While the military coup and deadly crackdown in Myanmar have drawn European condemnation, EU funds and technology have secretly aided the junta in spying on its own population.
WHY IT MATTERS
Being tracked can be a matter of life and death in Myanmar. Detainees who we spoke to witnessed student union leaders having their heads hooded and being separated from the others. They did not come back.
This investigation shows that the efforts of the Tatmadaw, the brutal Myanmar military, to surveil its own population were aided by Western companies and EU subsidies. The deals were made when Myanmar still had at least the appearance of civilian government, but the role of the military was well documented: from an ongoing genocide to the violent suppression of activists and journalists.
So when the generals staged a coup on February 1 and mass protests spread throughout Myanmar, hundreds of thousands of demonstrators feared they were facing a military with profoundly enhanced technological capabilities. A violent crackdown followed, with more than 800 protesters killed, thousands injured and political prisoners severely tortured. The internet was restricted; Facebook, WhatsApp, Twitter and Instagram were blocked; and scraped smartphone data was used as evidence in arrests.
The regulation of surveillance and forensic technology in Europe, as in much of the Western world, is complicated and slow compared to the development of new technology. In an attempt to limit the sale of surveillance, hacking and exfiltration technologies, the European Parliament turned to the Wassenaar Arrangement, a European treaty that governs the export of dual-use items, as well as conventional arms. Dual-use products are those that have legitimate civilian applications but can also be used for military purposes.
But the Wassenaar Arrangement does not dictate what member states do in practice. EU members have their own national bodies that approve or deny export licenses for dual-use technology. In a replication of the faults of the arms industry, the system gives lax or cynical member states a competitive advantage.
This investigation shows what can happen without serious oversight and begs the question of how Europe should regulate the export of surveillance and forensic technology to places where there is a high risk of abuse, especially when that technology was built with public funds.
HOW WE FOUND THIS
We identified some 40 Western manufacturers and developers of surveillance and digital forensic technology whose equipment was listed in Myanmar’s leaked budget allocations. The most interesting of these companies were then cross-checked against databases from seven other significant financial and company registration sources for Myanmar, compiled by the Organized Crime and Corruption Reporting Project (OCCRP). Myanmar government websites were trawled for tender documents and we examined the public-facing online presence of specific companies and their employees.
Lighthouse also sourced sophisticated mobile endpoint security from the cybersecurity firm Lookout in order to scan the phones of individuals in Myanmar whose devices were seized after they were detained by Myanmar police or military. This way we were able to check for the installation of malware. This exercise did not directly detect any mal- or spyware but did detect a vulnerability in an app many protesters used.
Lighthouse also interviewed multiple individuals from Myanmar, from released detainees to military defectors and former employees of Burmese companies functioning as middlemen, as well as other relevant sources, to build up a picture from the inside of how Myanmar’s surveillance state now operates.