
Cisco’s Attempt to Dodge Responsibility for Facilitating Human Rights Abuses - DiabloD3
https://www.eff.org/deeplinks/2016/04/ciscos-latest-attempt-dodge-responsibility-facilitating-human-rights-abuses-export
======
squidlogic
Wow, I knew Cisco helped with the GFW, but didn't know they made a module
specifically designed to find and capture Falun Gong participants[0].

That's ... pretty messed up.

[0][https://www.eff.org/files/2016/01/12/113_second_amended_comp...](https://www.eff.org/files/2016/01/12/113_second_amended_complaint_does_v._cisco_9.18.13.pdf)

~~~
sneak
I think the term is "criminal".

~~~
tptacek
It's not criminal. It could and should be outlawed, but hasn't been.

~~~
JumpCrisscross
> _It could and should be outlawed, but hasn't been._

I respect your opinion greatly. Why do you disagree with the EFF's assertion
that Cisco's actions violate the Alien Tort Statute (the "ATS") [1]?

If Cisco knew, or should have reasonably known, that the technologies they
were developing for the Chinese government would be used in contravention of
the United Nations Convention Against Torture [2], which the U.S. ratified and
would thus be covered under the ATS, then it would seem like this would fall
under "aiding and abetting."

[1]
[https://www.law.cornell.edu/uscode/text/28/1350](https://www.law.cornell.edu/uscode/text/28/1350)
_28 U.S.C. § 1350_

[2]
[https://en.wikipedia.org/wiki/United_Nations_Convention_agai...](https://en.wikipedia.org/wiki/United_Nations_Convention_against_Torture)

~~~
tptacek
I agree with the EFF. The Alien Tort Statute recognizes _civil_ claims. They
should lose the civil trial.

Separately, we should pass a federal law outlawing the knowing sale of
technology for the purpose of persecuting groups of people based on their
race/ethnicity/religion. Once that law exists, it _will_ be a crime to do what
Cisco did, and I'll be happy about that.

Until then, discussing what Cisco did as "criminal" is dangerous. It should be
harder to stretch our existing laws to make criminal cases, not easier.

~~~
vacri
> _we should pass a federal law outlawing the knowing sale of technology for
> the purpose of persecuting groups of people based on their
> race/ethnicity/religion._

If it had any teeth, such a law would do serious damage to the US arms exports
industry.

------
abpavel
Don't forget that China has a "50-cent army":
[http://www.rfa.org/english/news/china/propaganda-03122014184...](http://www.rfa.org/english/news/china/propaganda-03122014184948.html)
And the "Citizen Score":
[https://www.aclu.org/blog/free-future/chinas-nightmarish-cit...](https://www.aclu.org/blog/free-future/chinas-nightmarish-citizen-scores-are-warning-americans)

Which is a kind of FB/GOOG collecting metadata of your activities and having
"paid likes", but being used in a more specific and direct way.

------
swombat
If they're doing this for China, what do you figure they've been doing for the
US government?

~~~
tptacek
You mean apart from the fact that the US Government doesn't operate a "Great
Firewall of the United States"?

~~~
sitkack
Doesn't it? It is just transparent and the traffic shaping is self enforced.

~~~
tptacek
No, it doesn't.

~~~
peteretep
I sincerely thank you for pushing back on all the crap in this particular
thread. HN seems to have devolved into "well the world _SHOULD_ work the way
I want it to" recently, and you're doing sterling work here being the voice of
reason.

------
mtgx
Those people who helped increase the quarterly earnings at the time by selling
this tech to the Chinese government must've felt pretty proud of themselves.

------
solotronics
Has anyone heard of similar abuses by Juniper Networks?

~~~
abpavel
I'd focus more towards the merchant silicon of Marvell/Broadcom/Fulcrum

~~~
walrus01
if somebody wants to sue a layer 2 ethernet fabric chip maker they're insane.
any asshole can use a switch to do any sort of terrible thing with their
nation's internet infrastructure.

it's like suing intel because they made the 1GbE NIC in a server seized for
kiddie porn.

~~~
nickpsecurity
Not if they backdoored it for money to aid nation-states in I.P. theft or
murder of innocents. I'm not saying I recall above companies doing that. Just
that it's one legit reason among many to sue or bring charges against a
telecoms, semiconductor company. And we know more than one vendor that
previously did exactly that.

~~~
walrus01
Show me any documentation whatsoever that proves a pure layer 2 Ethernet
switch has been put on a test network and observed (via packet capture on its
upstream) sending data home.

~~~
nickpsecurity
It's not the switch itself. It's the I.P. in the switches. And you've narrowed
the situation enough to ensure nobody could meet your criteria unless
representing the most reckless spies on Earth.

Note: One fun fact of layer 2 Ethernet is it's insecure enough by itself that
many just tap straight into the lines somewhere. Led to development of MACsec
standard.

~~~
walrus01
Not at all. "Put a suspicious device on an internet connection, let it run,
and capture all packets to see where it phones home" is a fairly basic
process.

