Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-13 Thread Bernard Tyers - ei8fdb
, 
 and is not unaware of the problems of creating well-meaning restrictions 
 that can be applied overbroadly. Another legislative approach is to prohibit 
 the distribution of certain tools with certain capabilities to certain 
 target groups (prohibit sales to law enforcement (or all but certain types 
 of law enforcement), government actors, blacklist countries).
 
 I think the real challenge with either strategy is not re-animating the 
 crypto wars, but preventing a well-meaning effort to control the spread of 
 tools of mass surveillance becoming an excuse to, in some countries, 
 investigate or criminalize infosec tool creators and distributors, and in 
 others to create parallel, extrapolated laws that go after local dissidents 
 who undermine the local public health and morals of the Net through their 
 use or possession of dangerous Internet tools -- i.e. using the language 
 controlling surveillance tools to also cover circumvention or secure 
 communication tools. You could already go after distributors of such 
 well-regarded tools for domestic crypto violations in a disturbingly large 
 set of countries, though I've not seen anyone do that (partly I think 
 because the commercial sector's use of crypto is similarly unenforced in 
 most countries, but mostly because the prosecutors who go after dissident 
 reporters and technologists aren't particularly au fait with their own 
 crypto law).
 
 We all need to tread very carefully here. Legislators can be taught to see 
 the problem as being rogue states conducting mass surveillance, but closer 
 to home they will tend to see it as individual criminals using spyware. It 
 makes sense if you are thinking about limiting the behaviour of foreign 
 governments to concentrate on limiting the local incentives to manufacture and 
 export those tools; you can't, after all, effectively outlaw the practice of 
 those foreign governments. But viewing this simplistically as controlling 
 the tool over controlling the action is a problematic practice if we accept 
 that "code is speech". The connection with the crypto-wars is the belief that we 
 should aim to criminalize bad behavior, not struggle futilely to outlaw the 
 ownership and distribution of particular programs that can be used in 
 pursuit of that behavior.
 
 d.
 
 
 From: liberationtech-boun...@lists.stanford.edu 
 [liberationtech-boun...@lists.stanford.edu] on behalf of Eric King 
 [e...@privacy.org]
 Sent: Monday, September 10, 2012 16:21
 To: Jacob Appelbaum
 Cc: liberationtech
 Subject: Re: [liberationtech] FinFisher is now controlled by UK export  
 controls
 
 Hi all,
 
 Apologies, I should have taken longer to explain what this all means.
 
 To get the obvious bit out of the way: PI spent the first decade of its 
 existence fighting the crypto wars and is against government control of 
 cryptography. While the government's decision is not the outcome we wanted, 
 as a temporary measure, we welcome what the British government is trying to 
 do.
 
 So to clarify some points:
 
 No new cryptography controls have been put in place. The British government, 
 in seemingly trying to do the right thing for once, has used the only power it 
 had to control FinFisher immediately. It's reinterpreted the remnants of the 
 old cryptography controls that were never fully removed and has applied them 
 to FinFisher.
 
 We don't feel the success of the crypto wars has been undone in this action. 
 This is by no means a permanent solution and we have said so clearly to the 
 British government. As a method of controlling FinFisher it's stupid and has 
 the potential to be easily circumvented. We're calling for export controls 
 on surveillance technology because of what it is, not because it happens to 
 use cryptography.
 
 However, this is a hell of a lot of grit that has just been thrown into Gamma's 
 machinery. They will have to re-configure chunks of FinFisher if they want 
 to try to evade the controls, and even then the control will very likely remain 
 effective. From this point on, what this decision means is a little 
 unclear, but the likely scenario is that right now Gamma is being 
 investigated for records of every location they have shipped FinFisher to. 
 Updates and technical support should have stopped until licences are granted, 
 and while the British government won't stop exports to all the same 
 countries PI might want it to - it will be a significant chunk. These 
 licences will then be published and we'll have some indication as to where else 
 FinFisher will be operating.
 
