It's not just antivirus downloads that have export control screening
Yet blocking common tech is 'crazy' says infosec bod
Compliance vs security
Sophos said it was complying with the export laws and regulations of the US and EU by using a third party to screen download requests against the US government's denied persons list.
The information held on the denied parties list is variable but will usually include name and country, and in some cases date of birth or passport number. Sophos said it delivers millions of software downloads and that its "business export validation alert rate is below 0.05 per cent."
Sophos added that it used both UK and EU lists, adding that it is investigating how to deliver "leaner and smoother compliance checks". The firm operates from a headquarters in Abingdon, Oxfordshire and runs its US operations from a base in Burlington, Massachusetts. Sophos' export control policy is explained here.
"Our compliance checks have made four positive matches on denied individuals since the start of the year," according to a Sophos spokesman, who added that "companies can be heavily fined for non-compliance".
However, another tier-1 security software supplier, F-Secure, which is based in Finland, criticised Sophos' compliance procedures as overblown and unnecessary in the context of consumer technologies.
"It’s crazy to block a download of Mac Antivirus ... especially so if it’s publicly available and free," F-Secure security advisor Sean Sullivan told El Reg. "Requiring registration is fine – but limiting downloads based on third-party information? That’s just a speed bump. It won’t stop anybody who is actually a bad guy, so why do it? It only punishes innocent people and consumers."
None of F-Secure's services should be considered “controlled technologies” in 2015, according to Sullivan.
"F-Secure has more than 200 ISP partners and then there are other resellers – I don’t know how everything is applied everywhere – but in general, I have only seen sales limited to North Korea and Iran in the app stores," he explained.
"In general, we are quite happy not to know who our customers are – that fits our privacy principles which can be found on our website. And there are several anonymous ways to purchase our services. You can purchase a service code voucher with cash for our Freedome VPN at multiple retailers, for example," he continued.
Travis Witteveen, chief exec of Avira, one of the Big Four free-to-consumer and non-commercial use antivirus software firms, said that beyond respecting trade embargoes Avira tries to make its software as widely available as possible.
As a German company we have very few export controls regarding limitations on whom and in what countries we can sell and distribute to.
Of course, there are certain nations where we receive restriction notices due to trade embargoes, but we have no specific trade controls applied to us.
We have always stated openly as a company that if our host nation were to try to reduce our service level or compromise our existing users in any way, we would move our company to another country.
We have seen foreign governments block access to our software/updates for their citizens and we do our best to circumvent those efforts, especially pertaining to the quality of service/protection we provide to our existing users.
El Reg has polled other antivirus businesses and industry insiders on whether they screened downloads against blacklists but few have replied to date. ®