James Shires, Leiden University
Introduction
Authoritarian adaptation to political uncertainties associated with the ubiquity of digital communications comes in many forms. Some responses are familiar to scholars of political violence across technological eras: vague national security threats, securitized public spaces, repressive action against protests, and the intimidation, imprisonment, and torture of activists, journalists, and other critical or dissenting voices.[1] Other responses are themselves enabled by digitalization, covered by other papers in this collection, including social media manipulation and transnational information operations. This paper highlights a less visible form of authoritarian adaptation through the constellation of various public and private actors involved in the procurement, installation, and maintenance of digital surveillance infrastructures. It argues that the implementation of such infrastructures – the micro-level expert routines and practices in their design and construction – represents a key site of power and contest overlooked by existing treatments.
This paper draws on my more detailed analysis elsewhere of the politics of cybersecurity in the Middle East.[2] It focuses on digital surveillance infrastructures in the states of the Gulf Cooperation Council (GCC), for two reasons. First, the GCC states are the most “successful” examples of authoritarian adaptation to digital activism in the Middle East.[3] These states largely avoided the violence and chaos that emerged from suppression of the “Arab Spring” movements in 2011 – although GCC military and security assistance to Bahrain and simmering tensions in eastern Saudi Arabia are important exceptions.[4] Domestically, these states are especially alive to the perceived dangers of social media and heavily invested in ensuring revolutionary politics do not rise up again.[5] Regionally, they have sought to influence the course of devastating conflicts in Libya, Syria, and Yemen online and offline, with varied results.[6]
Second, the Gulf states are extremely well-connected, both in terms of their embrace of digital technologies (internet penetration rates are consistently the highest in the region and compare favorably worldwide),[7] and because their openness to global capital has made them sites of significant digital expertise in e-government, energy, health, and other critical sectors.[8] These states have sought to use their reputation as leaders in digital innovation both to underpin long-term efforts at economic diversification and to deflect political criticism. Such claims were called into question after the 2017 Gulf crisis, as both Qatar and the quartet of blockading states sought to undermine the other’s international legitimacy.[9] Other regional expert relationships have emerged openly after the 2020 Abraham Accords, with a prominent Israeli role in Gulf digital technology sectors mooted almost before the ink was dry.[10] But flows of expertise are not just inward: digital communications networks in the Gulf have expanded to accompany aggressive foreign policies, as well as providing broader soft power and economic links to the Horn of Africa and the Maghreb.[11] As such, although digital surveillance infrastructures are everywhere, they are especially notable in the GCC states: domestically resilient, regionally influential and globally integrated.
The infrastructural tendencies of digital surveillance
No state is content with unreachable communications transiting their territory. The implementation of digital surveillance technologies must therefore be considered in the context of broader information controls, as an explicit policy goal of both authoritarian and democratic states.[12] Of course, such controls vary between states, as well as the extent to which they are subject to appropriate checks and balances.[13]
Information controls are not necessarily constraining. Many states seek to steer and encourage certain kinds of online activity – nationalistic sentiment, for example – in ways that retain economic advantages and bolster public support for the regime or preferred allies.[14] States can also reshape their information environment indirectly, convincing citizens that pushing the boundaries of acceptable content online is not a good idea. Such “chilling effects” manifest in many forms, from the more physical and bodily forms of intimidation and violence noted above, to the promotion of dominant media narratives and certain forms of cultural and artistic production.[15]
Digital surveillance technologies play a central role in these dynamics. As discussed by Abrougui and Najem in their paper, some of the most high-profile instances of digital surveillance in the Gulf come from various forms of “spyware”, designed to hack into specific devices and send data back to the operator.[16] These “targeted” surveillance technologies are generally contrasted, in both academic and policy literature, with “mass” surveillance technologies that enable the near real-time analysis of internet communications at a national scale through deep packet inspection (DPI).[17] Unlike spyware, DPI surveillance can act as the basis for fine-grained internet censorship, by blocking websites or specific applications rather than resorting to blanket internet shutdowns and shunning social media platforms.[18] DPI technologies also enable more subtle forms of interference, such as throttling to slow access speeds or forcing protocols to downgrade to older security standards (see Alexei Abrahams in this collection).[19]
However, a strong distinction between targeted and mass surveillance technologies obscures what I call the infrastructural tendencies of digital surveillance. This is a double move, describing both the impetus for even highly targeted surveillance technologies to be incorporated into wider surveillance architectures, and the incorporation of these architectures in turn into the ever-expanding digital infrastructures of states and societies themselves. We can see the first part of this move in the spyware examples discussed by Abrougui and Najem. These spyware companies build and maintain highly complex back-end infrastructures to test, deploy, and receive data from spyware – often constructing separate ones for each task.[20] They can also combine this back-end (otherwise known as “command and control” or C2) infrastructure with DPI monitoring to provide an additional vector for infection. As such, the distinction between targeted and mass surveillance is better described as a spectrum from independent to infrastructural, highlighting how such technologies function within a wider set of capabilities.
