US Publishes Proposed Rules Implementing 2013 Wassenaar Agreements

UPDATE (21st July 2015): The deadline for submissions was Monday 20 July, 2015. Privacy International has been working hard since the proposed rule was announced to analyse its potential effectiveness and any potential effects the proposed rule could have for security research. 

UPDATE (12th June): The US Bureau of Industry and Security has published (http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200) a clarification of the scope of the proposed rule implementing restrictions on spyware in response to wide concern that the language controls software exploits and legitimate security research activities. As outlined below, the controls do not place restrictions on research into, development, or sale of software exploits, and neither do they mean that researchers would require a license to research or report vulnerabilities, or share malware samples. Some penetration testing products would, however, require a license if they are not subject to an exception, outlined below. Further, “technology [not subject to exceptions] that is peculiarly responsible for meeting the definition of 'intrusion software'” would also be controlled. As we write up a more in-depth analysis of the latest clarification, please email edin@privacyinternational.com with any examples of activities and products that would get restricted under this proposed interpretation, or with any other initial thoughts.

...

The US Bureau of Industry and Security (BIS) has finally published its proposed implementation of multinationally agreed rules aiming to restrict the export of specific surveillance technologies. 

If implemented correctly, the regulations will mean that companies wanting to export internet monitoring centres and spyware will have to apply for a license from US export authorities, who will assess the application according to a range of criteria, including human rights concerns.

While European Union member states implemented the same rules at the beginning of this year, and Israel upon their announcement in 2013, BIS has taken longer to publish its interpretation because of uncertainties relating to the scope of products that the regulations will affect. According to officials, the initial review conducted by BIS has only identified a handful of technologies that would be controlled under the new category relating to spyware. They are therefore looking for comments concerning what products and technology would be considered controlled under the new entries, how this would impact businesses and legitimate vulnerability research, and whether such controls would be effective.

The proposed implementation of the rules, which is highly technical, has caused widespread concern among IT security researchers, wary that the language used by BIS appears to suggest that software exploits would now become subject to restrictions. However, contrary to the vast majority of reporting and online analyses, officials responsible for the drafting of the proposal within US BIS have stressed to Privacy International that controlling exploits is not the intention of the controls, and that the controls do not place restrictions on research into, development, or sale of software exploits.

Nevertheless, the proposed language currently lacks strong and clear protections for such research, and more analysis needs to be undertaken to assess the intended and actual implications. It is therefore essential that the wider technology, academic, legal and NGO community engage in the policy making process by submitting comments through the formal consultation process by 30th July 2015.

Background

In 2013, a group of governments who are members of the Wassenaar Arrangement, a multinational export control regime which includes the US, all the EU states, and Russia, agreed to put internet monitoring centres and targeted surveillance tools referred to as “intrusion software” (known popularly as “state trojans”, “lawful malware”, or “spyware”) under export licensing restrictions. The move followed a 2011 decision to put mobile phone monitoring equipment under similar restrictions. The decision to include monitoring centres was backed by the French government after evidence emerged that a French company was supplying the sophisticated monitoring equipment to the government of Muammar Gaddafi. The decision to put products related to “intrusion software” under control was shepherded by the UK amid increasing evidence that companies were selling intrusive spying tools to human rights abusing governments across the world.

Increased and expanded restrictions on the export of advanced surveillance equipment are a positive recognition that the uncontrolled sale of such items by security vendors for explicit security purposes represents a risk to individual security and to individuals' enjoyment of human rights. These restrictions have been included in the control list in good faith in order to address these and other issues by subjecting their export to licensing restrictions.

Nevertheless, it is clear that export control policy and international cooperation on export controls have historically stemmed from strategic state decision-making related to national security and foreign policy interests. Further, the core criterion for including an item in the control list is the ability to make a clear and objective specification of the item. This becomes increasingly difficult where technology underpinning surveillance equipment is similar to legitimate commercial and civilian applications and techniques.

While the decision to impose restrictions on items related to “intrusion software” within the Wassenaar Arrangement was cautiously welcomed by Privacy International at the time, it is left to individual states to interpret the agreements. When the controls were announced, Privacy International made it clear that there were ambiguities in the text that could be open to misinterpretation by the various participating states. Since then, we have continuously raised these concerns both in public and directly to the policy makers behind the drafting of the language to ensure that the intrusion software controls are only applied in a manner consistent with their original intended scope and purpose – to prevent the spread of spyware – and not to curtail legitimate network security research or the development of legitimate commercial and civilian technologies.

In the EU, where the changes were implemented at the beginning of this year, high profile vendors of “intrusion software,” such as the Italian company Hacking Team, have said that they are now complying with these exporting restrictions, while the German authorities have also confirmed that they have received requests for licenses to export spyware.

The US Proposal 

The proposed interpretation of the control on IP monitoring centres appears to be non-problematic. This control is very narrow, as it was always intended to control specific systems such as Amesys' Eagle interception system, currently subject to a judicial investigation for exports to Gaddafi's Libya. As a result, US BIS estimates that only five or six systems would actually fall under export licensing requirements.

