EU Prepares to Restrict Spyware ExportsAdvocates Says New Rules Will Help Protect Human Rights
Citing human rights concerns, the European Parliament is moving toward tightening export rules for companies that sell so-called dual-use technologies, such as spyware, in countries outside the EU's 27 member countries
See Also: OnDemand | The State of Security 2021
Although lawmakers announced a preliminary agreement on the rules this week, they won't go into effect until final approval by the Parliament, the EU's International Trade Committee and the European Council.
The proposed new rules for exporting dual-use technologies are designed to curb the sale of spyware and other cyber surveillance tools that could violate the rights of citizens in countries outside the EU, according to this week's announcement from the parliament. Besides software, the export rules would also pertain to technologies such as high-performance computers, drones and certain chemicals.
Once enacted, the new rules would require EU-based companies that want to sell spyware and other types of dual-use cyber surveillance tools outside the EU to apply for a special license. To obtain a license, companies would need to show that their technology would not be used to violate the rights of citizens in countries outside the EU - including use by government agencies to collect data on nongovernment organizations or political parties, says Markétka Gregorová, a member of the European Parliament who pushed for the changes to the export laws after years of negotiating.
"Authoritarian regimes will no longer be able to secretly get their hands on European cyber surveillance,” she says. “We still do not have a level playing field among EU countries, but several new provisions allow for autonomous controls, better enforcement and coordination.”
Other proposed changes to EU export laws for dual-use technologies include:
- Creating new reporting obligations for member states on export controls of dual-use technologies to allow for more transparency;
- Increasing the importance of human rights protections as an export licensing criteria;
- Spelling out rules for the exporting of emerging technologies that have dual uses.
Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, says the proposed rules are a good move.
"Surveillance technology can be easily abused by regimes and rogue organizations, so it is essential that this type of technology is controlled in an appropriate manner," Honan says.
Updating Export Control Rules
In 2016, the European Commission tabled an update of export rules to control how licensed EU companies sell dual-use goods, software and technology to countries outside the EU.
Then, in 2018, the European Commission started to consider amending the EU's export rules to include cyber surveillance technologies as dual-use products. As part of this update, dual-use cyber surveillance tools were defined as any telecommunication equipment used for interception; intrusion and monitoring software; data retention systems; tools used for decryption, circumvention of passwords and the analysis of biometric data; as well as IP network surveillance systems.
The pending new rules announced this week “update European export controls and adapt to technological progress, new security risks and information on human rights violations, says Bernd Lange, a European Parliament member.
"The revised regulation is an EU milestone, as export rules for surveillance technologies have been agreed to for the first time,” he says. “Economic interests must not take precedence over human rights.”
Companies around the world are increasingly selling spyware and other cyber surveillance tools to countries that spy on political opponents, journalists and human rights groups.
Human rights organization Amnesty International, whose employees have been victims of cyber surveillance attacks, has been pushing for reforms to revoke the selling license of Israel-based cyber intelligence firm NSO Group, which has been accused of providing technology to governments looking to crack down on journalists, activists and protesters.
In 2018, the rights group filed a petition with a Tel Aviv district court against the NSO Group, alleging the company's Pegasus spyware was used to target Amnesty International employees and others. In July, however, an Israeli court dismissed the petition (see: Israeli Court Dismisses Complaint Against NSO Group )