Inside the massive and unregulated world of surveillance tech Sharon Weinberger

A few years ago,

an American defense consultant I know

told me about a trip
he took to Uzbekistan.

His role there was to help sell technology

that the Uzbek government could use
to spy on its own citizens.

He eventually shared with me
the marketing material

he’d presented to the Uzbek government.

One glossy brochure featured technology
that could not just intercept phone calls,

but identify the caller,

regardless of what phone number
they were using,

based on their unique voiceprint,

and then identify their exact
geographic location.

This is a guy who had been involved
with the arms trade for years.

He wasn’t some Hollywood-type gunrunner
doing backroom deals.

He was just a guy that worked
with legitimate Western companies

to help sell their weapons abroad.

But he wasn’t bothered
by marketing this sort of technology.

For him, it was just the next step
in the arms trade.

And it was even easier than, say,
selling weapons to Iraq,

because it didn’t require
an export license

from the US State Department,

the way most arms sales would.

It turns out that these
tools of surveillance

are almost completely unregulated,

because as of today,
they’re not defined as weapons.

But they should be, and we need
to regulate them that way.

I’m a journalist
who has spent the last two decades

looking at how the military
and intelligence world

spurs the development
of new science and technology.

I’ve tracked the emergence of new weapons

and looked to see what happens

when companies start to market
these weapons abroad.

But what is a weapon
in the information age?

We know that armed drones are weapons,

missiles and bombs are weapons,

but the State Department
actually classifies

broad categories
of technologies as weapons.

So for example, a scientist going abroad
on an oceanographic research vessel,

they want to take
the latest night-vision goggles?

That, according to the State Department,
is potentially a weapon.

Why?

Well, because though night-vision goggles
are used today by scientists

and hunters around the world,

it was a capability
first developed for the military.

And yet, tools of surveillance

that an authoritarian regime could use
to spy on its own citizens,

on dissidents, on journalists,

that, according to the US government
today, is not a weapon.

And yet, these tools of surveillance

are part of a growing secretive
multi-billion-dollar industry.

The genesis of this spy bazaar
goes back some 18 years,

to a Hilton hotel in northern Virginia,

just a few miles away
from the US Central Intelligence Agency.

A few dozen people,
mostly dark-suited men,

gathered there in the spring of 2002

for a conference with
the unassuming name of ISS World.

You know, at first glance, this conference
probably looked like dozens of events

that used to take place
around the Washington, DC area.

But this event was unique.

ISS stands for Intelligence
Support Systems,

and the people who were there

were from companies
that built technologies to spy

on private communications.

In other words, these were
sort of wire-tappers for hire.

And the reason they were there
was that less than a year earlier,

the 9/11 terrorist attacks
on New York and Washington

had spurred the Congress
to press through legislation

known as the Patriot Act.

This gave the government
broad new authorities

to monitor communications.

Emails, internet activity, phone calls,

even financial transactions.

This created an instant demand for data.

And in the true American
entrepreneurial spirit,

an industry rose up
to help collect this data.

But back in 2002,

this was still a pretty modest affair.

Only about 10 percent
of the world’s population

was even online using the internet.

So most of what was being collected
were simple emails and phone calls

over landlines and cell phones.

But over the next few years,

the way that we communicate
began to change rapidly.

There was the introduction
of Skype, Facebook

and then, crucially, the iPhone,

and within a few years,

billions of us were walking around
with little computers in our pockets

that do everything
from monitor our exercise habits

to help us find romantic partners.

And suddenly, you didn’t necessarily need
the advanced capability

of the National Security Agency
or big telecoms

to monitor everyone’s communication.

In some cases,

all you needed was access
to that device in their pockets.

And that gave birth to an entirely
new type of industry.

You know, not many companies
can build missiles or aircraft,

but it doesn’t take a lot of capital
to create software

that can hack into someone’s smartphone.

Computer hackers
have been around for years,

but now their skills could be used
to build technologies

that were in high demand
by law enforcement

and intelligence agencies.

And soon, dozens
and even hundreds of companies

were getting into this
wire-tappers' market.

And that little conference in Virginia,

it grew and soon became known
as the Wiretappers' Ball.

Well, not much was known
about the Wiretappers' Ball

in those early years,

because the conferences
were closed to everyone

except the companies
and their government customers.

But journalists did begin to see
and hear reports

of companies getting
into this private spy market.

Spooky entrepreneurs
going around the world,

doing deals,

often with authoritarian regimes.

And it was, from the start,
a really loosely regulated market.

Some countries do require permission
to sell these technologies abroad,

but rarely with the type of scrutiny
that is given to traditional arms.

So for example, the Italian-based
company Hacking Team

reportedly sold its technology
to authoritarian regimes

in Egypt and Kazakhstan.

The Israeli-based company NSO Group
has reportedly sold its technology

to the regime in Saudi Arabia,

which has been accused of harassing,

and even, in one case,
killing one of its political opponents.

