European surveillance tech is fueling global repression despite bloc-wide rules, report finds

May 13, 2026 · 7 min read · 3 sources

Introduction: A Regulation Without Teeth

In September 2021, the European Union implemented Regulation 2021/821, an updated set of rules designed to control the export of “dual-use” items — technologies that can serve both civilian and military purposes. A key component of this updated regulation was the explicit inclusion of human rights considerations, a measure intended to stop EU member states from selling sophisticated surveillance tools to authoritarian regimes. Three years later, a damning report from Human Rights Watch (HRW) alleges these rules are fundamentally failing.

The report, titled "Trading in Turmoil," published on May 21, 2024, provides a detailed account of how EU member states, including France, Germany, and Italy, continue to approve the export of surveillance technology to countries with well-documented records of human rights abuses. The findings suggest that despite the EU’s stated commitment to democratic values, its member states are complicit in supplying the very tools used to suppress dissent, monitor journalists, and persecute activists worldwide.

Background: A Persistent and Profitable Trade

The export of surveillance capabilities from Western democracies to repressive governments is not a new phenomenon. For over a decade, investigations by organizations like Citizen Lab and Amnesty International have uncovered a shadowy international market. The infamous Pegasus spyware from Israel’s NSO Group brought the issue to global prominence, but European companies have long been active players. Firms like Germany’s FinFisher (formerly part of Gamma Group) and Italy’s Hacking Team were notorious for selling intrusion software to regimes across the Middle East and North Africa.

The 2021 EU Dual-Use Regulation was supposed to be a direct response to these scandals. It empowered member states to deny export licenses if there was a clear risk the technology could be used for internal repression or to commit serious violations of international human rights law. However, as HRW’s Deborah Brown noted, “The EU introduced strong new rules to stop its member states from selling surveillance tech to abusive governments, but three years on, the rules appear to be toothless.” The report argues that inconsistent application, a lack of transparency, and insufficient enforcement from the European Commission have created loopholes that companies and national governments continue to exploit.

Technical Details: The Arsenal of Digital Repression

The term “surveillance technology” encompasses a wide range of powerful tools. This is not about a single vulnerability or piece of malware, but a suite of capabilities sold for national security and law enforcement that are easily repurposed for political control. The technologies being exported from the EU include:

  • Deep Packet Inspection (DPI) Systems: These are highly advanced network monitoring tools installed at the internet service provider (ISP) level. DPI allows authorities to inspect the content of data packets flowing across the network in real time. This enables mass censorship, filtering of specific websites or content, and the identification of individuals accessing forbidden information.
  • Lawful Interception Technologies: These systems provide governments with the ability to tap into and monitor telecommunications, including phone calls, SMS messages, and internet traffic. While they have a legitimate function in criminal investigations under court order, in repressive states they are often used without legal oversight to target political opponents.
  • IMSI Catchers: Also known as "Stingrays," these devices mimic cell towers, forcing all mobile phones within a certain radius to connect to them. This allows operators to intercept communications, identify individuals present at a location (such as a protest), and potentially push malware to connected devices.
  • Digital Forensics and Data Extraction Tools: These are hardware and software solutions designed to break into and extract data from seized digital devices like smartphones and computers, often bypassing passwords and local encryption. Companies like Cellebrite are well-known in this space, and European counterparts offer similar capabilities.
  • Biometric Surveillance: This category includes facial recognition systems for public CCTV networks, which can be used to track individuals and suppress freedom of assembly.

The core issue is that these technologies are sold as legitimate tools for fighting crime and terrorism, but without binding end-use agreements and rigorous human rights vetting, they become instruments of state control.

Impact Assessment: The Human Cost and Geopolitical Fallout

The impact of these exports is severe and multi-faceted. The primary victims are individuals on the front lines of democracy and human rights struggles.

  • Direct Targets: Journalists, human rights defenders, opposition politicians, and minority groups in countries like Egypt, Vietnam, Morocco, and China are directly targeted. Their communications are intercepted, their movements are tracked, and their private data is compromised, often leading to harassment, arbitrary arrest, and imprisonment. This creates a powerful chilling effect, silencing critical voices and dismantling civil society.
  • Undermining EU Credibility: The continued trade severely damages the EU's credibility as a global advocate for human rights. It exposes a deep hypocrisy where the bloc publicly condemns human rights abuses while its member states privately profit from the tools that enable them. This weakens its diplomatic leverage and moral authority on the world stage.
  • Proliferation and Blowback: Once these sophisticated tools are sold, control over them is lost. They can be reverse-engineered, captured by other state or non-state actors, or used by the recipient government to target EU citizens, diplomats, or business interests. The proliferation of these capabilities makes the entire global digital ecosystem less secure.

The responsibility is shared. It lies with the EU-based tech companies developing these systems, the national licensing authorities in member states who approve the sales, and the European Commission for its failure to ensure the 2021 regulation is uniformly and strictly enforced.

How to Protect Yourself

Defending against state-sponsored surveillance is exceptionally difficult, as these actors often use zero-day vulnerabilities and have immense resources. However, individuals, particularly those at higher risk, can take concrete steps to improve their digital security posture.

  1. Use End-to-End Encrypted Communications: Rely on applications like Signal for messaging and calls. End-to-end encryption ensures that only the sender and intended recipient can read the content, protecting it from interception by ISPs or telecom providers.
  2. Keep Software Updated: The most common infection vectors for spyware are vulnerabilities in operating systems and applications. Enable automatic updates on your devices to ensure you have the latest security patches.
  3. Practice Strong Authentication: Use long, unique passphrases for every account and enable two-factor authentication (2FA) wherever possible. Prioritize hardware security keys or authenticator apps over SMS-based 2FA.
  4. Be Wary of Phishing: Many targeted spyware attacks begin with a sophisticated phishing link sent via text or email. Be extremely cautious about clicking on unsolicited links, even if they appear to come from a known contact whose account may have been compromised.
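  5. Enhance Network Privacy: A trusted VPN such as hide.me can encrypt your internet traffic between your device and the VPN server and mask your IP address from the sites you visit, making it harder for local network operators to monitor your online activity and track your location. The VPN provider can see where that traffic goes instead, so the choice of provider matters.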
  6. Consider Advanced Device Security: For individuals at very high risk, features like Apple's Lockdown Mode can significantly reduce the attack surface of a device by disabling features commonly exploited by spyware.

Ultimately, individual protection measures can only go so far. The HRW report is a stark reminder that the root of the problem lies in policy and a lack of political will. Without stronger enforcement, greater transparency in export licensing, and genuine accountability for member states and companies, the EU will continue to be a source of the very technologies that undermine the values it claims to uphold.


// FAQ

What are 'dual-use' surveillance technologies?

Dual-use technologies are goods, software, or technology that can be used for both civilian and military purposes. In this context, it refers to surveillance systems like network monitoring tools or spyware that could be used for legitimate law enforcement but are also easily repurposed by authoritarian regimes for political repression and human rights abuses.

Which EU countries were named in the report?

The Human Rights Watch report identified several major exporters, including France, Germany, Italy, and the Netherlands, for licensing the sale of surveillance technology to countries with poor human rights records like Egypt, Vietnam, and Morocco.

Why isn't the 2021 EU regulation effective?

According to the report, the regulation lacks strong enforcement mechanisms. The European Commission has not provided sufficient guidance, and member states retain significant discretion in granting export licenses. A lack of transparency and inconsistent application of human rights due diligence allows problematic exports to continue.

What can individuals do to protect themselves from this type of surveillance?

While state-level spyware is difficult to defend against, individuals can take steps to improve their security. This includes using end-to-end encrypted communication apps like Signal, keeping all software and devices updated, using strong passwords with two-factor authentication, and being vigilant against phishing attacks. For added protection, using a reputable VPN service can help obscure an individual's location and encrypt their internet traffic.
