Corporate Name Changes and Other Methods of Avoiding Corporate Accountability in the Surveillance Industry
-Isedua Oribhabor, Esq.* & Shikhar Sharma**
Introduction
In October 2019, on the heels of multiple whistleblower revelations detailing how Facebook prioritized profits over the safety of its users, Facebook Inc, the parent organization of companies such as Facebook, Instagram, and WhatsApp, changed its name to Meta Platforms Ltd. The move was largely understood to be a cosmetic, rebranding effort to convey the company’s expanded ambitions towards building a ‘metaverse’- an immersive mix of augmented and virtual reality.
Facebook/Meta is not the first tech company to rely on a name change to salvage its image and reputation. In 2015, Google changed the name of its parent company to Alphabet, creating a public perception of separation between the company’s traditional products such as search from its riskier ventures. Snapchat similarly changed its name in 2016 to Snap as it made plans to expand its offerings from the chat platform mainly used by teens.
For Big Tech companies constantly in the public eye, a name change does little to hide the company’s past misdeeds. However, for a subsect of technology companies, particularly for surveillance technology companies, a name change is often a method of avoiding accountability altogether. This article explores the ways in which tech companies evade accountability, why it matters, and legal and policy measures to hold companies accountable for human rights abuses.
Methods of avoiding accountability
Time and again, companies have benefited from deliberately creating opaque corporate structures that restrict public scrutiny. By changing names, locations of operations, and creating a complex network of shell and holding companies, companies can avoid public accountability, and in some cases, legal liability, for the human rights harms they have caused. These methods are particularly important for surveillance companies who benefit from operating in the shadows. This section outlines three methods of avoiding corporate accountability, focusing on surveillance companies. It must be noted that while the following methods focus on the prospective corporate actors, they are equally attractive for state actors, particularly, authoritarian ones, to obscure their connections to surveillance firms.
1. Changing names to hide activity/avoid accountability: Some surveillance companies that gained public notoriety sought to escape the stigma by dissolving the company and setting up a new company with the same operations and products, same staff and governance, but with a different name. For example, the surveillance company Saito Tech Ltd. (popularly known as ‘Candiru’) has changed its name five times in the 8 years of its operation. Though its name has changed, Candiru continues its practice of providing spyware to clients that target human rights defenders, dissidents, and journalists. Another example is Cambridge Analytica, the political consulting firm that harvested raw data from up to 87 million Facebook profiles, dissolved itself in 2018 but shortly later its employees regrouped under different names and companies that offer similar services.
2. Opening in jurisdictions with weak regulatory mechanisms: It’s no coincidence that some of the most pervasive surveillance firms such as the NSO Group, Candiru, and Circles, have their headquarters in Israel. Besides the strong state military-private defense nexus in Israel, companies are incentivized to operate from there due to the government’s lax regulatory control. Israel has repeatedly allowed the export of NSO’s Pegasus software to authoritarian regimes, in spite of NSO’s known record of selling its tools to governments who perpetrate human rights abuses. While NSO’s transparency report highlights the regulatory restrictions the company is subject to under the Defense Exports Control Agency (’DECA’), even stating that some of its applications for export licenses have been denied, the reality is that NSO’s tools have been used to target human rights defenders and activists across the globe, in countries with known track records of human rights violations. DECA has approved the export and sale of virtually every transaction, which indicates that the current regulatory mechanisms in the country are lax in their implementation.
3. Separating business operations into different jurisdictions: Many corporations separate their business operations across different jurisdictions usually for tax purposes and to limit liability. Incorporating a subsidiary in a different jurisdiction limits the liability of the parent company for the actions of the subsidiary. Since the parent company possesses a distinct legal personality and does not operate in the subsidiary’s local country, the parent company cannot be subject to the local country’s laws. This arrangement is also known as a “corporate veil” and corporate veils have ‘pierced’ in exceptional cases, generally in the context of commercial law suits and rarely happens in human rights cases. Victims of human rights abuses seeking remedy are forced to rely on the subsidiary which may be poorly funded, uninsured, or wound up, leaving victims without recourse.
Moreover, for surveillance companies, this structure can serve an additional purpose: corporations like NSO group have different subsidiaries that perform different functions in different jurisdictions. Some of those jurisdictions, such as the Cayman Islands, are notorious for the financial secrecy their regulatory regimes offer. Therefore, by dividing their operations into different jurisdictions, especially amongst financially opaque jurisdictions, it becomes difficult for third parties to piece together the true extent of a company’s operations (such as sales, the scale of deployment, further subsidiaries, etc.), which deters attempts for accountability.
Why does this matter?
Evading accountability and liability is not unique to the surveillance technology sector, but the global nature of the tech sector means that one company’s human rights harms can extend throughout the world. Indeed, tools by a company headquartered in Israel can be used to surveil journalists in India.
