Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] FinFisher is now controlled by UK export controls

Collin Anderson collin at
Mon Sep 10 13:35:30 PDT 2012


Thank you for the clarification, I think it is important to point people to
the standing regulations that matter most, Wassenaar Category 5 Part 2, and
the exemption for FOSS in the control list (which, again, exists for BIS as
§740.13). It seems clear from the government's response that the prima
facie issue isn't encryption, but its *dual use* for non-consumer --
specifically, military or police -- purposes.

Regarding the application for FOSS software, to steal Apache's language:

In the current Wassenaar List of Dual Use Goods and Technologies And
> Munitions, under GENERAL SOFTWARE NOTE (GSN) it says The Lists do not
> control "software" which is either: 1. [...] 2. "in the public domain". And
> under DEFINITIONS OF TERMS USED IN THESE LISTS we find In the public domain
> defined as "technology" or "software" which has been made available without
> restrictions upon its further dissemination. Note: Copyright restrictions
> do not remove "technology" or "software" from being "in the public domain".

Google Doc link to 5.2, because the Wassenaar page only releases .doc
copies of the control list.

Congratulations PI, I think this was a big win.


On Mon, Sep 10, 2012 at 4:21 PM, Eric King <eric at> wrote:

> Hi all,
> Apologies, I should have taken longer to explain what we this all means.
> To get the obvious bit out of the way:  PI spent the first decade of it's
> existence fighting the crypto wars and is against government control of
> cryptography. While the governments decision is not the outcome we wanted,
> as a temporary measure, we welcome what the British government is trying to
> do.
> So to clarify some points:
> No new cryptography controls have been put in place. The British
> government, in seemly trying to do the right thing for once, has used the
> only power it had to control FinFisher immediately. It's reinterpreted the
> remnants of the old cryptography controls that were never fully removed and
> has applied them to FinFisher.
> We don't feel the success of the crypto wars has been undone in this
> action. This is by no means a permanent solution and have said so clearly
> to the British government. As a method of controlling FinFisher it's stupid
> and has the potential to be easily circumvented. We're calling for export
> controls on surveillance technology because of what it is, not because it
> happens to use cryptography.
> However this a hell of a lot of grit that has just been thrown into
> Gamma's machinery. They will have to re-configure chunks of FinFisher if
> they want to try evade the controls, and even then the control will very
> likely remain effective. From this point on it, what this decision means is
> a little unclear but the likely scenario is that right now Gamma is being
> investigated for records of every location they have shipped FinFisher to.
> Updates and technical support should have stopped until licences are
> granted and while the British government won't stop exports to all the same
> countries PI might want it to - it will be a significant chunk. These
> licences will then be published and we'll have some indication as where
> else FinFisher will be operating.
> However there are a hell of a lot of unanswered questions and we've
> written to the government asking for urgent clarification on the below
> points:
>         • When and in what circumstances was the assessment of the FinSpy
> system carried out, the conclusion reached and the advice given that a
> licence to export was required?
>         • Had Gamma International previously sought advice from your
> client as to whether the FinSpy system required export control, when was
> this and what was the advice given?
>         • What audit had been carried out of the export of the FinSpy
> system to countries outside the EU prior to the advice referred to?
>         • What enforcement action is/will be taken against Gamma
> International for previous exports of the FinSpy system without a licence?
>         • Has Gamma International been required to retrospectively apply
> for licences for previous exports of the FinSpy system? If not, why not?
>         • Has Gamma International sought any licences to export the FinSpy
> system and/or provide technical assistance, and, if so, to which countries
> and which licences have been granted and which refused?
>         • Notwithstanding the generality of question 6 above, material in
> the public domain suggests that the FinSpy system has been used in Egypt,
> Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has
> Gamma sought any licences for exports of FinSpy or the provision of
> technical assistance to any of these countries? If so, which ones and were
> licences granted or refused?
>         • Kindly provide a detailed explanation and supporting
> documentation of precisely which components of FinSpy are controlled?
> The end goal is a subsection of the Wassenaar technical annex list to be
> entitled "Surveillance", and control FinFisher directly within it, not
> because it just happens to use cryptography. In the mean time, this doesn't
> appear to do any damage elsewhere, but does causes a whole lot of problems
> for Gamma.
> There's more to be said, but as this is part of an ongoing legal action,
> there are some things that have to remain confidential for the moment. For
> those who have met me, you'll know I'm terrified of my work in this area
> doing more harm than good, so I encourage people to call me out on anything
> you think I've missed or doesn't make sense.  In the mean time I hope the
> above will help dispel some of the concerns, but please ask if things are
> unclear, either on or off list.
> Best,
> Eric
> --
> Eric King
> Head of Research, Privacy International
> +44 (0) 7986860013   |   skype:blinking81   |   @e3i5
> On 10 Sep 2012, at 19:39, Jacob Appelbaum <jacob at> wrote:
> > Eric King:
> >> Hi all,
> >>
> >> I thought this list would be interested to know that the British
> Government has decided to place FinFisher under UK export controls. There
> are a ton of questions that remain to be answered, and it's only part of
> the bigger goal to control the export of surveillance technology, but it's
> a good first step!
> >>
> >>> In a letter sent earlier in August to Privacy International's lawyers
> Bhatt Murphy, a representative of the Treasury Solicitor stated:
> >>>
> >>> The Secretary of State, having carried out an assessment of the FinSpy
> system to which your letter specifically refers, has advised Gamma
> International that the system does require a licence to export to all
> destinations outside the EU under Category 5, Part 2 (‘Information
> Security’) of Annex I to the Dual-Use Regulation. This is because it is
> designed to use controlled cryptography and therefore falls within the
> scope of Annex I to the Dual-Use Regulation. The Secretary of State also
> understands that other products in the Finfisher portfolio could be
> controlled for export in the same way."
> >>>
> >>> Press release is here:
> >>>
> >>>
> >>> Full copy of the letter:
> >> Best,
> >>
> >> Eric
> >
> > This is absolutely fucking horrible. They're controlling it based on
> > *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> > worse, they must require a license? And they don't state categorically
> > that they'll deny it on some kind of humanitarian or anti-crime related
> > basis?
> >
> > I mean, I am sure this is the result of a lot of hard work by many
> > people and I don't mean to imply any disrespect. Did this just undercut
> > the work from the 90s? Wany people explicitly fought hard to win the
> > decision of having our free speech rights apply to the net for code as
> > speech.
> >
> > Argh,
> > Jake
> --
> Unsubscribe, change to digest, or change password at:

*Collin David Anderson* | @cda | Washington, D.C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list