The control on items related to “intrusion software,” however, has attracted major concerns and widespread criticism. The control was designed with the intention of catching spyware such as FinFisher, an intrusive spyware which has been identified in a number of countries across the world with a record of human rights abuses. FinFisher has allegedly been used, for example, to target some 77 computers in Bahrain, including those of prominent human rights lawyers, activists, and politicians.  

It is important to reiterate that contrary to many reports, the Wassenaar Arrangement doesn’t purport to place control on the actual “intrusion software”, as it is defined, but rather on the software and technology used to control and to disseminate “intrusion software”. In other words, the controls aren’t aimed at the malware and rootkits that actually infect a device, but on the software used to create, deliver and instruct them.

So, whereas the actual definition of “intrusion software” is fairly broad in the Wassenaar language:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network capable device, and performing any of the following:

a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or

b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

What is being subjected to control is actually:

4.A.5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

4.D.4. "Software" specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".

As is standard throughout all export controls regulations, any enabling infrastructure is also controlled in addition to a finished complete item. For example, it is not only drones that are subject to licensing restrictions, but also “Equipment or components, specially designed to convert a manned "aircraft" or a manned "airship" to a "UAV" or unmanned 'airship'”. As a result, the following categories are also controlled in relation to intrusion software:

4.E.1.c "Technology" for the "development" of "intrusion software".

4.D.1.a "Software" specially designed or modified for the "development" or "production" of equipment or "software" specified by 4.A. or 4.D.

4.E.1 "Technology" according to the General Technology Note, for the "development", "production" or "use" of equipment or "software" specified by 4.A. or 4.D.

Recognising the risks for legitimate research posed by exporting restrictions, Wassenaar contains a number of exceptions designed to protect research, set out in the General Software Note and the General Technology Note:

GENERAL SOFTWARE NOTE

The Lists do not control "software" which is any of the following:

1. Generally available to the public by being:

a. Sold from stock at retail selling points without restriction, by means of:

     1. Over-the-counter transactions;

     2. Mail order transactions;

     3. Electronic transactions; or

     4. Telephone call transactions; and

 b. Designed for installation by the user without further substantial support by the supplier;

2. "In the public domain"; or

3. The minimum necessary "object code" for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.

Note: Entry 3 of the General Software Note does not release "software" controlled by Category 5 - Part 2 ("Information Security").

GENERAL TECHNOLOGY NOTE 

The export of "technology" which is "required" for the "development", "production" or "use" of items controlled in the Dual-Use List is controlled according to the provisions in each Category. This "technology" remains under control even when applicable to any uncontrolled item.

Controls do not apply to that "technology" which is the minimum necessary for the installation, operation, maintenance (checking) or repair of those items which are not controlled or whose export has been authorised.

Note: This does not release such "technology" controlled in entries 1.E.2.e. & 1.E.2.f. and 8.E.2.a. & 8.E.2.b.

Controls do not apply to "technology" "in the public domain", to "basic scientific research" or to the minimum necessary information for patent applications.

Implications

As security researcher Collin Anderson points out in his paper on the controls, the original language of the controls is specifically aimed at products integrated as components of the intrusion system through proprietary means that should only encounter controls as a part of an Intrusion Software system. For example, FinFisher uses a number of methods to actually install the trojan on a targeted device, including via regular USBs, through the creation of fake websites, and through the dissemination of fake updates and links via emails that surreptitiously install the malware unknown to the target. It is this delivery infrastructure that the controls were aimed at. 

These methods of surreptitiously installing the FinFisher malware can involve using flaws in the software of a device. When a flaw is discovered, code known as an exploit or a zero-day is written that takes advantage of these weaknesses. The FinFly exploit portal is a service sold to customers by FinFisher from which they can buy these exploits. There is both an underground market for exploits and registered businesses such as Vupen that sell exploits to government authorities, for example for use with products such as FinFisher.

While subjecting the exploit used in products such as FinFisher to licensing requirements may be attractive from this perspective, and might fall under category 4.E.1.c, to do so fails to take into account wider implications. 

Security researchers, individuals, and companies all rely on developing exploits to test and better understand network, device, and software security. They also need to be able to test the security of systems, known as penetration testing. They further rely on being able to share findings and research over the internet, for example sending research to a colleague working in another country. Even when emailing someone in the same country, it is possible for the packets to actually leave that country's territory, for example going intermittently to Gmail servers based in the US. For this and a variety of other reasons, leaving aside the impossible nature of actually enforcing any regulations, subjecting exploits to export control doesn't make sense, and has never been advocated for by Privacy International.

The problem at the moment is that the US BIS proposal has stated that:  

Systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices. 

And that:

Technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.

The proposal also notes “there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities.” 

