Is the state’s surveillance apparatus out of control?
In 2014, UK-based surveillance watchdog Privacy International published a procurement tender document issued by the Rapid Action Battalion (Rab) showing they were looking to buy mobile phone surveillance equipment known as "IMSI Catchers."
IMSI Catchers, or "stingrays" are powerful spying tools that let you listen to mobile telecommunications. They are portable devices used to covertly intercept mobile communications by infiltrating GSM networks and capturing the International Mobile Subscriber Identity (IMSI) of the target.
When activated, they send a signal that tricks mobile phones in a defined area into thinking they are communicating with a legitimate mobile phone network—that is why they are also known as "fake cell towers." In this way, IMSI Catchers allow users to indiscriminately gather data from thousands of mobile phones in a specific area and at public events such as political demonstrations, for which their highly portable "backpack" versions are very popular.
A subsequent investigation by Privacy International, together with Swiss magazine WOZ, uncovered that representatives from Rab were being hosted in Zurich by a manufacturer of IMSI Catchers, Neosoft, in August 2014. The Swiss authorities confirmed to Privacy International that they had reason to believe that the Rab representatives were in Zurich to receive technical training from Neosoft on how to use the surveillance technology.
Because such training would require an export licence, and none was sought by NeoSoft, the Swiss export authorities referred the company to federal prosecutors for a potential violation of export control laws, and the deal fell through.
At the time, the then additional director general of Rab, Colonel Ziaul Ahsan, told the media in Bangladesh that the import of some equipment from Switzerland had been stopped "just before the shipment of the materials" by the Swiss authorities due to campaigning by a human rights organisation.
But that didn't stop Rab from continuing to look for IMSI Catchers. In a June 2019 update, Privacy International reported three more tenders from the paramilitary unit—in November 2015, December 2016, and January 2017—for the purchase of such equipment.
It doesn't end there. Since procurement tenders are public documents, you can do a simple Google search for "Rab tender IMSI" and see the results for yourself. For the purposes of this article, three of them are mentioned from just the first page of the results: one each from the website of the Central Procurement Technical Unit (February 2019, for Backpack IMSI Catcher), the Daily Sun newspaper (December 2020, for Backpack IMSI Catcher), and the Rab website itself (February 2019, for Backpack IMSI Catcher).
Rab is far from the only one from Bangladesh on the market looking for these products. Tender documents show that in July 2018, the Bangladesh Police sought to buy an "IMSI Monitor/Mobile Tracker" and a "Back Pack IMSI Monitor/Location Finder." There is also one from October 2017 in the name of the police, for "IMSI Monitor/Mobile Tracker" and "Location Finder Equipment."
Additionally, Privacy International has reported on the basis of publicly available documentation that:
I) Four police officers received approval to travel to Canada in June 2019 for a "Factory Acceptance Test (FAT) relating to shipment of 04 pcs Back Pack IMSI Monitor/Location Finder."
II) In June 2019, six police officers received approval to travel to Canada for training on "Back Pack IMSI Monitor/Location Finder Tuning Antenna."
III) Six police officers were slated to receive training on using an "IMSI Monitor/Mobile Tracker" in Germany in September 2019.
From what is available in the public domain, we also know of at least one case, in which the tender process was followed all the way through to purchase and import of the said equipment.
In March 2021, the Toronto Star reported that Canadian tech company Octasic had sold IMSI Catchers to Rab in 2019. Octasic CEO Sebastien Leblanc confirmed to the Star that the Canadian government had approved the export of IMSI Catchers to Bangladesh, and that the technology itself was exported.
What all this indicates is that the capability to intercept, eavesdrop and store away—for use later, for better or for worse—our phone conversations extends significantly beyond the National Telecommunications Monitoring Centre (NTMC), the nationally-mandated body for such activity, which does its own procurement.
Until 2013, the NTMC was based at the headquarters of the Directorate General of Forces Intelligence (DGFI), the military intelligence agency. It is now under the home ministry. DGFI, however, continues to be involved in its operation, and it is headed up by a brigadier general.
