U.S. Firms Providing Web Hosting & Other Core Website Support to Blacklisted Surveillance Companies

In October 2019, the U.S. government blacklisted 28 Chinese surveillance tech companies due to alleged human rights abuses in Xinjiang, northwest China.^[1]

The dramatically restricts American companies’ ability to legally trade with them.

This investigation aims to shine a spotlight on the corporate relationships between these surveillance companies and US firms that would otherwise go publicly unrecorded.

We identified who has been providing the essential web services required to operate the websites of the newly-blacklisted Chinese surveillance companies. We did the same for a number of other highly-controversial surveillance companies around the world.

Why did we publish this research? Our belief is that it’s in the public interest for consumers to be made aware of how U.S. big tech is doing business with companies whose intrusive surveillance technology is involved an ongoing human rights abuses, along with various breaches of our digital rights.

Not only are U.S. companies working with controversial Chinese firms, they are also helping the notorious NSO Group, as well as 16 other companies that have faced allegations of human rights abuses, stay online.

Through providing essential web services to these controversial companies, US firms are playing a part in the proliferation of highly invasive surveillance products that have the potential to undermine human rights around the world.

Specifically, we reveal which US companies provide the following services for each surveillance company:

• Web hosting
• Content Delivery Networks (CDN)
• Email hosting
• SSL certificates
• Name server
• Content Management System (CMS)

For more information on what these services involve, jump to our core web services explainer section.

Dahua Technology

Headquarters: Hangzhou, China

Core Business:

• Dahua Technology is a leading provider of audio-video surveillance technology.
• It is partially state-owned due to stakes held by Central Huijin Investment (1%), China Galaxy Securities (1.82%) and China Mobile (10.42%).

Controversies:

• Alongside Hikvision, Dahua Technology was specifically mentioned in a letter to the U.S. president’s top advisers in May 2019, signed by over 40 lawmakers.^[2]
• In October 2019, Dahua’s parent company was placed on the Bureau of Industry & Security’s “Entity List”, after it was determined to be “acting contrary to the foreign policy interests of the United States.”
• Dahua released a statement in response to the US’s decision, arguing that it “lacked any factual basis”.

Hikvision

Headquarters: Hangzhou, China

Core Business:

• Hikvision is one of the world’s largest suppliers of video surveillance and security products.
• Together with Dahua Technology, it represents one third of the world’s global market for surveillance technology.^[3]

Controversies:

• In July 2018, the company sold authorities around 1,000 facial recognition cameras to be strategically placed in mosques in Xinjiang province.^[4]
• The company was accused of openly marketing facial recognition technology that could identify Uighurs.^[5] Hikvision declined to comment and the webpage was swiftly removed from their website.
• Hikvision is among the companies named on the US Industry and Security Bureau’s ‘Entity List’.

Huawei

Headquarters: Shenzhen, China

Core Business:

Huawei is a multinational technology company that specializes in telecommunications infrastructure and consumer devices. It has faced controversy due to its potential links to the Chinese state and its prominent role in the roll-out of 5G networks worldwide.

Controversies:

• Huawei is notorious for accusations of being a “gateway for China to spy on Western nations.”^[6]
• US officials have been actively lobbying foreign governments against the implementation of Huawei technology into their national 5G infrastructure.^[7]

iFlytek

Headquarters: Hefei, China

Core Business:

Specializes in voice recognition AI solutions and also offers services analyzing legal documentation and medical imagery.

Controversies:

• Added to the US Department of Commerce “Entity List” in October 2019.^[1]
• iFlytek has been at the center of multiple reports for allegedly providing voice recognition technology that has been used by the government for the oppression of ethnic minorities.^[8][9]

Megvii

Headquarters: Beijing, China

Core Business:

• Backed by Alibaba Group Holding, Megvii is a Chinese AI giant that specializes in image recognition and deep learning software.
• Megvii’s facial recognition technology is known as “Face++” and has been used by over 300,000 popular Chinese app developers such as Meitu and payment platform Alipay.