The second part of this move draws on the extensive theorization of infrastructures in Science and Technology Studies (STS).[21] Ensmenger notes that “technologies become infrastructure only after they are perfected to the point of being routine.”[22] From this perspective, digital surveillance technologies become more infrastructural the more they are accepted as a standard feature of digital societies. Both mass and targeted surveillance technologies function within a wider culture of surveillance that underpins the economic model of social media and, increasingly, our internet-connected lives more generally.[23] This approach to digital surveillance technologies as societal infrastructures helps avoid problematic but popular paradigms of “dual-use”, which seek to distinguish – for example – between the use of DPI for increasing efficiency, traffic management, and advertising on one hand, and its use for censorship on the other. Infrastructurally speaking, these are two sides of the same coin. New urban megaprojects in the Gulf, such as Saudi Arabia’s NEOM, and the rapid development of “smart city” initiatives elsewhere, provide the ideal ground for this highly infrastructural approach to digital surveillance. To take this insight further, the following section moves from the routinization of digital surveillance infrastructures overall, to the expert routines and practices crucial to their implementation.
Expert practices and surveillance infrastructures
Governments as a whole do not implement digital surveillance infrastructures. This task falls to specific actors: communications ministries, telecoms regulatory bodies, intelligence and security organizations, sector-specific or nationwide information technology authorities, and (especially) national cybersecurity institutions.[24] These government actors respond to formal legal requirements or policy directions as well as informal instructions from central figures or more powerful bodies. This delegation of surveillance authority serves several purposes, from cultivating specific technological capabilities and depoliticizing controversial decisions to favoring bureaucratic allies in a competitive space.
However, government actors often do not possess the right network position, the necessary equipment, or the right kind of technological expertise for digital surveillance, and so they bring in a range of private sector partners. National telecoms companies and internet service providers (ISPs) occupy a central position in this ecosystem, as they often evolve from earlier public-sector entities and retain close elite connections. Telecoms companies and ISPs are mandated by governments to enable access to data centers and crucial nodes for internet traffic, such as connection points to undersea cables (telecoms companies are also often in the consortia that plan and build such cables), as well as responding to specific requests – and sometimes benefitting economically from doing so.[25] A whistleblower speaking to the Guardian in 2020 claimed that Saudi mobile telecoms companies had submitted “millions” of tracking requests through a global telecoms protocol (SS7) to determine the location of phones registered in Saudi Arabia while they were roaming in the US.[26] In Iran, these companies have even used their nodal position to re-route internet traffic by exploiting inbuilt protocol characteristics.[27] Their commercial partners provide DPI or similar products, data analysis, or specific capabilities such as geolocation. These partner companies usually originate either in the security and defense sectors (with strong relationships to intelligence agencies or their commercial intermediaries), or in companies offering broader traffic management and performance functions. These companies are often multinational, providing similar solutions across the region and worldwide.
