Exclusive Software export controls are being applied to blacklisted people as well as countries: and these controls apply to routine security packages such as freebie antivirus scanning software, as well as more sensitive technologies, El Reg has concluded.
We've come to this way of thinking after investigating why Reg reader Hasan Ali was blocked from downloading Sophos AV for Mac. A screenshot of the "computer says no" message can be seen below.
Ali brought the issue to our attention, complaining that Sophos had applied an "anti-Muslim name filter” that places hurdles in the way of his attempts to download the security software firm’s freebie Mac malware detection tool.
In response, Sophos said the filter was based on the International Denied Persons List and its use was routine procedure that it needed to follow in order to comply with various international export laws. It added:
We are sorry Mr Ali has had difficulty downloading our free Mac Antivirus software. Like many companies operating on a global scale, Sophos is required to adhere to the export laws and regulations of the United States, European Union, and every country in which it conducts business.
As such, we screen all requests for software downloads in accordance with a number of export lists, such as the US Export Administration Regulations, which affects all companies trading in the US and includes the requirement to ensure that the requester is not included on any US government denied persons list.
Like many companies, we used a third party to check all requests. Because this particular request only included the requester’s name, which matched with a number of names and aliases on the denied persons list, it was flagged as something we needed to check.
Our policy, in accordance with the US Export Regulations and other similar EU and UK regulations, is to ask for additional information to check if it is a true match or if it is, as in almost all cases, a ‘false positive’ match.
At that point we can clear the requester to be able to access the software.
The company added, in a subsequent statement provided to El Reg: "Sophos does not have any name filters that we apply to our product downloads. As required by law, we adhere to US and EU regulations by using a third party to check download requests against the denied persons list. That list contains many names in many different languages."
Sophos errs on the side of extreme and possibly excessive caution
These secondary screening checks involved requesting that Ali send Sophos his date of birth and passport number by return of email, a step he baulked at, pointed out that this was just the sort of trick a fraudster bent on phishing would attempt.
It seems that a number of other “Hasan Alis” complied with requests from the security firm, which operates from a headquarters in Abingdon, Oxfordshire and runs its US operations from a base in Burlington, Massachusetts.
We have quite a number of other individuals of the same name who have been cleared through the process and went on to download our software. There are a wide number of names in all languages on these lists.
Sophos’s full legal export definitions are openly published on it website here. The security firm expressed a willingness to offer Ali its software, suggesting that he rang up to sort through the impasse.