UK Uses Encryption Controls To Prevent Export of FinSpy Trojan

Posted by at 6:33 pm on September 12, 2012
Category: Encryption, Foreign Export Controls

ABOVE: Gamma International headquarters in Andover, UK

Bloomberg News reported yesterday that the U.K. has imposed export controls on Gamma International’s FinFisher software. FinFisher is commercial trojan software that can take over computers and mobile phones and which the company has marketed to foreign governments anxious to keep really, really close tabs on political dissidents. Reporters and privacy groups have uncovered evidence recently that the nice folks in Bahrain were using this software against political dissidents in that country.

Of particular interest is the rationale used by the U.K. to assert export controls over the software. According to a letter sent by the U.K. government, the software required an export license because it uses cryptographic functionality covered by Category 5, Part 2 of the E.U.’s Dual Use Control List:

The Secretary of State, having carried out an assessment of the FinSpy system to which your letter specifically refers, has advised Gamma International that the system does require a licence to export to all destinations outside the EU under Category 5, Part 2 (‘Information Security’) of Annex I to the Dual-Use Regulation. This is because it is designed to use controlled cryptography and therefore falls within the scope of Annex I to the Dual-Use Regulation. The Secretary of State also understands that other products in the Finfisher [sic] portfolio could be controlled for export in the same way.

Of course, the interesting question here is whether the similar controls placed on encryption in Category 5, Part 2 of the Commerce Control List would require an export license if a U.S. company wanted to export similar trojan software for surveillance purposes. More particularly, the issue is whether under License Exception ENC a U.S. company could self-classify the item and export it without a license if it had previously registered and received an Encryption Registration Number. It seems to me that it could not, because the software at issue falls within 740.17(b)(2)(i)(C)(3), which excludes from self-classification items that have been designed for government end users. It is abundantly clear that Gamma International only sells this trojan software to government end users. Nevertheless, items in this category can be exported immediately upon filing a classification request to countries outside those listed in Supplement 3 to Part 740, e.g., most NATO countries as well as Japan, Switzerland, Malta, Australia and New Zealand. Licenses would be required, however, for exporting the software to countries outside those listed in Supplement 3. The U.K. will apparently require licenses to all destinations.

An additional control on such software in the United States could be found in ECCN 5D980, which controls software “primarily useful for the surreptitious interception of wire, oral, and electronic communications.” However, at least under current policy, licenses to export such software to government agencies in countries other than Cuba, Iran, North Korea, Sudan, and Syria are generally approved. Whether that policy will hold given the current publicity over the use of FinFisher by oppressive regimes is another matter.



Copyright © 2012 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


While I don’t have any answer to your US questions, I think they might be a little too complex in the UK analysis. HMG doesn’t need to burrow into purpose or use. If the software has the requisite encryption, it is controlled and licensable. I doubt the issue of the trojan, and whether it could be controlled in its own right, was formally considered. HMG probably wanted to refuse to licence the export to Bahrain, probably under the “regional instability” criteria. All it needed was to find requisite crypto under the hood, and dismiss any application of Note 3 and Note 4, and the “in the public domain” exclusion in the GSN. I think there is an interesting question as to whether the pressure from Privacy International caused HMG to go to the exporter and make enquiries. If it did, it might show a change in the attitude of HMG.

Comment by Ross Denton on September 13th, 2012 @ 3:34 am

Here is a product that cries out to be controlled under the higher-walls-around-fewer-items tenet. Specifically with regards to 5D980, who thought it was a good idea to have a policy of license denial only for the 5T countries for 5D980 items? A policy of denial for all countries—especially in light of the events of the last couple days in Libya and Egypt—makes more sense, with carve-outs only for our trusted allies (maybe country group A:1+NATO?).

Comment by Mark S. on September 13th, 2012 @ 9:11 am