I think this regulation is absolutely useless. Imagine that you are a dictator in some dictatorship.
And now imagine how difficult it is, with a lot of money and your people in many non-dictatorship countries, to buy FinFisher.... :-) (Especially if you can easily buy weapons of mass destruction).

Pavol

On Mon, Sep 10, 2012 at 09:39:44PM +0000, Danny O'Brien wrote:
> Just to add to this:
>
> It's surprising just how much of the old cryptowar language is still hanging
> around ready to trip someone up. The US government is still unwilling to
> grant blanket exemptions for classes of crypto-using products, so the only
> way you can know whether you're violating the broad language of the law is to
> ask very specifically for an export license. And if you ask, they may say
> no. This was the issue with much of the United States "Axis of Evil"
> (Sudan/Syria/Iran/N. Korea) sanctions too -- Mozilla had to tread very
> carefully in order to get a permitted exception before the recent sanctions
> rewrite. That rewrite contains no pre-emptive exemptions (you still have to
> apply) and other companies still play far too safe WRT offering downloads to
> these countries rather than risk asking permission and being turned down.
>
> As Eric says, the UK is part of Wassenaar, which means public domain and
> personal use crypto is okay to export, but various "strongish" crypto
> requires a license, at least in theory:
> http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#Wassenaar
>
> To broaden Wassenaar to include surveillance tech by extending it with regard
> to specific categories of use is one approach to attempt to dissuade local
> companies from selling mass surveillance tools to repressive regimes. I know
> that PI has been thinking and working on this for a very long time, and is
> not unaware of the problems of creating well-meaning restrictions that can be
> applied overbroadly. Another legislative approach is to prohibit the
> distribution of certain tools with certain capabilities to certain target
> groups (prohibit sales to law enforcement (or all but certain types of law
> enforcement), government actors, blacklist countries).
>
> I think the real challenge with either strategy is not re-animating the
> crypto wars, but preventing a well-meaning effort to control the spread of
> tools of mass surveillance becoming an excuse to, in some countries,
> investigate or criminalize infosec tool creators and distributors, and in
> others to create parallel, extrapolated laws that go after local dissidents
> who undermine the local public health and morals of the Net through their use
> or possession of dangerous Internet tools -- ie using the language
> controlling surveillance tools to also cover circumvention or secure
> communication tools. You could already go after distributors of such
> well-regarded tools for domestic crypto violations in a disturbingly large
> set of countries, though I've not seen anyone do that (partly I think because
> the commercial sector's use of crypto is similarly unenforced in most
> countries, but mostly because the prosecutors who go after dissident
> reporters and technologists aren't particularly au fait with their own crypto
> law).
>
> We all need to tread very carefully here. Legislators can be taught to see
> the problem as being rogue states conducting mass surveillance, but closer to
> home they will tend to see it as individual criminals using spyware. It makes
> sense, if you are thinking about limiting the behaviour of foreign governments,
> to concentrate on limiting the local incentives to manufacture and export those
> tools; you can't, after all, effectively outlaw the practice of those foreign
> governments. But viewing this simplistically as controlling the tool over
> controlling the action is a problematic practice if we accept code is
> speech. The connection with the crypto-wars is the belief that we should aim
> to criminalize bad behavior, not struggle futilely to outlaw the ownership
> and distribution of particular programs that can be used in pursuit of that
> behavior.
>
> d.
>
> ________________________________________
> From: [email protected] [[email protected]] on behalf of Eric King [[email protected]]
> Sent: Monday, September 10, 2012 16:21
> To: Jacob Appelbaum
> Cc: liberationtech
> Subject: Re: [liberationtech] FinFisher is now controlled by UK export controls
>
> Hi all,
>
> Apologies, I should have taken longer to explain what all this means.
>
> To get the obvious bit out of the way: PI spent the first decade of its
> existence fighting the crypto wars and is against government control of
> cryptography. While the government's decision is not the outcome we wanted, as
> a temporary measure, we welcome what the British government is trying to do.
>
> So to clarify some points:
>
> No new cryptography controls have been put in place. The British government,
> in seemingly trying to do the right thing for once, has used the only power it
> had to control FinFisher immediately. It's reinterpreted the remnants of the
> old cryptography controls that were never fully removed and has applied them
> to FinFisher.
>
> We don't feel the success of the crypto wars has been undone in this action.
> This is by no means a permanent solution and we have said so clearly to the
> British government. As a method of controlling FinFisher it's stupid and has
> the potential to be easily circumvented. We're calling for export controls on
> surveillance technology because of what it is, not because it happens to use
> cryptography.
