Security Researchers Sound Off on Proposed US Wassenaar Rules

Influential security researchers have begun publishing their comments, objections and concerns regarding the proposed U.S. export control rules under the Wassenaar Arrangement.

With the two-month comment period for the proposed U.S. Wassenaar Arrangement rules barely under way, a cast of influential security researchers has wasted no time preparing and submitting their thoughts on the controversial proposal.

Researchers who seek out vulnerabilities in software—developing exploits as part of the process—are squarely in the crosshairs of the proposed rules. Made public last week by the Commerce Department’s Bureau of Industry and Security (BIS), the rules provide a broad definition of intrusion software that goes beyond the scope of FinFisher, Hacking Team and other spy software, for which the rules and subsequent export controls were written. The definition is as follows:

“Software ‘specially designed’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following:

(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; <em>or</em>

(b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.”

Various interpretations put legitimate vulnerability research and proof-of-concept exploit development under the auspices of Wassenaar, as well as the use of certain dual-use tools that encompass various scanners, forensics, and penetration-testing software. Even submissions to bug bounty programs, which fund many research efforts, would be put in jeopardy under the rules.

The rules require a license for the exporting of intrusion software, meant to curb the sale of spy software to oppressive regimes. Experts believe that even carrying homegrown proof-of-concept exploits internationally for conference presentations, for example, constitutes a violation and could result in heavy fines, or worse.

Thomas Dullien, a noted researcher better known by his handle Halvar Flake, on Tuesday published his comments regarding Wassenaar, pointing out that in his opinion, the rules will ultimately make surveillance easier for governments – even oppressive ones, called them an “egregious mistake.” Flake, who lives in Switzerland, knows of what he speaks given that in 2007 he was detained by U.S. Customs on his way to give a talk at the Black Hat conference; Customs cited issues with his work visa.

Flake makes the argument in his comments that the rules give government a coercive stick over researchers that could allow intelligence agencies, for example, a first look at exploits and vulnerability disclosures details. Collaborative research and international disclosures would suffer, and could inhibit the dissemination of attack tools uncovered on compromised machines, he wrote.

“With friends of such competence, freedom does not need enemies. The changes to Wassenaar need to be repealed, along with their national implementations.”
-Halvar Flake

“It risks fragmenting, balkanizing, and ultimately militarizing the currently existing public security research community,” Flake wrote. “The intention of those that supported the amendment to Wassenaar was to protect freedom of expression and privacy worldwide; unfortunately, their implementation achieved almost the exact opposite.

“With friends of such competence, freedom does not need enemies,” Flake wrote. “The changes to Wassenaar need to be repealed, along with their national implementations.”

Flake makes a thoughtful case as to why the rules are ill conceived. He argues, like others, that the definition of intrusion software is too broad.

“It casts a shadow of uncertainty over all experimentation with software,” Flake wrote. “Nobody can confidently state that he knowns how this will be interpreted in practice.”

Forensics expert and iOS researcher Jonathan Zdziarski on Tuesday also made his comments public. Zdziarski has a solid resume of collaborative research with U.S. and other allied government agencies on iOS forensics in particular, sharing tools and knowledge when contracted. He wrote that since 2008, he has developed numerous tools that extract data from iOS and other devices that have served law enforcement needs. Under the proposed rules, those tools would now require an export license.

“Wassenaar will do little to accomplish the goals it set out to, and instead make it impossible for security researchers like myself to further expand the base of knowledge by contributing openly to the community – which goes far beyond this country’s borders,” Zdziarski wrote. “Had Wassenaar (as it is proposed today) been in place in 2008, I would not have felt as though I could openly share my research publicly without risk of prosecution, which would have deprived the community as a whole – including the United States – of valuable information that has led to the greater good.”

We cannot simply un-invent technologies to prevent their misuse.”
-Jonathan Zdziarski

Zdziarski wrote that the rules’ efforts to control dual-use tools creates a slippery slope.

“We cannot simply un-invent technologies to prevent their misuse, and unlike nuclear weapons, digital goods cannot be effectively regulated; yet this is the tradeoff we make, to create these tools for the greater good, knowing they may be abused,” Zdziarski wrote. “This proposal stands to only damage those looking to contribute to a better and more secure community. Wassenaar has a deterrent component, and at the heart of security research are many independent researchers like myself who will simply stop contributing if there is a fear of prosecution simply for sharing knowledge in the form of code.”

Katie Moussouris, chief policy officer at HackerOne and former lead security strategist at Microsoft, was one of the first to publicly speak out. Moussouris, who developed and launched Microsoft’s first bounty programs, including awards for defensive technologies, said current laws—including the Computer Fraud and Abuse Act—blur the line between “defense and crime.” She called on lawmakers to clarify antiquated, vague laws in order to protect legitimate vulnerability research.

“It is high time for security research to be protected under the law. The hackers with the skills to break into software and networks, who choose to come forward with their knowledge and share their findings, should be legally exempt from criminal prosecution under laws designed to punish crime,” Moussouris wrote. “The war being fought for security and privacy on the Internet needs all hands on deck when it comes to defense. Hackers should find the path of least resistance to be the one that helps defenders; they should not run into trouble with the law when they are trying to help.”

Suggested articles