These statements are extremely broad and have alarmed the research community because of the belief that the regulation is subjecting the research into and development of exploits to licensing restrictions. However, speaking to Privacy International, BIS has maintained that this is not the intention of the controls, and that they do not place restrictions on research into, development, or sale of software exploits. Further, they have stated that the language does not mean that you now need a license to report a vulnerability. Malware samples shared among researchers would similarly not be controlled, nor would, for example, a US researcher need to apply for a license if they were to attend a conference in Germany showcasing their research into and development of an exploit.

Comparative interpretation

The intention of the language is therefore similar to the interpretation of UK authorities behind the formulation of the control within the Wassenaar negotiations, who have been controlling the new categories since the start of this year. According to correspondence with Privacy International, the UK department responsible has said that the structure of the language is aimed specifically at protecting security research: it does not attempt to control the "intrusion software" itself because it would act as a barrier to the sharing of malware samples between researchers, and potentially mean that anyone with "intrusion software" on their device crossing a border would require an export license.

Further, according to UK BIS, the language does not put any restrictions on vulnerability research, meaning that there is no need to obtain a license if reporting a vulnerability, regardless of whether or not the vulnerability has already been reported. This means that zero days are not controlled in the UK, because merely having the potential to fulfil the requirements of the control does not mean that all of them need a license. Under similar reasoning, vulnerability reporting would not be caught and neither would such things as software used to jailbreak iOS devices. Further, products such as those produced by Nessus or items such as fuzzers, are not subject to licensing.

However, surveillance companies such as Vupen have long contended that all exploits and trojans are now subject to licensing because of these new rules, although they have failed to offer Privacy International any justification or comments on their claims despite receiving multiple letters asking them to do so.

Exceptions 

The general exceptions, as outlined above, are an absolutely essential component of export regulations, ensuring that controls aren't over-reaching. Numerous people have already pointed out that the main flaw with the US implementation is the sidelining of specific exemptions, present within Wassenaar's General Notes, that are designed to protect research.

In the US, the General Notes are implemented through license exceptions; specifically in the case of the General Software Note, there is an unrestricted exception for mass-market products. 

BIS's initial review of which items were likely to now require an export license found that most of them do in fact already require one because of their level of encryption, to which the exception does not apply. It is therefore proposed that the exception does not apply to the two new categories of items either, and BIS has stated in its proposal that the categories do not include mass market exceptions. However, they have stated to Privacy International that the open-source exception applies to category 4E001c, technology for the development of intrusion software. This is one of the most crucial areas which needs to be clarified and better understood.

Nothing new on encryption

It is also important to note that the references to controls on encryption present throughout the proposal have nothing to do with the new controls. They are a result of previous language and their inclusion is simply an advisory note to exporters. This US policy to retain restrictions on the export and development of cryptography continues to undermine the development and proliferation of security tools and services, something that Privacy International continues to argue curtails individual liberties as well as running contrary to US long term commercial interests.

Need for engagement

It is clear that US BIS is still at an early stage within its law making process. The fact that they have asked for comments on the proposal, and have taken so long to implement the laws, is telling. BIS Director, Randy Wheeler, has already stated publicly that BIS is still uncertain as to the scope of the Technology subparagraph, and that it did not include guidance on how this will be viewed. She has also stated that “Vulnerability research is not controlled nor would the technology related to choosing, finding, targeting, studying and testing a vulnerability be controlled”.

Increasingly, export restrictions are being used to protect human rights and to stop the export of a range of items facilitating human rights abuses, such as small arms, chemical weapons, and drones. It is therefore right that the sale of modern technologies which represent a significant risk to individual human rights and security be restricted, and that in so doing a level of transparency and accountability be brought to the commercial and government security and arms trade. 

Privacy International has throughout its history proactively engaged with and rigorously campaigned on issues relating to export restrictions. Throughout the 1990s, when governments were trying to restrict individuals' access to encryption, together with the wider privacy community we fought against such restrictions, and we won. More recently, we have campaigned for export restrictions to apply to surveillance technologies which represent a fundamental risk to privacy and a range of other human rights. 

We believe that surveillance technologies should not be put in the hands of governments who will use them to violate human rights, be it by surveillance, intimidation, harassment, censorship or torture. Export controls have proven to be effective in stopping surveillance companies from selling invasive spying tools to the world's most repressive regimes. Of course, they must be designed and implemented in a manner that preserves the ability of the wider technology community to engage in legitimate security research and the development of essential communications tools. The current BIS proposal requires work to ensure the final regulations do not have the unintended impact of chilling free speech and stifling research.

There are still many uncertainties and questions in the proposal. As a result, Privacy International will be vigorously consulting government authorities, experts, industry, and lawyers to better understand the potential implications of this proposal before submitting our comment to BIS, and will be updating this page to help inform and better guide the review process.

Law-making is never easy, and no law is ever entirely free from unintended consequences and risks. But it is only through careful and well calculated decision making and engagement in the policy making process by all stakeholders that laws become better. 

The closing date for submission of comments is July 20th.