Controversies:

• Added to the US technology blacklist in October 2019.^[1]
• Goldman Sachs was scheduled to be involved in the company’s initial public offering. However, the investment bank later revised its position after Megvii were placed on the US ‘Entity List’.^[20]

SenseTime

Headquarters: Hong Kong

Core Business:

• SenseTime is one of the world’s most valuable AI start-ups,^[11] backed by e-commerce giant Alibaba and heavily supported by the Chinese government.
• The company provides software to police enforcement to help them identify faces, crowd movement and vehicles in real time.

Controversies:

• Sensetime CEO Xu Li said in 2018 that 30% of SenseTime’s clients were government-related.
• Months before the US Department of Commerce’s ban, SenseTime had already come under intense scrutiny with reports alleging SenseTime’s presence in Xinjiang province.^[12][13]

Xiamen Meiya Pico Information Co

Headquarters: Fujian, China

Core Business:

• The company, also known as Meiya Pico, is principally involved in “digital forensics and cybersecurity in China”.^[14]
• The firm describes its digital forensic services as identification, extraction and evidence analysis from digital media sources

Controversies:

• Meiya Pico’s MFSocket software was the focus of reports that “Chinese police are installing intrusive data-harvesting software on ordinary citizens’ smartphones” during random security checks.^[15][16] The software provides police with access to images/audio files, location data, call logs, messages and the user’s calendar and contacts.
• Meiya Pico was added to the US ‘Entity List’ in October 2019.

Yitu Technology

Headquarters: Shanghai, China

Core Business:

Yitu Technology is largely known for their facial scanning platform “Dragonfly Eye System”.^[9] It can identify someone within seconds from a vast database of 2 billion records.

Controversies:

• The company’s software was used by local police to identify residents of Chinese city Sanmenxia over 500,000 times in a single month.^[17] The software’s code contained tags suggesting ethnic profiling of Uighurs.
• Yitu Technologies was added to the US “Entity List” in October 2019.

Yixin Science and Technology

Headquarters: Beijing, China

Core Business:

Yixin Science and Technology, among China’s leading artificial intelligence firms, is a security system developer and nanotechnology start-up based in Beijing.

Controversies:

• Yixin Science and Technology was categorized among the other 28 additions to the Department of Commerce’s “Entity List” on October 7th.^[18]
• The company was also found to be the provider of wireless surveillance systems to the government during the 2008 Beijing Olympics.^[19]

AnyVision

Headquarters: Holon, Israel

Core Business:

• AnyVision is an AI firm that specializes in surveillance solutions for private customers as well as law enforcement agencies.^[20]

Controversies:

• Anyvision reportedly provided Israeli intelligence services with technology that had been purposed for a covert surveillance program targeting Palestinians in the West Bank.^[21]
• Microsoft launched an audit of the company in November 2019, as it participated in a $74 million funding round for Anyvision earlier that year.^[22] Microsoft later announced it had withdrawn all investment from AnyVision.^[23]

NSO

Headquarters: Herzelia, Israel

Core Business:

• NSO Group Technologies is a spyware provider, most known for its Pegasus software that has the ability to capture the contents of a targets’ phone, including encrypted messages in plain text, through remote access.

Controversies:

• The NSO Group has faced multiple accusations that its invasive Pegasus spyware has been used by oppressive regimes to spy on private conversations between innocent civilians,^[24] especially targeting journalists and human rights activists.
• The company faces numerous lawsuits and is reportedly being investigated by the FBI for hacking American citizens’ cell phones and intelligence gathering on government personnel.^[25]
• WhatsApp also is pursuing the NSO in a US court and claim that the company’s spyware gave rise to the hack of 1,400 of its users in 2019.^[26]

Mem3nto Labs

Headquarters: Milan, Italy

Core Business:

Mem3nto Labs primarily specializes in research and development for cyber intelligence solutions and its company mission is the “development of advanced tools and solutions to outperform in the Hybrid warfare era.”^[27]

Controversies:

• Mem3nto Labs has ties to notorious company Hacking Team, which had a global business based their Remote Control System (RCS) technology.^[28]
• Almost five years since the company’s activities were exposed, founder Paolo Lezzi purchased Hacking Team and merged it with his own company to form Mem3nto Labs, in the hopes to revive the disgraced company.^[29]
• Mem3nto’s KRAIT system allows users to “attack any Android device and leave no traces,” providing full control over the end-device.

