The European Union has tightened up export rules on cybersurveillance tools in an effort to limit their spread to repressive regimes.
The new rules covering “dual use” products and services – those that can be used in both a civilian and military context – were announced this week and follow years of negotiations. They were necessary, the EU said, because of “technological developments and growing security risks.”
The goods affected will include controls on things like high-end computers and drones, identification software and spyware. The new rules put a stress on human rights as a key criteria for approving or refusing export licenses.
Member states will be required to “consider the risk of use in connection with internal repression or the commission of serious violations of international human rights and international humanitarian law.”
In an announcement this week, the EU said: “Parliament negotiators have succeeded in substantially strengthening human rights considerations among those new criteria to avoid that certain surveillance and intrusion technologies exported from the EU contribute to human rights abuses.”
In effect, that means if an EU company wants to export its technology to a country outside Europe, it will face greater hurdles and questions if that country has a history of abusing human rights or limiting political freedom.
The rules have also been redrawn to encompass new and emerging technologies in an effort to stay ahead of future problems since changes to the rules – especially the international Wassenaar agreement – can often take a decade or more.
The rules have been pitched as adding flexibility to the existing setup while also keeping up-to-date with technological advances. That flexibility basically allows the flow of goods and services to continue but puts greater transparency requirements on EU countries: reporting requirements are currently “patchy”, according to the EU itself.
Under the new rules, European governments must either disclose the destination, items and value of any cyber-surveillance exports or publicly disclose that they have decided not to make that information public. That may sound like a cop-out, but the goal is to highlight which countries are selling to repressive regimes and so enables others to exert pressure.
The fact that the rules don’t ban the export of such equipment – hardware or software – is a result of an earlier effort by the United States to put export restrictions on various cybersecurity tools: something that caused uproar in the tech industry and led to a hasty re-evaluation, followed by a collapse in talks. In the end, a few careful changes were made – and government negotiators appear to have learnt from the experience.
Infosec controls relaxed a little after latest Wassenaar meeting
Various people involved in the negotiations have given canned quotes about the end result.
The head of the delegation Bernd Lange said: “The revised regulation updates European export controls and adapts to technological progress, new security risks and information on human rights violations. It is an EU milestone, as export rules for surveillance technologies have been agreed for the first time. Economic interests must not take precedence over human rights.”
Rapporteur Marketa Gregoraova said: “Today is a win for global human rights. We have set an important example for other democracies to follow. We will now have EU-wide transparency on the export of cyber surveillance and will control the export of biometric surveillance. Authoritarian regimes will no longer be able to secretly get their hands on European cyber-surveillance.”
The rules are not law yet. They need to be voted on by Parliament and the Council but they were drawn up by negotiators from both bodies so are expected to pass without much trouble.
It is worth noting though that the rules will only apply to countries within the European Union, so they won’t give a full picture of what is going on globally when it comes to cybersurveillance. ®