II. Factual Background: Telecommunications Infrastructure and Key Players
The internet provides an essential platform for populations and governments to communicate, share ideas, and access essential information, services and networks. Much of today’s communication, organizing, and collaboration happens on digital networks, through email, Voice-over-Internet Protocol (VoIP) applications and services like WhatsApp, social media accounts, and online platforms. As of 2010, almost 2 billion people around the world had access to the internet through computers or mobile devices.7 In 2010, only 17.7% of the Syrian population, or 3.9 million individuals, had access to the internet.8 This number has dropped significantly over the last ten years. In 2020, only 4.2% of the Syrian population had access to the internet.9 Syria ranked as 12th out of 14 Middle Eastern countries, in terms of population percentage that uses the internet.10 The number of mobile users or connections is significantly higher. As of January 2020, according to Data Reportal, the number of mobile internet users was 5.75 million, or 31% of the total population.11 Mobile phones have played a key role in
7 Roser, Max, et al. Internet. OUR WORLD IN DATA, available at: https://ourworldindata.org/internet.
8 Internet Usage in the Middle East, INTERNET WORLD STATS, available at: https://www.internetworldstats.com/stats5.htm.
9 Internet Usage in the Middle East, supra note 8.
10 Internet Usage in the Middle East, supra note 8.
11 Simon Kemp, Digital 2020: Syria, DATAREPORTAL (Feb. 18, 2020), available at: https://datareportal.com/reports/digital-2020-syria.
Syria, “enabling ‘citizen journalists’ to capture events on the ground…[which] have served as a crucial source of information on the uprising.”12 Social media and other platforms are primarily used to disseminate information, to follow unfolding events, and to voice opinions and support for movements or ideas.13
A. The Infrastructure of Surveillance
The Syrian telecommunications market is the most restricted and regulated among all Middle Eastern countries, based on the percentage of State-owned telecommunications infrastructure.14 The state-owned Syrian Telecommunications Establishment (“STE”) is both an internet service provider (ISP) and the official telecommunications regulator. STE has a monopoly over wired and wireless services throughout the regime-controlled areas of the country.15 While the state has licensed other smaller private providers, these providers rely on government infrastructure and are subject to state regulations.16 Through this control, the regime not only censors information based on political, social, and religious beliefs, but can also conduct surveillance of internet users in Syria.17 In essence, the STE provides the government control over what content the population can and cannot interact with on the internet.
In 2007, Nazem Bahsas, the head of the STE, solicited bids from companies to build a new “Central Monitoring System for public data networks and the Internet.”18 In 2008, the Syrian government solicited more requests for bids to build its surveillance system,19 which would be a content filtering system20 combatting politically inopportune speech.21 Content filtering allows for the analysis of communication data packets through key words or attributes, which can then be stored for further analysis, blocked, or allowed to pass through without being stored. Alarmingly, Bahsas requested and clarified that this new system would be centralized so that it could have the capability of monitoring all telecommunications data inside Syria.22 Additionally, Bahsas demanded real-time location tracking ability of up to fifty targets and that the monitoring be completely undetected by the Syrians who are being monitored.23 In other words, the Syrian regime sought the capability to select any Syrian individual for any reason, monitor every website they visit, track their mobile device to determine their real-time location, and do all of this without the individual knowing they are being tracked.24 While the STE claimed this authority was needed to ensure system security from hacking and foreign and domestic infiltration, the power to surveil that this system delivered for the regime and the subsequent targeting, torture and killing of dissenters tell a different story.25
In December 2008, the Syrian regime explained to prospective bidders that it was not interested in combating “classic spam.”26 Rather, it was concerned with “propaganda mail which has the shape of spam.”27 Within the context of the state-run STE system, this is troubling. Because the government has the power to determine what
12 Olesya Tkacheva et. al, Internet Freedom and Political Space (2013) 85.
13 Id. at 86.
14 Syria, OPENNET INITIATIVE (Aug. 7, 2009), available at: https://opennet.net/research/profiles/Syria.
15 OpenNet Initiative, supra note 14.
16 Tkacheva, supra note 12, at 85.
17 OpenNet Initiative, supra note 14.
18 Open Season, supra note 2.
19 Open Season, supra note 2, at 16.
20 Open Season, supra note 2, at 16 (“Content filtering, in the context of communications traveling across the PDN and the internet, means analyzing the communications data packets and assessing them for key words or attributes, and then either blocking transmission of that message, storing a copy for further analysis, or letting the message pass through without storage. Such technologies are also widely used for censorship, particularly at politically sensitive moments, such as during public protests.”).
