Wednesday, January 27, 2016

An attempt at fixing Wassenaar

Last year in May, I wrote extensively about the many ways in which the 2013 "intrusion software" amendments to the Wassenaar Arrangement were broken and downright dangerous to all efforts at security the global IT infrastructure. Since then, the debate has heated up from all sides -- extending to a hearing in front of US congress (which was pretty unanimous in condemning these amendments), but also including voices such as James Bamford arguing for these controls in an op-ed. The landscape of the discussion is too complex now to be summarized here (the interested reader can find a partial survey of recent developments here).

Common ground between the different sides of the discussion is not large, but the thing that almost everybody agrees to is "it is bad when despotic regimes that couldn't otherwise get advanced surveillance software purchase sophisticated surveillance software from abroad". How to prevent this is up for discussion, and it is unclear whether export control (and specificially the Wassenaar Arrangement) is the right tool for the task.

To find out whether the export control language can be made to work, my colleagues Mara Tam and Vincenzo Iozzo and me have worked jointly and tried to come up with an amendment to the language of the Wassenaar Arrangement that would satisfy the following criteria:

  • Make sure that click-and-play surveillance frameworks such as the ones marketed by HackingTeam or Gamma are caught and controlled.
  • Make sure that no technology that is required for defending networks (including bugs, proof-of-concept exploits, network scanners etc.) is caught and controlled.
In order to achieve this, we had to depart from the "traditional" Wassenaar language (that is focused on performance metrics and technical properties) and include much greater emphasis on "intent" and especially "informed consent by the user". We draw the line between good and bad if the design intent of the software in question is to be used against people that did not consent.

As of today, we are circulating our draft more widely. We are not 100% sure that our language achieves what we want to achieve, and we are not even sure whether what we want to achieve can be achieved within the language of export control -- but we have made a very thorough effort at testing our language against all scenarios we could come up with, and it worked well.

We are hoping that by circulating our proposal we can somewhat de-polarize the discussion and attempt to find a middle ground that everybody can be happy with -- or, failing that, to show that even with a lot of effort the 2013 amendments may end up being unfixable.

Anyhow, if you are interested in our document, you can download it here. As we get more feedback, the document will be updated and replaced with newer versions.