Europe clamps down on cybersurveillance exports, pushes human rights focus

No selling to evil folks albeit with a few big loopholes for some

The European Union has tightened up export rules on cybersurveillance tools in an effort to limit their spread to repressive regimes.

The new rules covering “dual use” products and services – those that can be used in both a civilian and military context – were announced this week and follow years of negotiations. They were necessary, the EU said, because of “technological developments and growing security risks.”

The goods affected will include things like high-end computers and drones, identification software and spyware. The new rules stress human rights as a key criterion for approving or refusing export licenses.

Member states will be required to “consider the risk of use in connection with internal repression or the commission of serious violations of international human rights and international humanitarian law.”

In an announcement this week, the EU said: “Parliament negotiators have succeeded in substantially strengthening human rights considerations among those new criteria to avoid that certain surveillance and intrusion technologies exported from the EU contribute to human rights abuses.”

In effect, that means if an EU company wants to export its technology to a country outside Europe, it will face greater hurdles and questions if that country has a history of abusing human rights or limiting political freedom.

The rules have also been redrawn to encompass new and emerging technologies in an effort to stay ahead of future problems since changes to the rules – especially the international Wassenaar agreement – can often take a decade or more.


The rules have been pitched as adding flexibility to the existing setup while also keeping up-to-date with technological advances. That flexibility basically allows the flow of goods and services to continue but puts greater transparency requirements on EU countries: reporting requirements are currently “patchy”, according to the EU itself.

Under the new rules, European governments must either disclose the destination, items and value of any cyber-surveillance exports or publicly disclose that they have decided not to make that information public. That may sound like a cop-out, but the goal is to highlight which countries are selling to repressive regimes and so enable others to exert pressure.

The fact that the rules don’t ban the export of such equipment – hardware or software – is a result of an earlier effort by the United States to put export restrictions on various cybersecurity tools: something that caused uproar in the tech industry and led to a hasty re-evaluation, followed by a collapse in talks. In the end, a few careful changes were made – and government negotiators appear to have learnt from the experience.




Various people involved in the negotiations have given canned quotes about the end result.

The head of the delegation, Bernd Lange, said: “The revised regulation updates European export controls and adapts to technological progress, new security risks and information on human rights violations. It is an EU milestone, as export rules for surveillance technologies have been agreed for the first time. Economic interests must not take precedence over human rights.”

Rapporteur Markéta Gregorová said: “Today is a win for global human rights. We have set an important example for other democracies to follow. We will now have EU-wide transparency on the export of cyber surveillance and will control the export of biometric surveillance. Authoritarian regimes will no longer be able to secretly get their hands on European cyber-surveillance.”

The rules are not law yet. They need to be voted on by Parliament and the Council but they were drawn up by negotiators from both bodies so are expected to pass without much trouble.

It is worth noting, though, that the rules will only apply to countries within the European Union, so they won’t give a full picture of what is going on globally when it comes to cybersurveillance.
