[liberationtech] FinFisher is now controlled by UK export controls

Mon Sep 10 12:59:52 PDT 2012

>
> Did this just undercut the work from the 90s? Wany people explicitly
> fought hard to win the decision of having our free speech rights apply to
> the net for code as speech.

While I am by no means an expert on encryption export policy, and what I
know is limited to the United States, I believe that the common perception
that Cryptowars led to complete deregulation is false. While there is a
very relaxed set of exemptions and registration requirements, particularly
for mass market and open source encryption, licensing rules still exist
under Commerce's BIS and under the framework of Wassenaar. Even despite
these allowances, in theory, all software exports still require email
notification or review by BIS before export.
http://www.bis.doc.gov/encryption/encfaqs6_17_02.html#6

Here is a really good, succinct primer presentation on
regulatory jurisdictions:
http://www.gibsondunn.com/publications/Documents/WebcastSlides-EncryptionExportControls-02-21-2012.pdf

I would also point out that no cryptography software is allowed to be
exported to "Terrorist Supporting Countries," to the extent that Firefox
was advised a few years ago that it could not export to Syria, et al unless
it opted to not track download locations.

On Mon, Sep 10, 2012 at 2:39 PM, Jacob Appelbaum <jacob at appelbaum.net>wrote:

> Eric King:
> > Hi all,
> >
> > I thought this list would be interested to know that the British
> Government has decided to place FinFisher under UK export controls. There
> are a ton of questions that remain to be answered, and it's only part of
> the bigger goal to control the export of surveillance technology, but it's
> a good first step!
> >
> >> In a letter sent earlier in August to Privacy International's lawyers
> Bhatt Murphy, a representative of the Treasury Solicitor stated:
> >>
> >> The Secretary of State, having carried out an assessment of the FinSpy
> system to which your letter specifically refers, has advised Gamma
> International that the system does require a licence to export to all
> destinations outside the EU under Category 5, Part 2 (‘Information
> Security’) of Annex I to the Dual-Use Regulation. This is because it is
> designed to use controlled cryptography and therefore falls within the
> scope of Annex I to the Dual-Use Regulation. The Secretary of State also
> understands that other products in the Finfisher portfolio could be
> controlled for export in the same way."
> >>
> >> Press release is here:
> >>
> https://www.privacyinternational.org/press-releases/british-government-admits-it-has-already-started-controlling-exports-of-gamma
> >>
> >> Full copy of the letter:
> https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/2012_08_08_response_from_tsol.pdf
> > Best,
> >
> > Eric
>
> This is absolutely fucking horrible. They're controlling it based on
> *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> worse, they must require a license? And they don't state categorically
> that they'll deny it on some kind of humanitarian or anti-crime related
> basis?
>
> I mean, I am sure this is the result of a lot of hard work by many
> people and I don't mean to imply any disrespect. Did this just undercut
> the work from the 90s? Wany people explicitly fought hard to win the
> decision of having our free speech rights apply to the net for code as
> speech.
>
> Argh,
> Jake
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120910/c07803d1/attachment.html>