Google has criticised proposed US export-control rules that would require government licences to export security research and technologies, saying they will hurt ordinary web users.
Google vulnerability research export compliance counsel Neil Martin and Chrome Security Team “hacker philanthropist” Tim Willis protested the proposal, which would write parts of the international Wassenaar Arrangement into US export rules, in a blog post.
What is the Wassenaar arrangement?
The Wassenaar Arrangement is not itself legislation but a multilateral export-control agreement. It was originally designed to control the export of conventional arms and of goods and technologies with potential military applications, which the arrangement calls “dual-use” goods and technologies.
Cooley LLP partner Kevin M. King explained to Business Insider that, in its current form, the arrangement is intended to protect the financial interests of participating members and to ensure rogue states do not develop advanced military capabilities.
“The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is a voluntary, multilateral export control regime whose member states exchange information on transfers of conventional weapons,” he explained.
“Wassenaar establishes lists of items for which member countries are to apply export controls. Member governments implement these controls to ensure that transfers of the controlled items do not contribute to the development or enhancement of military capabilities that undermine the goals of the Arrangement.”
Forty other countries participate in the arrangement alongside the United States.
The proposed change
Google’s complaint relates to changes the US Commerce Department’s Bureau of Industry and Security (BIS) proposed on May 20, 2015.
The change would apply Wassenaar Arrangement controls to software and tools commonly used by security researchers and penetration testers. Penetration testers are security specialists that companies hire to find exploitable vulnerabilities in their networks and products.
Under the proposed controls, companies operating in the US would need a specific licence to export covered security technologies, or information on newly discovered vulnerabilities, to any destination other than Canada.
If the changes are approved, a US security researcher who finds a vulnerability in a European company’s product would therefore need an export licence before alerting that company.
Why Google is up in arms and you should care
The proposed changes have caused concern within the security community, with many, including Google, arguing that they could hamper security researchers’ ability to do their jobs.
Google argues the changes are unworkable as the description of what technologies and data would be controlled is “dangerously vague.”
“Rules are dangerously broad and vague. The proposed rules are not feasible and would require Google to request thousands – maybe even tens of thousands – of export licenses,” explained Google in the blog post.
“Clarity is crucial. We acknowledge that we have a team of lawyers here to help us out, but navigating these controls shouldn’t be that complex and confusing. If BIS is going to implement the proposed controls, we recommend providing a simple, visual flowchart for everyone to easily understand when they need a licence.”
Google is also concerned the rules would hamper researchers’ ability to share information and delay the discovery of new software vulnerabilities, which would leave ordinary web users more exposed to attack.
The firm cited the widely publicised Heartbleed and Poodle flaws as examples of the kind of research at stake.
“It’s through diligent research that we uncover and fix bugs — like Heartbleed and Poodle — that can cause serious security issues for web users around the world,” read Google’s statement.
“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit.”
Heartbleed is a dangerous flaw in OpenSSL that was uncovered in April 2014. OpenSSL is not a protocol but a widely used open-source library that implements SSL/TLS, the protocols that encrypt connections to web servers such as Apache and Nginx, which host around 66 per cent of all the world’s sites.
Before the OpenSSL Project fixed it in April 2014, an attacker could send a malformed heartbeat message and read up to 64 KB of the server’s memory per request, exposing private keys, session cookies and other data that the encryption was supposed to protect.
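To make the Heartbleed mechanism concrete, here is an added, simplified C model of a TLS heartbeat handler. It is not OpenSSL’s code and not part of the original article. The record layout follows RFC 6520 (type, two-byte payload length, payload, padding); the `memory` array standing in for the server heap, the planted `SESSION=deadbeef` string and all function names are constructed for the example. The vulnerable handler trusts the peer-supplied payload length; the fixed one checks it against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
 * rec_len is the number of bytes actually received for the record.
 * Constructed for illustration; this is not OpenSSL's code. */
#define HEAP_SIZE   256
#define PADDING     16
#define HB_REQUEST  1
#define HB_RESPONSE 2

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *resp, size_t resp_cap);

/* Echo the payload and append padding into resp; returns the response length. */
static int write_response(const uint8_t *rec, uint16_t payload,
                          uint8_t *resp, size_t resp_cap) {
    if ((size_t)3 + payload + PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload >> 8);
    resp[2] = (uint8_t)(payload & 0xff);
    memcpy(resp + 3, rec + 3, payload);   /* copy length comes from the peer */
    memset(resp + 3 + payload, 0, PADDING);
    return 3 + payload + PADDING;
}

/* Vulnerable pattern (CVE-2014-0160): the peer's 16-bit payload length is used as
 * the copy length without comparing it to rec_len, so the reply echoes whatever
 * happens to sit after the request in process memory. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec, payload, resp, resp_cap);   /* BUG: no rec_len check */
}

/* Fixed pattern: header + claimed payload + padding must fit in the bytes received;
 * oversized claims are dropped silently. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *resp, size_t resp_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + PADDING > rec_len) return -1;   /* FIX */
    return write_response(rec, payload, resp, resp_cap);
}

/* Build a request at buf that claims claimed_len payload bytes but carries only
 * strlen(real_payload); returns the number of bytes actually "sent". */
static size_t build_request(uint8_t *buf, uint16_t claimed_len, const char *real_payload) {
    size_t n = strlen(real_payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, real_payload, n);
    memset(buf + 3 + n, 0, PADDING);
    return 3 + n + PADDING;
}

/* Byte-string search, since memmem is not portable. */
static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if a secret planted next to the request shows up in the handler's reply. */
static int leaks_secret(hb_handler handler) {
    uint8_t memory[HEAP_SIZE] = {0};                 /* stands in for the server heap */
    uint8_t resp[HEAP_SIZE + 3 + PADDING];
    const char *secret = "SESSION=deadbeef";         /* constructed neighbouring data */
    size_t wire_len = build_request(memory, 128, "hi");   /* claims 128, sends 2 */
    memcpy(memory + 64, secret, strlen(secret));
    int n = handler(memory, wire_len, resp, sizeof resp);
    return n > 0 && contains(resp, (size_t)n, secret);
}

/* A well-formed request: both handlers should answer with a 21-byte response. */
static int handle_legit(hb_handler handler) {
    uint8_t memory[HEAP_SIZE] = {0};
    uint8_t resp[HEAP_SIZE + 3 + PADDING];
    size_t wire_len = build_request(memory, 2, "hi");
    return handler(memory, wire_len, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("legit request, fixed:    %d bytes\n", handle_legit(heartbeat_fixed));
    return 0;
}
```

The point of the comparison is that the fix is a single length check on attacker-controlled input; the real bug allowed the claimed length to reach 65535, which is why a single request could leak up to 64 KB of adjacent heap.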
Poodle is a separate flaw in version 3.0 of the Secure Sockets Layer (SSL) protocol, the predecessor of TLS that was still accepted as a fallback in 2014 by software ranging from Apple OS X to Microsoft Outlook. Google researchers uncovered the Poodle flaw in October 2014.
Far from over
Katie Moussouris, chief policy officer of HackerOne, a platform that coordinates vulnerability disclosure between security researchers and companies, publicly criticised the changes in an article on Wired.
A group of security companies has formed a “Coalition for Responsible Cybersecurity” focused on stopping the Wassenaar changes from becoming official on 14 July.
Business Insider has reached out to BIS for comment on Google and the security community’s criticisms.