21 Open Season, supra note 2.
22 Open Season, supra note 2 (emphasis added).
23 Open Season, supra note 2, at 14.
24 Open Season, supra note 2.
25 Open Season, supra note 2.
26 Open Season, supra note 2, at 17.
27 Open Season, supra note 2.
constitutes “propaganda mail”, it has the authority to impose severe censorship on those it deems critical of or a threat to the regime. Furthermore, since the network infrastructure is completely run by the government, Syrian individuals have no opportunity to view content deemed as “propaganda mail” nor to decide for themselves whether to view it or not.28
According to Fredric Jacobs, a researcher who spent time in Syria, “[e]very single piece of traffic that goes through [the Syrian network] is being recorded to hard disk drives.”29 These drives are controlled and stockpiled by the Syrian regime.30 Throughout the Syrian conflict that began in 2011, reports31 surfaced indicating that the regime monitored and tracked human rights defenders through digital surveillance in order to arbitrarily arrest, detain, torture, and kill them as a result of their resistance.32
Mobile phone access is much more prevalent, making mobile service providers a key part of the telecommunications infrastructure. An estimated 55 percent of the country’s cellular market is dominated by Syriatel, a regime-affiliated provider.33 MTN Syria is the other major mobile service provider, a subsidiary of South African MTN. As outlined in Section IV below, MTN is subject to government regulation and has complied with government orders when it comes to filtering and blocking telecommunications of its users. The regime’s access to and surveillance of mobile phones is particularly consequential given the role mobile phones, in the hands of activists and human rights defenders, have come to play in bearing witness to the Civil War and ongoing violence in Syria. “The mobile phone has become the star of the popular revolutions…This small instrument has actually become stronger than the television cameras.”34 Where outside observers and the international media fail to gain access to the country and local reporters and journalists are targeted and silenced, the citizen journalist has become the main witness and recorder of the situation in Syria.
B. Regime Intelligence Agencies
There are four main intelligence agencies in Syria, military and civilian. Their leadership and scope of operations are difficult to precisely identify as these agencies are secretive and the political situation is in a constant state of flux.35 The four agencies are: (1) The Department of Military Intelligence; (2) The Air Force Intelligence Directorate; (3) The General Intelligence Directorate; and (4) The Political Security Directorate.36 The Military Intelligence and Air Force Intelligence fall under the Ministry of Defense. The General Intelligence Directorate and the Political Security Directorate fall under the remit of the Ministry of Interior. Each agency has multiple branches. The Department of Military Intelligence alone has 20 different branches. This means there are countless intelligence branches with responsibilities ranging from surveilling and controlling military and security
28 Open Season, supra note 2, at 16-17.
29 Id.
30 Id.
31 Nicole Perlroth, Hunting for Syrian Hackers’ Chain of Command, NYTIMES (May 17, 2013), https://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html?pagewanted=all&r=0 (“Now sleuths are trying to figure out how much overlap there is between the rowdy pranks playing out on Twitter and the silent spying that also increasingly includes the monitoring of foreign aid workers.”).
32 See, e.g., Whittaker, supra note 3 (“[P]eople in Syria were being tracked online, and that information was being used to hunt down protesters.”).
33 Tkacheva, supra note 12, at 85.
34 “Mashhadiyāt Sūrīya [Vignettes from Syria],” al Hayat, March 26, 2012, quoted in Tkacheva, supra note 12, at 85.
35 Human Rights Watch, “By All Means Necessary” Individual and Command Responsibility for Crimes Against Humanity in Syria (2011) 90, available at: https://www.hrw.org/report/2011/12/15/all-means-necessary/individual-and-command-responsibility-crimesagainst-humanity (“Given the secretive nature of the Syrian intelligence agencies, it is very difficult to verify information about their structure and commanders.”).
36 Id.
officers, to monitoring and surveilling opposition forces, as well as monitoring and targeting civilian activists and critics.
Within the Department of Military Intelligence there are a number of branches focusing on civilian surveillance and associated operations. For example, according to one report, there is Branch 211 within Military Intelligence, also known as the “Technical Branch or the Automatic Computer Branch or simply the Computer Branch.”37 This Branch monitors online activity and is involved in the blocking and unblocking of websites as well as providing support services to other surveillance branches, including Branch 225.