The implementation of digital surveillance infrastructures thus depends not only on technological capacity, but on the norms and practices of relatively small, transnational, expert communities straddling public and private sectors. However, such norms and practices are complex, messy, and at times unpredictable, and in the remainder of this section, I identify four main sources of friction in these expert communities.
First, perhaps the most obvious source of friction is geopolitical. Surveillance solutions are increasingly sold to the Gulf and other attractive economies by rival states or blocs. They can be a useful lubricant for diplomatic overtures, as with French/UAE sales of surveillance technologies to Egypt after the seizure of power by President Abdel Fatah Al-Sisi in 2013.[28] But international markets are not easily negotiated. The starkest example is the rift between US and Chinese digital investment, often painted as a choice between Huawei and Cisco routers and other networking equipment (see Xiao Qiang in this volume).[29] In 2020, the US warned the UAE that reliance on Huawei would “risk rupturing [their] long-term strategic relationship”, including communication between their respective militaries.[30] My conversations with Huawei employees in the region suggest they are very aware of these dynamics, seeing negotiations with government clients as open competition between superpower surveillance architectures (and these interlocutors repeatedly mentioned the Snowden disclosures to underline US, as well as Chinese, risks). But the US and China are not the only actors in this congested market. An anonymous French surveillance specialist explained to a journalist that the alternative to their sales was “handing control to the Chinese or the Israelis… We tell ourselves we are doing it in the interests of our country.”[31] Russian, UK, and German companies and technologies are also regularly in the mix.[32] In this way, the national affiliation of private providers – both company headquarters and contractor citizenship – complicates authoritarian moves to procure the most effective forms of information control.
Second, installation and maintenance also introduce friction. Updating and recalibrating large-scale surveillance technologies is complicated but essential, not only because the internet itself is constantly changing, but because anti-censorship apps such as Signal and Psiphon also seek to circumvent existing controls. For example, Signal was blocked in December 2016 by the Egyptian and UAE authorities.[33] In response, the creators of Signal worked with activists to update the application to rely on “domain fronting”: using encrypted connections to a popular domain, in this case owned by Google, to act as a proxy for Signal messages. Google and Amazon subsequently decided to prevent domain fronting (interestingly, because it presented a “cybersecurity” risk), but by doing so made it easier for authoritarian governments to block Signal and other apps.[34] More generally, retaining qualified and motivated experts – often at significant expense from contractors – is dependent on wider calculations of cost and efficiency and can introduce unintended unreliability into supposedly powerful surveillance solutions.
Third, contracts with international suppliers can come with significant export control requirements, as well as attention from human rights advocates, NGOs, and journalists. The most sustained examination of this space has been conducted by CitizenLab, who discovered in 2011 that Canadian company Netsweeper provided DPI-based filtering technology to the UAE, Qatar, and Kuwait (with the addition of Bahrain in 2016).[35] They then detected that US company Blue Coat had DPI-based filtering and surveillance devices present in all GCC countries other than Oman by January 2013,[36] while McAfee’s Smartfilter was identified in the UAE and Saudi Arabia later in 2013.[37] These reports – among many others – comprehensively demonstrate the use of commercial filtering technologies by Gulf governments, most likely through telecoms companies. Despite increasing regulatory attention, export licenses for international suppliers are generally granted for diplomatically convenient sales, facilitated by the wide range of possible “dual-use” reasons for purchase discussed above.[38] Accompanying maintenance obligations mean that such licenses remain crucial for continuing functionality (in the US, through Technical Assistance Agreements or similar mechanisms). Several international suppliers have adopted human rights rhetoric and recommendations – such as ethics committees to review sales – in order to smooth this process, but with little noticeable effect on the wider market.[39]
Fourth, and finally, some states have sought to avoid these international hurdles by investing in domestic equivalents. The most well-known example is the UAE company DarkMatter, which has been reported to implement both targeted and mass surveillance solutions.[40] DarkMatter also applied to become an internet certificate authority, which would have given it greater leverage at an infrastructural level (permission was withdrawn by Mozilla in 2019).[41] However, shifting the locus of surveillance introduces different kinds of friction at the individual rather than corporate level. Key experts freely move between public and private sectors, between countries, and command high salaries. Media reporting indicates that these individuals sometimes reject offers they deem to be morally suspect, as well as reporting misuse or overreach to governments of their home states (for whom they were often originally employed).[42] In some cases, these experts even perform what I call a “moral manoeuvre”: altering the implementation of surveillance technologies on the ground, unbeknownst to their clients, to mitigate more extreme requests for surveillance.[43] Overall, the limited size of the expert community, and its transnational connections and dependencies, introduce value judgements and commercial tensions that are key sources of friction in the implementation of digital surveillance infrastructures.
