"First and foremost, we want to make sure we do not leave activists with fewer tools than they already have. Parliament must be mindful of legislation just based on types of technology because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm very people that the regulations are trying to protect."But that does not stop the EFF from proposing such regulations.
In that same piece, the EFF first proposes rules for transparency. This will not stop the bad companies, but will be a burden on the legitimate companies that have no interesting in dealing with corrupt governments anyway. Most of this stuff is sold by small companies, like FinFisher, who focus on the "corrupt regime" market. They would not be embarrassed by transparency -- indeed it was just serve as advertising. These pieces outing FinFisher, Amesys, Area SpA, and Trovicor are essentially advertisements that help their business.
The EFF next proposes rules for know your customer. This is so burdensome as to effectively be a ban. Products are sold through middlemen, though distributers and resellers. Companies wish they could know their customer, because they'd like to cut out the middleman. But at the same time, the middleman provides access to markets they could not otherwise touch. A know your customer requirement would break most company's marketing and sales channels.
There's no satisfactory way to know a customer. If a small ISP in one of those countries wants to buy my "intrusion prevention" product, in order to defend against intrusion from their own government or the NSA, there is no way I can sell it to them. Intrusion prevention products do deep-packet that is indistinguishable from surveillance products. There is no way they can prove to me that they aren't a front for a government agency that wants to buy my product for surveillance.
The EFF says knowing customers is easy, because companies have to be able to do it already for the Foreign Corrupt Practices Act. This is a misunderstanding -- companies largely bypass that Act by selling through middlemen. India is a huge, but corrupt market. Everyone sells products to India. Nobody does it directly, through, because large sales always require bribes. Therefore, they sell through middlemen, washing their hands clean of corrupt practices. Companies don't always do this intentionally -- if they write off a country because it's too corrupt, some middleman somewhere will buy product and import it to that country anyway. (This has happened to me -- I scan the entire Internet and sometimes find my own product that countries aren't supposed to have).
The point is that the EFF does not stand for the principle that such regulations are bad. Instead, they stand for the principle that there should be proper regulation. This is like getting only a little bit pregnant -- it's not realistic. It's at least better than other privacy organizations, but it's still far from the ideal. The EFF's call for regulation is at least partly responsible for the bad regulations that we get.