The proposition of the United Kingdom and like-minded governments to harness the Wassenaar agreement in order to control exports of cyber security software is addressing different groups of products. The way they can be categorized reflects the challenge that proponents of this attempt are facing: the revision of the pre-cyber arms control regime needs to sort out encryption, surveillance, and hacking software, and determine, which products qualify as arms or dual-use goods as provided by the agreement.
As we blogged yesterday, one of the reported concerns of the Wassenaar attempt is to restrict the export of “strong crypto”, a set of tools that “enables states, businesses, and private citizens to impede surveillance that is currently in place for law enforcement and national security purposes”.
In sharp contrast to regulate the export of encryption tools, the French government has implemented export controls on surveillance software. Last week, its official gazette announced the new clause, due to which the export of “all equipment with the purpose of surveilling cell phone and Internet communications” is now subject to authorization by the ministry of industry. The new regulation looks back at the French software company Amesys, which sold its deep packet inspection (DPI) based EAGLE spyware to Gaddafi, when we was still in power, as covered by Reporters without Borders.
While the regulation of encryption and surveillance software is covering seemingly contradictory purposes, the boundaries between surveillance and hacking software are blurring. Often, surveillance tools are designed in a way that requires targeted computers to be hacked for their implementation. This exceeds merely passive surveillance measures, allowing to log keystrokes, control webcams, or “raid” PCs through remote online searches. German software developer Gamma International has distributed such an intrusive set of tools known as Finfisher to several authoritarian regimes, as researchers of the Citizen Lab at the University of Toronto have evidenced.
1 Pingback