Big Tech Supporting Blacklisted Surveillance Companies

In October 2019, the U.S. government blacklisted 28 Chinese companies due to alleged human rights abuses in Xinjiang, northwest China.

Specifically, the companies added to the Industry and Security Bureau’s “Entity List” were accused of “human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high technology surveillance against the Uighurs, Kazakhs, an other members of the Muslim minority groups” in the region.

Their addition to the list dramatically restricts American companies’ ability to trade with the Chinese companies.

Our investigation throws a spotlight on the corporate relationships between these businesses and US companies. We looked at who is providing the core web services required to operate the websites of not only the newly-blacklisted Chinese surveillance companies but also a number of other highly controversial surveillance companies around the world.

Not only are US companies working with controversial Chinese companies, they are also helping the notorious NSO Group, as well as 16 other companies that have faced allegations of human rights abuses, stay online.

Through providing essential web services to these controversial companies, US firms are playing a part in the proliferation of highly invasive surveillance products that have the potential to undermine human rights around the world.

Specifically, we reveal which US companies provide the following services for each surveillance company:

• Web hosting
• Content Delivery Network (CDN)
• Email hosting
• SSL certificate
• Name server
• Content Management System (CMS)

Proponents of increased surveillance have claimed that it has the potential to improve public safety. However, several studies have shown that these sophisticated surveillance technologies have also been used to enable human rights abuses in China.

In Xinjiang, a complex web of surveillance measures has supported the forced imprisonment of an estimated 1 million predominantly Muslim ethnic groups, including the Uighurs.

Despite the Trump administration’s efforts to decouple the American and Chinese technology sectors, the continued presence of American companies in more discreet settings shows that cooperation between the two remains.

Dahua Technology

Headquarters: Hangzhou, China

Core Business:

• Dahua Technology is a leading provider of audio-video surveillance technology.
• State-run Central Huijin Investment has a 1% stake in the company.
• The company has distribution partners in over 180 countries and, in 2017, its total sales amounted to $2.89 billion.

Controversies:

• Alongside Hikvision, Dahua Technology was specifically mentioned in a letter to Trump’s top advisers in May 2019, signed by over 40 lawmakers.
• The letter cited concerns over continued US technological exports potentially assisting the Chinese government’s possible “crimes against humanity” in Xinjiang and urged for stricter export controls.
• In October 2019, Dahua’s parent company was placed on the Bureau of Industry & Security’s “Entity List”, after it was determined to be “acting contrary to the foreign policy interests of the United States.”
• Dahua released a statement in response to the US’s decision, arguing that it “lacked any factual basis”.
• However, the widespread crackdown in the province alongside increased surveillance capabilities have led many to suspect that new technologies have been critical in enabling human rights abuses.

“China’s goal is to use these technologies to suppress dissent, and to predict and snuff out any challenge to the ruling Communist Party’s grip on power. In Xinjiang, surveillance is part of a policy of cultural genocide” – Washington Post

Hikvision

Headquarters: Hangzhou, China

Core Business:

• Hikvision is one of the world’s largest suppliers of video surveillance and security products.
• It supplies hundreds of government-led surveillance projects in China’s major cities such as Shanghai and Hangzhou, and together with Dahua Technology, represents one third of the world’s global market for surveillance technology.
• The international surveillance company also has a large presence across America.

“In July 2018, the company allegedly sold authorities around 1,000 facial recognition cameras to be strategically placed in mosques in Xinjiang province – The Financial Times.

Controversies:

• In July 2018, the company sold authorities around 1,000 facial recognition cameras to be strategically placed in mosques in Xinjiang province.
• The company was accused of openly marketing facial recognition technology that could identify Uighurs. Hikvision declined to comment and the webpage was swiftly removed from their website.
• Hikvision is among the companies named on the US Industry and Security Bureau’s ‘Entity List’.

Huawei

Headquarters: Shenzhen, China

Core Business:

Huawei is a multinational technology company that specialises in telecommunications infrastructure and consumer devices. It has faced controversy due to its potential links to the Chinese state and its prominent role in the roll-out of 5G networks worldwide.