FindFace

Headquarters: Moscow, Russia

Core Business:

Findface is facial recognition technology based on AI and neural networks developed by Russian company NTechLab. They provide services for the Russian state as well as the private sector.^[30]

Controversies:

• The company boasts the ability to perform real-time facial recognition in a split-second, supported by a database of over 1.5 billion entries.^[31]
• Earlier this year, the company revealed that it has secured a 200 million rouble contract with the Russian Department of Technology for a roll-out of this technology across Moscow.^[32]

Vision Labs

Headquarters: Amsterdam, The Netherlands

Core Business:

• VisionLabs is a “team of Computer Vision and Machine Learning experts” specializing in products and solutions in facial recognition, augmented and virtual reality.^[33]

Controversies:

• The company’s primary software, dubbed “Luna”, allows users to “verify and identify customers instantly” based on a database of photos and video images.^[34] VisionLabs applies this software to its Smart city projects to collect and analyze data from surveillance cameras.
• VisionLab’s other major technology, Face_IS, was created to controversially allow retailers to make personalized and targeted ads to customers whose faces have been recognized.

Mollitiam Industries

Headquarters: Toledo, Spain

Core Business:

• Mollitiam describes its services as the “development of solutions and software technology, cybersecurity and cyberdefense.”^[35]

Controversies:

• Reporters Without Borders recently included Mollitiam Industries in its 20/2020 List of Press Freedom’s Digital Predators report for selling its surveillance technology to the Colombian armed forces, who used it to illegally spy on politicians, supreme court judges, journalists and journalists’ sources.
• Social media monitoring solutions have been identified as a key cause in the decline of internet freedoms in 2019.

ClearView

Headquarters: New York, US

Core Business:

In the company’s own words, “Clearview AI is a new research tool used by law enforcement agencies to identify perpetrators and victims of crimes.”^[36]

Controversies:

• Clearview gained widespread attention for its facial recognition app, which can identify anyone within a database of more than 3 billion photos lifted from major social media platforms.^[37]
• The company faced widespread criticism as the act of scraping such images and selling them was in breach of the terms of service of the social media platforms from where the photos were taken.

Zerodium

Headquarters: Washington, D.C., US

Core Business:

Zerodium is a US startup, which offers bounties for hackers to access rare vulnerabilities in operating systems, web browsers and mobile phones named “zero-days” which remain unknown to the company which would patch them.

Controversies:

• Details of Zerodium’s ventures remain murky as founder, Chauki Bekrar, declines to say whether such exploits are sold to intelligence agencies around the world as a surveillance tool, as opposed to the vendor or company of the vulnerable system.^[38]
• Bekrar’s companies have been criticized for doing controversial work that privacy advocates argue “contribute to the spread of cyberwar and wrongful surveillance.”^[39]
• The company is also on Reporters Without Borders’ list of digital privacy abusers.^[40]

ZTE Corp.

Headquarters: Shenzhen, China

Core Business:

ZTE is a Chinese telecom and information technology giant providing its services to consumers, carriers, businesses and government from “over 160 countries around the world.”^[41]

Controversies:

• Similar to Huawei, the company has faced intense scrutiny over surveillance fears due to its close ties to the Chinese government.
• The company was placed under a trade ban for seven years by the Department of Commerce in April 2018 when the company failed to hold employees involved in illegal exports to Iran and North Korea to account. In addition, the company was fined a record-breaking US$1.19 billion for export control violations.^[42]
• While the ban has now been lifted, we have found that the web services provided by NTT America (Hosting: Nov 2014 – April 2019), Akamai (Hosting: May 2014 – July 2018), COM.CN DNS (Name Server: May 2014 – May 2014) and Sitecore (CMS: May 2016 – Dec 2019) all supported ZTE’s website throughout the duration of the ban.

