Invitation to security researchers to make suggestions on export controls

Over the past years I have been in discussion with experts, and the broader public through crowdsourcing, to find workable and precise export controls. These are necessary to end the status quo of an unregulated market of trade in systems that are designed, marketed and sold to harm human rights or our own security of critical infrastructures and vital services. After years of dragging their feet, EU Member State governments have taken initial steps, recognizing the strategic risks of selling intrusion software and mass IP network surveillance systems to states in a conflict (domestic or vis-à-vis the EU). This was done through an update of the Wassenaar Arrangement’s dual use list in December 2013. Although I have welcomed the 2013 update as an initial step, I believe the devil is in the details. My calls for specific EU export controls have always emphasized the human rights consequences, which are not prominently considered in 'Wassenaar'. Authoritarian regimes increasingly use technologies to spy on and repress their population. Human rights defenders deserve EU support and should not be targeted with tools and technologies developed, marketed, sold and exported from within the EU. At the same time I've stressed, immediately after the adoption of the Wassenaar Arrangement, that this agreement requited more work because it lacks precision. The lack of clear definitions may inhibit the transfer of harmless software that helps people defend themselves against attackers, or simply gain access to information or freedom of speech. It is important to stress that when the European Commission amended its list of dual use items to implement the Wassenaar Agreement on 22 October 2014, it explicitly specified that controls on technology transfer do not apply to information "in the public domain", to "basic scientific  research" or to the minimum necessary information for patent applications. It also does not apply to software that is (a) generally available to the public as of the shelve software or when it is "designed for or installation by the user without further substantial support by the supplier" (emphasis added)(b) in the public domain, or (c) the minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised. The US Bureau of Industry and Security, a bureau under the US Commerce Department, now proposed a definition of intrusion software which lacks similar safeguards. BIS suggests for instance that intrusion software should cover "proprietary research on the vulnerabilities and exploitation of computers and network-capable devices" (p.4). To ensure proper implementation, anyone can now submit comments to the US Bureau of Industry and Security before the 20th of July 2015 regarding its proposed implementation of the 2013 Wassenaar Arrangement rules. The purpose of these implementation rules has never been, and should never be, to restrict legitimate research. However, isolating the unique features of a product is the most challenging aspect of coming up with a definition, and I therefore encourage security researchers that may be affected by the proposed rules to give detailed comments to BIS. Only through their constructive engagement and knowledge sharing, we will achieve smart regulation in the EU and the US, and begin to curb the unregulated black market of intrusion and surveillance systems. Even though the amended Wassenaar Arrangement is binding and directly applicable throughout the EU since 31 December 2014, EU Member States nevertheless can take complementary measures for implementing some of its provisions. More transparency is needed on how EU Member States exactly interpret the scope of the Technology controls, and what licenses were granted of rejected in this context. I urge more harmonized EU level export controls, to avoid different interpretations by Member States. A review assessment of the implementations and the scope of the technology controls in Wassenaar between signatory states (including most EU Members and the US) will help to achieve a harmonized regime. In April 2014 the European Parliament, the Council and the Commission recognized the importance of continuously enhancing the effectiveness and coherence of the EU’s strategic export controls regime. The European Commission is currently initiating an impact assessment to ensure a comprehensive analysis of its ongoing export control policy. This will offer the unique opportunity for specifications and safeguards on the EU level above and beyond the Wassenaar Arrangement. Your suggestions are welcome! Contact me at surveillance3