Controversies:

• Huawei is notorious for accusations of being a “gateway for China to spy on Western nations.”
• US officials have been actively lobbying foreign governments against the implementation of Huawei technology into their national 5G infrastructure.
• A cross-party group of US senators wrote a letter to British MPs earlier this year that issued a stark warning of “significant security, privacy and economic threats” should Huawei be allowed access to the country’s 5G mobile network, possibly placing transatlantic intelligence sharing at risk.
• Six key officials in the US delegation allegedly found that “Chinese spies, working for the People’s Liberaiton army, also worked simultaneously for Huawei – and that the company ‘had played a role’ in supporting the ‘re-education camps’ for the country’s Muslim Uighur minority.”

iFlytek

Headquarters: Hefei, China

Core Business:

Specializes in voice recognition AI solutions and also offers services analyzing legal documentation and medical imagery.

Controversies:

• Added to the US Department of Commerce “Entity List” in October 2019.
• A key source of revenue has been local police bureaus and local governments. In 2016, the company was accused of selling their technology to police bureaus in Xinjiang.
• iFlytek has been at the center of multiple reports for allegedly providing voice recognition technology that has been used by the government for the oppression of ethnic minorities.
• Human Rights Watch claims that the Chinese government has been working alongside iFlytek to produce a national biometric “voice pattern” database. HRW describes iFlytek as producing 80% of all speech recognition in China, alleging that the company promoted themselves on their website – before removing it – as being the first to establish a “mass automated voice recognition and monitoring system.”

Megvii

Headquarters: Beijing, China

Core Business:

• Backed by Alibaba Group Holding, Megvii is a Chinese AI giant that specializes in image recognition and deep learning software.
• Megvii’s facial recognition technology is known as “Face++” and has been used by over 300,000 popular Chinese app developers such as Meitu and payment platform Alipay.

Controversies:

• Added to the US technology blacklist in October 2019 citing the company’s alleged role in aiding the Xinjiang surveillance state.
• Goldman Sachs was scheduled to be involved in the company’s initial public offering. However, the investment bank later revised its position after Megvii were placed on the US ‘Entity List’.
• The company says it has received funding from the Australian investment bank, Macquarie Group, as well as a wholly owned subsdiary of Abu Dhabi Investment Authority.

SenseTime

Headquarters: Hong Kong

Core Business:

• SenseTime is one of the world’s most valuable AI start-ups, backed by e-commerce giant Alibaba and heavily supported by the Chinese government who has vowed to turn their national AI market into a $150 billion industry by 2030.
• The company provides software to police enforcement to help them identify faces, crowd movement and vehicles in real-time.

Controversies:

• Sensetime CEO Xu Li said in 2018 that 30% of SenseTime’s clients were “government-related.”
• Months before the US Department of Commerce’s ban, SenseTime had already come under intense scrutiny with reports alleging SenseTime’s presence in Xinjiang province.
• The company was found to be a supplier of surveillance technology to officials in Xinjiang, where ethnic minorities were being mass-surveilled, detained, and held in “re-education camps”.
• Microsoft, shortly after, quietly deleted their database dubbed “MS Celeb” which contained data of around 10 million faces. This data set was being used for facial recognition training by militaries around the world and Chinese AI giants such as SenseTime and Megvii.

Xiamen Meiya Pico Information Co

Headquarters: Fujian, China

Core Business:

• The company, also known as Meiya Pico, is principally involved in “digital forensics and cybersecurity in China”. With over 1,800 staff, it “provides solutions and services for law-enforcement and government organizations all over the world.”
• They describe their digital forensic services as identification, extraction and evidence analysis from digital media sources

Controversies:

• Meiya Pico’s MFSocket software was the focus of reports that “Chinese police are installing intrusive data-harvesting software on ordinary citizens’ smartphones” during random security checks. The software provides police with access to images/audio files, location data, call logs, messages and the user’s calendar and contacts.
• Concerns were raised over how the software developed by Meiya Pico may be used in Xinjiang province, after several Chinese netizens took to social media to re-account the software being forcefully installed onto their cell phones.
• Meiya Pico was shortly added to the US ‘Entity List’ in October 2019. The company responded by stating that “overseas sales revenue is small, mainly covers the countries along the “Belt & Road”… The inclusion of the entity list will not have a real impact on the company’s daily operations.”

