Cloud-based spyware poses export control challenge, experts warn
Gaps in export controls for ‘software as a service’ (‘SaaS’) cyber-surveillance tools could enable human rights violations and security threats, according to a new analysis published on 17 February by the Stockholm Peace Research Institute (‘SIPRI’).
‘The growing use of the ‘software as a service’ (SaaS) model-in which a software ap ication is hosted and used on a cloud server but not downloaded by the end-user-poses a particular set of challenges,’ said the report, published 17 February.
‘States differ in how they apply export controls to cloud computing, including Saas, and their interpretation of relevant legal provisions informs their ap ication of licensing requirements and enforcement measures,’ wrote researchers Kolja Brockmann and Lauriane Heau.
The experts noted that the German export licensing authority BAFA requires licensing when controlled software is uploaded to servers outside the EU, while ‘the Netherlands and the United Kingdom focus instead on the location of the person or entity accessing the software.’
The United States exempts some cloud-based software from export controls if it uses end-to-end encryption ‘that prevents the cloud service provider or any of its agents (for example those performing maintenance on the server infrastructure) from accessing the software,’ though this does not apply to entities on restricted lists or servers in embargoed countries.
‘Considering the threat that cyber-surveillance tools may pose to civic freedoms, open societies should strive to ensure, despite the technical and legal difficulties, that cyber-surveillance tools do not fall into the hands of actors who seek to misuse them,’ the researchers concluded.
