Kolja Brockmann and Lauriane Héau
For all their legitimate law-enforcement and intelligence-gathering uses, cyber-surveillance tools are prone to abuse. Among other things, they can be used by states to target political opponents or to oppress certain ethnic or religious groups, or to steal an adversary’s data or attack critical infrastructure.
States have increasingly sought to use export controls to help prevent transfers of cyber-surveillance tools, including software, that could enable human rights violations or pose a threat to national security. Controls covering transfers of cyber-surveillance hardware, software and technology have been introduced through the Wassenaar Arrangement, the European Union and national control lists and by way of a catch-all control in the EU dual-use regulation.
However, the growing use of the ‘software as a service’ (SaaS) model—in which a software application is hosted and used on a cloud server but not downloaded by the end-user—poses a particular set of challenges. States differ in how they apply export controls to cloud computing, including SaaS, and their interpretation of relevant legal provisions informs their application of licensing requirements and enforcement measures. This divergence opens potential loopholes and gaps that could be exploited for illicit procurement. It also creates a confusing landscape for companies that want to remain in compliance with the controls on cyber-surveillance tools and other software. This blog aims to highlight the export control compliance and enforcement challenges posed by SaaS and offers some thoughts on how states can close these gaps and achieve more effective oversight of the trade in cyber-surveillance tools.