Archive for September, 2012


Sep

12

UK Uses Encryption Controls To Prevent Export of FinSpy Trojan


Posted by at 6:33 pm on September 12, 2012
Category: EncryptionForeign Export Controls

Gamma International HQ
ABOVE: Gamma International
headquarters in Andover, UK


Bloomberg News reported yesterday that the U.K. has imposed export controls on Gamma International’s FinFisher software. FinFisher is commercial trojan software that can take over computers and mobile phones and which the company has marketed to foreign governments anxious to keep really, really close tabs on political dissidents. Reporters and privacy groups have uncovered evidence recently that the nice folks in Bahrain were using this software against political dissidents in that country.

Of particular interest is the rational used by the U.K. to assert export controls over the software. According to a letter sent by the U.K. government, the software required an export license because it uses cryptographic functionality covered by Category 5, Part 2 of the E.U.’s Dual Use Control List:

The Secretary of State, having carried out an assessment of the FinSpy system to which your letter specifically refers, has advised Gamma International that the system does require a licence to export to all destinations outside the EU under Category 5, Part 2 (‘Information Security’) of Annex I to the Dual-Use Regulation. This is because it is designed to use controlled cryptography and therefore falls within the scope of Annex I to the Dual-Use Regulation. The Secretary of State also understands that other products in the Finfisher [sic] portfolio could be controlled for export in the same way.

Of course, the interesting question here is whether the similar controls placed on encryption in Category 5, Part 2 of the Commerce Control List would require an export license if a U.S. company wanted to export similar trojan software for surveillance purposes. More particularly, the issue is whether under License Exception ENC a U.S. company could self-classify the item and export it without license if it had previously registered and received an Encryption Registration Number. It seems to me that it could not because the software at issue falls within 740.17(b)(2)(i)(C)(3) which excludes from self-classification items that have been designed for government end users. It is abundantly clear that Gamma International only sells this trojan software to government end users. Nevertheless, items in this category can be exported immediately upon filing a classification request to countries outside those listed in Supplement 3 to Part 740, e.g., most NATO countries as well as Japan, Switzerland, Malta, Australia and New Zealand. Licenses would be required, however, for exporting the software to countries outside those listed in Supplement 3. The U.K. will apparently require licenses to all destinations.

An additional control on such software in the United States could be found in ECCN 5D980 which controls software “primarily useful for the surreptitious interception of wire, oral, and electronic communications.” However, at least under current policy licenses to export such software to government agencies in countries other than Cuba, Iran, North Korea, Sudan, and Syria are generally approved. Whether that policy will hold given the current publicity over the use of FinFisher by oppressive regimes is another matter.

Permalink Comments (2)

Bookmark and Share


Copyright © 2012 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Sep

6

U.S. Sanctions on Iran Hit Health Care


Posted by at 6:06 pm on September 6, 2012
Category: Iran SanctionsOFAC

Imam
ABOVE: Pharmacy in Iran

The Washington Post reprinted on Tuesday a Financial Times report that indicated that U.S. sanctions on Iran were making it difficult for Iranian doctors and hospitals to provide health care to sick patients.

The tightening of U.S. banking sanctions against Iran over its nuclear program has had an impact on all sectors of the economy but is increasingly hitting vulnerable medical patients as deliveries of medicine and raw materials for Iranian pharmaceutical companies are either stopped or delayed, according to medical experts.

But, but, you ask, how can that be? Doesn’t U.S. law permit exports of medicine to Iran even under the new sanctions? Well, yes, in theory, but in practice, maybe not. The article points out difficulty in delivering raw materials to pharmaceutical factories in Iran as one factor, but U.S. law has only permitted exports of medicines, not raw products for medicines, so there’s nothing new here.

Perhaps it’s this:

“We hold a license from the OFAC, but our imports have dropped by more than half while we pay much more than before,” one importer said.

“The exemption of medicine from sanctions is only in theory,” said another. “International banks do not accept Iran’s money for fear of facing U.S. punishment.”

It seems reasonable to conclude that U.S. sanctions have a chilling effect which extends beyond their actual scope. Even if banks might be permitted under General License A to deal with certain Iranian financial institutions in connection with exports of medicine, banks may well decide that parsing the General License, and the risk of punishment if mistakes are made, makes the enterprise more trouble than it’s worth. Not to mention, of course, that this General License would only cover licensed exports of medicine from the U.S. to Iran and not exports of medicine to Iran from other destinations.

And even if the sanctions that can be imposed on foreign banks under the Comprehensive Iran Sanctions, Accountability and Divestment Act of 2010 (“CISADA”) seem limited to specific situations that don’t involve financing medical exports, the recent action by OFAC in blocking two foreign banks for their dealings with Iran may make banks worry about the risk. In that instance, OFAC appeared to be saying that transactions in the petroleum sector could be seen as aiding Iran’s nuclear program, which is one of the bases for imposing CISADA sanctions. By that logic, all transactions with Iran might be seen as aiding the nuclear program, so what bank is going to want to run the risk of financing any exports to Iran?

Permalink Comments (3)

Bookmark and Share


Copyright © 2012 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Sep

5

What an Uncool Thing To Do!


Posted by at 6:58 pm on September 5, 2012
Category: BISCCLDDTCUSML

Sonel Uncooled Thermal ImagerAccording to an article last week in Bloomberg Businessweek, the Pentagon is seeking to add uncooled thermal imaging devices to the United States Munitions List. Putting that technology on the USML, as opposed to the Commerce Control List administered by the Bureau of Industry and Security (“BIS”), would require licenses for all exports of such technology and would prohibit exports to countries, such as China, subject to U.S. arms embargos.

Thermal imaging devices typically have to be cooled to prevent them from being “blinded” by their own internal circuitry. This results in more expensive devices as well as devices that need to warm up (or more accurately cool down) before they can function. Uncooled thermal imaging, while offering lower resolution under current technology than cooled thermal sensors, are less expensive and easier to operate. Uncooled thermal imaging has a number of non-military applications, such as collision-avoidance cameras used in new automobiles and investigation of heat leaks in homes. A contractor investigating leaks from exterior walls into my house used one. (Useless application: the camera viewfinder showed thermal paw prints left by my dog several minutes earlier!)

As the Bloomberg article points out, uncooled thermal imaging devices are produced by companies outside the United States, including Ulis in France; SemiConductor Devices in Israel; NEC Avio Infrared Technologies Co. in Japan; and Zhejiang Dali Technology Co. in China. The uncooled thermal imaging camera used by my contractor was made by Sonel in Poland (a similar model of which is pictured at right.)

The proposal to add uncooled thermal imaging to the USML is currently undergoing interagency review. A revised USML including that technology could appear as early as this month according to an anonymous DOD source cited by the Bloomberg Businessweek report.

Permalink Comments (2)

Bookmark and Share


Copyright © 2012 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)