The United Nations Guiding Principles on Business and Human Rights (‘UNGPs’), which were unanimously endorsed by the UN Human Rights Council in 2011, focus on remedy to the victims of human rights abuses, and not just prevention. The third pillar of the UNGPs focuses on access to effective remedy for victims of human rights abuses by businesses.
Remedy for victims is not possible when we can’t determine who to hold accountable. Identifying the participants in the industry, across corporate hierarchies and jurisdictions is an important step in holding those entities accountable. Therefore, it is necessary to determine the purpose and function of each company and what products and services each of the entities in a conglomerate offer.
Evading accountability also encourages a race to the bottom. When companies are not subject to public scrutiny and other legal and extra-legal consequences for their role in facilitating human rights abuses, they are free to sell and deploy their technology with impunity. This expansion in the potential sellers’ market, facilitated by an effective lack of sanctions or robust export control regimes, results in increased revenues and profits. Consequently, every company, with the aim of increasing their profits, is incentivized to indulge in this accountability evasion, resulting in a spread of bad practices throughout the industry. In the surveillance industry, deliberate opaqueness in business operations is widespread, facilitated by closed door deals with government customers. The few attempts at transparency in the sector, such as NSO’s transparency report, fall far below the mark of true transparency and serve as a mere ‘sales brochure’.
Holding companies accountable
Rule of law: An important avenue of accountability is strengthening domestic and international rule of law. The idea that a company’s only responsibility is to increase its profits has changed over time as more companies voluntarily implement corporate social responsibility (‘CSR’) programs to address their social and environmental impacts. The recent move towards mandatory due diligence promises to solidify these voluntary practices into recognized obligations that require companies to consider human rights impacts in managing their subsidiaries and supply chains. Due diligence frameworks have been heavily inspired by the UNGPs, which frame the responsibility as a ‘social expectation’ rather than a ‘legal’ one for the companies, leading to some criticism about the strength of the UNGPs.
The UNGPs rest on a set of differentiated but complementary responsibilities: the state’s duty to protect, the corporate responsibility to respect, and access to remedy. While the UNGPs are comprehensive, they are principle-oriented and do not readily translate into law within different jurisdictions. They are formulated flexibly so as to allow for adaptability in their implementation and a suitable approach in dynamic contexts. The time is ripe for these normative rules to be converted into binding hard law.
Implementing such legislation would not only strengthen rule of law, but can also extend liability to parent companies for the acts of their subsidiaries in foreign jurisdictions. A binding legislation mandating human rights due diligence for companies across their business operations would also imply that the company has a ‘duty to care’ for its subsidiaries and its actions across its corporate structure.
Individual & corporate criminal liability: Attaching criminal liability to company executives where a company is found to be complicit in human rights abuses is another path forward for expanding corporate accountability. For example, Nexa Technologies Ltd. (formerly known as ‘Amesys’) knowingly sold surveillance software to the Libyan state under the Gaddafi regime, which was then used to target Libyan activists and political actors. The act has been widely alleged to be a crime against humanity and four executives were indicted by a French court for complicity.
Attributing liability to individuals is important in the case of surveillance companies because there are key individuals who dominate the surveillance industry landscape. For instance, Omri Lavie, the key financial backer of Candiru, is also a co-founder of Candiru. Moreover, individual liability can support the claim of corporate liability by attributing the mens rea of the company to its executives who are held to be its ‘directing mind and will’. A contextual and case-by-case approach can help provide relief to victims and hold the companies liable.
The leading international criminal law statute, the Rome Statute, currently doesn’t consider corporations to be within the definition of persons. Article 25(1) of the Rome Statute deals with only ‘natural persons’ and allows for individual liability. However, this solution alone is inadequate, as it leaves companies with considerable resources scot-free, which could hamper the provision of reparations to victims. Article 25(1) should be amended to bring corporations within its ambit, which would bring the Rome Statute in line with most national criminal law legislations that recognize corporate criminal liability, as well as with the Malabo Protocol, governing the African Court of Justice and Human Rights which recognizes the possibility of corporations contributing to human rights abuses (Article 46C).
Conclusion
Corporate accountability requires political will at both the national and international level, as well as a firm commitment to realizing the accountability frameworks outlined in normative guidelines such as the UNGPs. Civil society organizations also have an important role to play – by elevating the stories of victims of human rights abuses, particularly the victims of surveillance, they shed light on an industry that thrives on operating in the shadows.
*Isedua Oribhabor is the Business and Human Rights Lead at Access Now. She works to promote human rights in the digital age, focusing on the responsibility of tech companies to respect human rights. She received her J.D. from Fordham Law School in New York City, as well as an LL.M. in International Business Law from Universidad Pontificia Comillas in Madrid.
**Shikhar Sharma is a second-year student at the National Law School of India University, Bengaluru. He's interested in the role of technology in our everyday lives.