Conclusion
This exploration of digital surveillance infrastructures in the Gulf has demonstrated that implementation matters. Government attempts to reshape norms and practices of digital surveillance in the Gulf states must navigate technological, social, and political tensions within key expert communities. The choices made by such experts, in specific bureaucratic and commercial contexts, determine how these states enact information controls amid geopolitical, economic, and moral disagreements, thereby contributing to the broader trajectory of authoritarian adaptation in the Middle East. In the future, although relevant expert communities are likely to remain transnational, the increasing territorialization of online activities, including national social media applications, competition over cable connections, and localization requirements for data storage and cloud computing, will probably divide surveillance infrastructures further along global and regional political fault lines. To return to the definition of infrastructure introduced earlier, this paper has approached the authoritarian desire to perfect digital surveillance infrastructures skeptically, suggesting that the routine work of their implementation and maintenance – the possibility of their failure and thus their visibility – will remain an important determinant of authoritarian adaptation in an increasingly digital world.
[1] See e.g. Charles Tilly, The Politics of Collective Violence (Cambridge; New York: Cambridge University Press, 2003); Marc Lynch, The Arab Uprising: The Unfinished Revolutions of the New Middle East (New York: PublicAffairs, 2013).
[2] James Shires, The Politics of Cybersecurity in the Middle East (London, UK: Hurst/Oxford University Press, 2021).
[3] See e.g. Robert Uniacke, “Authoritarianism in the Information Age: State Branding, Depoliticizing and ‘de-Civilizing’ of Online Civil Society in Saudi Arabia and the United Arab Emirates,” British Journal of Middle Eastern Studies, March 21, 2020, 1–21.
[4] Toby Matthiesen, Sectarian Gulf: Bahrain, Saudi Arabia and the Arab Spring That Wasn’t (Stanford, California: Stanford University Press, 2013).
[5] Alexei Abrahams, “Regional Authoritarians Target the Twittersphere,” MERIP, December 17, 2019.
[6] Christopher Davidson, Shadow Wars: The Secret Struggle for the Middle East (Oneworld Publications, 2016).
[7] Some internet statistics put Qatar and the UAE at over 100% internet penetration (internetworldstats.com). The ITU, using a more conservative methodology, still puts these states at over 99%. Another notable difference is Oman, which has 76.8% internet penetration from internetworldstats and 95.2% from the ITU.
[8] James Shires, “Enacting Expertise: Ritual and Risk in Cybersecurity,” Politics and Governance 6, no. 2 (2018): 31–40; James Shires and Joyce Hakmeh, “Is the GCC Cyber Resilient?” (London: Chatham House Royal Institute for International Affairs, March 2020).
[9] James Shires, “Disinformation in the Gulf,” in Cyber War & Cyber Peace in the Middle East: Digital Conflict in the Cradle of Civilization, ed. Michael Sexton and Eliza Campbell (Middle East Institute, 2020), 93–107.
[10] Reuters Staff, “UAE, Israeli Cyber Chiefs Discuss Joining Forces to Combat Common Threats,” Reuters, September 24, 2020, https://www.reuters.com/article/us-israel-gulf-emirates-cyber-idUSKCN26F2UK.
