Google just joined the fight against the controversial new export regulations known as the Wassenaar Arrangement. Today, the company posted an open letter raising serious concerns about the security impact of the forthcoming rules, co-authored by Google's export compliance counsel Neil Martin and Tim Willis of the company's Chrome Security Team.
"We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community," Martin and Willis write. "They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
The new rules are based on an international agreement signed in December 2012, but the Department of Commerce is currently in the process of deciding what they'll mean for US citizens. For months, security researchers have roundly criticized the rules as fundamentally counterproductive to security on the web. The new regulations would particularly target intrusion software, allowing export only under a specifically granted license. In theory, that would help keep security-breaking programs out of the hands of criminals, but researchers say it would also make it harder for software companies to research and defend against those attacks. "It's impossible to build effective defenses without free and open access to the latest techniques of the attackers," developer Marsh Ray told The Verge in May.
Many of Wassenaar's provisions were aimed at spyware vendors, which purchase vulnerabilities, package them for sale, and distribute them to oppressive regimes in countries like Ethiopia and Bahrain. But as the recent Hacking Team leak demonstrated, many of those companies have become adept at working within the export control system, acquiring licenses when possible and otherwise conducting business in secret.
Google has submitted comments to the Department of Commerce asking for specific revisions to the proposed rules, seeking carve-outs for bug reporting and international development teams. It remains to be seen how the Department of Commerce will respond to the objections, but significant revisions are likely, given the flood of critical comments from Google and others. "We’re committed to working with BIS [Commerce's Bureau of Industry and Security] to make sure that both white hat security researchers’ interests and Google users’ interests are front of mind," Martin and Willis said.