>
> However, this is a hell of a lot of grit that has just been thrown into Gamma's
> machinery. They will have to re-configure chunks of FinFisher if they want to
> try to evade the controls, and even then the control will very likely remain
> effective. From this point on, what this decision means is a little
> unclear, but the likely scenario is that right now Gamma is being investigated
> for records of every location they have shipped FinFisher to. Updates and
> technical support should have stopped until licences are granted, and while
> the British government won't stop exports to all the same countries PI might
> want it to, it will be a significant chunk. These licences will then be
> published and we'll have some indication as to where else FinFisher will be
> operating.
>
> However, there are a hell of a lot of unanswered questions and we've written
> to the government asking for urgent clarification on the below points:
>
> • When and in what circumstances was the assessment of the FinSpy
>   system carried out, the conclusion reached and the advice given that a
>   licence to export was required?
> • Had Gamma International previously sought advice from your client
>   as to whether the FinSpy system required export control, when was this and
>   what was the advice given?
> • What audit had been carried out of the export of the FinSpy system
>   to countries outside the EU prior to the advice referred to?
> • What enforcement action is/will be taken against Gamma
>   International for previous exports of the FinSpy system without a licence?
> • Has Gamma International been required to retrospectively apply for
>   licences for previous exports of the FinSpy system? If not, why not?
> • Has Gamma International sought any licences to export the FinSpy
>   system and/or provide technical assistance, and, if so, to which countries
>   and which licences have been granted and which refused?
> • Notwithstanding the generality of question 6 above, material in the
>   public domain suggests that the FinSpy system has been used in Egypt,
>   Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has
>   Gamma sought any licences for exports of FinSpy or the provision of technical
>   assistance to any of these countries? If so, which ones and were licences
>   granted or refused?
> • Kindly provide a detailed explanation and supporting documentation
>   of precisely which components of FinSpy are controlled.
>
> The end goal is a subsection of the Wassenaar technical annex list to be
> entitled "Surveillance", and to control FinFisher directly within it, not
> because it just happens to use cryptography. In the meantime, this doesn't
> appear to do any damage elsewhere, but does cause a whole lot of problems
> for Gamma.
>
> There's more to be said, but as this is part of an ongoing legal action,
> there are some things that have to remain confidential for the moment. For
> those who have met me, you'll know I'm terrified of my work in this area
> doing more harm than good, so I encourage people to call me out on anything
> you think I've missed or that doesn't make sense. In the meantime I hope the
> above will help dispel some of the concerns, but please ask if things are
> unclear, either on or off list.
>
> Best,
> Eric
>
> --
> Eric King
> Head of Research, Privacy International
> +44 (0) 7986860013 | skype:blinking81 | @e3i5
>
> On 10 Sep 2012, at 19:39, Jacob Appelbaum <[email protected]> wrote:
>
> > Eric King:
> >> Hi all,
> >>
> >> I thought this list would be interested to know that the British
> >> Government has decided to place FinFisher under UK export controls. There
> >> are a ton of questions that remain to be answered, and it's only part of
> >> the bigger goal to control the export of surveillance technology, but it's
> >> a good first step!
> >>
> >>> In a letter sent earlier in August to Privacy International's lawyers
> >>> Bhatt Murphy, a representative of the Treasury Solicitor stated:
> >>>
> >>> "The Secretary of State, having carried out an assessment of the FinSpy
> >>> system to which your letter specifically refers, has advised Gamma
> >>> International that the system does require a licence to export to all
> >>> destinations outside the EU under Category 5, Part 2 ('Information
> >>> Security') of Annex I to the Dual-Use Regulation. This is because it is
> >>> designed to use controlled cryptography and therefore falls within the
> >>> scope of Annex I to the Dual-Use Regulation. The Secretary of State also
> >>> understands that other products in the Finfisher portfolio could be
> >>> controlled for export in the same way."
> >>>
> >>> Press release is here:
> >>> https://www.privacyinternational.org/press-releases/british-government-admits-it-has-already-started-controlling-exports-of-gamma
> >>>
> >>> Full copy of the letter:
> >>> https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/2012_08_08_response_from_tsol.pdf
> >>
> >> Best,
> >>
> >> Eric
> >
> > This is absolutely fucking horrible. They're controlling it based on
> > *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> > worse, they must require a license? And they don't state categorically
> > that they'll deny it on some kind of humanitarian or anti-crime related
> > basis?
> >
> > I mean, I am sure this is the result of a lot of hard work by many
> > people and I don't mean to imply any disrespect. Did this just undercut
> > the work from the 90s? Many people explicitly fought hard to win the
> > decision of having our free speech rights apply to the net for code as
> > speech.
> >
> > Argh,
> > Jake
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
