Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Tracking & Law Enforcement

Europe Cracks Down on Export of Surveillance Technologies

The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods.

The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods. The primary purpose is to overhaul and simplify the existing controls that were designed to limit the proliferation of weapons of mass destruction (WMDs); but it also introduces new controls over the export of cyber surveillance and computer intrusion tools.

More explicitly, it aims at preventing “the misuse of digital surveillance and intrusion systems that results in human rights violations” in line with the 2015 Human Rights Action Plan and the EU Guidelines for Freedom of Expression. New laws are necessary because existing legislation does not provide sufficient control over cyber-surveillance technologies.

It is a difficult area since cyber-surveillance and intrusion are both recognized as legitimate practices for some governments and some law enforcement agencies (especially in the name of national security). The problem is to allow and even simplify sales and exports to acceptable companies and governments while restricting it from those companies and countries that might use it to abuse the human rights that are protected by the EU constitution.

Misuse of these technologies can have — and have had — dire effects; and this is explicitly acknowledged by the EU. These technologies, notes the Introductory Memorandum, have “been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death.” Under such circumstances, it goes on, continued export of cyber-surveillance runs counter to the EU’s own human rights requirements, “such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life.”

The EU’s proposed solution “sets out a two-fold approach, combining detailed controls of a few specific listed items with a ‘targeted catch-all clause’ to act as an ’emergency brake’ in case where there is evidence of a risk of misuse. The precise design of those new controls would ensure that negative economic impact will be strictly limited and will only affect a very small trade volume.”

Privacy International (PI) is one of the organizations that has long campaigned for stricter rules on the export of surveillance technologies. In a recent report (PDF) published in August 2016, it called for a new approach combining corporate social responsibility with export restrictions. “While pro-active due diligence on the behalf of companies is a necessary start,” it suggests, “without instruments capable of restricting transfers and shining a light on the companies and the trade, surveillance technologies developed in and traded from the West will further undermine privacy and facilitate other abuses.”

The export of encryption technologies is also covered in the new proposal. Encryption is considered ‘dual use’ and therefore regulated by many countries. However, different countries have different standards, and the EU has concluded that this gives those countries an unfair trading advantage.

The proposal is expected, says the Memorandum, “to improve the international competitiveness of EU operators as certain provisions – e.g. on technology transfers, on the export of encryption – will facilitate controls in areas where third countries have already introduced more flexible control modalities. The proposal’s new chapter on cooperation with third countries is also expected to promote the convergence of controls with key trade partners and a global level-playing field, and thus to have a positive impact on international trade.”

Advertisement. Scroll to continue reading.

Details of the new Regulation were leaked in July. Since that time PI has lobbied the EU for additional improvements. In a statement sent to SecurityWeek, PI comments, “The eventual proposals only differ slightly however, with the main change being that the definition of ‘cyber-surveillance’ technology has been narrowed. The actual annex which contains a detailed list of what technology has been subject to control has also been published. In addition to spyware used to infect devices, mobile phone interception tech, and mass internet monitoring centres, the Commission has proposed to add unilateral EU categories. Currently these are listed as telecommunications monitoring centres and lawful interception retention systems.”

While PI welcomes the new regulation, it believes it could be better and should have been done much sooner. It points out that more than half of the world’s surveillance companies that it has identified are based in the EU, and that it has been known since 1979 that “a UK company had provided the necessary wiretapping technology to the genocidal regime of Idi Amin in Uganda.” 

The proposals, says PI, “encapsulate the best and worst aspects of the European Union. Their stated intent reflects Europe’s commitment to fundamental rights, and – as a regulation – it will be binding on all member states, massively magnifying the effect of any legislation. But it adds, “The policy making process has been marked by technical and bureaucratic complexities detached from individuals, making it vulnerable to the interests of industry, powerful national governments, and civil society.”

FinFisher GmBH and the Hacking Team are two EU companies that are likely to be affected by the new regulation. This would also have included Vupen if it had not closed down and resurrected itself as Zerodium in the US.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.