European Union plans to extend export controls on so-called “dual-use” technologies to include cyber-surveillance tools could put the brakes on sales of smartphones.
Dual-use technologies are those that can serve civil or military purposes, and some countries impose restrictions on their sale because of fears that they could be used to abuse human rights in the destination country. A draft of new EU export regulations could put smartphones in that category because of their location-tracking capabilities.
The potential for some technologies to be misused has been a concern in the EU since documents leaked following a compromise of Italian company Hacking Team revealed that it had sold its cyber-surveillance tools to repressive regimes.
The person who breached security systems at Hacking Team subsequently wrote that “Hacking gives the underdog a chance to fight and win,” but European Commission officials were concerned that this EU company, and others like it, were not helping the underdog.
In December 2014 they extended existing export controls to cover “intrusion software,” but now plans are in hand to require licensing of a much broader range of technologies, according to a draft regulation “setting up a regime for the control of exports, transfer, brokering, technical assistance, and transit of dual-use items” obtained by news website Euractiv.
The draft regulation is intended to update existing rules dating from 2009 and was prepared following a public consultation held during the third quarter of 2015.
The leaked draft — which could be presented in final form as early as September, according to Euractiv — extends the existing definition of dual-use items to “also include cyber-surveillance technology which can be used for the commission of serious violations of human rights or international humanitarian law, or can pose a threat to international security or the essential security interests of the Union and its member states.”
It also extends the definition of export to include online distribution, not just physical shipments: Yes, military technology can be sold through app stores, too.
The potential difficulty for smart-phone manufacturers and resellers appears on page 20 of the draft, where cyber-surveillance technology is broadly defined as including “mobile telecommunication interception equipment, intrusion software, monitoring centers, lawful interception systems and data retention systems, biometrics, digital forensics, location tracking devices, probes and deep package inspection systems.”
Smartphones could fall foul of that definition because of their location-tracking capabilities — as could dozens of other GPS gadgets with more innocent purposes, such as keeping tabs on your kids or preventing bicycle theft.
Manufacturers of network filtering software relying on deep packet inspection might be in trouble, too, unless the report’s drafters really did intend to include parcel X-ray equipment with their reference to “deep package inspection systems.”
The draft regulation requires that exporters obtain authorization for all exports of items listed in the annexes, and also, for certain destinations, of items not listed in the annexes.
Unless smartphones are specifically excluded from the scope of the regulation, this could add significant overheads and delays for exporters of items that many people consider not a weapon but an everyday necessity.
The European Parliament is already in favor of extending export controls to include surveillance tools, having voted in December 2012 to ban the export of technology that could be used for mass surveillance, tracking people’s movements, or blocking information.