[11] Adam Hanieh, Money, Markets, and Monarchies: The Gulf Cooperation Council and the Political Economy of the Contemporary Middle East (New York: Cambridge University Press, 2018).
[12] Seva Gunitsky, “The Great Online Convergence: Digital Authoritarianism Comes to Democracies,” War on the Rocks, February 19, 2020.
[13] Ron Deibert, “Authoritarianism Goes Global: Cyberspace Under Siege,” Journal of Democracy 26, no. 3 (July 13, 2015): 64–78; Ronald J. Deibert, Reset: Reclaiming the Internet for Civil Society (House of Anansi Press Ltd, Canada, 2020).
[14] Andrew Leber and Alexei Abrahams, “A Storm of Tweets: Social Media Manipulation During the Gulf Crisis,” Review of Middle East Studies 53, no. 2 (December 2019): 241–58.
[15] Adel Iskander, “Re(membering) Culture and Heritage: Egypt’s Latest Political Turf War,” POMEPS-GDPi-ARD Workshop Cyberpolitics Workshop; Ahmed Shaheed and Benjamin Greenacre, “Binary Threat: How Governments’ Cyber Laws and Practice Undermine Human Rights in the MENA Region,” POMEPS Studies 43 (2021).
[16] Afef Abrougui and Mohamad Najem, “Follow the Money for Better Digital Rights in the Arab Region,” POMEPS Studies 43 (2021).
[17] This distinction structures the export controls discussed in the following section.
[18] Navid Hassanpour, “Media Disruption and Revolutionary Unrest: Evidence From Mubarak’s Quasi-Experiment,” Political Communication 31, no. 1 (January 2, 2014): 1–24.
[19] See e.g. Netblocks, “Facebook Messenger, Social Media and News Sites Disrupted in Egypt amid Protests,” NetBlocks (blog), September 22, 2019, https://perma.cc/K3WV-754U; Ronald Deibert, Joshua Oliver, and Adam Senft, “Censors Get Smart: Evidence from Psiphon in Iran,” Review of Policy Research 36, no. 3 (2019): 341–56.
[20] Winnona DeSombre et al., “Countering Cyber Proliferation: Zeroing in on Access-as-a-Service” (Washington, D.C: Atlantic Council Cyber Statecraft Initiative, February 2021).
[21] P. N. Edwards, “Infrastructure and Modernity: Force, Time, and Social Organization in the History of Sociotechnical Systems,” in Modernity and Technology, by Thomas J. Misa, Philip Brey, and Andrew Feenberg (Cambridge, Massachusetts: MIT Press, 2001), 185–226; Keller Easterling, Extrastatecraft: The Power of Infrastructure Space, Reprint edition (Verso Books, 2016).
[22] Nathan Ensmenger, “The Environmental History of Computing,” Technology and Culture 59, no. 4 (2018): 514.
[23] See David Lyon, The Culture of Surveillance: Watching as a Way of Life (Cambridge, UK: Polity Press, 2018); Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for the Future at the New Frontier of Power (Profile Books, 2019).
[24] James Shires, The Politics of Cybersecurity in the Middle East, Chapters 3 and 4.
[25] Matteo Colombo, Federico Solfrini, and Arturo Varvelli, “Network Effects: Europe’s Digital Sovereignty in the Mediterranean” (London, UK: European Council on Foreign Relations, May 4, 2021).
[26] Stephanie Kirchgaessner, “Revealed: Saudis Suspected of Phone Spying Campaign in US,” The Guardian, March 29, 2020; for more detail on the vulnerability and exploitation, see Kim Zetter, “The Critical Hole at the Heart of Our Cell Phone Networks,” Wired, April 28, 2016.
[27] Loqman Salamatian et al., “The Geopolitics behind the Routes Data Travels: A Case Study of Iran,” ArXiv:1911.07723 [Cs], November 19, 2019.
[28] Olivier Tesquet, “Amesys: Egyptian Trials and Tribulations of a French Digital Arms Dealer,” Telerama, July 5, 2017, https://perma.cc/L288-BMJN.
