The European Union has agreed to stricter rules on the sale and export of cyber-surveillance technologies like facial recognition and spyware. After years of negotiations, the new regulation will be announced today in Brussels. Details of the plan were reported in Politico last month.
The regulation requires companies to get a government license to sell technology with military applications; calls for more due diligence on such sales to assess the possible human rights risks; and requires governments to publicly share details of the licenses they grant. These sales are typically cloaked in secrecy, meaning that multibillion-dollar technology is bought and sold with little public scrutiny.
“Today is a win for human rights globally, and we set an important precedent for other democracies to follow suit,” said Markéta Gregorová, a member of the European Parliament who was one of the lead negotiators on the new rules, in a statement. “The world’s authoritarian regimes will not be able to secretly get their hands on European cyber-surveillance anymore.”
Human rights groups have long urged Europe to reform and strengthen the rules on surveillance technology. European-made surveillance tools were used by authoritarian regimes during the 2011 Arab Spring and continue to be sold to dictatorships and democracies around the world today; news headlines and political pressure have had little noticeable impact.
The main thing the new regulation achieves, according to its backers, is more transparency. Governments must either disclose the destination, items, value, and licensing decisions for cyber-surveillance exports or make public the decision not to disclose those details. The goal is to make it easier to publicly shame governments that sell surveillance tools to dictatorships.
The regulation also includes guidance to member states to “consider the risk of use in connection with internal repression or the commission of serious violations of international human rights and international humanitarian law,” but that is nonbinding.
It remains to be seen, therefore, how much of a difference the new rules will make. Human rights workers and independent experts have been skeptical, and even some negotiators who hammered out this deal over the course of several years expressed doubts in conversations with MIT Technology Review, though none was willing to speak on the record.
The regulation’s effectiveness will depend on Europe’s national governments, which will be responsible for much of the implementation. Germany currently controls the presidency of the European Council and pushed to have this regulation agreed to before its term is up in December. The country showed how enforcement of these rules could work last month when German authorities raided the offices of the spyware maker FinFisher for allegedly selling surveillance tools to oppressive regimes.
The new regulation mentions some specific surveillance tools, but it’s written to be more flexible and expansive than both Europe’s own previous regulation and even the Wassenaar Arrangement, one of the most important global export control agreements for weapons and dual-use technologies.
The new rules include a “catch-all” provision for cyber-surveillance items even if they’re not explicitly listed. For instance, facial recognition is not mentioned in the regulation but, one negotiator says, clearly falls under it. Still, how the rules are actually applied remains to be seen.
Another obvious weakness of the new regulation is that it only covers EU member states.
Europe does boast some of the most famous surveillance tech companies, including Gamma Group in the United Kingdom and Italy’s Hacking Team, which became Memento Labs. But other countries, including Israel and the United States, have their own thriving surveillance technology industries.
The lawmakers who worked on the new European regulation say they aim to create a global coalition of democracies willing to more tightly control the export of surveillance technologies. It’s widely agreed, even within the spyware industry itself, that reform makes sense—but this regulation is only the beginning.