Yitu Technology

Headquarters: Shanghai, China

Core Business:

Yitu Technology is largely known for their facial scanning platform “Dragon Eye System”. It can identify someone from a vast database of 2 billion within seconds.

Controversies:

• The company’s software was used by local police to identify residents of Chinese city Sanmenxia over 500,000 times in a single month. The software’s code contained tags suggesting ethnic profiling of Uighurs.
• As many as 24 police bureaus across 16 provinces have sought out Yitu’s profiling technology since 2018.
• Yitu Technologies was added to the US “Entity List” in October 2019, due to its alleged assistance in China’s architecture of control against ethnic minorities.

Yixin Science and Technology

Headquarters: Beijing, China

Core Business:

Yixin Science and Technology, amongst China’s leading artificial intelligence firms, is a security system developer and nanotechnology start-up based in Beijing.

Controversies:

• Yixin Science and Technology was categorized amongst the other 28 additions to the Department of Commerce’s “Entity List” October 7th. The company is alleged to be implicated in human rights violations through the use of high-technology surveillance for the identification and detention of Muslim minority groups in China.
• The company was also found to be the provider of wireless surveillance systems to the government, to “monitor for terrorist attacks” during the 2008 Beijing Olympics.

AnyVision

Headquarters: Holon, Israel

Core Business:

• AnyVision is an AI firm that specializes in surveillance solutions for private customers as well as law enforcement agencies.
• Their website offers real-world applications for face, body and object recognition, touting “real-time, actionable analytics.”

Controversies:

• Anyvision reportedly provided Israeli intelligence services with technology that had been purposed for a covert surveillance program targeting Palestinians in the West Bank.
• Anyvision initially strongly denied the alleged claims and company CEO Eylon Etshtein was cited by reporters as claiming that Anyvision was “the most ethical company known to man.”
• The company revised its position on the damning reports, stating that “As a private company, we are not in a position to speak on behalf of any country, company or institution” as it came to light that earlier that year the company had confirmed the use of their technology at military checkpoints along the military borders with the occupied territories.
• Microsoft launched an audit of the company in November 2019, as it participated in a $74 million funding round for Anyvision earlier that year. Microsoft later announced it had withdrawn all investment from AnyVision.

NSO

Headquarters: Herzelia, Israel

Core Business:

• NSO Group Technologies is a spyware provider, most known for its Pegasus software that has the ability to capture the contents of a targets’ phone, including encrypted messages in plain text, through remote access.
• The company claims to create “technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe” by allowing “government intelligence and law enforcement agencies to use technology to meet the challenges of encryption.”

Controversies:

• The NSO Group has faced multiple accusations that its invasive Pegasus spyware has been used by oppressive regimes to spy on private conversations between innocent civilians, especially targeting journalists and human rights activists.
• The company faces numerous lawsuits and is reportedly being investigated by the FBI for hacking American citizen’s cell phones and intelligence gathering on government personnel.
• A notable complainant is a Saudi dissident who alleges that his conversations with Jamal Kashoggi were intercepted by the Pegasus software.
• WhatsApp also is pursuing the NSO in a US court and claim that the company’s spyware gave rise to the hack of 1,400 of its users in 2019.
• NSO maintains that its technology does not have the ability to target US phone numbers, however some cybersecurity experts have challenged that.

Mem3nto Labs

Headquarters: Milan, Italy

Core Business:

Mem3nto Labs primarily specialize in research and development for cyber intelligence solutions and their company mission is the “development of advanced tools and solutions to outperform in the Hybrid warfare era.

Controversies:

• Mem3nto Labs has ties to notorious company Hacking Team, which had a global business based their Remote Control System (RCS) technology.
• RCS was sold to numerous governments, with a clientele inclusive of the world’s most oppressive dictatorships who allegedly used the technology to target human rights activists and journalists.
• Almost five years since the company’s activities were exposed, founder Paolo Lezzi purchased Hacking Team and merged it with his own company to form Mem3nto Labs, in the hopes to revive the disgraced company.
• Mem3nto’s KRAIT system allows users to “attack any Android device and leave no traces,” providing full control over the end-device.