[29] But see online maps of Chinese investment in the Gulf released by the Australian Strategic Policy Institute (ASPI) for a more complex picture beyond two or three headline companies.
[30] Simeon Kerr, “UAE Caught between US and China as Powers Vie for Influence in Gulf,” Financial Times, June 2, 2020; Narayanappa Janardhan, “Beijing Signals Growing Interest in Regional Conflict Management,” Arab Gulf States Institute in Washington, December 22, 2020, https://perma.cc/YH2U-MRP6.
[31] Tesquet, “Amesys”; Al-Jazeera Investigative Unit. See also “Spy Merchants: Spying on Dissent through Illegal Means,” Al-Jazeera, April 10, 2017, https://perma.cc/2CNY-EQR2.
[32] BBC, “How BAE Sold Cyber-Surveillance Tools to Arab States,” BBC News, June 15, 2017, https://perma.cc/75ZM-NXYD; Winnona DeSombre et al., “Countering Cyber Proliferation: Zeroing in on Access-as-a-Service” (Washington, D.C: Atlantic Council Cyber Statecraft Initiative, February 2021).
[33] Staff Report, “Infinite Eyes in the Network: Government Escalates Attack on Secure Communication,” Mada Masr, February 10, 2017, https://perma.cc/8DJ5-SHD9. Further attempts to block Signal in early 2017 inadvertently blocked all Google traffic to Egypt, causing outages and highlighting the technological limitations and experimental character of online censorship.
[34] Moxie Marlinspike, “A Letter from Amazon,” Signal Messenger, May 1, 2018, https://signal.org/. See also Marlinspike’s reflections in “Looking back at the front”, on the same blog.
[35] Jakub Dalek et al., “Tender Confirmed, Rights at Risk: Verifying Netsweeper in Bahrain” (Citizen Lab, September 21, 2016); Nicki Thomas and Amy Dempsey, “Guelph-Based Software Censors the Internet in the Middle East,” The Toronto Star, June 13, 2011, https://perma.cc/KH8H-KXPT.
[36] Morgan Marquis-Boire et al., “Planet Blue Coat: Mapping Global Surveillance and Censorship Tools” (Citizen Lab, January 2013).
[37] Bennett Haselton, “Smartfilter: Miscategorization and Filtering in Saudi Arabia and UAE” (Citizen Lab, November 28, 2013).
[38] Privacy International, “The Global Surveillance Industry,” July 2016; James Shires, The Politics of Cybersecurity in the Middle East, Chapter 4.
[39] Bill Marczak et al., “Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?” (Citizen Lab, March 9, 2018); Qurium Media Foundation, “How Operators Use Sandvine to Block Independent Media in Egypt,” September 21, 2020, https://perma.cc/H6K5-5255; Ryan Gallagher, “Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm,” Bloomberg.Com, August 28, 2020.
[40] Christopher Bing and Joel Schectman, “Special Report: Inside the UAE’s Secret Hacking Team of U.S….,” Reuters, January 30, 2019, https://perma.cc/8DGA-95EQ.
[41] Christopher Bing and Joel Schectman, “Mozilla Blocks UAE Bid to Become an Internet Security Guardian…,” Reuters, July 9, 2019, https://perma.cc/P9J3-E42H.
[42] Moxie Marlinspike, “A Saudi Arabia Telecom’s Surveillance Pitch,” May 13, 2013, https://perma.cc/GT39-6JL5; Jenna McLaughlin, “Spies for Hire: How the UAE Is Recruiting Hackers to Create the Perfect Surveillance State,” The Intercept (blog), October 24, 2016, https://perma.cc/5TXR-W8MV; Hagar Shezaf and Jonathan Jacobson, “Revealed: Israel’s Cyber-Spy Industry Helps World Dictators Hunt Dissidents and Gays,” Haaretz, October 20, 2018.
[43] James Shires, The Politics of Cybersecurity in the Middle East, Chapter 4.