This post was authored by independent researcher Collin Anderson.
Today, Access released a white paper that analyzes the role of government export controls in limiting the spread of sophisticated surveillance technologies. Entitled “Considerations on Wassenaar Arrangement Proposals for Surveillance Technologies,” the white paper focuses on the export of these technologies to countries known for violating human rights.
In December 2013, the 41 countries that participate in the multilateral “Wassenaar Arrangement” export control regime agreed to place limitations on the availability of two new classes of items called “Intrusion Software” and “IP Network Surveillance Systems.” The announcement garnered attention, since an institution that was created to control the proliferation of military equipment was now being used to limit the access to high-profile surveillance technology. The Wassenaar Arrangement members — especially the United Kingdom and France — were right to raise concerns, as companies within their jurisdiction were increasingly linked to human rights violations in repressive countries such as Libya and Bahrain.
In our white paper, we utilize publicly available technical documentation for existing products to review two existing export controls. We conclude that both controls are narrowly-tailored to address technologies that have no purpose other than for surveillance regimes, and offer examples of products that would be covered. Since the release of the most recent controls, various communities have expressed concerns about the potential for export regulations to overlap with normal network technologies that they feel should should not be controlled. In order to reduce potential confusion, we offer recommendations on how these controls can more effectively pursue commonly agreed-upon human rights objectives, while not stifling legitimate research.
It is important to keep in mind that the new controls align with a deeper history of national regulation of similar technologies within member states, and these changes are not the first time surveillance technologies have been controlled within the Wassenaar Arrangement. Adoption of these controls has been incremental across the Arrangement’s membership, and even slow in countries that have typically responded quickly to implement them. For example, the United States has yet to codify the controls despite addressing other controls from the 2013 plenary session this August and their adoption in the European Union.
Since the release of the new language, communities that typically do not interact with export control regulations, or the agencies involved in the process, have faced challenging questions about how the changes impact their affairs. Human rights organizations — which have long advocated for controls on a range of privacy-invasive network technologies and other surveillance equipment — have not been given a clear picture of what is now controlled and what remains to be addressed. Computer scientists have a natural aversion to government restrictions on the export of technology because they previously encountered restrictions on cryptography that stifled computer security. These legitimate fears have been exacerbated by the complexity of the controls and misinformation from those who profit from security flaws. As a result, there is a dearth of debate about the Wassenaar Arrangement framework based on real-world examples.
Our white paper attempts to apply the new Wassenaar Agreement controls to information about the digital surveillance trade sourced from marketing materials and research to illustrate how the controls work in context. We believe that the rules are narrowly tailored to a specific set of sophisticated, single-purpose products, and do not control exploitation or security research, contrary to fears expressed by the security community.
As governments adopt the rule and consider applications for export licenses, it is incumbent upon export control authorities to ensure that these new regulations are narrowly applied to control equipment, software, and technologies that are substantially designed for surveillance, while not chilling research and work that is fundamental to the promotion of internet security. Moreover, governments should continue to consult with industry and civil society to promote implementation of “know your customer” policies and red flags that will reduce the potential for approved, or otherwise permissible, exports that can be misappropriated for the abuse of human rights. These discussions will also enable more clear technical expectations about how exempted systems should operate in order to achieve legitimate and narrowly-defined objectives, and how to avoid unintended consequences for security research.
The new Wassenaar Arrangement controls recognize an increasing need for authorities and private industry to limit the proliferation of sensitive technologies to bad-faith actors. Export controls are not a panacea for digital surveillance, nor are the current controls expected to end the lucrative market for government-grade malware or mass surveillance systems. National security priorities routinely come into conflict with human rights values, and for this reason last summer we joined other organizations in strongly urging the United States government to enact the controls under a system that requires explicit evaluation of a human rights impact. Clearly defined and well-enforced intrusion software and IP Network surveillance controls can lay the groundwork for a constructive and expansive role for export controls in the promotion of human rights and cyber security goals.
We hope that this work will contribute to public debate, and we look forward to feedback from all stakeholders.
photo credit: János Balázs