“These products are a match made in heaven for human rights abusers, who are looking for tools to attack an increasingly vigilant civil society.” – Bill Marczak, Citizen Lab

• RCS X, Mem3nto’s flagship spyware product is the latest version of Hacking Group’s RCS, offering the “invisible” infection of “99% of the most used platforms in the world.”

FindFace

Headquarters: Moscow, Russia

Core Business:

Findface is facial recognition technology based on AI and neural networks developed by Russian company NTechLab. They provide services for the Russian state as well as the private sector.

Controversies:

• The company boasts the ability to perform real-time facial recognition in a split-second, supported by a database of over 1.5 billion entries.
• Findface is notorious for being the product that could bring an end to public anonymity, following its launch as an app in the mid 2010s. The app enabled photographs taken by users to be matched against images on popular Russian social media network site Vkontakte (VK).
• The app has since been shut down as the company pivoted to offering services to government agencies as their main source of revenue.
• Earlier this year, the company revealed that it has secured a 200 million rouble contract with the Russian Department of Technology for a roll-out of this technology across Moscow. This capability, combined with Russia’s poor human rights record, has caused heightened privacy fears in Russia.

Vision Labs

Headquarters: Amsterdam, The Netherlands

Core Business:

• VisionLabs is a “team of Computer Vision and Machine Learning experts” specializing in products and solutions in facial recognition, augmented and virtual reality.
• VisionLabs moved its headquarters from Russia to the Netherlands, “to ensure further successful growth” according to the company’s founder, Alexander Khanin.

Controversies:

• Their primary software, dubbed “Luna”, allows users to “verify and identify customers instantly” based on a database of photos and video images. They apply this software to their Smart city projects to collect and analyze data from surveillance cameras.
• VisionLab’s other major technology, Face_IS, was created to controversially allow retailers to make personalized and targeted ads to customers whose faces have been recognized.
• Russia’s two leading facial recognition companies, VisionLabs and NTechLab, have recently been linked to the deployment of mass facial recognition programmes across Russia.
• The company receives help from major state-owned companies such as Sberbank, who purchased 25% of VisionLabs in 2017, and plays a huge role in the expansion of the Russian surveillance apparatus.

“At first the Moscow authorities said it was strictly about public safety… but now they’re not even hiding what it’s all about – they want to use it to track and identify protestors,” Moscow lawyer and human rights activist Sarkis Darbinyan

Mollitiam Industries

Headquarters: Toledo, Spain

Core Business:

• Mollitiam describes its services as the “development of solutions and software technology, cybersecurity and cyberdefense.”
• The company offers authorities access to tools that capture information from networks and other sources in order to generate intelligence which can be used as a basis for decision making.

Controversies:

• Reporters Without Borders recently included Mollitiam Industries in their 20/2020 List of Press Freedom’s Digital Predators report for selling its surveillance technology to the Colombian armed forces, who used it to illegally spy on politicians, supreme court judges, journalists and journalists’ sources.
• Social media monitoring solutions have been identified as a key cause in the decline of internet freedoms in 2019.

ClearView

Headquarters: New York, US

Core Business:

In the company’s own words, “Clearview AI is a new research tool used by law enforcement agencies to identify perpetrators and victims of crimes.”

Controversies:

• Clearview gained widespread attention for the facial recognition app they built, which can identify anyone within a database of more than 3 billion photos lifted from major social media platforms.
• Leaked documents emerged which suggested that Clearview had been selling this service to over 2,200 law enforcement agencies from 27 countries.
• Despite Clearview CEO Hoan Ton’s claims that their services were “strictly for law enforcement”, the leaked documents also revealed that they had been selling their services to a wider range of clients, including ICE, Macy’s, Walmart and the NBA.
• The company faced wide criticism as the act of scraping such images and selling them was in breach of the terms of service of the social media platforms’ from where the photos were taken.