The day after we first published this report, the US Department of Commerce announced the addition of 33 new organizations to its blacklist on 22 May.^[43]

These new inclusions were announced in two distinct groups:

• 24 Chinese governmental and commercial organizations with ties to WMD and military activities
• Nine Chinese entities related to human rights abuses in the Xinjiang Uighur Autonomous Region<

The nature of these new companies is very different to those we analyzed in the main body of this report. Rather than slick multinational companies, such as Huawei or Hikvision, the fresh inclusions are typically much smaller organizations. Most are specialized manufacturers with minimal online presence, or research organizations.

As a result, the websites we analyzed were unsurprisingly often very basic and lacking in the latest web technology.

Only one newly blacklisted company had significant support from a US web service provider, while a further six had limited support in the form of SSL certification from a US provider.

• Cloudmind:^[44] GoDaddy (Web Hosting, CDN, SSL Certification)
• Beijing Computational Science Research Center:^[45] DigiCert SSL (SSL Certification)
• Harbin Institute of Technology:^[46] DigiCert SSL (SSL Certification)
• CloudWalk Technology:^[47] DigiCert SSL (SSL Certification)
• NetPosa:^[48] DigiCert SSL (SSL Certification)
• SenseNets (Subsidary of NetPosa):^[49] DigiCert SSL (SSL Certification)
• Intellifusion:^[50] DigiCert SSL (SSL Certification)

The digital surveillance companies included in our investigation were selected on the basis of their inclusion on the US Entity List, or if they had been embroiled in recent public controversy regarding the nature and application of their digital surveillance products.

We identified the providers of the essential website services that power these companies’ websites, using a combination of public tools, such as builtwith.com, examining the source code of websites and analysing their HTTP traffic.

We only included those where some kind of active relationship was involved, ignoring the use of products such as Operating Systems or open source platforms for example.

About Top10VPN.com

We specialize in testing and reviewing VPN services. We recommend the best VPNs to our readers in order to help them safeguard their online privacy and security. We also carry out in-depth research and investigations into digital rights and security risks that affect the general public.

Additional research by Christine O’Donnell

^{[1] https://www.federalregister.gov/documents/2019/08/21/2019-17921/addition-of-certain-entities-to-the-entity-list-and-revision-of-entries-on-the-entity-list ↩}

^{[2] https://www.cnbc.com/2019/05/22/us-reportedly-considering-blacklisting-chinas-hikvision.html ↩}

^{[3] https://www.bloomberg.com/news/articles/2019-05-22/china-s-hikvision-weighed-for-u-s-ban-has-probably-filmed-you ↩}

^{[4] https://www.ft.com/content/c610c88a-8a57-11e8-bf9e-8771d5404543 ↩}

^{[5] https://ipvm.com/reports/hikvision-uyghur ↩}

^{[6] https://www.bbc.co.uk/news/resources/idt-sh/Huawei ↩}

^{[7] https://www.ft.com/content/6853f24e-5e0e-11ea-8033-fa40a0d65a98 ↩}

^{[8] https://www.wired.com/story/mit-cuts-ties-chinese-ai-firm-human-rights/ ↩}

^{[9] https://www.cnbc.com/2019/05/16/this-chinese-facial-recognition-start-up-can-id-a-person-in-seconds.html ↩}

^{[10] https://www.cnbc.com/2019/10/09/goldman-evaluating-role-in-chinas-megvii-ipo-after-us-blacklist.html ↩}

^{[11] https://qz.com/1248493/sensetime-the-billion-dollar-alibaba-backed-ai-company-thats-quietly-watching-everyone-in-china/ ↩}

^{[12] https://www.bloomberg.com/news/articles/2019-10-09/chinese-ai-project-is-under-review-at-mit-after-u-s-blacklists-company ↩}

^{[13] https://www.ft.com/content/7d3e0d6a-87a0-11e9-a028-86cea8523dc2 ↩}

^{[14] https://web.archive.org/web/20210122230614/https://www.meiyapico.com/ ↩}

^{[15] https://www.ft.com/content/73aebaaa-98a9-11e9-8cfb-30c211dcd229 ↩}

^{[16] https://www.scmp.com/tech/start-ups/article/3017688/what-you-need-know-about-meiya-pico-chinas-low-profile-forensics ↩}

