British government admits it has already started controlling exports of Gamma International's FinSpy
In a letter sent earlier in August to Privacy International's lawyers Bhatt Murphy, a representative of the Treasury Solicitor stated:
The Secretary of State, having carried out an assessment of the FinSpy system to which your letter specifically refers, has advised Gamma International that the system does require a licence to export to all destinations outside the EU under Category 5, Part 2 (‘Information Security’) of Annex I to the Dual-Use Regulation. This is because it is designed to use controlled cryptography and therefore falls within the scope of Annex I to the Dual-Use Regulation. The Secretary of State also understands that other products in the Finfisher portfolio could be controlled for export in the same way."
Privacy International is delighted that the government has recognised the necessity of controlling exports of Gamma International's technologies. However, there are still important questions about the government's initial failure to regulate the sale of FinSpy to abusive foreign regimes, what action (if any) is being taken to control other FinFisher products, and the extent to which the control now exercised over Gamma also applies to other surveillance technologies and companies. Controlling a single product - or even a single company - is a short-term solution that will not prevent British complicity in human rights abuses and repression abroad.
On receipt of the government's letter, Privacy International immediately responded asking the following questions:
- When and in what circumstances was the assessment of the FinSpy system carried out, the conclusion reached and the advice given that a licence to export was required?
- Had Gamma International previously sought advice from your client as to whether the FinSpy system required export control, when was this and what was the advice given?
- What audit had been carried out of the export of the FinSpy system to countries outside the EU prior to the advice referred to?
- What enforcement action is/will be taken against Gamma International for previous exports of the FinSpy system without a licence?
- Has Gamma International been required to retrospectively apply for licences for previous exports of the FinSpy system? If not, why not?
- Has Gamma International sought any licences to export the FinSpy system and/or provide technical assistance, and, if so, to which countries and which licences have been granted and which refused?
- Notwithstanding the generality of question 6 above, material in the public domain suggests that the FinSpy system has been used in Egypt, Turkmenistan, Bahrain, Dubai, Ethiopia, Indonesia, Mongolia and Qatar. Has Gamma sought any licences for exports of FinSpy or the provision of technical assistance to any of these countries? If so, which ones and were licences granted or refused?
- Kindly provide a detailed explanation and supporting documentation of precisely which components of FinSpy are controlled?
Privacy International will continue to push for a comprehensive solution to the problem of British surveillance technologies being exported to non-democratic countries where they are used to facilitate torture, unlawful detention and execution. Whether it is ultimately necessary to take the matter to the courts will depend on the government's willingness to effectively address our remaining concerns.
Eric King, Head of Research at Privacy International, said:
"We welcome the government's decision to start controlling exports of FinSpy, and it is certainly a step in the right direction. However, without swift further action to bring other unethical British companies under the export licensing regime, it's just a sticking plaster on a bullet wound, and there are a number of pressing questions about the circumstances surrounding the government's abrupt volte-face that remain unanswered."