Helping tech cos help themselves on human rights

Standing: CRT founders Elie Mersel and Matan Guttman. Sitting: consultants Yosef Shapira and Shmuel  / Photo: Cadya Levy, Globes

CyberRighTech advises Israeli companies on how to ensure that sensitive technology does not fall into repressive hands.

"Israel’s status as a "startup nation" was established decades ago. But its reputation for hi-tech innovation always depended on a dark side, one that is becoming ever harder to ignore… Israel had achieved a pivotal role globally in merging new digital technologies with the homeland security industry."

Although the above quote is taken from the opening of an article in online publication Middle East Eye, which has a left-wing political leaning, it best describes how Israel and its high-tech industry are sometimes perceived in a world where names like NSO make scandal-ridden headline stories about dark James Bond-style affairs.

Israeli cyber company NSO, which has developed a system designed for internal security organizations and is used for monitoring the smartphone activity of subjects under investigation, is constantly under legal and media fire. Proceedings are being conducted against the company, both in the United States and in Israel, in a stand-off with Facebook and Amnesty International. The two claim that NSO has developed tools used to hack into accounts belonging to human rights activists and opponents of dictatorial regimes. NSO denies any responsibility, claiming it only develops the technology and is not responsible for its use. just as an M16 manufacturer is not responsible for anyone killed by the use of the weapon it produces.

However, NSO’s critics believe there is a difference between the physical and technological worlds, as the development of a technology may demand deeper involvement than physical weapons production, such as detecting security breaches and vulnerabilities. Some companies also provide training and other services. Responsibility for the use of technology will likely be at the heart of moral and legal discussions over the next decade, as technologies improve, and until the legal world narrows the gap.

As things stand right now, "Companies are taking a risk that one day it will be determined that what they did was aiding and abetting war crimes and crimes against humanity," says Adv. Eitay Mack, who filed a petition on behalf of Amnesty International to revoke NSO's export license. "Some aren’t worried about it, and others are. It depends apparently on the corporate structure of some of the companies, each one has its own commitments. "

Recently, Israeli cyber company Cellebrite also had its name linked to negative events. Its clients include the police forces in Hong Kong, where there have been protests over the past year over China's growing involvement in the territory and a palpable fear of human rights violations by the authorities. Last week, Adv. Mack sent an urgent request to the Defense Export Control Agency (DECA) at the Ministry of Defense to halt Cellebrite’s exports.

"For a number of years, the Cellebrite system has been used legitimately by the Hong Kong police force, in accordance with legally issued orders and the supervision of the courts there," Mack's letter read. "Exports of the Cellebrite system to Hong Kong should have been halted as early as 2019, when the last huge wave of protests began, and there was clearly a dramatic deterioration. Unfortunately, this was not done, and according to reports from Hong Kong, over the past year, the Cellebrite company’s system has been used to break into about 4,000 cell phones of citizens and democracy activists - who have been arrested."

Cellebrite stated in response that "In accordance with the procedures and policies our company implements, we do not respond to specific customer concerns or the way our technology is used. We implement strict internal procedures that dictate how our technology is used. We do not sell our technology to countries on the Financial Action Task Force (FATF) black-list, or those sanctioned by the US government, the Israeli government or the international community. Cellebrite is not a company in the field of surveillance and does not engage in surveillance activities."

NSO, too, is taking steps to help it deal with the criticism leveled at it, and according to the company, also to prevent future complications. According to the company, it was one of the first in the world to adopt the UN principles and implement a plan to formulate internal regulation; measures led by Adv. Shmuel Sunray, the company's General Counsel. Sunray joined the NSO after 14 years as General Counsel at Rafael Advanced Defense Systems.

The world is beginning to wake up

Concerns about NSO and Cellebrite reflect the possible clash between the use of different technologies and issues related to human rights, especially in light of the technology’s sophistication. "I’ve seen lots of cases where a technology company enters a 'minefield' and gets into trouble, for example Israeli company AnyVision," says Dr. Matan Gutman, who founded a company that deals with the subject.

In the case of AnyVision, Microsoft announced that it would realize its investment in the company, which develops a face recognition technology implemented in Judea and Samaria. Microsoft's audit committee concluded that the company's technology was not used for mass surveillance of Palestinians in the West Bank, as alleged, but also that its investigation was limited due to legal restrictions. Microsoft concluded that its minority share did not allow for a sufficient level of monitoring.

"As a human rights expert, I have begun to see an awakening among international organizations and Western countries - the United Nations, the OECD, the European Union, the United States and the United Kingdom - when it comes to dealing with technology, individual rights and ethics," Gutman added.

