[liberationtech] FinFisher is now controlled by UK export controls

Danny O'Brien DObrien at cpj.org
Mon Sep 10 14:39:44 PDT 2012

Just to add to this:

It's surprising just how much of the old cryptowar language is still hanging
around ready to trip someone up. The US government is still unwilling to grant
blanket exemptions for classes of crypto-using products, so the only way you
can know whether you're violating the broad language of the law is to ask very
specifically for an export license. And if you ask, they may say no. This was
the issue with much of the United States "Axis of Evil" (Sudan/Syria/Iran/N.
Korea) sanctions too -- Mozilla had to tread very carefully in order to get a
permitted exception before the recent sanctions rewrite. That rewrite contains
no pre-emptive exemptions (you still have to apply) and other companies still
play far too safe WRT offering downloads to these countries rather than risk
asking permission and being turned down.

As Eric says, the UK is part of Wassenaar, which means public domain and
personal use crypto is okay to export, but various "strongish" crypto requires
a license, at least in theory:

To broaden Wassenaar to include surveillance tech by extending it with regard
to specific categories of use is one approach to attempt to dissuade local
companies from selling mass surveillance tools to repressive regimes. I know
that PI has been thinking and working on this for a very long time, and is not
unaware of the problems of creating well-meaning restrictions that can be
applied overbroadly. Another legislative approach is to prohibit the
distribution of certain tools with certain capabilities to certain target
groups (prohibit sales to law enforcement (or all but certain types of law
enforcement), government actors, blacklist countries).

I think the real challenge with either strategy is not re-animating the crypto
wars, but preventing a well-meaning effort to control the spread of tools of
mass surveillance becoming an excuse to, in some countries, investigate or
criminalize infosec tool creators and distributors, and in others to create
parallel, extrapolated laws that go after local dissidents who undermine the
local public health and morals of the Net through their use or possession of
dangerous Internet tools -- i.e. using the language controlling surveillance
tools to also cover circumvention or secure communication tools. You could
already go after distributors of such well-regarded tools for domestic crypto
violations in a disturbingly large set of countries, though I've not seen
anyone do that (partly I think because the commercial sector's use of crypto
is similarly unenforced in most countries, but mostly because the prosecutors
who go after dissident reporters and technologists aren't particularly au fait
with their own crypto law).

We all need to tread very carefully here. Legislators can be taught to see the
problem as being rogue states conducting mass surveillance, but closer to home
they will tend to see it as individual criminals using spyware. It makes sense
if you are thinking about limiting the behaviour of foreign governments to
concentrate limiting the local incentives to manufacture and export those
tools; you can't, after all, effectively outlaw the practice of those foreign
governments. But viewing this simplistically as controlling the tool over
controlling the action is a problematic practice if we accept code is speech.
The connection with the crypto-wars is the belief that we should aim to
criminalize bad behavior, not struggle futilely to outlaw the ownership and
distribution of particular programs that can be used in pursuit of that


From: liberationtech-bounces at lists.stanford.edu
[liberationtech-bounces at lists.stanford.edu] on behalf of Eric King
[eric at privacy.org]
Sent: Monday, September 10, 2012 16:21
To: Jacob Appelbaum
Cc: liberationtech
Subject: Re: [liberationtech] FinFisher is now controlled by UK export

Hi all,

Apologies, I should have taken longer to explain what this all means.

To get the obvious bit out of the way: PI spent the first decade of its
existence fighting the crypto wars and is against government control of
cryptography. While the government's decision is not the outcome we wanted, as
a temporary measure, we welcome what the British government is trying to do.

So to clarify some points:

No new cryptography controls have been put in place. The British government,
in seemingly trying to do the right thing for once, has used the only power it
had to control FinFisher immediately. It's reinterpreted the remnants of the
old cryptography controls that were never fully removed and has applied them
to FinFisher.