Zerodium

Headquarters: Washington, D.C., US

Core Business:

Zerodium is a US startup, which offers bounties for hackers to access rare vulnerabilities in operating systems, web browsers and mobile phones named “zero-days” which remain unknown to the company which would patch them.

Controversies:

• Details of Zerodium’s ventures remain murky as founder, Chauki Bekrar, declines to say whether such exploits are sold to intelligence agencies around the world as a surveillance tool, as opposed to the vendor or company of the vulnerable system.
• In 2016, Zerodium announced a bug bounty of $1.5 million for a zero-day exploit of Apple’s new iOS 10. This was an increase of 50% from previous year’s bounty of 1 million.
• This came as Apple’s iOS was widely being featured in the news due to the company’s public dispute with the FBI.
• Bekrar’s companies have been criticised as doing controversial work that privacy advocates argue “contribute to the spread of cyberwar and wrongful surveillance.”
• Zerodium now offers $2.5 million per submission.
• The company is also on Reporters Without Borders’ list of digital privacy abusers.

ZTE Corp.

Headquarters: Shenzhen, China

Core Business:

ZTE is a Chinese telecom and information technology giant providing its services to consumers, carriers, businesses and government from “over 160 countries around the world.”

Controversies:

• Similar to Huawei, the company has faced intense scrutiny over surveillance fears due to its close ties to the Chinese government.
• ZTE was exposed for illegally exporting American technology to North Korea and Iran in 2017, violating economic sanctions imposed by the Trump administration.
• The company was placed under a trade ban for 7 years by the Department of Commerce in April 2018 when the company failed to hold involved employees to account. In addition, the company was fined a record-breaking $1.19 billion for export control violations.
• ZTE was taken off the US “Entity List” in July 2018 after the company conceded to paying additional fines and making substantial changes to their management team.
• While the ban has now been lifted, we have found that the web services provided by NTT America (Hosting: Nov 2014 – April 2019), Amakai (Hosting: May 2014 – July 2018), COM.CN DNS (Name Server: May 2014 – May 2014) and Sitecore (CMS: May 2016 – Dec 2019) all supported ZTE’s website throughout the duration of the ban.

The day after we first published this report, the US Department of Commerce announced the addition of 33 new organizations to its blacklist on 22 May.

These new inclusions were announced in two distinct groups:

• 24 Chinese governmental and commercial organizations with ties to WMD and military activities
• Nine Chinese entities related to human rights abuses in the Xinjiang Uighur Autonomous Region

The nature of these new companies is very different to those we analyzed in the main body of this report. Rather than slick multinational companies, such as Huawei or Hikvision, the fresh inclusions are typically much smaller organizations. Most are specialized manufacturers with minimal online presence, or research organizations.

As a result, the websites we analyzed were unsurprisingly often very basic and lacking in the latest web technology.

Only one newly blacklisted company had significant support from a US web service provider, while a further six had limited support in the form of SSL certification from a US provider.

• Cloudmind: GoDaddy (Web Hosting, CDN, SSL Certification)
• Beijing Computational Science Research Center – DigiCert SSL (SSL Certification)
• Harbin Institute of Technology – DigiCert SSL (SSL Certification)
• CloudWalk Technology – DigiCert SSL (SSL Certification)
• NetPosa – DigiCert SSL (SSL Certification)
• SenseNets (Subsidary of NetPosa) – DigiCert SSL (SSL Certification)
• Intellifusion – DigiCert SSL (SSL Certification)

The surveillance companies included in our investigation were selected on the basis of their inclusion on the US Entity List, or if they had been embroiled in recent public controversy regarding the nature and application of their surveillance products.

We identified the providers of the essential web services that power these companies’ websites, using a combination of public tools, such as builtwith.com, examining the source code of websites and analysing their HTTP traffic.

We only included those where some kind of active relationship was involved, ignoring the use of products such as Operating Systems or open source platforms for example.

About Top10VPN.com

We specialize in testing and reviewing VPN services. We recommend the best VPNs to our readers in order to help them safeguard their online privacy and security. We also carry out in-depth research and investigations into digital rights and security risks that affect the general public.

Additional research by Christine O’Donnell