> If it's "only" a tool designed to be installed at ISPs, intercept
> communications, and inject malware into target users' systems, to what
> other uses could it be put?
Provided there are no other uses, you could consider them some kind of "weapon". Weapons are strictly regulated. So, regulate all these tools strictly as well. Tie them to a warrant or other authorization that's required for sting operations.
If someone in law enforcement pulls the trigger, there's an investigation afterwards. The manufacturer is *never* investigated; their responsibility probably ends with sticking to the sanctioned distribution channels. And there are cases when use of "lethal force" (i.e., use of the "tool") is justified, even when the only purpose of the tool is to do harm.
If this process (or legal framework), which I did a horrible job of describing, works for *real* weapons, it should be good enough for wiretaps. If companies can manufacture arms and governments can sell them abroad, I don't think it would be *proportionate* to hold surveillance equipment manufacturers *more* responsible for third-party use of their products, especially if their distribution channels are strictly regulated.