Branch 225, referred to as the “Communication Branch,” is also part of the Department of Military Intelligence, though its current placement within the state architecture is unclear. Branch 225 focuses on phone communications. It can “[block] specific numbers or [cut] off calls or [disable] SMS services.”38 The Branch can tap phones and surveil mobile phone communications. The Branch can stop a text message once it has been sent but before it arrives at the designated number. Some reports suggest that Branch 225 also monitors internet communications and is at the forefront of the regime’s surveillance activities.39 According to the Violations Documentation Center in Syria, this Branch has ballooned into a full department, affiliated with the Communications Department, and drawing officers from all four intelligence agencies.40
These surveillance divisions are part of a larger state architecture of military and security forces involved in the arrest, detention, torture and killing of the Syrian people.
C. The Syrian Electronic Army and Third-Party Hacking
The state infrastructure of surveillance is further supplemented by the monitoring and hacking performed by state-affiliated third-party hacking groups.41 These hacking groups are predominately referred to as “state-sponsored hackers.”42 “State-sponsored hackers” is a term used broadly to refer to hackers that are aligned with a government.43 While the prevailing term is “state-sponsored hackers,” this report refers to the Syrian Malware Team (“SMT”) and Syrian Electronic Army (“SEA”) as “state-sanctioned hackers” in order to more clearly reflect the nature of the relationship. The two most prominent state-sanctioned hackers in Syria are the SEA and the
37 A Report on Branch 215, Raid Brigade Military Intelligence Division—Damascus “A Conflict Between Death and Hope” Violations Documentation Centre in Syria (Sept. 2013) 6, available at https://www.vdc-sy.info/pdf/reports/1380463510-English.pdf.
38 See e.g. Mark Clayton, Syria’s Cyberwars: Using Social Media Against Dissent, Christian Science Monitor (Jul. 25, 2012), available at https://www.csmonitor.com/USA/2012/0725/Syria-s-cyberwars-using-social-media-against-dissent.
39 Clayton, supra note 38.
40 A Report on Branch 215, supra note 37, at 6.
41 Third party hacking groups are hacking entities that are not officially governmental but may still be supplying the government with information obtained through hacking. See, e.g., Eva Galperin, Morgan Marquis-Boire, & John Scott-Railton, Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns, Electronic Frontier Foundation, available at: https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns (last visited Mar. 10, 2019) (establishing connections between certain Syrian malware and the Syrian government).
42 See, e.g., Kim Peretti, Emily Poole, & Nameir Abbas, 10 Lessons From US Indictments of State-Sponsored Hackers, Law360 (Jan. 31, 2019), https://www.law360.com/articles/1123471/10-lessons-from-us-indictments-of-state-sponsored-hackers (outlining recent attacks by hackers with state connections); see also Cathal McMahon, Exclusive: EirGrid Targeted by ‘State Sponsored’ Hackers Leaving Networks Exposed to ‘Devious Attack’, INDEPENDENT (Aug. 6, 2017), available at: https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html (discussing state sponsored hackers).
43 JLT, What Does State Sponsored Hacking Mean?, Marsh (Dec. 22, 2017), https://www.jltspecialty.com/ourinsights/publications/cyber-decoder/what-does-state-sponsored-hacking-mean; see also Tal Kopan, DNC Hack: What You Need to Know, CNN (Jun. 21, 2016, 1:30 PM), available at: https://www.cnn.com/2016/06/21/politics/dnc-hack-russians-guccifer-claims/ (“Many governments worldwide have high-level cyberespionage groups working for them, who may target secrets from other governments, intelligence agencies, government contractors, think tanks and academics.”); Sam Kim, Inside North Korea’s Hacker Army, Bloomberg (Feb. 7, 2018), available at: https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army (chronicling the lives of hackers that work at the behest of the North Korean government).
