Surveillance and internet monitoring tools can be “munitions,” and need to be handled properly
The EU is now in talks among its member states to adopt new rules on cyber security and surveillance exports, bringing its dual-use regulation into line with the Wassenaar Arrangement, a multilateral export control regime that governs “dual use” technologies whose sale abroad can have national security and human rights implications.
The compromise package put forward for the members to debate domestically would streamline the export licensing process and loosen the rules on encryption technologies while tightening them on tools for intercepting and monitoring phone calls, online messaging services, and email.
Previous efforts at updating the language have stalled over impasses regarding overly broad measures that would impede cyber security research while offering little concrete action on privacy concerns.
The decision to show greater leeway on the cryptographic side is driven by the worldwide push for privacy tools since the NSA leaks of 2013. It follows the postponement of a reading of the bill earlier in September, and a leak of a draft text to EurActiv.com over the summer.
The Wassenaar Arrangement covers a number of “dual use” items, especially those with military and security applications. It has 41 participating states, though it is voluntary and has no supranational enforcement mechanism; each state implements the control lists through its own national (or, for EU members, EU-level) export legislation. “Dual use” means that exporters have to account for the sale of machine tools or spare parts that can support a ballistic missile program as easily as a commercial satellite program, or for keeping chemical weapons precursors out of certain hands while recognizing that many of these compounds have agricultural or medical applications.
“Cyberweapons” (more precisely, “intrusion software” and IP network surveillance systems) were added to its dual use lists at the December 2013 plenary and were carried into the EU’s own control list in 2014.
Over the past several years, a number of EU-based entities have become embroiled in legal proceedings or embarrassing public disclosures of their surveillance sales, especially of intrusion software. The core problem arises when the buyers, equipped with the vendor’s documentation and training, stretch the definition of “counter terrorism” so broadly that it no longer has any meaning and primarily functions to repress criticism of officials.
Those implicated include large, partially state-owned enterprises such as TeliaSonera, which sold mass interception “black box” technology to the security services of Uzbekistan. Its dealings with that repressive government were expedited by nearly $400 million in bribes.
Leaks about their operations have also embarrassed smaller entities. In 2011 and 2012, multiple European entities sold equipment to the Libyan government, which used it to harass dissidents and journalists. The most recent controversies have been over the UK-registered Gamma International and the Milan-based Hacking Team.
Both firms were hacked, and the large amount of material put online illustrated how readily the companies sold products to countries implicated in human rights abuses, which then misused technology that company representatives had sold them and trained them to operate. In the case of Hacking Team, the negative exposure in the press led the authorities to rewrite how certain export licenses are granted to Italian companies.
Trade associations have noted that any EU measures to increase export controls could lead to firms and buyers switching over to the U.S., where export controls are less onerous, or perhaps Russia, Israel or China. The U.S. and Russia are signatories to Wassenaar; Israel and China are not. Russian, Israeli, and Chinese firms already sell heavily to some of the same countries the EU-based firms have come under fire for working in.
Overly broad restrictive measures, though, would also risk slowing down the global ICT industry, costing firms billions of dollars in compliance with new regulations. One of the main concerns is that such limitations, and the ambiguity of the definitions, would lead to a decline in innovation and risk-taking by entities that do not wish to incur legal liability for researching cyber security issues.
Communications and surveillance equipment falls into the realm of dual use applications, but the distinctions are not so clear cut as with WMD proliferation concerns. There are some commercial clients who may make use of this gear to research their consumers or monitor their employees, but many customers are in fact police and intelligence agencies who need these systems to carry out their investigations.
One of the biggest complaints about earlier Wassenaar cyber security drafts is that “intrusion software” is too broad a category: its definition (software designed to evade monitoring tools or defeat protective countermeasures in order to extract data or alter a program’s execution path) covers the implants used to break into activists’ computers just as well as the proof-of-concept exploits that ethical hackers use to identify vulnerabilities in systems before hostile actors can take advantage of them. Strictly, the 2013 list controls the tools that generate, deliver, or command intrusion software rather than the intrusion software itself, but because those controls hinge on that definition, the ambiguity carries straight through to the researcher writing or sharing an exploit.
Operators of corporate and government databases also use some of the same tools to test their own cyber security and privacy measures, reducing the chance of cyberattacks that could result in damaging leaks or the hoovering up of citizens’ personal information by hostile hackers. As the Electronic Frontier Foundation noted in February, “The definitions in the Wassenaar control lists which were approved in December 2013 are too vague to be implemented in any fashion without resulting in serious chilling effects on security research.”
Defenders of the old language counter that some oversight, flawed and abused as it is by companies and governments, is still better than a vacuum of good intentions. Critics reply that poorly defined export controls will deter even a half-honest actor from entering the market or conducting important research, while doing little to stop a determined seller.
This is the core dilemma of negotiating any dual use controls: those determined enough to secure the goods can get them by any means they want, including extralegal ones. At least with national oversight in place, a trail of responsibility can be established and the worst offenders (hopefully) interdicted before more harm is done. Sadly, as the recent revelations about surveillance sales show, enforcement mechanisms to protect online privacy rights remain the biggest shortcoming of all.