 However there are a hell of a lot of unanswered questions and we've written 
 to the government asking for urgent clarification on the below points:
 
• When and in what circumstances was the assessment of the FinSpy 
 system carried out, the conclusion reached and the advice given that a 
 licence to export was required?
• Had Gamma International previously sought advice

Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-12 Thread Pavol Luptak
On Mon, Sep 10, 2012 at 08:17:37PM +0100, Ryan Gallagher wrote:
Export controls on cryptographic items is not a new development in the UK
or anywhere else -
https://www.gov.uk/specialist/export-of-cryptographic-items
 
The question in the case of FinSpy was whether it was to be classed as a
Dual Use item. The UK government appears to now be recognising that FinSpy
is indeed a Dual Use item and falls under Annex I of EC export
regulations. Annex I is designed to control exports of goods
(cryptographic or otherwise) designed or modified for military use. So
what the UK government is implicitly recognising here is that FinSpy can
be used as a military tool -- a bit like a weapon -- and should be subject
to the same controls. If they implement this, it will mean Gamma will have
to make an application for every sale it wants to make outside of the EU,
and this will have to be assessed with the Dual Use criteria in mind. So
any export will have to be considered in terms of the respect of human
rights and fundamental freedoms in the country of final destination. If
the UK government suspects it could be used for internal repression in the
country of final destination, for example, they will (theoretically at
least) refuse the export.

Any reason why Gamma International (UK) Ltd. should stay in the UK and 
respect this funny regulation? 

There are so many countries in the world where they can do business with no such 
regulations and really low taxes... :-)

And of course - all economic regulations will just support these countries
(including offshores..)

Pavol
--
___
[wil...@trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678]
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Chris Ball
Hi,

On Mon, Sep 10 2012, Eric King wrote:
 The Secretary of State, having carried out an assessment of the
 FinSpy system to which your letter specifically refers, has
 advised Gamma International that the system does require a licence
 to export to all destinations outside the EU under Category 5,
 Part 2 (‘Information Security’) of Annex I to the Dual-Use
 Regulation. This is because it is designed to use controlled
 cryptography and therefore falls within the scope of Annex I to
 the Dual-Use Regulation. The Secretary of State also understands
 that other products in the Finfisher portfolio could be controlled
 for export in the same way.

Are privacy-enhancing technologies subject to the same restrictions?
Controlled cryptography seems very broad.

Thanks,

- Chris.
-- 
Chris Ball   c...@laptop.org   http://printf.net/
One Laptop Per Child

Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Jacob Appelbaum
Eric King:
 Hi all,   
 
 I thought this list would be interested to know that the British Government 
 has decided to place FinFisher under UK export controls. There are a ton of 
 questions that remain to be answered, and it's only part of the bigger goal 
 to control the export of surveillance technology, but it's a good first step!
 
 In a letter sent earlier in August to Privacy International's lawyers Bhatt 
 Murphy, a representative of the Treasury Solicitor stated:
  
 The Secretary of State, having carried out an assessment of the FinSpy 
 system to which your letter specifically refers, has advised Gamma 
 International that the system does require a licence to export to all 
 destinations outside the EU under Category 5, Part 2 (‘Information 
 Security’) of Annex I to the Dual-Use Regulation. This is because it is 
 designed to use controlled cryptography and therefore falls within the scope 
 of Annex I to the Dual-Use Regulation. The Secretary of State also 
 understands that other products in the Finfisher portfolio could be 
 controlled for export in the same way.  
  
 Press release is here:
 https://www.privacyinternational.org/press-releases/british-government-admits-it-has-already-started-controlling-exports-of-gamma
  
 Full copy of the letter: 
 https://www.privacyinternational.org/sites/privacyinternational.org/files/downloads/press-releases/2012_08_08_response_from_tsol.pdf
 Best,  
 
 Eric

This is absolutely fucking horrible. They're controlling it based on
*cryptography* after we WON the cryptowars? What. The. Fuck. And even
worse, they must require a license? And they don't state categorically
that they'll deny it on some kind of humanitarian or anti-crime related
basis?

