As the clock winds down on the comment period for the United States government’s proposed implementation of the Wassenaar Arrangement export controls for intrusion software, Google officials say that the rules would have a “significant negative impact” on security research.
The Department of Commerce’s Bureau of Industry and Security (BIS) has proposed a set of regulations that would implement Wassenaar’s export controls on so-called intrusion software. The proposal’s definition of intrusion software is what worries many security researchers, who say that it is overly broad and would have the effect of preventing much discussion and sharing of vulnerability information. The intent of the regulations is to control the sale and use of exploits, but experts, including some at Google, say that BIS’s rules would have broad implications for legitimate security researchers.
“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” Neil Martin, export compliance counsel at Google, and Tim Willis of the Google Chrome security team, wrote in a post today.
The open comment period on the BIS proposal ends today, and Google has submitted what Martin and Willis called lengthy comments. Among the points they raised is the vagueness about what constitutes sharing information and which activities would require an export license.
“The proposed rules are not feasible and would require Google to request thousands – maybe even tens of thousands – of export licenses. Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations!” Martin and Willis said.
Google’s officials also said that there should be a standing exemption to the export license requirement for researchers who report bugs to software vendors.
“This would provide protection for security researchers that report vulnerabilities, exploits, or other controlled information to any manufacturer or their agent,” Martin and Willis said.