SMT.44 While some reports refer to these two organizations as the same entity, others differentiate the two.45 SEA is known to be directly linked to the Syrian regime. The exact nature of SMT’s connection to SEA and the regime is up for debate. For example, certain members of the SMT have ties to the SEA. Connections like this suggest that the SMT may be a possible offshoot or part of the SEA.46 Although the extent of their entanglement may be disputed, it is undeniable that both groups provide support to the Syrian regime.47 In 2011, Assad affirmed the SEA’s existence and that its work benefits the Syrian army, calling them the “real army in virtual reality.”48
In 2011, following anti-government demonstrations and Assad vowing to quash his “opponents with an iron fist” through violence and surveillance, the SEA thanked him for recognizing them and their role in the suppression of dissenters.49 The SEA warned anti-regime media, “our message to the news agencies and reporters: if you have a shortage of professionals to report the correct news … the hordes of the Syrian Electronic Army will not be forgiving with you.”50 After the SEA released this message, the group continued to target opponents of the regime.51
One of the first internationally recognized targets of the SEA was Harvard University.52 There, the SEA hacked the Harvard homepage and replaced it with an image of Bashar al-Assad and wrote the message: “Syrian Electronic Army were here.”53 The SEA then accused the United States of actively working to overthrow the Syrian government.54 This anti-U.S. message, along with other consistent SEA attacks and the hacking of Harvard’s website, led Harvard University to investigate the domain name of the SEA.55 Investigation results indicated that the SEA was created by the Syrian Computer Society, a group that was created by Bashar al-Assad prior to him assuming power.56 The Syrian Computer Society was instrumental in providing the platform for the SEA to accomplish their hacking goals.57
The Harvard University hack was only the beginning of SEA’s infiltration of foreign entities through hacking. Between 2011 and 2014, the SEA vandalized numerous other websites, including Forbes, CNBC, The Telegraph, The Chicago Tribune, Human Rights Watch, and UNICEF.58 A message on the homepage of Human
44 See Kyle Wilhoit & Thoufique Haq, Connecting the Dots: Syrian Malware Team Uses Blackworm for Attacks, FIREEYE (Aug. 29, 2014), available at: https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-forattacks.html.
45 See Wilhoit & Haq, supra note 44; see also Kaspersky Lab Global Research and Analysis Team, Syrian Malware, The Ever-Evolving Threat 31 (2018), available at: https://media.kasperskycontenthub.com/wpcontent/uploads/sites/43/2018/03/08074802/KL_report_syrian_malware.pdf (hypothesizing that hacker operations are more likely different groups working together).
46 See Wilhoit & Haq, supra note 44.
47 Kaspersky Lab Global Research and Analysis Team, supra note 45; see also 360 Gold Rat Organization—Targeted Attacks in Syria, Threat Intelligence Center (Jan. 4, 2018), available at: https://blogs.360.cn/post/SEA_role_influence_cyberattacks.html (describing the relationship between hackers and the Syrian government).
48 Harding, Luke and Charles Arthur, “Syrian Electronic Army: Assad’s cyber warriors.” THE GUARDIAN (Apr. 20, 2013), available at: https://www.theguardian.com/technology/2013/apr/29/hacking-guardian-syria-background.
49 Id.
50 Id.
51 Id.
52 See Rodrique Ngowi, Harvard Website Hacked, Defaced, A.P. (Sept. 27, 2011), available at: http://archive.boston.com/news/local/massachusetts/articles/2011/09/27/harvard_website_hacked_defaced/ (explaining the details of the hack on Harvard’s website, which was conducted in 2011—the same year anti-Assad protests began).
53 Id.
54 Id.
55 Id.
56 Id.
57 Id.
58 Katrina Bishop, Global Websites Hacked by Syrian Electronic Army, CNBC (Nov. 27, 2014), available at: https://www.cnbc.com/2014/11/27/global-websites-hacked-by-syrian-electronic-army.html.
Rights Watch, an NGO dedicated to documenting abuses of human rights in Syria and around the world, said “Syrian Electronic Army Was Here. All Your reports are FALSE!!! Stop lying!!!”59
In order to gain access to these websites, the SEA utilized “phishing.”60 While “spear phishing” is targeted towards an individual, often using personal information, “phishing” targets a large group of individuals in an attempt to steal information.61 In these SEA phishing attacks, hackers sent emails to news outlets and organizations with links embedded with malware capable of transmitting location and intercepting communications.62 Once the user opened the link, malware installed itself onto the computer or electronic device.63
This phishing technique was used by the SEA to hack into the Associated Press (“AP”). After successfully phishing an AP employee, SEA hackers then used the AP’s Twitter account to publish a false news story, “Breaking: Two Explosions in the White House and Barack Obama is injured.”64 Fortunately, the tweet was quickly determined to be baseless, but the damage had already been done. The initial panic caused by the fake tweet resulted in a loss of “$136 billion in equity market value.”65 Further, the SEA has successfully used these phishing techniques to gain access to the websites of The New York Times, the United Nations Human Rights Council, and Microsoft.66 One of the SEA hackers, a Syrian national called Peter Romar, was arrested and convicted for participating in these attacks.67
The SEA also directed its capabilities and gained access to information on regime opponents and critics within Syria. The SEA shared information of anti-Assad activists’ meeting locations and identities directly with the Syrian regime. For example, in 2013 SEA members hacked into the messaging app “Tango” and stole the personal phone numbers, email addresses and contact information for millions of people.68 While Tango acknowledged a data breach, it did not confirm the extent of the information stolen, nor the method the SEA used to access the data.69 After obtaining the Tango information, the SEA announced that it would be “handing the information over to its country’s government”— the regime. Experts expressed concern that this would almost certainly lead to people being hurt or worse.70 The SEA also obtained sensitive data about individual activists through other social media platforms and messaging apps.71 This sensitive data included people’s birthdays, personal serial numbers, ID cards, CVs, and blood types.72
59 Max Fisher, Syria’s Pro-Assad Hackers Infiltrate Human Rights Watch Website and Twitter Feed, WASH. POST (Mar. 17, 2013), available at: https://www.washingtonpost.com/news/worldviews/wp/2013/03/17/syrias-pro-assad-hackers-infiltrate-human-rights-watchweb-site-and-twitter-feed/?utm_term=.9452432eb8b9.