I mean, I am sure this is the result of a lot of hard work by many
people and I don't mean to imply any disrespect. Did this just undercut
the work from the 90s? Many people explicitly fought hard to win the
decision of having our free speech rights apply to the net for code as
speech.

Argh,
Jake



Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Eric King
Hi all,

Apologies, I should have taken longer to explain what this all means. 

To get the obvious bit out of the way: PI spent the first decade of its 
existence fighting the crypto wars and is against government control of 
cryptography. While the government's decision is not the outcome we wanted, as a 
temporary measure, we welcome what the British government is trying to do.

So to clarify some points:

No new cryptography controls have been put in place. The British government, in 
seemingly trying to do the right thing for once, has used the only power it had to 
control FinFisher immediately. It's reinterpreted the remnants of the old 
cryptography controls that were never fully removed and has applied them to 
FinFisher. 

We don't feel the success of the crypto wars has been undone in this action. 
This is by no means a permanent solution and we have said so clearly to the 
British government. As a method of controlling FinFisher it's stupid and has 
the potential to be easily circumvented. We're calling for export controls on 
surveillance technology because of what it is, not because it happens to use 
cryptography. 

However, this is a hell of a lot of grit that has just been thrown into Gamma's 
machinery. They will have to re-configure chunks of FinFisher if they want to 
try to evade the controls, and even then the control will very likely remain 
effective. From this point on, what this decision means is a little unclear, 
but the likely scenario is that right now Gamma is being investigated for 
records of every location they have shipped FinFisher to. Updates and technical 
support should have stopped until licences are granted, and while the British 
government won't stop exports to all the same countries PI might want it to - 
it will be a significant chunk. These licences will then be published and we'll 
have some indication as to where else FinFisher will be operating. 

However there are a hell of a lot of unanswered questions and we've written to 
the government asking for urgent clarification on the below points:

• When and in what circumstances was the assessment of the FinSpy 
system carried out, the conclusion reached and the advice given that a licence 
to export was required?
• Had Gamma International previously sought advice from your client as 
to whether the FinSpy system required export control, when was this and what 
was the advice given?
• What audit had been carried out of the export of the FinSpy system to 
countries outside the EU prior to the advice referred to?
• What enforcement action is/will be taken against Gamma International 
for previous exports of the FinSpy system without a licence?
• Has Gamma International been required to retrospectively apply for 
licences for previous exports of the FinSpy system? If not, why not? 
• Has Gamma International sought any licences to export the FinSpy 
system and/or provide technical assistance, and, if so, to which countries and 
which licences have been granted and which refused?
• Notwithstanding the generality of question 6 above, material in the 
public domain suggests that the FinSpy system has been used in Egypt, 
Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has 
Gamma sought any licences for exports of FinSpy or the provision of technical 
assistance to any of these countries? If so, which ones and were licences 
granted or refused?
• Kindly provide a detailed explanation and supporting documentation of 
precisely which components of FinSpy are controlled? 

The end goal is a subsection of the Wassenaar technical annex list to be 
entitled Surveillance, and to control FinFisher directly within it, not because 
it just happens to use cryptography. In the meantime, this doesn't appear to 
do any damage elsewhere, but does cause a whole lot of problems for Gamma.

There's more to be said, but as this is part of an ongoing legal action, there 
are some things that have to remain confidential for the moment. For those who 
have met me, you'll know I'm terrified of my work in this area doing more harm 
than good, so I encourage people to call me out on anything you think I've 
missed or that doesn't make sense. In the meantime I hope the above will help 
dispel some of the concerns, but please ask if things are unclear, either on or 
off list. 

