(Mike Lewis’s “Filling A Gap” from his blog site on April 25, 2021.)
Earlier this month the New York Times, using budget
documents obtained by the campaign group Justice for Myanmar, listed a series
of digital forensics tools that Myanmar’s home affairs ministry has allegedly
sought to purchase: software and hardware used to extract data from suspects’
cellphones, computers and other devices.
Some are familiar from previous reporting, particularly around the 2018 trial of the two Reuters journalists Wa Lone and Kyaw Soe Oo, which heard communications evidence that investigators had extracted from their cellphones using a Cellebrite UFED device.
(There’s an
important functional distinction between digital forensics tools, intended to
crack open and extract data from seized devices; and wider surveillance
technologies intended to gather data remotely on people, their devices and
their data. Recent commentary on Myanmar has often swept them up in the same
generic ‘spyware’ category. That’s for another post.)
Budgeting to
procure something doesn’t prove that the Myanmar government actually ended up
buying it. Several suppliers listed by Justice for Myanmar and the New York
Times insist that high-profile acts of repression made them refuse or
discontinue sales in Myanmar.
One company
listed in the budget documents has said that although it received a request to
supply its product to Myanmar, it turned it down, citing the military
operations against the Rohingya. Similarly Cellebrite, and its Myanmar
distributor, have both insisted that Cellebrite cancelled licences for its
products in Myanmar in late 2018, in response to the furore around their use in
the Wa Lone/Kyaw Soe Oo case.
At least one US
company, however, seems to have stepped into that market gap. Oxygen Forensics LLC (company tagline: “Helping Good People Make This World Safer”) produces a
suite of software, supplied on a dongle,
“built to extract, decode, and analyze data from
multiple digital sources: mobile and IoT devices, device backups, UICC and
media cards, drones, and cloud services. Oxygen Forensic® Detective can also
find and extract a vast range of artifacts, system files as well as credentials
from Windows, macOS, and Linux machines. The cutting edge and innovative
technologies deployed in Oxygen Forensic® Detective include, but are not
limited to, bypassing screen locks, locating passwords to encrypted backups,
extracting and parsing data from secure applications and uncovering deleted
data.”
Oxygen Forensics is essentially in the same data extraction/digital forensics market as Cellebrite, though not as well-known. Oxygen Forensics wasn’t listed in the New York Times article, but it does appear in the Ministry of Home Affairs budget documents for 2018-19 obtained by Justice for Myanmar.
Importantly, though, it’s clear that Oxygen
Forensics has indeed supplied their product to Myanmar. Records of export
manifests from India, which are available through several online data
providers, show that in June and September 2020, Oxygen Forensics’ Indian
reseller, 3rd Eye Techno Solutions Pvt Ltd, shipped an Oxygen Forensic®
Detective dongle and several cable sets by air from Delhi to Yangon, consigned
to a Myanmar company, MySpace International Co Ltd.
MySpace International, owned by former Tatmadaw
officer Kyaw Kyaw Htun, was also reportedly Cellebrite’s reseller in Myanmar.
The New York Times claimed earlier this month that “two people with knowledge
of police procurements said that Dr. Kyaw Kyaw Htun’s companies supply most of
the imported Western surveillance technology for the Myanmar police.”
Oxygen Forensics
LLC told me that “our records indicate the sale of only one license (in Jan
2019) to organisations in Myanmar.” This would have been immediately after
Cellebrite claims that they stopped business in Myanmar and cancelled their
products’ licences there, though there is no evidence of a direct connection.
Oxygen Forensics
declined to respond to a follow-up question about whether their Myanmar
end-user was a government or private-sector organisation. They also said that
“we are unable to monitor the use of our technology but when we are made aware
of its use in a way which does not conform to our EULA, international law, or
Oxygen Forensic ideals, these licenses are noted, as are the end users, and
they cannot be renewed.” They declined to say whether they had done this with
their Myanmar customer.
3rd Eye Techno Solutions requested questions in writing, but has declined to respond so far.
MySpace International has not responded to phone calls or emails.
There are growing trade controls on this kind of hardware and software. In December 2019, forty-two countries from Russia to the USA, meeting under the Wassenaar Arrangement, agreed to add a range of communications monitoring technologies, digital investigative and digital forensics tools to their export controls, requiring licences for their international transfer.
Since October
2020, therefore, the US has duly required export licences for “Systems,
Equipment and Components for Defeating, Weakening or Bypassing Information
Security”. (This rule came into force after the Oxygen Forensics exports for
which there is public evidence. There’s no suggestion that any of the companies
named in this post have acted unlawfully, or are guilty of any other
wrongdoing. And there’s no evidence so far about how Oxygen Forensics’ products
may have been used or misused in Myanmar.)
The EU is seeking to regulate trading of digital forensics tools too: the European Parliament agreed new export control rules in March 2021, which still need to be signed off by the Council.