To help companies in need of advice on on the matter, Gutman - an adjunct professor at the IDC - founded CRT with Elie Mersel. Gutman served as Mersel's chief of staff when the latter was director general of the State Comptroller's Office. CRT, an acronym for CyberRighTech, wants to help companies avoid conflicts between the use of technology and human rights, by formulating rules and work procedures that comply with international rules.

"Eli and I have talked a lot about these issues in recent years, and we understand that the ecosystem of technology and innovation must also have a dimension of accountability to investors, customers, employees and, above all, the general public," Gutman says. The company also recruited well-known advisers: retired judge Yosef Chaim Shapira; Prof. Shmuel Hauser, former chairman of the Israel Securities Authority and Senior Vice President at Ono Academic College; and retired Supreme Court justice Salim Joubran.

"Not everyone can invest like Facebook"

Mersel, who serves as the company's president, says that "The high-tech industry has become Israel's showcase to the world. We believe that the company executives want to do good. They do not want their technology to become a double-edged sword, either for them or for the State of Israel's reputation. A giant company like Facebook establishes a controller for similar reasons. That move indicates the general direction, but not every company can allocate a $130 million budget for this purpose, as Facebook did recently."

The idea is that just as companies rely on legal and accounting consultants, so they will also use CRT to reduce their exposure to lawsuits or sanctions down the road. In fact, even organizations that acquire technologies have a duty to make sure that they come from companies that respect human rights.

" The fact that the ethical aspect of technology companies has risen to the surface is highly important. As far as corporate responsibility is concerned, this is perhaps the heaviest issue in the relationship between business and society, and it is not discussed enough, "says Momo Mahdav, who specializes in corporate responsibility by virtue of his position as CEO of NGO Maala, and is not connected to CRT. Each year, Maala publishes the "Maala Corporate Responsibility Index," which is based on a comprehensive questionnaire in the areas of society, the environment, ethics and transparency. "Maala’s approach is that the a priori intent of most companies, executives, entrepreneurs and developers is positive, and in our experience, when consultants come and point out to the company the need to manage issues that have gone unmanaged, it has a positive impact."

Gutman adds that "Our initiative reflects the dramatic change taking place today in the regulation of technology companies - from protecting information and privacy (e.g. GDPR) to significantly protecting the broader principles of ethics and human rights. Take, for example, the attack on facial recognition technologies and concerns of discriminating against minorities. In accordance with instructions by justice ministries in the US and UK, a company that adopts a proven ethical culture which includes an effective compliance program, can prevent criminal and regulatory proceedings against it and its executives. In fact, even organizations that acquire a technology have a duty to ensure the purchase was made only from companies that respect human rights."

"We also say ‘No’ to deals"

How does this process look in action? CRT's first customer is Cobwebs Technologies, which has about 100 employees in Israel, the United States and Singapore. Cobwebs specializes in intelligence gathering on the web, and serves as a kind of "Google for intelligence" that searches both the visible Internet, the Dark Web, and even blockchain networks. The system facilitates detection and mapping of personal connections for criminal, security and financial investigations, and is provided to many government, security and business entities around the world.

The motivation for the company's engagement with CRT and the process it underwent was described by Cobwebs Technologies president Omri Timianker: "The virtual world is a Wild West where users do whatever they please. Control of information and enforcement of human rights issues is in the hands of technology companies; this created a crisis of trust between citizens and their governments and law enforcement entities. Therefore, we set ourselves the goal of reducing violations of the right to privacy due to the use of our products. The process with CRT, refined procedures were refined, and unofficial processes were written down with clear criteria. The process touched on all aspects of our activity: development, marketing and sales, contractual engagement, and corporate governance."

"In the end, where do all the scandals come from? From customer selection and the sales process. So, we added the use of international metrics that examine corruption, democracy and liberty in countries around the world. We set a threshold which, if a country scores below it, requires CEO approval in order to make the sale. Beforehand, we wouldn’t have thought about those things, and now we have a committee meeting once every two weeks to discusses these issues and also say 'No' to deals. It's not easy, but it's very important because of the potential for damage. In the end, we’re managing risk," adds Timianker.

Although criticism of NSO continues, the company says that it has incorporated international criteria and control mechanisms both in its sales processes and when the product is in use by customers. According to NSO's legal counsel, the company even has ambitions to make its process an industry standard. "This is something that every player operating in this market should abide by," said Adv. Sunray. "Given the thought and work we’ve invested into formulating an active, living and breathing plan, we’d like to harness the support of the appropriate entities to help make this an internationally recognized standard."

