Now Can We Please Just Stop Trying to Ban Software?

Regular readers of this blog will likely be familiar with the Wassenaar Arrangement, a 41-nation agreement intended to regulate the export of certain “dual-use” technologies, such as guns and fissile material. In December 2013, the list of controlled technologies was amended to include surveillance systems for the first time, and the participating countries have slowly been rolling out their implementations ever since. Today, news outlets in Washington, D.C. are reporting that the State Department has finally agreed to try to renegotiate the language of the Wassenaar Arrangement to eliminate the 2013 changes.

Nowhere has the implementation of the Wassenaar Arrangement’s new language been more problematic than in the United States. After the Commerce Department released its proposed implementation of the Wassenaar definitions for inclusion into U.S. law (an implementation that included dangerously vague language about regulating the export of software used to create exploits), all hell broke loose. Countless security companies, as well as EFF, pointed out that the proposed rule would have had dire and far-reaching consequences for the infosec industry.

But the problems that we pointed out weren’t limited to the U.S. proposed rule; we remain concerned that the definitions in the Wassenaar control lists which were approved in December 2013 are too vague to be implemented in any fashion without resulting in serious chilling effects on security research. In our formal comments to the Commerce Department last summer, we urged a return to Wassenaar to renegotiate the control lists to fix the problem at its source. We met in person with officials from both the Commerce Department and the Department of Homeland Security and lobbied them to push the diplomats at the State Department to go back and undo the damage by simply eliminating the intrusion software controls altogether. At the time, we felt that this was an important goal, but not a realistic one. We could not be more delighted to have been proven wrong.

The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. We at EFF have long fought such abuses in court. For instance, just last month we filed an amicus brief urging a federal appeals court to hold Cisco accountable for aiding China’s persecution of Falun Gong. We also represent Mr. Kidane, an Ethiopian-American who was targeted with FinSpy, a variety of malware sold by a British/German company.

We believe strongly that this is a fight worth having, but export controls are simply the wrong tool for the job.

It appears that the State Department has heard these concerns loud and clear. Not only has all talk of finalizing the proposed rule as drafted come to a halt, but State has put “removal of the technology control” on the agenda for the December 2016 meeting at Wassenaar. Of course, this isn’t the end of the road. There is no guarantee that the 40 other nations who participate in the Wassenaar Arrangement will agree, but for now, we are enjoying this important victory.