Who are the clients for Dutch Information Security tech?

In January 2019 the Dutch government gave a license for information security technology to Myanmar. It was reported as part of the routine reporting of individual licenses and just one of many information security equipment as well ands software annual dual use exports (military or civil). Lets dive into the complicated issue of the massive volume of Dutch Information Security exports and Dutch praised openness on its exports.

The reported license is part of the Dutch transparency policy on strategic goods. Many of the Dutch strategic exports are on advanced technology and the Netherlands in 2019 was responsible for a quarter of all EU dual-use exports (p. 35 of Dutch annual arms export report). Often the specifics are hard to understand. This is not improved by the fact the reporting is extremely rudimentary. In the above mentioned case the name of exporting entity was not provided. Neither was the receiver on the other end in Myanmar. That is not an exception, but common policy. The date of license, a minimal description, end use, value and a EU dual use code is all what is given. That means not if the end user in Myanmar is an intelligence service, telephony provider, armed forces, foreign or domestic.

The EU code for dual-use (military and civil applications) exports, the so-called SG-Post, however classifies the specific technology and is not unimportant. In this Myanmar case it were 5A002a1 and 5D002c1 licenses. Category 5 deals with telecommunication and “information security”. Here both codes refer to equipment for encryption. But the licenses also include technology which can be used for defeating, weakening or bypassing “information security” and which was delivered to a number of countries. Under the Category 5 Dutch export licenses were exports in 18 different subcategories (see table).

(text continues under table)

Encryption equipment can be used to confidentially exchange information. It is part of the secrecy part of diplomacy, but also militarism. Philips USFA laid the foundation for this technology in the Netherlands and exported this kind of equipment to a wide range of destinations as was exposed in 1992 by peace activist aiming for conversion of this military activity by Philips USFA/Crypto (2). In 2003 these Phlips activities were partly sold to Compumatica Secure Networks in Uden en Fox-IT in Delft.

Dutch licenses for definitive dual use exports (there are also temporarily exports for trade shows, used by external parties etc.) were valued € 11 billion in the period Jan-Jul 2021. Of this Category 5 took 6 per cent, that is € 642 million, more than the total average of military exports in the same time span. The list of category 5 clients is wide ranging, it includes countries in the North and the Global South (see map, note that reporting for EU and NATO (+ Australia, Japan, New-Zealand, and Switzerland) is exceptional, covering a large part of the globe).

Information technology became mainstream news this year when the activities of Israeli company NSO were spotlighted. The company sold its knowledge and technology to regimes which used it to spy on opposition, human rights activists and journalists. The current levels of information technology makes it a dangerous weapon in the hands of despots, security services and the like. In the EU dual-use policy code 5A001j deals with surveillance systems or equipment, the interception of data. Control is essential and the EU policy on dual use states among more on cyber surveillance:

1. This authorisation does not authorise the export of items where … the items in question are or may be intended, in their entirety or in part: … for use in connection with a violation of human rights, democratic principles or the freedom of expression as defined by the Charter of Fundamental Rights of the European Union, by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of Internet use (e.g. via Monitoring Centres and Lawful Interception Gateways).

The receiver of the technology makes a major difference. The EU names a few potential clients such as military, paramilitary, police, intelligence, surveillance end-use, other security end-use by the government, entities acting on behalf of the government. Mobile Phone provider or a secret services as end user can make world of difference (although both must be watched with care).

Licenses for exports of this technology are not always given by the Dutch authorities, pointing at the controversial character it. The Netherlands denied three information security licenses. One had the United Arab Emirates as end receiver and two had Saudi Arabia. In case of these denials the receivers were provided, being respectively the UAE Ministry of Defence, the Saudi Royal Guard, and Air Force, but not the Dutch firm carelessly applying for such an export license. The other major Arab military power in the Middle East Egypt was denied several sales in the past few years: in 2018 to the Ministry of Internal Affairs by Alkan Telekom/Mantrac; in 2019 sales to the General Intelligence Service were refused two times.

(text continues under map)

The Netherlands has an industry on information security which is larger than the two companies previously mentioned. The Haque Security Delta shows a wide range of companies and government branches involved. This industry is of great importance, not only because of the financial size of its exports, but also of strategic importance by its nature and applications. The government is using and scrutinising its sales and cooperating at the same time. This conflict of interest may create the potential something slips through is always possible. Compumatica Secure (now part of Tesorion) is a blank slate, but owners change and so are policies. Fox-It (now part of NCC Group PLC) and also a party buying part of Philips USFA works for and with the Dutch State. The company is based in many countries, one of them the UAE. It has even a broader history in the Middle East delivered its knowledge and was proving workshops (see Buro Jansen en Janssens with a number of articles on n Fox-It, in Dutch and English and the search engine) to Syria, Egypt, Saudi Arabia and the UAE.

At least the naming of suppliers and type of recipients in a country is essential for proper control of government policy by Parliament and civil society organisations. Such control is even more important while the government is controlling companies it has a direct interest in and connection to. The system of Dutch reporting on the individual licenses was introduced in 2004-05. At the time the Netherlands was at the vanguard of public reporting on strategic goods in Europe, but after two decades of having a half transparent system it is time for a new wave of openness.

Last September 2021 Norwegian Telenor sold its Myanmar operations to avoid European Union sanctions after continued pressure from Myanmar’s military junta to activate intercept surveillance technology, the company’s Asia head told Reuters. Showing the fine line between phone providers and spying on journalists and opposition.

Martin Broek