Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] FinFisher is now controlled by UK export controls

Joss Wright joss-liberationtech at
Mon Sep 10 14:07:10 PDT 2012

On Mon, Sep 10, 2012 at 06:39:51PM +0000, Jacob Appelbaum wrote:
> Eric King:
> > Hi all,   
> > 
> > I thought this list would be interested to know that the British
> > Government has decided to place FinFisher under UK export controls.
> > There are a ton of questions that remain to be answered, and it's
> > only part of the bigger goal to control the export of surveillance
> > technology, but it's a good first step!
> > 

Hooray! Well done!

> This is absolutely fucking horrible. They're controlling it based on
> *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> worse, they must require a license? And they don't state categorically
> that they'll deny it on some kind of humanitarian or anti-crime
> related basis?
> I mean, I am sure this is the result of a lot of hard work by many
> people and I don't mean to imply any disrespect. Did this just
> undercut the work from the 90s? Wany people explicitly fought hard to
> win the decision of having our free speech rights apply to the net for
> code as speech.

I agree that it's sad not to have a response along the lines of `this is
violating human rights, so we'll stop it for that reason', but I've
rarely seen such an honest and principled response. :)

Export control regulation is not my area of expertise, but it seems to
me that the more general humanitarian stance will come from restricting
to whom they will sell evil stuff -- this acknowledgement is simply that
FinFisher falls under the `evil stuff' category. All this does is place
FinFisher in a position where it can't be sold to horrible regimes with

The specific crypto wars point is worth digging into, though. I've had a
brief look at the relevant sections of the referenced Strategic Export
Controls list:

The first meaningful match for `Category 5' (page 42 - "General Software
Note") does appear to make this less worrying on that front:

``Categories 0 to 9 of this list do not control "software" which is

a. Generally available to the public by being:
	1. Sold from stock at retail selling points, without restriction, by means
		a. Over-the-counter transactions;
		b. Mail order transactions;
		c. Electronic transactions; or
		d. Telephone order transactions; and

	2. Designed for installation by the user without further substantial
	support by the supplier; or

	N.B. Entry a. of the General Software Note does not release
	"software" specified in Category 5 - Part 2 ("Information Security").

b. "In the public domain".''

So, public domain software is exempt. Over-the-counter software is
usually exempt, unless specifically fitting their category for
`information security' that refers you to Category 5 - Section 2. That
section has a `cryptography note':

``Note 3: Cryptography Note

5A002 and 5D002 do not control goods that meet all of the following:

a. Generally available to the public by being sold, without restriction,
from  stock at retail selling points by means of any of the following:

	1. Over-the-counter transactions;
	2. Mail order transactions;
	3. Electronic transactions; or
	4. Telephone call transactions;

b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial
support by the supplier; and

d. When necessary, details of the goods are accessible and will be
provided, upon request, to the competent authorities of the Member State
in which the exporter is established in order to ascertain compliance
with conditions described in paragraphs a. to c. above.''

This doesn't resolve the problem of cryptography in general being
treated as munitions, even if it's in a very restricted sense, but it
seems that the result of the crypto wars was more complex than simply
setting crypto free.


Joss Wright | @JossWright

More information about the liberationtech mailing list