Best,
Eric


--
Eric King
Head of Research, Privacy International
+44 (0) 7986860013   |   skype:blinking81   |   @e3i5

On 10 Sep 2012, at 19:39, Jacob Appelbaum ja...@appelbaum.net wrote:

 Eric King:
 Hi all,   
 
 I thought this list would be interested to know that the British Government 
 has decided to place FinFisher under UK export controls. There are a ton of 
 questions that remain to be answered, and it's only part of the bigger goal 
 to control the export of surveillance technology, but it's a good first step!
 
 In a letter sent earlier in August to Privacy International's lawyers 

Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Collin Anderson
Eric,

Thank you for the clarification, I think it is important to point people to
the standing regulations that matter most, Wassenaar Category 5 Part 2, and
the exemption for FOSS in the control list (which, again, exists for BIS as
§740.13). It seems clear from the government's response that the prima
facie issue isn't encryption, but its *dual use* for non-consumer --
specifically, military or police -- purposes.

Regarding the application for FOSS software, to steal Apache's language:

In the current Wassenaar List of Dual Use Goods and Technologies And
 Munitions, under GENERAL SOFTWARE NOTE (GSN) it says "The Lists do not
 control software which is either: 1. [...] 2. in the public domain." And
 under DEFINITIONS OF TERMS USED IN THESE LISTS we find "In the public domain"
 defined as "technology or software which has been made available without
 restrictions upon its further dissemination. Note: Copyright restrictions
 do not remove technology or software from being in the public domain."


Google Doc link to 5.2, because the Wassenaar page only releases .doc
copies of the control list.

https://docs.google.com/viewer?a=v&q=cache:mGQFIbSZdJoJ:www.wassenaar.org/controllists/2010/WA-LIST%2520(10)%25201%2520Corr/08%2520-%2520WA-LIST%2520(10)%25201%2520Corr.%2520-%2520Cat%25205P2.doc+&hl=en&gl=us&pid=bl&srcid=ADGEESjATC3wqzjGrqIuI2Cbc_rROXwuyNb7AxAV3ZdgUdZvcirGGtOzBVrN8DjTRdxQhZOeZWm6gMLxDuxCcW4-5kllLJf6Stir0cSzzF-W5GcfPwSCCzb8-hWwbyBCz4K2tbkEzvKD&sig=AHIEtbSpiAvXJ6FHFkDLbrWhnYrEGhR5Pw

Congratulations PI, I think this was a big win.

Cordially,
Collin


On Mon, Sep 10, 2012 at 4:21 PM, Eric King e...@privacy.org wrote:

 Hi all,

 Apologies, I should have taken longer to explain what this all means.

 To get the obvious bit out of the way: PI spent the first decade of its
 existence fighting the crypto wars and is against government control of
 cryptography. While the government's decision is not the outcome we wanted,
 as a temporary measure, we welcome what the British government is trying to
 do.

 So to clarify some points:

 No new cryptography controls have been put in place. The British
 government, in seemingly trying to do the right thing for once, has used the
 only power it had to control FinFisher immediately. It's reinterpreted the
 remnants of the old cryptography controls that were never fully removed and
 has applied them to FinFisher.

 We don't feel the success of the crypto wars has been undone in this
 action. This is by no means a permanent solution and we have said so clearly
 to the British government. As a method of controlling FinFisher it's stupid
 and has the potential to be easily circumvented. We're calling for export
 controls on surveillance technology because of what it is, not because it
 happens to use cryptography.

 However, this is a hell of a lot of grit that has just been thrown into
 Gamma's machinery. They will have to re-configure chunks of FinFisher if
 they want to try to evade the controls, and even then the control will very
 likely remain effective. From this point on, what this decision means is
 a little unclear, but the likely scenario is that right now Gamma is being
 investigated for records of every location they have shipped FinFisher to.
 Updates and technical support should have stopped until licences are
 granted, and while the British government won't stop exports to all the same
 countries PI might want it to - it will be a significant chunk. These
 licences will then be published and we'll have some indication as to where
 else FinFisher will be operating.

