European companies in the business of selling spyware and exploits to international governments and law enforcement will need a special licence from 31 December 2014.
The new requirement for a licence to export “intrusion software” from Europe is part of a European Commission decision in October to add spyware its dual-use list of export controls which cover products that might have a military application or contribute to the spread of weapons of mass destruction.
As the Commission noted in October, the updated dual-use control list “reflects growing security concerns regarding the use of surveillance technology and cybertools that could be misused in violation of human rights or against the EU's security.”
The new controls cover spyware, telecommunication and internet surveillance equipment, and exploits for flaws in software.
The UK Department for Business Innovation and Skills (BIS) published a reminder on Thursday that intrusion software vendors will need the licence if they want to legally export their wares from December 31, 2014.
Europe was late to the party on clamping down on spyware exports, which have come under increasing public scrutiny over the past three years with the discovery that European-based firms had sold spyware to repressive governments that used those products to commit human rights abuses.
One of the first instances a European spyware vendor was accused of facilitating human rights violations surfaced after the Arab Spring fall of the Egyptian government in 2011. British firm Gamma International UK Limited was found to have sold its now notorious “FinSpy” product to the Egyptian government in 2010. Another company that has come under fire for similar products is Italian firm, Hacking Team.
The EU was criticised by human rights activists for dragging its heals on implementing controls for dual-use software exports. The controls it implemented in October harmonised its regulations with the Wassenaar Arrangement, which added intrusion software to its export-control list in December 2013.
The controlled software would also perform “extraction of data or information, from a computer or network-capable device, or the modification of system or user data”; or modify “the standard execution path of a program or process in order to allow the execution of externally provided instructions.”
That last definition — modifying the standard execution path — means vendors of other products in the intrusion chain are also required to get a dual-use export licence, such as companies that sell exploits for flaws in software for which there is no fix, otherwise known as “zero day” exploits.
According to Chaouki Bekram, CEO of Vupen, a security firm based in France that sells zero day exploits, companies like his will need a licence to export these.
This article is brought to you by Enex TestLab, content directors for CSO Australia.