses was introduced in 2004-05. At the time the Netherlands was at the vanguard of public reporting on strategic goods in Europe, but after two decades of having a half transparent system it is time for a new wave of openness.
Last September 2021 Norwegian Telenor sold its Myanmar operations to avoid European Union sanctions after continued pressure from Myanmar's military junta to activate intercept surveillance technology, the company's Asia head told Reuters. Showing the fine line between phone providers and spying on journalists and opposition.
Written for Stop Wapenhandel