"Not doing enough"

"We already knew about so-called soft laws (a general name for a variety of legal instruments in international law that are not binding) from multinational corporations, for example, oil or pharmaceutical companies. But in the context of defense exports, this is an interesting development, "says Adv. Mack, who specializes in what he calls "Israel's arms trade front."

In Mack's opinion, the fact that CRT was established is evidence of a lack of trust in the Ministry of Defense and in the courts. "It means that the court decisions in these cases and the licenses granted to these companies are not enough to protect us abroad, and that is an interesting development."

In his words, the problem is that "Israeli legislation only covers cases where an embargo is imposed by the UN Security Council, but that is a rare occurrence. I maintain that even if there is no embargo, one should check whether the US and Europe ban the sale to a country, such as Myanmar. One can also look into the human rights situation by checking investigations by various organizations."

Mack also believes that there may be a dissonance between what CRT wants to do and the way defense exports actually work. "There are differences between Israeli defense companies, and American and European companies. Israeli companies wishing to obtain licenses and work are dependent on implementation of Ministry of Defense and Ministry of Foreign Affairs policies. If, in the context of Israel's relations with a particular country, Israel has a desire to provide assistance in the field of cyber and surveillance, it is the private companies that will provide those services. If an Israeli company says it is not interested in working in a certain place, that may harm its chances in places where it does want to work, because the Ministry of Defense may prefer to work with companies that are willing to help."

The Ministry of Defense stated in response that "Israel’s oversight policy for defense exports is constantly reviewed by the senior echelons at the Ministry of Defense and the Ministry of Foreign Affairs, and is under the supervision of the Knesset and the courts. Many considerations are taken into account in every application for a defense export license, including protection of human rights, and UN Security Council decisions, as well as political and security considerations. The Defense Export Control Agency (DECA) at the Ministry of Defense works closely with international regulatory bodies and is considered a leader in the field. "

Is this the responsibility of the companies themselves or of the regulator?

CRT anticipates that in the not-too-distant future, the protection of human rights will become binding regulation, as has happened with privacy laws. If so, does it not make sense to impose regulation on those Israeli companies whose technology may be being used in unconscionable ways?

CRT's advisers, who are familiar with the public sector, say no. According to Prof. Shmuel Hauser, "There’s always the possibility of creating another regulatory body. There’s an advantage if that entity specializes in the subject, but sometimes a new regulator has an agenda. Contrary to what people think, regulators don’t like to stick their heads into companies and say 'Let's impose more rules on you.'"

Former State Comptroller Yosef Shapira says, "I liked Cobwebs’ willingness to correct the deficiencies we found. At the State Comptroller’s Office we also had a special department for monitoring the correction of deficiencies pointed out by the State Comptroller. If the entity itself investigates the facts and examines how deficiencies were corrected - is that enough or should the process continue? What we do is basically like an audit report with correction of defects, and without any making allowances, even though it's a private business."

Former Supreme Court Justice Jubran says, "The lack of explicit legislation in a particular area does not mean a lawless world. The activities of technology companies will be examined according to general legal principles such as good faith, fairness, human rights, privacy, public policy, etc. The message is clear: 'Managers, entrepreneurs, and investors - do not wait for a lawsuit or regulatory investigation. Because it may be too late. Take a proactive approach to self-regulation.'"

CRT (CyberRighTech)

Helps companies avoid conflicts between the use of technology and human rights by formulating general rules and procedures that comply with international rules.

Founded in late 2019 by Eli Mersel, former director general of the State Comptroller's Office, and Dr. Matan Gutman, former chief of staff at the State Comptroller's Office

Senior advisers formerly in the public sector: Retired judge Yosef Chaim Shapira; retired Supreme Court justice Salim Joubran; Prof. Shmuel Hauser, former chairman of the Israel Securities Authority and Senior Vice President at ONO Academic College

The company has not raised external capital.

Published by Globes, Israel business news - en.globes.co.il - on August 16, 2020

© Copyright of Globes Publisher Itonut (1983) Ltd. 2020

Standing: CRT founders Elie Mersel and Matan Guttman. Sitting: consultants Yosef Shapira and Shmuel  / Photo: Cadya Levy, Globes
Standing: CRT founders Elie Mersel and Matan Guttman. Sitting: consultants Yosef Shapira and Shmuel / Photo: Cadya Levy, Globes
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018