^{[17] https://www.nytimes.com/2019/04/14/technology/china-surveillance-artificial-intelligence-racial-profiling.html ↩}

^{[18] https://www.spglobal.com/marketintelligence/en/news-insights/trending/l7v_-Y5cOvD2pO4qQJJGJg2 ↩}

^{[19] https://www.bangkokpost.com/business/1771179/chinas-blacklisted-ai-firms-what-you-should-know ↩}

^{[20] https://web.archive.org/web/20200530051856/https://www.anyvision.co/ ↩}

^{[21] https://www.nbcnews.com/news/all/why-did-microsoft-fund-israeli-firm-surveils-west-bank-palestinians-n1072116 ↩}

^{[22] https://www.nbcnews.com/tech/security/microsoft-hires-eric-holder-audit-anyvision-over-use-facial-recognition-n1083911 ↩}

^{[23] https://www.cnet.com/news/microsoft-pulls-out-of-facial-recognition-startup-anyvision/ ↩}

^{[24] https://www.theguardian.com/world/2020/feb/06/uk-to-host-spyware-firm-accused-of-aiding-human-rights-abuses ↩}

^{[25] https://uk.reuters.com/article/uk-usa-cyber-nso-exclusive/exclusive-fbi-probes-use-of-israeli-firms-spyware-in-personal-and-government-hacks-sources-idUKKBN1ZT38F ↩}

^{[26] https://www.theguardian.com/world/2020/feb/04/ex-obama-official-juliette-kayyem-quits-israeli-spyware-firm-amid-press-freedom-row ↩}

^{[27] https://web.archive.org/web/20210308124246/https://www.mem3nt0.com/about.php ↩}

^{[28] https://www.technologyreview.com/2019/11/29/131803/the-fall-and-rise-of-a-spyware-empire/ ↩}

^{[29] https://www.vice.com/en_us/article/neavnm/hacking-team-new-owner-starting-from-scratch ↩}

^{[30] https://web.archive.org/web/20200522075259/https://findface.pro/en/success-stories/urban-security/ ↩}

^{[31] https://web.archive.org/web/20200524172300/https://findface.pro/en/about/ ↩}

^{[32] https://www.reuters.com/article/us-russia-technology-facialrecognition/moscow-court-case-challenges-citys-facial-recognition-use-after-launch-idUSKBN1ZU1HJ ↩}

^{[33] https://web.archive.org/web/20200703091434/https://visionlabs.ai/company/about-us ↩}

^{[34] https://venturebeat.com/2016/07/07/russian-facial-recognition-startup-visionlabs-raises-5-5m-after-partnering-with-facebook-and-google/ ↩}

^{[35] https://web.archive.org/web/20200619222053/https://www.mollitiamindustries.com/en/#etical ↩}

^{[36] https://web.archive.org/web/20200525112640/https://clearview.ai/ ↩}

^{[37] https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html ↩}

^{[38] https://www.vice.com/en_us/article/bmje7d/controversial-zero-day-exploits-seller-launches-new-premium-bug-bounty-program ↩}

^{[39] https://www.wired.com/2016/09/top-shelf-iphone-hack-now-goes-1-5-million/ ↩}

^{[40] https://rsf.org/en/news/rsf-unveils-202020-list-press-freedoms-digital-predators ↩}

^{[41] https://web.archive.org/web/20200526102231/https://www.zte.com.cn/global/about/corporate_information ↩}

^{[42] https://uk.pcmag.com/smartphones/88214/zte-will-pay-record-fine-for-sales-to-iran-north-korea ↩}

^{[43] https://www.commerce.gov/news/press-releases/2020/05/commerce-department-add-two-dozen-chinese-companies-ties-wmd-and ↩}

^{[44] https://www.en.cloudminds.com/ ↩}

^{[45] https://www.csrc.ac.cn/en/ ↩}

^{[46] http://www.hit.edu.cn/ ↩}

^{[47] https://www.cloudwalk.cn/ ↩}

^{[48] https://www.netposa.com/ ↩}

^{[49] https://www.sensenets.com/ ↩}

^{[50] https://www.intellif.com/ ↩}