60 Fisher, supra note 5.
61 Phishing, Microsoft Windows available at: https://docs.microsoft.com/en-us/windows/security/threatprotection/intelligence/phishing#spear-phishing (last visited Apr. 3, 2019).
62 Fisher, supra note 59.
63 Id.
64 AP Twitter account hacked in fake ‘White House blasts’ post, BBC NEWS (Apr. 24, 2013), available at: https://www.bbc.com/news/world-us-canada-21508660.
65 Id.
66 Lee Ferran, Inside the Syrian Electronic Army, REAL CLEAR LIFE (June 2018), available at: http://www.realclearlife.com/technology/inside-the-syrian-electronic-army/.
67 Department of Justice, Syrian Electronic Army Hacker Pleads Guilty, (Sept. 28, 2016), available at: https://www.justice.gov/opa/pr/syrian-electronic-army-hacker-pleads-guilty.
68 Jacob Kastrenakes, Syrian Electronic Army Alleges Stealing “Millions” of Phone Numbers from Chat App Tango, VERGE (July 22, 2013), available at: https://www.theverge.com/2013/7/22/4545838/sea-giving-hacked-tango-database-government.
69 Id.
70 Id.
71 Id.
72 See John Scott Railton, Daniel Regalado, Nart Villeneuve, Behind the Syrian Conflict’s Digital Frontlines, 7-9 (Feb. 2015), available at: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf.
SEA has used SMT malware, which some speculate has been developed with some assistance from Russia and/or Iran.73 SMT malware is capable of remotely turning on a target’s phone or computer and extracting files, contact lists, location data, passwords, and, in some cases, has the ability to copy all contents and programs on a user’s phone.74 One expert noted, “the minute you download this it will take control over your computer…[it] can turn on your phone camera, it can extract files” from any electronic device it is installed on.75 While the older SEA monitoring techniques featured short, abrupt—often unsophisticated—messages accompanying the attack, alerting the user,76 the new malware runs and functions like professional, legitimate programs, resulting in the user being less likely to know they are being monitored or have had any sensitive information stolen.77
D. Mass Surveillance and Persecution
The regime-controlled telecommunications infrastructure and a drove of state and state-sanctioned surveillance forces have empowered the Assad regime to conduct indiscriminate mass digital surveillance of the Syrian population.78 The Syrian Ministry of Communications has created a network that allows the government nearly complete authority over the internet.79 The regime monitors all online activity and websites for any content that is anti-regime.80 As Section IV below shows, the regime then uses any content that it deems “revolutionary” to persecute critics and human rights defenders.81 The vast and comprehensive scale at which this digital surveillance has occurred and is occurring inside Syria should be a great cause of concern for the international community as a whole.
Section III outlines the human rights implicated by mass surveillance. While the rights of all Syrian people, especially anyone critical of the regime, are endangered and have been breached as a result of surveillance, the rights of human rights defenders have been disproportionately impacted. The right to privacy, freedom of expression and of participation, the right to life and freedom from torture and cruel, inhuman and degrading treatment are all at stake in the regime’s, and its affiliated groups’, campaign of surveillance and persecution. Section IV identifies how the infrastructure of surveillance together with an enabling legal framework has led to censorship, monitoring, hacking and detention of journalists, activists and human rights defenders.