Tuesday, May 26, 2015

EFF and intrusion software regulation

To its credit, the EFF is better than a lot of other privacy groups like the ACLU or Privacy International. It at least acknowledges that regulating "evil" software can have unintended consequences on "good" software, that preventing corrupt governments from buying software also means blocking their dissidents from buying software to protect themselves. An example is this piece from several years ago that says:
"First and foremost, we want to make sure we do not leave activists with fewer tools than they already have. Parliament must be mindful of legislation just based on types of technology because broadly written regulations could have a net negative effect on the availability of many general-purpose technologies and could easily harm very people that the regulations are trying to protect."
But that does not stop the EFF from proposing such regulations.

In that same piece, the EFF first proposes rules for transparency. This will not stop the bad companies, but will be a burden on the legitimate companies that have no interesting in dealing with corrupt governments anyway. Most of this stuff is sold by small companies, like FinFisher, who focus on the "corrupt regime" market. They would not be embarrassed by transparency -- indeed it was just serve as advertising. These pieces outing FinFisher, Amesys, Area SpA, and Trovicor are essentially advertisements that help their business.

The EFF next proposes rules for know your customer. This is so burdensome as to effectively be a ban. Products are sold through middlemen, though distributers and resellers. Companies wish they could know their customer, because they'd like to cut out the middleman. But at the same time, the middleman provides access to markets they could not otherwise touch. A know your customer requirement would break most company's marketing and sales channels.

There's no satisfactory way to know a customer. If a small ISP in one of those countries wants to buy my "intrusion prevention" product, in order to defend against intrusion from their own government or the NSA, there is no way I can sell it to them.  Intrusion prevention products do deep-packet that is indistinguishable from surveillance products. There is no way they can prove to me that they aren't a front for a government agency that wants to buy my product for surveillance.

The EFF says knowing customers is easy, because companies have to be able to do it already for the Foreign Corrupt Practices Act. This is a misunderstanding -- companies largely bypass that Act by selling through middlemen. India is a huge, but corrupt market. Everyone sells products to India. Nobody does it directly, through, because large sales always require bribes. Therefore, they sell through middlemen, washing their hands clean of corrupt practices. Companies don't always do this intentionally -- if they write off a country because it's too corrupt, some middleman somewhere will buy product and import it to that country anyway. (This has happened to me -- I scan the entire Internet and sometimes find my own product that countries aren't supposed to have).

The point is that the EFF does not stand for the principle that such regulations are bad. Instead, they stand for the principle that there should be proper regulation. This is like getting only a little bit pregnant -- it's not realistic. It's at least better than other privacy organizations, but it's still far from the ideal. The EFF's call for regulation is at least partly responsible for the bad regulations that we get.


4nc4p said...

Great thanks - that reflects exactly my own stance on government regulation.
I believe that the Internet has become such an enormous and successful environment because of its anarchic and free market character caused by the absence of any government regulation.

Simon said...

Yep, EFF is a bunch of statists. They demand central power, they demand violence.

There is a great gif about that but I can't post it here (want more governement/more government).