~~~
nickpsecurity
The connectors in TAO catalog use RF to make that impossible without unusual
spectrum analyzers. I did that, too. Another trick is covert channels to make
it invisible in network traffic. Covert channel analysis is mandated in high
assurance specs but almost nobody does it.

Anyway, you're not going to see a switch subverted by pros in action. They
won't blow that cover. They'll use it to facilitate a normal attack and plant
evidence it came through a normal vector. That's how subversion works at pro
level.

------
exolymph
It's disturbing that I didn't even know Cisco was involved until now.

~~~
maxerickson
What's your intended meaning?

~~~
exolymph
A combination of feeling guilty that I haven't been paying more attention to
unethical things that US companies do abroad and being disappointed that this
wasn't bigger news.

------
rm_-rf_slash
So it's wrong to abuse, humiliate, and torture someone in the United States
but if you do it elsewhere it's ok?

Oh wait...

~~~
cloudjacker
this case is about selling an internet filter.

It would not be wrong, as in illegal or subject to any civil penalty, if Cisco
sold that internet filter to the United States' agencies.

so that highlights the delicious irony in your retort

~~~
jonathankoren
First, they built special hardware to target a specific group that is
internationally known to be a frequent target of oppression. So that's going
beyond what they normally provide.

Second, if you're selling something to a known person, and you have a good
reason to know what they're going to do with it. And let's be clear, Cisco
totally knew what they were going to be used for in this case. Then you're an
accessory.

~~~
Swannie
| First, they built special hardware to target a specific group

Is that stated as a fact in the case? I didn't find anything that makes that
suggestion.

~~~
jonathankoren
The article explicitly says, "Cisco built a special Falun Gong module into the
Golden Shield".

Reading the abstract of the brief, it looks like "built" is being used to mean
"specifically sold and configured hardware." So it's not necessarily some
special asic, but rather machines configured specifically to target and
identify Falun Gong members. Anyway, in the 21st century, the line between
hardware and software that runs on dedicated hardware is pretty ill defined.

~~~
Swannie
I'd encourage you to do more than read an article written by a party with a
vested interest, and critically read the linked legal submission.

When reading such a court document, remember it is written by a lawyer (or
team of lawyers) with the intent (explicit or otherwise) of conflating many
ideas.

Creative naming of artefacts, systems, roles, organisations, etc. are all
employed to paint a picture - the most vivid, influential, negative picture
possible - whilst still being technically factual.

Critical reading of the submission, filtering for technical details suggests
that yes, there was indeed integration into existing networks (obviously), and
existing databases/systems of record, maybe related to Falun Gong, but frankly
the majority of the technical data looks like a description of any intercept
network - whether for troubleshooting, traffic analysis, or lawful intercept.

------
abpavel
Well boo hoo, Google is trafficking in human information, Facebook is
trafficking in human information, FourSquare remnants are trafficking in human
information, all realizing Orwell's sweaty nightmares. But a company that is
affecting someone overseas, and not its own citizens, is in the wrong?

~~~
allisthemoist
Find me a specific incident perpetrated by GOOG/FB that has directly
facilitated human rights abuses. This is not an accusation of a vague misuse
of information. This is a direct action by the company that they _knew_ would
facilitate torture, etc.

~~~
abpavel
That's their business model - people are their product. That's how they make
money. That's the only way they make money. They sell people to advertisers.
What's not wrong with that?

~~~
rosser
"Sell[ing] people to advertisers" != "sell[ing] people to an oppressive
regime."

~~~
abpavel
That's one way to look at it. But Chinese view US regime as oppressive, and
any opinion to the contrary would result in the downvote fairies of the
50-cent army slashing your karma to oblivion, in a similar way I lost about 25
points on this post.

~~~
jessaustin
Wat? Nothing you've said above or below would incite the ire of 50¢A. If
anything they would upvote you.

------
cloudjacker
> Cisco’s attempt to try to leverage the Wassenaar discussions into legal
> immunity for itself is unfounded and should fail.

More like attempts to get a civil penalty in the United States for business in
another country should fail

~~~
devin_lane
Indeed. This is just a business selling a product someone wanted. Cisco is a
multinational company; it makes no more sense to hold them to US law for
products sold in China than to hold a Chinese company to US law for products
sold in China.

~~~
tptacek
You can say the exact same thing about bribing overseas officials, and yet we
have the FCPA.

~~~
cloudjacker
and yet, I feel the same way about the FCPA

bring it up when I run for office

~~~
burkaman
I don't understand the objection. It's not like you suddenly lose all benefits
and protections of US citizenship when you step over the border. If you don't
want to follow these laws, move your company and renounce your citizenship. If
you're not willing to do that then you need to follow the rules.

~~~
cloudjacker
If you would like to talk about the FCPA, I never mentioned my objection.

The objection is that it undermines competitiveness in corrupt business
environments. Business environments that are inherently corrupt whether the US
entity participates or not. Kickbacks are a way of doing business in many
jurisdictions, and then the US government levies a charge against you that is
solved with: YOU GUESSED IT, ANOTHER KICKBACK. But it's okay because the SEC
and DOJ call it a settlement.

A totally unnecessary law that is enforced at the discretion of the
administration.

