The European Union has published its proposal (PDF) for a revised Regulation on the export of dual use goods. The primary purpose is to overhaul and simplify the existing controls that were designed to limit the proliferation of weapons of mass destruction (WMDs); but it also introduces new controls over the export of cyber surveillance and computer intrusion tools.
More explicitly, it aims at preventing “the misuse of digital surveillance and intrusion systems that results in human rights violations” in line with the 2015 Human Rights Action Plan and the EU Guidelines for Freedom of Expression. New laws are necessary because existing legislation does not provide sufficient control over cyber-surveillance technologies.
It is a difficult area since cyber-surveillance and intrusion are both recognized as legitimate practices for some governments and some law enforcement agencies (especially in the name of national security). The problem is to allow and even simplify sales and exports to acceptable companies and governments while restricting it from those companies and countries that might use it to abuse the human rights that are protected by the EU constitution.
Misuse of these technologies can have — and have had — dire effects; and this is explicitly acknowledged by the EU. These technologies, notes the Introductory Memorandum, have “been misused for internal repression by authoritarian or repressive governments to infiltrate computer systems of dissidents and human rights activists, at times resulting in their imprisonment or even death.” Under such circumstances, it goes on, continued export of cyber-surveillance runs counter to the EU’s own human rights requirements, “such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life.”
The EU’s proposed solution “sets out a two-fold approach, combining detailed controls of a few specific listed items with a ‘targeted catch-all clause’ to act as an ’emergency brake’ in case where there is evidence of a risk of misuse. The precise design of those new controls would ensure that negative economic impact will be strictly limited and will only affect a very small trade volume.”
Privacy International (PI) is one of the organizations that has long campaigned for stricter rules on the export of surveillance technologies. In a recent report (PDF) published in August 2016, it called for a new approach combining corporate social responsibility with export restrictions. “While pro-active due diligence on the behalf of companies is a necessary start,” it suggests, “without instruments capable of restricting transfers and shining a light on the companies and the trade, surveillance technologies developed in and traded from the West will further undermine privacy and facilitate other abuses.”
The export of encryption technologies is also covered in the new proposal. Encryption is considered ‘dual use’ and therefore regulated by many countries. However, different countries have different standards, and the EU has concluded that this gives those countries an unfair trading advantage.
The proposal is expected, says the Memorandum, “to improve the international competitiveness of EU operators as certain provisions – e.g. on technology transfers, on the export of encryption – will facilitate controls in areas where third countries have already introduced more flexible control modalities. The proposal’s new chapter on cooperation with third countries is also expected to promote the convergence of controls with key trade partners and a global level-playing field, and thus to have a positive impact on international trade.”
Details of the new Regulation were leaked in July. Since that time PI has lobbied the EU for additional improvements. In a statement sent to SecurityWeek, PI comments, “The eventual proposals only differ slightly however, with the main change being that the definition of ‘cyber-surveillance’ technology has been narrowed. The actual annex which contains a detailed list of what technology has been subject to control has also been published. In addition to spyware used to infect devices, mobile phone interception tech, and mass internet monitoring centres, the Commission has proposed to add unilateral EU categories. Currently these are listed as telecommunications monitoring centres and lawful interception retention systems.”
While PI welcomes the new regulation, it believes it could be better and should have been done much sooner. It points out that more than half of the world’s surveillance companies that it has identified are based in the EU, and that it has been known since 1979 that “a UK company had provided the necessary wiretapping technology to the genocidal regime of Idi Amin in Uganda.”
The proposals, says PI, “encapsulate the best and worst aspects of the European Union. Their stated intent reflects Europe’s commitment to fundamental rights, and – as a regulation – it will be binding on all member states, massively magnifying the effect of any legislation. But it adds, “The policy making process has been marked by technical and bureaucratic complexities detached from individuals, making it vulnerable to the interests of industry, powerful national governments, and civil society.”
FinFisher GmBH and the Hacking Team are two EU companies that are likely to be affected by the new regulation. This would also have included Vupen if it had not closed down and resurrected itself as Zerodium in the US.