It has long been alleged, of course, that advanced surveillance equipment procured to fight militancy, as Bangladesh became embroiled in the global War on Terror, was also being used on the civilian population. The established pattern was of an inopportune leak through government-friendly media outlets, putting opposition figures or critics of the government in an awkward or embarrassing position, and drawing some criticism of the intelligence services for allowing it. But lately, it's been more of a mixed bag.
Take the recent leaked conversation between the prime minister's adviser—on private sector affairs and business—and the law minister, talking about High Court judges and a pet project of Sajeeb Wazed Joy—possibly the most high-profile leak the country has witnessed since the famous conversation between Prime Minister Sheikh Hasina and Leader of the Opposition Khaleda Zia in 2013.
Or the one of the disgraced former state minister for information and broadcasting, Murad Hassan, in December. Both of these cases would seem to have been aimed at embarrassing the government, and they have driven feverish speculation as to who might have been behind them, along with their intentions.
The law minister has since come out and defended the content of the conversation he engaged in. The home minister, however, was forced to address how it may have occurred. It would be investigated, he said, while reiterating that the NTMC is the only agency authorised to carry out lawful interceptions.
Clearly, however, the capability to engage in such activity is not restricted to the NTMC, or the DGFI. The diffuse ownership of the requisite technology—IMSI Catchers—among different agencies means the entire apparatus of state surveillance is a lot more decentralised than what it once was, or what the home minister would have us believe.
That means less scope for exercising control over not only what gets recorded, but also what gets leaked.
The more pernicious threat
The Canadian government has received its fair share of criticism from privacy advocates for having allowed Octasic to export IMSI Catchers to Rab. In an article in The Globe and Mail last year, Edin Omanovic of Privacy International and Siena Anstis of Citizen Lab, which tracks the spread of surveillance software from its base at the University of Toronto, wrote, "That Ottawa may have sanctioned the export of this technology while the Digital Security Act (DSA) continues to be exploited is therefore of serious concern."
They also came down hard on Justin Trudeau's administration for failing to be open about it. While the Canadian government provides an annual report on the export of Canadian military goods, it excludes "dual-use or other sensitive items," including surveillance technologies.
While the ownership of such technologies (by the DGFI alone, it was long-assumed) has often come to the fore in the event of leaks, the really pernicious threat to democracy from equipment like IMSI Catchers is that by enabling authorities to spy on mobile phones in a blanket and non-targeted manner—covertly and independently of any operator—they endanger journalists, protesters and others wherever security agencies are deployed to crack down on government critics.
Although not as intrusive a technology as the notorious Pegasus software marketed by Israeli firm NSO—that through its advanced "zero click" capability, it can install itself and practically take over complete control of your phone without you having any idea—the use of IMSI Catchers is de rigueur when the objective is strictly surveillance. The advantage they have over spying software is that there is no installation required onto the target's phone. As long as you know where they are, you can simply turn up within the range of your target with your backpack version, and execute what is known as a "Man-in the-Middle-Attack," so-called because all the communication that was meant to flow between a phone and the nearest BTS tower must now go through you.
You can also see how, by performing their basic function of capturing IMSIs, stingrays can be very useful for any government looking to compile a list of, say, everyone who turns up at a protest or demonstration. The good news is that there are some moves currently underway to stop their proliferation.
An overlooked aspect of the US government's announcement of sanctions against a range of actors, including Rab and seven of its current and former officials, in December last year was the Export Controls and Human Rights Initiative (ECHRI), which was part of the same announcement. The ECHRI is meant to help curb authoritarian governments' "misuse of technology and promote a positive vision for technologies anchored by democratic values."
It will seek to do this by working to develop a written code of conduct to guide the "application of human rights criteria to export licensing policy and practice." It was joined in this initiative by Australia, Denmark, Norway, the Netherlands, France, the UK, and following extensive lobbying by Citizen Lab—in which the Octasic deal with Bangladesh figured heavily—Canada. The next time Rab floats an international tender for surveillance equipment, you can be sure they won't be getting takers from any of these countries. That was the good news. The bad news is that it does nothing to stop what is already out there.
Shayan S Khan is the executive editor of the Dhaka Courier.
Comments