Teksti Hanna Nikkanen
Iran’s mobile network double-crossed its users in last year’s suppressed revolt. We got our hands on one of the surveillance systems that Nokia Siemens Networks sold to Iran. What’s the connection to Europe’s own gadgets?
”Collecting interception data is a process which takes place in the ’background’, assuring that the intercepted target (end user) is never aware of a possible interception,” the manual describes. ”The maximum number of simultaneous active interception sessions is 50,000.”
This manual has been read by police officers in Tehran. It ended up in my hands through the back door.
”Nokia Lawful Interception Gateway”, reads the cover page. This has been rumoured for a long while. Nokia Siemens Networks has supplied Iran with telesurveillance equipment, the details of which I have tried to track down since last summer. Now, one of the products that NSN supplied to Iran has been leaked to Fifi. This system enables just the type of surveillance that NSN has denied participating in.
It looks bad. The package gives users extensive power to monitor citizen mobile phone as well as mobile internet usage.
But it isn’t illegal. Similar systems monitor our own telecommunications. The question isn’t about Iran, but more broadly about what kind of surveillance is permitted – or mandated – in the networks we use. Who controls them?
”There’s been this perception internationally that we’ve supplied them [Iran] with internet surveillance equipment, but this is not true”, Lauri Kivinen, NSN Head of Corporate Affairs, assured the Finnish daily Helsingin Sanomat on 20 February.
However, the surveillance made possible by the Nokia Lawful Interception Gateway (LIG) extends to mobile internet usage. Either Kivinen was lying or his knowledge of his company’s core competence field isn’t quite adequate.
”It seems to enable the surveillance, storage, replaying and full investigation of all traffic in the network,” commented the IT professional that I invited to look at the NSN software package.
On page 17 of the product description manual, there is a diagram of the surveillance system. Interception points are represented by red squares in the diagram. From those the information is transmitted to the network administration. On one side three clipart characters – a surveillance auditor, judge and police officer – monitor the process.
The judge’s role is to grant a permission for the surveillance. The administrator initiates and stops surveillance processes. The police officer investigates the phone calls, messages and internet traffic that are caught in the process. The surveillance auditor ensures that unlawful usage isn’t conducted.
Nokia products with the built-in surveillance hardware are listed in the product description manuals Nokia 2G/3G SGSN [Serving GPRS Support Node], Nokia GGSN [Gateway GPRS Support Node], Nokia Flexi ISN and Nokia CPS.
When Iran bought the Gateway, the country didn’t have an 3G network. Later, Iran granted the country’s first 3G licence to Zain, a Kuwaiti company. Zain cooperates with NSN on 3G, at least in Saudi Arabia.
At the time of the sale, therefore, LIG could not have been used to monitor the internet. But the capacity was there, ready to be activated in a 3G network once there was one.
”The diagram’s red squares, the interception points, are built into all the Nokia network hardware mentioned,” the IT professional continues. ”No one has to climb an antenna tower to install anything. You only need to start using the software.”
Fifi stumbled upon the news of the Nokia Siemens telesurveillance business in the summer of 2009, when what is suspected to have been a fraudulent election in Iran was followed by massive demonstrations and harsh repression. Activists’ lawyers reported that the police used phone and internet surveillance to track down protestors.
Eventually the protests tapered off when it became clear that the technology that had made them possible had failed its users.
Iranian dissidents appealed to the company for information. Knowledge about the government’s surveillance capacities might have saved lives.
Nokia Siemens Networks refused to reveal what they had sold to Iran. ”Just this small add-on”, the company’s media relations office replied again and again when I questioned them about it. ”I don’t recall its name right now”, said Communications Manager Riitta Mård. ”It has nothing to do with internet surveillance.”
In fact, at least three separate systems were exported to Iran. Nokia built a GSM network; the GSM network was provided with the LIG system that I acquired; and the LIG has been upgraded with the ”add-on” that Mård described. Mård remembers the name of the system now: Monitoring Centre (PDF). It’s a test platform that, according to Mård, only is only suitable for monitoring telephone calls.
The commotion caused by the NSN trading with Iran has been mostly about the Monitoring Centre. The actual problem now seems to be the more extensive LIG.
And this is where it gets interesting, even for the ordinary Western mobile phone user normally untouched by Iran’s political storms. LIG, with its extensive monitoring capabilities, or a comparable system by a different manufacturer, is monitoring all mobile voice and data networks around the world, including here in Finland.
In fact, it is precisely because of us Europeans that these extensive monitoring systems first became legal and then mandatory worldwide. Europe has spearheaded the transition from more restricted surveillance methods to extensive systems like the LIG: systems that store all of the target’s communications data during surveillance for future investigation.
So this is quite a mess. NSN is being reproached for selling the Monitoring Centre to Iran, where the system is undoubtedly being used to harass dissidents. However, the Monitoring Centre seems trivial in comparison to the LIG, which has such an immense surveillance capacity that an oppressive government doesn’t really need to dream about extensions.
NSN doesn’t seem to have broken any laws or export regulations while delivering the LIG to Iran. On the contrary, it has complied with the demands of the European Telecommunications Standards Institute that the potential for surveillance by law enforcement agencies should be expanded. The minimum standards of surveillance capacity that the EU demands from telecommunication carriers are almost as broad as the ones that the Gateway provides.
However, NSN’s conscience doesn’t seem completely clear. Why else would Lauri Kivinen claim that NSN never delivered internet surveillance technology to Iran?
No one knows how many people were arrested in last summer’s protests, how many were wounded and how many died. International media estimated that 150 protesters were killed on the bloodiest day of the demonstrations. That day will continue to claim victims: an unknown number of dissidents now waits for their sentence, death by hanging, to be carried out.
”No one knew beforehand what would happen in that country,” Lauri Kivinen said to Helsingin Sanomat a week ago. The reason for this renewed interest was Kivinen’s new job: he had just been appointed as the next Managing Director of Finland’s public broadcasting company, YLE.
I translated Kivinen’s statement for Twitter user Shariatmadari, a pro-democracy activist and filmmaker, who started investigating the NSN matter in his blog after last summer’s demonstrations.
”Since the ’Islamic revolution’ of 1979 tens of thousands, maybe more than 100,000, people have been executed or disappeared in Iran,” Shariatmadari replies. ”It is very well known that Iran’s oligarchy is one of the cruellest regimes in the world. Is Mr. Kivinen so ignorant that he hasn’t heard of this?”
Shariatmadari is particularly annoyed by Kivinen’s assurances that the sale included no capacity for internet surveillance. First of all, because he doesn’t believe it’s true; secondly, because he doesn’t find phone monitoring any more ethical.
”They are purposely focusing on what they claim they did not do in order to blur what they cannot deny having done. Suppose that they didn’t supply Iran with internet surveillance. What about the surveillance of phone calls? Isn’t this enough to put them in the inhuman corner?”
Which is more important, HS asked Kivinen, business or human rights? ”When we supply Iran with GSM networks, it certainly is good for both business and peace,” Kivinen answered. ”Trade is the best bringer of peace. Where there’s trade, there’s less war.”
”Sure,” Shariatmadari responds. ”You can ask arms traders and their clients. I do not advise you to ask monitoring system traders, because from Mr. Kivinen’s comments it appears that you will not get any logical answers from them.”
Page two: Take a look at the leaked manuals.