 However there are a hell of a lot of unanswered questions and we've
 written to the government asking for urgent clarification on the below
 points:

 • When and in what circumstances was the assessment of the FinSpy
 system carried out, the conclusion reached and the advice given that a
 licence to export was required?
 • Had Gamma International previously sought advice from your
 client as to whether the FinSpy system required export control, when was
 this and what was the advice given?
 • What audit had been carried out of the export of the FinSpy
 system to countries outside the EU prior to the advice referred to?
 • What enforcement action is/will be taken against Gamma
 International for previous exports of the FinSpy system without a licence?
 • Has Gamma International been required to retrospectively apply
 for licences for previous exports of the FinSpy system? If not, why not?
 • Has Gamma International sought any licences to export the FinSpy
 system and/or provide technical assistance, and, if so, to which countries
 and which licences have been granted and which refused?
 • Notwithstanding the generality of question 6 above, material in
 the public domain suggests that the FinSpy system has been used in Egypt,
 Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has
 Gamma sought any licences for exports of FinSpy or the 

Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Joss Wright
On Mon, Sep 10, 2012 at 06:39:51PM +, Jacob Appelbaum wrote:
 Eric King:
  Hi all,   
  
  I thought this list would be interested to know that the British
  Government has decided to place FinFisher under UK export controls.
  There are a ton of questions that remain to be answered, and it's
  only part of the bigger goal to control the export of surveillance
  technology, but it's a good first step!
  

Hooray! Well done!

 This is absolutely fucking horrible. They're controlling it based on
 *cryptography* after we WON the cryptowars? What. The. Fuck. And even
 worse, they must require a license? And they don't state categorically
 that they'll deny it on some kind of humanitarian or anti-crime
 related basis?
 
 I mean, I am sure this is the result of a lot of hard work by many
 people and I don't mean to imply any disrespect. Did this just
 undercut the work from the 90s? Many people explicitly fought hard to
 win the decision of having our free speech rights apply to the net for
 code as speech.

I agree that it's sad not to have a response along the lines of `this is
violating human rights, so we'll stop it for that reason', but I've
rarely seen such an honest and principled response. :)

Export control regulation is not my area of expertise, but it seems to
me that the more general humanitarian stance will come from restricting
to whom they will sell evil stuff -- this acknowledgement is simply that
FinFisher falls under the `evil stuff' category. All this does is place
FinFisher in a position where it can't be sold to horrible regimes with
impunity.

The specific crypto wars point is worth digging into, though. I've had a
brief look at the relevant sections of the referenced Strategic Export
Controls list:
http://www.bis.gov.uk/assets/biscore/eco/docs/control-lists/12-1014-uk-strategic-export-control-list-consolidated.pdf

The first meaningful match for `Category 5' (page 42 - General Software
Note) does appear to make this less worrying on that front:

``Categories 0 to 9 of this list do not control software which is
either:

a. Generally available to the public by being:
1. Sold from stock at retail selling points, without restriction, by
means of:
a. Over-the-counter transactions;
b. Mail order transactions;
c. Electronic transactions; or
d. Telephone order transactions; and

2. Designed for installation by the user without further substantial
support by the supplier; or

N.B. Entry a. of the General Software Note does not release
software specified in Category 5 - Part 2 (Information Security).

b. In the public domain.''

So, public domain software is exempt. Over-the-counter software is
usually exempt, unless specifically fitting their category for
`information security' that refers you to Category 5 - Section 2. That
section has a `cryptography note':

``Note 3: Cryptography Note

5A002 and 5D002 do not control goods that meet all of the following:

a. Generally available to the public by being sold, without restriction,
from  stock at retail selling points by means of any of the following:

1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;

b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial
support by the supplier; and

d. When necessary, details of the goods are accessible and will be
provided, upon request, to the competent authorities of the Member State
in which the exporter is established in order to ascertain compliance
with conditions described in paragraphs a. to c. above.''

This doesn't resolve the problem of cryptography in general being
treated as munitions, even if it's in a very restricted sense, but it
seems that the result of the crypto wars was more complex than simply
setting crypto free.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net/~joss