This week, the U.S. Department of State’s Defense Trade Advisory Group (DTAG) met to decide whether to classify “cyber products” as munitions, placing them in the same export control regime as hand grenades and fighter planes. Thankfully, common sense won out and the DTAG recommended that “cyber products” not be added to the control list. EFF and Access Now filed a brief joint statement with the DTAG urging this outcome and we applaud the DTAG’s decision.
There were a number of problems with the proposal to place “cyber products” on the U.S. Munitions List, but most importantly, no one knows how “cyber products” would be defined. As we’ve long argued in other contexts, trying to draw definitions around “defensive” and “offensive” tools is essentially impossible and any vagueness would have significant chilling effects on the security community. In essence, we think that the threshold problem of defining which “cyber products” are subject to control is likely an insurmountable obstacle to effective regulation.
But beyond the definitional problem, we fundamentally disagree with the idea of classifying any computer security tools as weapons. Until the late 1990s, encryption itself was included on the U.S. Munitions List. Indeed, one of EFF’s flagship cases from that era was a constitutional challenge to that listing. We won, and cryptographic tools are no longer legally defined as “munitions” in the United States.
Export controls on software, as we told the DTAG, have in the past had serious unintended consequences. Previous export controls on software have resulted in widespread risk to all Internet users. For example, the inclusion of encryption technology on the Munitions List led to deployment of an “export grade” standard to avoid the export controls. As it turned out, that persistent “export grade” standard, even 20 years after encryption controls were lifted, left millions of users susceptible to the “FREAK” and “Logjam” attacks used to monitor and modify website browsing data.
We strongly oppose the use of surveillance and other technologies to facilitate human rights abuses. We think countries should be held accountable when they use malware to spy on political opponents, and have gone to court saying so. We also think that companies should similarly be held liable for knowingly facilitating violations of human rights. But export controls on “cyber products” aren’t the solution and we’re happy that the DTAG recommended against moving forward with regulating them.
In the export control wars, this is a rare victory for common sense.