We don't feel the success of the crypto wars has been undone in this action.
This is by no means a permanent solution and we have said so clearly to the
British government. As a method of controlling FinFisher it's stupid and has
the potential to be easily circumvented. We're calling for export controls on
surveillance technology because of what it is, not because it happens to use

However this is a hell of a lot of grit that has just been thrown into Gamma's
machinery. They will have to re-configure chunks of FinFisher if they want to
try to evade the controls, and even then the control will very likely remain
effective. From this point on, what this decision means is a little unclear
but the likely scenario is that right now Gamma is being investigated for
records of every location they have shipped FinFisher to. Updates and
technical support should have stopped until licences are granted and while the
British government won't stop exports to all the same countries PI might want
it to - it will be a significant chunk. These licences will then be published
and we'll have some indication as where else FinFisher will be operating.

However there are a hell of a lot of unanswered questions and we've written to
the government asking for urgent clarification on the below points:

        • When and in what circumstances was the assessment of the FinSpy
system carried out, the conclusion reached and the advice given that a licence
to export was required?
        • Had Gamma International previously sought advice from your client
as to whether the FinSpy system required export control, when was this and
what was the advice given?
        • What audit had been carried out of the export of the FinSpy system
to countries outside the EU prior to the advice referred to?
        • What enforcement action is/will be taken against Gamma
International for previous exports of the FinSpy system without a licence?
        • Has Gamma International been required to retrospectively apply for
licences for previous exports of the FinSpy system? If not, why not?
        • Has Gamma International sought any licences to export the FinSpy
system and/or provide technical assistance, and, if so, to which countries and
which licences have been granted and which refused?
        • Notwithstanding the generality of question 6 above, material in
the public domain suggests that the FinSpy system has been used in Egypt,
Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has
Gamma sought any licences for exports of FinSpy or the provision of technical
assistance to any of these countries? If so, which ones and were licences
granted or refused?
        • Kindly provide a detailed explanation and supporting documentation
of precisely which components of FinSpy are controlled?

The end goal is a subsection of the Wassenaar technical annex list to be
entitled "Surveillance", and control FinFisher directly within it, not because
it just happens to use cryptography. In the mean time, this doesn't appear to
do any damage elsewhere, but does cause a whole lot of problems for Gamma.

There's more to be said, but as this is part of an ongoing legal action, there
are some things that have to remain confidential for the moment. For those who
have met me, you'll know I'm terrified of my work in this area doing more harm
than good, so I encourage people to call me out on anything you think I've
missed or doesn't make sense.  In the mean time I hope the above will help
dispel some of the concerns, but please ask if things are unclear, either on
or off list.


Eric King
Head of Research, Privacy International
+44 (0) 7986860013   |   skype:blinking81   |   @e3i5

On 10 Sep 2012, at 19:39, Jacob Appelbaum <jacob at appelbaum.net> wrote:

> Eric King:
>> Hi all,
>> I thought this list would be interested to know that the British Government
>> has decided to place FinFisher under UK export controls. There are a ton of
>> questions that remain to be answered, and it's only part of the bigger goal to
>> control the export of surveillance technology, but it's a good first step!
>>> In a letter sent earlier in August to Privacy International's lawyers
>>> Bhatt Murphy, a representative of the Treasury Solicitor stated:
>>> "The Secretary of State, having carried out an assessment of the FinSpy
>>> system to which your letter specifically refers, has advised Gamma
>>> International that the system does require a licence to export to all
>>> destinations outside the EU under Category 5, Part 2 ("Information
>>> Security") of Annex I to the Dual-Use Regulation. This is because it is
>>> designed to use controlled cryptography and therefore falls within the scope
>>> of Annex I to the Dual-Use Regulation. The Secretary of State also understands
>>> that other products in the Finfisher portfolio could be controlled for export
>>> in the same way."
>>> Press release is here:
>>> Full copy of the letter:
>> Best,
>> Eric
> This is absolutely fucking horrible. They're controlling it based on
> *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> worse, they must require a license? And they don't state categorically
> that they'll deny it on some kind of humanitarian or anti-crime related
> basis?
> I mean, I am sure this is the result of a lot of hard work by many
> people and I don't mean to imply any disrespect. Did this just undercut
> the work from the 90s? Many people explicitly fought hard to win the
> decision of having our free speech rights apply to the net for code as
> speech.
> Argh,
> Jake


----- End forwarded message -----
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list