And we do think of weapons
as things that kill people.

But in the information age,

some of the most powerful weapons
are things that can track and identify us.

This is something that the Pentagon
and CIA have recognized for years,

and they’ve tried to build technologies

that can track people,
suspected terrorists, around the globe.

The Pentagon has invested
in something called smart dust,

little microsensors
the size of specs of dust

that you could scatter on people
without them knowing it,

and then use it to track their location.

The Pentagon, through
its venture capital firm,

has invested in a beauty products company
once featured in “Oprah Magazine”

to build a device that could
surreptitiously collect DNA

just by swiping across the skin.

But something remarkable has happened
over the past decade.

In many cases, what the private
marketplace has been able to do

has far outstripped what the Pentagon
or CIA even thought was possible.

Back in 2008,

the Pentagon had a secretive database
of DNA from terrorists.

It had about 80,000 samples.

Well, the private company AncestryDNA

today has samples
from over 15 million people.

23andMe, the second-largest
genealogical database,

has samples from over 10 million people.

So now, maybe you don’t need
these James Bond-worthy techniques

of collecting DNA

if we’re willingly handing it over
to private companies

and even paying for the honor of doing it.

Well, what could you do
with a sample of someone’s DNA?

In the United States and China,

researchers are working
on using DNA samples

to build images of people’s faces.

So if you pair DNA
with facial recognition technology,

you have the basis of a really
powerful surveillance system

that could be used to track individuals
or entire ethnic groups.

And if you think that sounds
a little bit paranoid,

keep in mind that the Pentagon
last year sent out a memo

to all of its service members,

warning them precisely not to use
those commercial DNA kits

over concerns that information
could be used to track them

or their family members.

And yet, even with the Pentagon
raising concerns about this technology,

almost nothing has been done
to reign in this market.

One American company, Clearview AI,

has been collecting billions
of images of people’s faces

from across the internet,

like those pictures you post on Instagram
of you and your friends and family,

and then selling its facial
recognition services

to US government
and law-enforcement agencies.

And even if you think

that’s a perfectly acceptable
application of this technology,

there’s nothing to stop them
from selling to private individuals,

corporations or even foreign governments.

And that’s exactly
what some companies are doing.

That Wiretappers' Ball
that started in northern Virginia?

Today, it’s held in multiple cities
around the globe.

Thousands of people now attend
the ISS trainings and conferences.

And more of the companies showing up
are coming from the Middle East and China.

The spy bazaar has gone global.

And at arms shows now around the world,

you’ll see companies displaying
facial recognition technology

and phone hacking software,

displaying right next
to traditional arms manufacturers

with tanks and missiles.

And walking around these arms shows,

it’s pretty easy to go down
dystopian rabbit holes,

thinking about future
surveillance technology

that will track our every move.

And I remember one
Pentagon adviser telling me

that what the military really needed
were space-based satellites

that could track people anywhere on earth
based just on their DNA.

It’s enough to make you invest
in tinfoil hats.

But the truth is,

we don’t know what sort
of technology the future will bring.

But we know that today,
in the absence of regulation,

this marketplace is already exploding.

And in fact, one of those companies
accused of selling surveillance technology

to authoritarian regimes,

today, it’s offering to help track
those infected with COVID-19.

And of course, technology does offer
the tantalizing promise

of helping control a pandemic
through contact tracing.

But it also opens up another door,
to privatized mass surveillance.

So what do we do
about this private spy bazaar?

We can hide, go offline,

get off social media,
ditch our smartphones,

go live in a cave,

but the truth is, we’re not trained
to be professional spies,

we can’t live under false identities
or with no identities.

And even real spies are having a hard time
staying below the radar, these days.

It doesn’t matter how many
passports Jason Bourne has

if his face or DNA
is in someone’s database.

But if even governments have lost control
of the tools of spying,

is there anything we can do about it?

One argument I’ve heard

is that even if the US
were to restrict companies

from selling this sort
of technology abroad,

companies based in China
might simply step in.

But we regulate the arms trade today,

even if we do it imperfectly.

And in fact, there was a multilateral
proposal several years ago

to do just that,

to require export licenses
for surveillance software.

The United States
was among those countries

that agreed to these
voluntary regulations,

but back in Washington,
this proposal has simply languished.

We have an administration
that would rather sell more weapons abroad

with fewer restrictions,

including to some of those countries

accused of abusing
surveillance technology.

I think to move forward,
we would need to revive that proposal,

but even go one step further.

We need to fundamentally change
how we think of surveillance technology

and define these tools as weapons.

This would allow government

to regulate and control
their sale and export

the way that they control
traditional arms,

advanced aircraft and missiles.

But that means recognizing
that technology that tracks who we are,

what we do, what we say,

and even in some cases, what we think,

is a form of advanced weaponry.

And these weapons
are growing too powerful,

available to the highest bidder,

and according to the whims
of the spy bazaar.

Thank you.