Not a day goes by without news about cyber-attacks, failing digital security and hacking operations. Only yesterday, new research revealed the use of some of the most sophisticated intrusion software seen to date.
We would expect companies and governments to work as hard as they can to prevent attacks, to protect their own digital infrastructure and the freedoms of their citizens. Yet it has been shown that European governments and companies actually play a central role in the trade in dangerous technologies that can be used to infiltrate computers, spy on users and gather information in that way. This forms a major threat for human rights and our own security, but can still be exported very easily from the European Union.
Yesterday, the European Parliament debated this with the new Commissioner for Trade, Cecilia Malmström. Please find Marietje Schaake’s speech below and a link to the entire debate here (starting at 20:56).
From 2011 until April of this year, the Member States and the European Parliament were stuck in negotiations about the review of export control policy. The Parliament wanted to make sure dangerous technology was also covered, but the Member States were reluctant to do so. As a compromise, the two sides adopted a joint statement in which they committed themselves to a more thorough review which would also address this issue. I made sure that a number of concrete categories of technologies were named in the statement, including zero-day exploits (named in the text as software vulnerabilities).
Back in late 2012, a report by Marietje Schaake was adopted by Parliament which set out the dangers of the export of technologies. At the beginning of this year, many of these recommendations were also taken up into the European External Action Service guidelines on the freedom of expression online and offline.
The fact that European Member States are finally waking up is also evident from the fact that they chose to update the export control lists that they use within the Wassenaar Arrangement at the end of 2013. These updates already cover a number of technologies. The infamous company VUPEN published a statement on its website that it would only sell its products to certified government services. There are now also reports that the company is moving its offices out of the EU altogether because of changing export control policies. VUPEN’s speciality is exploiting weaknesses in software, so-called zero-day exploits. The changes to Wassenaar are just a first step, more is needed to address the problems coherently in a European-wide approach, especially with regard to zero-day exploits.
In 2013, the European Commission came forward with the results from a public consultation on export control. They show that it is important that export control policy strengthens security, but at the same time does not disrupt trade through unnecessarily complex procedures. When we talk about technologies and the internet we must make sure that the relevant trade is controlled, and that we do not make licences compulsory for products that are not dangerous, or not to prevent researchers from working. Making smart criteria will be key during the upcoming review of the export control policy.
In the run-up to this, the European Commission has adopted a communication which will be the basis for the legislative proposal. The European Council has also come forward with conclusions on this subject. In both documents, explicit reference is made to the problems surrounding dangerous technologies and the implications for human rights. It is especially important that we find ways in which we can harmonise the European export controls systems with each other more, so that the EU can better protect its strategic interests and human rights across the globe. That means we must finally address the unregulated trade in dangerous technologies.