The DSGL contains detailed technical specifications. Very roughly, it covers encryption above a certain “strength” level, as measured by technical parameters such as “key length” or “field size”.
The practical question is how high the bar is set: how powerful must encryption be in order to be classified as dual-use?
The bar is currently set low. For instance, software engineers debate whether they should use 2,048 or 4,096 bits for the RSA algorithm. But the DSGL classifies anything over 512 bits as dual-use. In reality, the only cryptography not covered by the DSGL is cryptography so weak that it would be imprudent to use.
Moreover, the DSGL doesn’t just cover encryption software: it also covers systems, electronics and equipment used to implement, develop, produce or test it.
In short, the DSGL casts an extremely wide net, potentially catching open source privacy software, information security research and education, and the entire computer security industry in its snare.
Most ridiculous, though, are some badly flawed technicalities. As I have argued before, the specifications are so imprecise that they potentially include a little algorithm you learned at primary school called division. If so, then division has become a potential weapon, and your calculator (or smartphone, computer, or any electronic device) is a potential delivery system for it.
Outsourcing over time starts to create its own bureaucracy bloat. It’s the modern corporate version of one of the observations of C. Northcote Parkinson: “Officials make work for each other.” As Clive describes, the first response to the problems resulting from outsourcing is to try to bury them, since outsourcing is a corporate religion and thus cannot be reversed even when the evidence comes in against it. And then when those costs start becoming more visible, the response is to try to manage them, which means more work (more managerial cost!) and/or hiring more outside specialists (another transfer to highly-paid individuals).
The unnoticed rewriting of a key clause of the Computer Misuse Act has exempted law enforcement officials from the prohibition on breaking into other people’s laptops, databases, mobile phones or digital systems. It came into force in May.
The amended clause 10, entitled somewhat misleadingly “Savings”, is designed to prevent officers from committing a crime when they remotely access computers of suspected criminals. It is not known what category of offences is covered.
I would love to know how much malware is government sponsored.
Though perfect transcription of natural conversation apparently remains the Intelligence Community’s “holy grail,” the Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and “extract” the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest.
I am torn between admiration of the technical brilliance of building software like this and horror as to how it is being used.
For God's sake, stop researching for a while and begin to think!