EFF has long advocated for greater vigilance over the potential sale of specially-developed surveillance tools to oppressive regimes that use technology to commit human rights abuses. We want those countries to be held legally accountable for such conduct, and have rallied tech companies to take steps to prevent their products and services from being used for censorship and/or to target and harm activists.
But when we saw the proposal of the Bureau of Industry and Security (BIS) at the U.S. Commerce Department for implementation of the latest changes to the Wassenaar Arrangement export controls—which would require export licenses for the sale of certain surveillance technology—we saw that the BIS had drafted a vague, overbroad, and contradictory set of rules that have the potential to chill legitimate research into security vulnerabilities that will keep data and devices secure from attacks.
EFF joined a coalition of six advocacy organizations, including Human Rights Watch and the Center for Democracy & Technology, to submit comments this week to BIS urging the government to narrow the rules to focus exclusively on technology designed for government end users or for military or law enforcement end uses, while ensuring that the general-purpose tools we all depend on for our security aren’t swept up in overbroad regulations.
The goal should be to make it tougher for repressive regimes and criminals to get their hands on and use purpose-built surveillance technologies to target activists and interrupt the free flow of information, without harming distribution of penetration testing and network security tools, we told the Commerce Department.
The Wassenaar Arrangement is a multi-national agreement intended to control the export of certain "dual-use" technologies. It's a voluntary agreement among 41 participating states that mostly regulates the export of guns, other weapons (such as landmines), and their components (such as fissile material). In December 2013, the list of controlled technologies was amended to include surveillance systems for the first time, in response to reports linking exports of Western surveillance technologies to human rights abuses in countries such as Bahrain, the UAE, Turkmenistan, and Libya.
In May BIS published its proposed implementation of the 2013 changes, and we were troubled by the vague and overbroad language and definitions of intrusion software that appeared to sweep up many of the common and perfectly legitimate tools used in security research.
BIS last month released a FAQ that addressed some of our concerns about whether the proposed rules incorporate exemptions for technology in the public domain. But the FAQ failed to ease our concerns about whether, under the proposal, companies would be required to share their zero-day exploits with the government in order to get a license.
We have urged the Commerce Department in our joint comment to avoid ambiguity, to clearly spell out that cybersecurity software and technology generally available to the public are exempt from licensing, and to tailor the licensing process specifically to human rights concerns.
“We believe it’s possible for the government to craft a final rule that is narrowly tailored to address the human rights concerns raised by the spread of surveillance technologies without adversely affecting a variety of additional technologies, including important research and testing tools,” we told the government.
EFF submitted a separate comment of its own urging the Commerce Department to take bold action and eliminate encryption items from export regulation before proceeding with implementation of Wassenaar, and to revise the proposed rules and reopen a second public comment period. We also strongly encourage the agency to carefully consider the constitutional due process and First Amendment implications of any vaguely-worded agreement that would act as an illegal prior restraint on the spread of knowledge.