Blue Coat Appliances Used by Governments to Monitor, Censor Web Traffic

After the discovery that Syria used Blue Coat Systems technology to censor and monitor dissidents, a group of researchers find 61 government networks using the same systems.

A group of researchers urged the United States and the international community to take a close look at technology companies that provide network-filtering appliances to repressive regimes, after an Internet scan showed that 61 countries use one maker's hardware to block or monitor communications.

On Jan. 16, a human-rights-focused technology group at the University of Toronto, known as The Citizen Lab, published a report analyzing Internet data for signs of network appliances built by security and infrastructure firm Blue Coat Systems. The interest in the Sunnyvale, Calif. company followed a 2011 investigation by hacktivists and researchers that found its appliances being used by the Syrian government to monitor and censor its domestic opposition.

The company's products are widely used by governments with known interest in censoring or monitoring their citizens, including China, Egypt, Russia and Venezuela, according to the report.

"The point is not to demonize this technology, but to create a broader discussion about these types of technologies," said Morgan Marquis-Boire, lead technical researcher for the Citizen Lab, which is part of the UT's Munk School of Global Affairs.

The investigation found the devices in 61 countries—including nations in the Gulf Cooperation Council, which favors censoring certain types of Internet content, and in Lebanon, Turkey and Malaysia.

In 2011, researchers discovered that network-infrastructure appliances made by Blue Coat Systems and Network Appliance, which had been sold to a company in the United Arab Emirates, had been trans-shipped to Syria. Extensive logs from the devices, obtained by hacktivists, showed that Syria used the devices to censor and monitor activists. The U.S. government added the company and individuals responsible for delivering the devices to Syrian officials to the Entity List, a compilation of individuals and groups that act against the United States and are prohibited from receiving U.S. products.

"We believe that these logs were obtained by hacking into one or more unsecured third-party servers where the log files were exported and stored," Blue Coat Systems said in a statement at the time. "We have verified that the logs likely were generated by [Blue Coat] ProxySG appliances and that these appliances have IP addresses generally assigned to Syria. We do not know who is using the appliances or exactly how they are being used."

Blue Coat and NetApp devices are considered "dual-use" technologies: They are capable of being used to defend networks, while at the same time, posing the threat of censoring and monitoring individuals. Perhaps the most well-known dual-use digital technology is encryption, the focus of a protracted legal battle between the U.S. and technology companies in the 1990s.

Because the widespread use of encryption can help protect dissidents, most digital-rights activists protested limits on the export of encryption. In the current battle, however, human-rights activists instead support a debate on limiting the use of networking hardware capable of inspecting and blocking traffic.

"One of the key goals of the debates surrounding dual-use technologies is to determine a method of crafting effective controls on such technology that simultaneously limit its sale and deployment for purposes that negatively impact human rights, while protecting those uses that serve legitimate purposes and result in benefits to society," the Citizen Lab report stated.

There is no easy solution to the problem because many countries have legitimate uses for the technology and nations are typically loath to pass judgment on their peers. Instead, the best solution may be for companies to become good corporate citizens and know their customers, said Marquis-Boire.

"Ethical corporate behavior is a pretty mainstream idea these days," he said. "I don't see why a minimum standard of good corporate behavior cannot be expected these days. If the minimum standard is that we won't sell to anyone not explicitly banned—that's a pretty low bar."