~~~
burkaman
I understand your point about lawsuit settlements being useless and
hypocritical, but your main point about competitiveness is obviously not
really relevant. There are tons of laws that undermine US business
competitiveness in global markets. There are tons of laws that undermine
domestic competitiveness too, that's just how our society is set up. Profit is
not our first priority.

Anyway, when I referred to your "objection", it seemed like you were saying
any laws affecting business outside the country are pointless and wrong. I
don't think I know enough about the FCPA to discuss it specifically.

------
abpavel
Cisco provides Internet Protocol services, not what is being done with them.
If Electricity from France is exported through Russia to China, can they be
held responsible too? And what about the oxygen produced by the US flowers?
Are US farmers responsible for providing oxygen supplying the evil Communist
regime with oxygen? That electricity was as crucial to conducting the dreadful
things just like IP, and just like oxygen. This logic has no bounds.

~~~
ng12
Did you even read the article? Cisco (allegedly) built custom software to
persecute a religion.

~~~
abpavel
Yes, the article, yes, but I've also been a part of too many projects like
this, when a technological marvel is being developed for a number of years,
creating new capabilities, technology innovations, and driving efficiencies.
Thousands of American man-hours were spent in creating this marvel, only for
someone to summarily judge on a whim what that effort was about. It
wasn't about what EFF said. That just simply wasn't in the RFP/RFC/RFWhatever.

~~~
jonathankoren
Throwing up your hands and saying, "I just built it! It's not my job to think
about how it's used!" is a cop out. It's also against the ACM Code of Ethics
and Professional Conduct[0].

[0]
[https://www.acm.org/about-acm/acm-code-of-ethics-and-profess...](https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct)

~~~
ultramancool
How about "it's just a tool"? You could say the same thing about knives, cars,
Tor, Bitcoin or the Internet itself if you wanted.

You can't blame a creator for how a finished product is used. Their vision
might greatly differ or it might not exist at all.

~~~
djrogers
In this case though, the tool only had one purpose, and the creator knew
exactly what the buyer would be doing with it.

~~~
ultramancool
They knew they'd use it to torture? I highly doubt that.

Monitor, perhaps. But that's very different. It's also not exactly specified
what they built - was it generic and something they might be able to sell to
corporations or other governments who want traffic monitoring or something
designed only for this purpose?

~~~
jonathankoren
> They knew they'd use it to torture? I highly doubt that.

Well then they've been living under a rock. It's been officially banned for 17
years, and there's literally a wikipedia article about it.
[https://en.wikipedia.org/wiki/Persecution_of_Falun_Gong](https://en.wikipedia.org/wiki/Persecution_of_Falun_Gong)

~~~
ultramancool
It's entirely possible they assumed otherwise. Are you trying to say you must
assume the worst possible intentions from your customers and that anything
less should be illegal?

Surely Tor developers could have guessed it would be used for child
pornography - should that have stopped them?

~~~
jonathankoren
You're dealing with a known actor with a known track record against a known
target. It's completely different. At this point it's being willfully
ignorant[0] and you're being intentionally obtuse.

[0]
[https://en.wikipedia.org/wiki/Willful_blindness](https://en.wikipedia.org/wiki/Willful_blindness)

~~~
ultramancool
> You're dealing with a known actor with a known track record against a known
> target.

People with anonymity aren't "known actors"?

You could just as easily argue willful blindness with Tor or end to end
cryptography devs. And that's how I'm worried that a case like this will be
used if it's successful.

------
ultramancool
Yeah guys, sue the firewall vendor for your unencrypted internet traffic
getting you fucked.

Are we supposed to forbid companies from complying with customer requests,
even if they're unaware or just don't really care how those will be ultimately
used? I know I'd implement similar things if it were requested of me.

I doubt this will be a popular opinion on HN, but I don't think Cisco was in
the wrong here. Once traffic crosses your network boundary, it's fair game.

~~~
PhasmaFelis
What is it with all the "yes of course you should help torture people if it's
good for your business" in this thread? Hacker News is usually pretty
laissez-faire, but this isn't the normal tone here.

~~~
jessaustin
_Hacker News is usually pretty laissez-faire, but this isn't the normal tone
here._

I think one can distinguish between _laissez-faire_ that amounts to "leave
human beings to live as they will" and another concept that is "everything is
permitted to the powerful". Actually IMHO it is a corruption to consider the
latter to even be related to _laissez-faire_. However, many people conflate
the two propositions, and would like the rest of us to conflate them as well.

