New export controls being considered by the U.S. government as part of a broader effort to prevent sophisticated surveillance software from being sold to rogue foreign governments could end up hurting legitimate vulnerability research efforts, Google warned Monday.
In comments filed with the U.S. Department of Commerce, Google expressed concern over U.S. participation in a multilateral export control agreement called the Wassenaar Arrangement.
"We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community," Google's Export Compliance Counsel Neil Martin and Tim Willis, a member of the company's Chrome security team, wrote in a blog.
The controls would hamper Google's ability to defend itself against malicious attacks and also undermine Web security overall, the two wrote. "It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure," they continued.
The Wassenaar pact was originally designed to give Western nations a tool for exerting greater control over the sale and export of a wide range of dual technologies and arms. It was modified in 2013 to include controls for the export of "intrusion" software that can be used to spy on Internet users.
The Wassenaar update was prompted by concerns over the sale of sophisticated spying software by several companies in Western countries to regimes with dubious human rights records. Many fear that intelligence agencies and law enforcement authorities in repressive governments are using such products to spy on their own people and to monitor the activities of journalists, dissidents and rights activists. The European Union has already moved to implement the Wassenaar Arrangement updates.
But in the United States, there are growing concerns over the Commerce Department's proposals for implementing the export controls. Much of the concerns have to do with the overly broad manner in which the department has chosen to define the software that will be subject to new restrictions.
In the EU, intrusion software that is available in the public domain is not subject to any licensing requirements or control. But in the U.S., that exemption is not available. As a result, software used for legitimate security research purposes, such as penetration testing software, could end up becoming subject to new restrictions and licensing requirements.
If the rules are passed as written, companies that conduct security research and the businesses that benefit from such research would face a completely unreasonable set of requirements, the Google executives wrote.
Last year alone, for instance, Google paid more than $4 million to researchers from around the world who found security problems in its products using a wide range of penetration testing and hacking tools. If the new export controls go into effect, Google would be required to request potentially tens of thousands of export licenses for such research, Martin and Willis said.
"Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities, including: emails, code review systems, bug tracking systems, instant messages—even some in-person conversations," the company said.
If the proposed updates are implemented unchanged, they would also seriously impact the ability of global companies to share vital security information with staff situated in other countries, Google said.
Organizations should never require a license to be able to report a bug that needs to get fixed. Instead, the Commerce Department should have a standing license exemption for anyone who wants to report security problems back to a vendor in order to get the problem fixed, Martin and Willis wrote.
"This would provide protection for security researchers that report vulnerabilities, exploits, or other controlled information to any manufacturer or their agent," they said.