ABOVE: Gamma International
headquarters in Andover, UK
Bloomberg News reported yesterday that the U.K. has imposed export controls on Gamma International’s FinFisher software. FinFisher is commercial trojan software that can take over computers and mobile phones and which the company has marketed to foreign governments anxious to keep really, really close tabs on political dissidents. Reporters and privacy groups have uncovered evidence recently that the nice folks in Bahrain were using this software against political dissidents in that country.
Of particular interest is the rational used by the U.K. to assert export controls over the software. According to a letter sent by the U.K. government, the software required an export license because it uses cryptographic functionality covered by Category 5, Part 2 of the E.U.’s Dual Use Control List:
The Secretary of State, having carried out an assessment of the FinSpy system to which your letter specifically refers, has advised Gamma International that the system does require a licence to export to all destinations outside the EU under Category 5, Part 2 (‘Information Security’) of Annex I to the Dual-Use Regulation. This is because it is designed to use controlled cryptography and therefore falls within the scope of Annex I to the Dual-Use Regulation. The Secretary of State also understands that other products in the Finfisher [sic] portfolio could be controlled for export in the same way.
Of course, the interesting question here is whether the similar controls placed on encryption in Category 5, Part 2 of the Commerce Control List would require an export license if a U.S. company wanted to export similar trojan software for surveillance purposes. More particularly, the issue is whether under License Exception ENC a U.S. company could self-classify the item and export it without license if it had previously registered and received an Encryption Registration Number. It seems to me that it could not because the software at issue falls within 740.17(b)(2)(i)(C)(3) which excludes from self-classification items that have been designed for government end users. It is abundantly clear that Gamma International only sells this trojan software to government end users. Nevertheless, items in this category can be exported immediately upon filing a classification request to countries outside those listed in Supplement 3 to Part 740, e.g., most NATO countries as well as Japan, Switzerland, Malta, Australia and New Zealand. Licenses would be required, however, for exporting the software to countries outside those listed in Supplement 3. The U.K. will apparently require licenses to all destinations.
An additional control on such software in the United States could be found in ECCN 5D980 which controls software “primarily useful for the surreptitious interception of wire, oral, and electronic communications.” However, at least under current policy licenses to export such software to government agencies in countries other than Cuba, Iran, North Korea, Sudan, and Syria are generally approved. Whether that policy will hold given the current publicity over the use of FinFisher by oppressive regimes is another matter.