Thursday, 4 March 2010

How Nokia helped Iran "persecute and arrest" dissidents

A new report out of Finland suggests that the country's corporate poster child, Nokia Siemens, has been involved in some pretty tawdry dealings with Iran, dealings that go beyond the company's admitted involvement with the Iranian regime.

Journalist Hanna Nikkanen quotes Nokia's Lauri Kivinen saying that "there's been this perception internationally that we've supplied them [Iran] with internet surveillance equipment, but this is not true. The statement was made on February 20, 2010, but Nikkanen obtained leaked manuals to the equipment in question and concluded, " The surveillance made possible by the Nokia Lawful Interception Gateway (LIG) extends to mobile internet usage. Either Kivinen was lying or his knowledge of his company's core competence field isn't quite adequate."

Do the deals made in Espoo lead directly to arrests in Tehran?

Yes, they do

That might sound like an overwrought characterization of a complicated situation, but the words aren't ours—they come right from the European Parliament, which took the extraordinary step last month of trashing Nokia Siemens in a public resolution.

MEPs were disgusted by the aftermath of the contested Iranian election last year and the brutal crackdown on the Green movement in the country. In a resolution adopted February 10, Parliament railed against Iran's "jamming of international radio and TV networks, many international websites, including Facebook and Twitter, as well as local opposition sites and mobile-phone services in Tehran, thereby also causing transmission problems on networks in other Middle Eastern countries and even in Europe."

Where did the gear to do this come from? "European and Russian companies have been providing Iran with the necessary filtering and jamming devices, some of which might even pose a health risk to those living in the vicinity of the installations," said the resolution.

Then it named names: Parliament "strongly criticises international companies, in particular Nokia Siemens, for providing the Iranian authorities with the necessary censorship and surveillance technology, thus being instrumental in the persecution and arrest of Iranian dissidents," it said.

Parliament called on the European Commission to immediately ban surveillance tech exports to Iran and other countries where the gear "could be instrumental in the violation of human rights."

But it was legal!

Nokia Siemens has been battling such accusations since the Iranian election last year. On June 22, 2009, overwhelmed with press inquiries, Nokia Siemens issued a public statement on its involvement with Iran.

"Nokia Siemens Networks has provided Lawful Intercept capability solely for the monitoring of local voice calls in Iran," it said. "Nokia Siemens Networks has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran."

So it was only "local voice calls"? Not quite. Nokia Siemens admitted in a "further statement" that its gear could "intercept phone calls and text messages," so it's clear that there are data recording and analysis features built into the gear in addition to simple voice recording.

But every time the issue came up, Nokia Siemens made a valid point: this tech has all been pushed by the Europeans and Americans. Nokia Siemens says that these capabilities are "a requirement in the European Union, the United States, and most other countries, and parallels a similar requirement for landlines that has existed for decades."

Lawful intercept capabilities translate traditional wiretap rules into mobile networks, often adding new features like text message intercept along the way. The Internet posed an additional challenge, and US and European firms led the way in developing deep packet inspection gear that can siphon off an individual user's traffic and pass it to law enforcement. The idea was that the criminals could not gain anonymity simply by dropping their landlines and postal boxes for e-mail and Skype.

Accessing the surveillance network from a command-line interface

Such a system has huge potential for abuse, which is why judicial oversight has always been important. In a country like Iran, where such oversight and judicial protections are limited, some argue that international companies like Nokia Siemens have to be aware that their gear will be used differently than it will in Europe.

As one Iranian blogger put it last year, "True, the monitoring system may be used to prevent criminal and terrorist activities in democratic countries where violation of privacy is subject to court’s permission. But in a country like Iran, 'Lawful Interception' means much more than this. It means continuous violation of basic human rights of freedom seekers."

More communication is always better

The newly finished report on Nokia Siemens suggests that the capabilities sold to Iran go far beyond phone call monitoring, though the article is not specially compelling; where are the quotes from the manuals that illustrate this?

We spent some time trolling through the manuals, which are all in English and date from 2005-2007; none appear to suggest that the gear can monitor general Internet traffic from mobile devices. The Lawful Interception Gateway (LIG) software complained of in the article is, according to the documentation, able to "intercept 2G and 3G mobile data calls, and the IP Multimedia Subsystem (IMS)." IMS is used to deliver controlled "services" and help wireless providers avoid becoming mere "bit pipes," but IMS monitoring gear would not appear to allow general Internet monitoring of mobile devices. In any event, as Nokia Siemens points out, most of Iran's Internet traffic is on fixed lines.

But the Nokia Siemens gear does allow the monitoring of text messages, which were important organizing tools in the days after the disputed election (the Iranian Internet was essentially cut off completely from the world right after the election, and only restored piecemeal as new blocking capabilities were brought online). Combined with the Iranian regime's eventual decision to simply block sites like Facebook and Twitter wholesale at the border, many of the decentralized organizing tools were dismantled or made risky to use.

The intercept browser, circa 2006

The debate over Nokia Siemens' involvement in Iran mirrors quite closely the debate over China, where Cisco sold the country much of the gear it uses to conduct surveillance. And despite Cisco's claims about just offering basic functionality to the Chinese, it eventually emerged that the company's reps were pitching China on using the gear to combat the "evil" Falun Gong and other "undesirables."

China routinely makes the same argument made by companies like Nokia Siemens and Cisco: "Hey, America and Europe do it too! Any companies that want to do business here need to follow local laws."

Businesses routinely say they don't want to play global policeman, and that these are issues for governments to work out. Clearly, there is plenty of "gray area" here for debate, but it does seem as if there are a few regimes where companies might easily conclude that the likelihood of abuse is so great that no sales should be made. (Of course, "warrantless wiretapping" in the US might lead one to wonder where, exactly, surveillance safeguards can be guaranteed.)

On the other hand, Nokia Siemens likes the argument that Google made when it censored its Chinese search results: more connectivity is better for people, even if it comes with some undesirable caveats. Nokia "firmly believes that providing people, wherever they are, with the ability to communicate ultimately benefits societies and brings greater prosperity."