[liberationtech] Finfisher Spy Kit Revealed in Bahrain
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Sat Jul 28 03:07:43 PDT 2012
On 7/27/12 11:54 PM, Andre Rebentisch wrote:
> The common denominator of my campaigning on the EU level is reduction of
> legal risks for software development. We both know that even
> general-purpose equipment and operating systems could be "dual use".
> It's tricky from a regulatory perspective, but the cases are
> crystal-clear. An applicable line is to put citizens and export nations
> on equal footing. Tools where use is unlawful for citizens under our
> jurisdiction should also be controlled for service export to external
> parties.
I have to deal with export control stuff for my daily job, but for
what's related to the Wassenaar Arrangement Control List
(http://www.wassenaar.org/controllists/index.html).
The one of high interest to me is related to cryptography, where software
is explicitly cited:
https://docs.google.com/viewer?url=http://www.wassenaar.org/controllists/2011/WA-LIST%2520%252811%2529%25201%2520Corr/08%2520-%2520WA-LIST%2520%252811%2529%25201%2520Corr.%2520-%2520Cat%25205P2.doc
Basically you can "avoid" the control if and only if the items meet all
of the following:
======================================================================
"Generally available to the public by being sold, without restriction,
from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
* The cryptographic functionality cannot easily be changed by the user;
* Designed for installation by the user without further substantial
support by the supplier; and
* Not used since 2000
* When necessary, details of the items are accessible and will be
provided, upon request, to the appropriate authority in the exporter's
country in order to ascertain compliance with conditions described in
paragraphs a. to c. above."
======================================================================
So the general concept for crypto-exports on dual-use is that:
- if it's a standard tool
- that you sell to anyone
- that the customer can install on its own (because it's not
customized, developed ad hoc for the customer)
then no export control applies.
Still, I generally think that if a Western country's company doesn't sell
something to a regime, other companies from regimes will do:
www.iranascience.com/1-home/newsletters/21-Web%2520Filters.pdf
-naif