Google has slammed proposals for the extension of a controversial trade pact designed to control the export of hacking tools, claiming it will negatively impact the security research community.
Export compliance counsel, Neil Martin, and hacker philanthropist, Tim Willis, took to the web to complain about the Wassenaar Arrangement – a multilateral export control association which was recently extended to include ‘intrusion software’.
They argued:
“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.”
Google’s beef with the US Commerce Department’s Bureau of Industry and Security (BIS) – echoed by many others in the cybersecurity industry – is that the rules are simply too broad and vague.
The firm claimed that, as it currently stands, it would be forced to request tens of thousands of licenses.
“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages – even some in-person conversations,” it added.
“BIS’s own FAQ states that information about a vulnerability, including its causes, wouldn’t be controlled, but we believe that it sometimes actually could be controlled information.”
Google also argued that multi-nationals should be able to share info on intrusion software with their engineers globally without the need for licenses, and that where information is fed back to manufacturers in order to fix a vulnerability, there should be license exceptions.
“This would provide protection for security researchers that report vulnerabilities, exploits, or other controlled information to any manufacturer or their agent,” it added.
Willis and Martin continued that BIS should simplify its explanation of the controls so they can be understood by everyone, not just legal experts.
Google has passed on its concerns to the US BIS and is pushing for amendments to the scope of the intrusion software controls at the next Wassenaar Arrangement meeting in December.