This post is co-authored by Andy Sayler.
Last night, a broad coalition of civil society – including Access, CDT, Collin Anderson, the Electronic Frontier Foundation, Human Rights Watch, and New America’s Open Technology Institute – filed comments with the Bureau of Industry and Security (BIS) in the U.S. Department of Commerce on its proposed implementation of new export control rules for “cybersecurity software”. These rules stem from a 2013 update to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, of which the United States is a member.
The new controls are intended to prevent the export of digital surveillance tools such as those sold by Hacking Team to nation-state-level actors who plan to use them to spy on their citizens. The US has been slow to implement the new controls, lagging behind the EU and other Wassenaar nations who adopted them soon after the conclusion of the 2013 agreement. Collin Anderson has a good primer on Wassenaar and the controls as originally proposed.
While the stated human-rights goals of the proposed rules are important, the security research and practitioner communities have raised a number of legitimate concerns about the potential for the proposed rules to adversely affect efforts such as bug-bounty programs and pentesting operations aimed at improving the security of end-users around the globe. Furthermore, the proposed US implementation of the rules deviates from the original Wassenaar language in a number of ways, triggering additional concerns about the meaning and potential overreach of the controls.
In response, some commenters have called for the abandonment of the rules altogether, arguing that software should never be targeted by export controls. Others call for a range of revisions to the rules to reduce the risk of overreach and adverse effects on good faith security efforts.
In CDT et al.’s comment, we take a two-prong approach:
- First, the proposed rules should be narrowed and clarified to ensure they only apply to software marketed to nation-state-level customers, exempting mass-market software, software marketed to non-government actors, and security research efforts from control. (Note: Open-source software is already exempt from the new controls.)
- Second, for the small set of items remaining under control, BIS should tailor licensing decisions around the potential of such tools for the abuse of human rights, as well as the human rights record of the intended end-user to whom the items are being sold.
We hope that our comments will help BIS revise the proposed rules to address the concerns of the security research and practitioner community while preserving the rules’ intended goal: reducing the sale of systems designed to spy on citizens to states with dubious human rights records.
Our comments also highlight that the existing restrictions and reporting requirements on the export of software containing strong encryption (unaffected by these rules) are problematic and run counter to the human rights goals of the proposed rules. Encryption is a basic function of all modern computing systems and there is simply no sensible argument that the export of software employing encryption should be restricted or burdened in the slightest. CDT will continue working to eliminate the export control of encryption entirely and to make sure that any new export controls do not burden those working to defend our information systems or perform vital security research.