Modern field guide to security and privacy

European Parliament member presses to change spyware export rules

As the European Union invites comments on many of its export regulations, Dutch Member of European Parliament Marietje Schaake wants to change surveillance software trading rules many critics say are too onerous. But some security experts say those changes do not go far enough.

Yves Herman / Reuters
The European Commission is considering changes to controversial export laws for certain security-related products among the European Union nations.

This summer’s cybersecurity cause célèbre is back for a European reboot.

Just a few months ago, the computer security community mobilized to stop US regulators from implementing a multilateral policy meant to stop international sales of military-grade spyware to oppressive regimes. Critics said the plan was so broad it would prevent overseas sales of other security products, too.

Now security professionals are setting their gaze on the European Union as it reviews export laws, including its version of trade limits on spyware, bringing that argument back into the open.  

Both the US and EU are members of the 41-nation Wassenaar Arrangement, an arms trade pact updated in 2013 to include Internet monitoring technologies and so-called "intrusion software." In 2014, well before the planned US implementation inflamed security pros and digital rights activists, the EU passed restrictions on those exports, leaving enforcement in the hands of its member nations.

A prominent member of the European Parliament has submitted a plan that would soften parts of Wassenaar that its critics find the most disagreeable. But many security experts say those changes do not go far enough.

"If you're going to carve out export controls, if you set the scope too broadly, you add bureaucracy, affect businesses that make the security products and the security of those who buy their products, chill research and still run into the gun problem: people who break the law will operate around it," said independent security researcher Meredith Patterson. "And that still seems to be where this is going."

The European Commission, the EU's body that proposes legislation for its other branches of government to vote on, is currently accepting comments on so-called "dual-use" export controls – ones that limit the sale of products that have both military and secondary uses. Dutch Member of European Parliament Marietje Schaake has submitted a plan to the Commission that she claims will better protect human rights while simplifying the regulation.

"We don’t want researchers to be unsure whether or not they can conduct research,” she said.

Due to the international nature of cybersecurity research and development, that was also a chief complaint in the US about the proposed Department of Commerce implementation of Wassenaar.

In fact, MEP Schaake’s plan address several problems raised by Wassenaar critics in the states. For instance, US policymakers had planned to force companies to obtain an export license for any product that ran afoul of Wassenaar's new software rules regardless of its purpose. And it would require a license regardless of the export's final destination. So network-testing equipment sent to England would face the same potentially onerous scrutiny as spyware sent to Syria. Schaake’s proposal calls for requiring export licenses only for continually updated lists of select countries and specific dangerous products. 

If the US rules were too restrictive, Schaake sees the Italian version of Wassenaar as far too lenient. When the Italian surveillance software firm Hacking Team was itself hacked earlier this year, leaked e-mails showed that Italy had issued a near universal license for the company to ship its wares nearly anywhere. That was despite Hacking Team's reputation for selling software to questionable regimes. The rules were implemented, but never used when Schaake says it counted the most.

"The question is, would a Dutch authority do the same?" asked Schaake, whose plan would see the European Union crackdown on overly permissive licensing by individual nations by issuing licenses through a single, continental clearinghouse.

And Schaake said she could save companies from spending the months-long process of applying for an unneeded license by offering a "help desk," to aide companies unsure whether they need to apply. 

"This [plan] may not address every concern that researchers have, but researchers often talk about the risks without trying to help," she said.

Though Schaake is the leading voice for reform of information security export controls, some researchers say their input is landing on deaf ears. 

A common solution to Wassenaar’s woes forwarded by the computer security community, usually attributed to Sergey Bratus, a research associate professor at Dartmouth College, is that most problems would be all but solved with minor adjustments to the definition of intrusion software.

As it stands, intrusion software is defined as software that either surreptitiously spies on data from another computer or changes the processes of another program. If it were only defined as software that steals information, it would still squarely restrict all spyware, but completely avoid adversely affecting research or security software, which don’t need to steal data. 

Ms. Patterson, who is a frequent collaborator of Bratus's, and other researchers say they brought their exfiltration solution to Schaake without much of a response.   

"People say rather than complain, we need to suggest things that will work. We did. She doesn't seem willing to talk about what will work," Patterson said.

Schaake said human rights would be better served with broader laws that could potentially protect more things. She will be holding a round table to discuss her plan on Wednesday in Brussels. 

HackerOne’s Katie Moussouris, who will appear on Schaake’s panel, intends to stress the importance of shifting the regulations from preventing intrusion to preventing data stealing – usually called exfilitation.

"My intention is to provide concrete examples of intrusion technology and zero day sales helping in the defense of the Internet," she said via e-mail. Ms. Moussouris's company helps broker sales of previously unreported vulnerabilities to manufacturers eager to fix them – sales that could be halted by Wassenaar.

"While nation states and criminals certainly are consumers of zero-day vulnerabilities and intrusion tech, they often don't need them to conduct attacks due to so many other attack vectors available, like phishing," she said.

For all the contention, it is a bitter argument where both researchers and Schaake ultimately want the same thing – less malicious spyware and a simpler trading environment.

"Essentially, this is an issue even some of the people who deal exploits controlled by the Arrangement to governments agree about," Patterson said. "No one wants to see spyware in the hands of regimes."


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to European Parliament member presses to change spyware export rules
Read this article in
QR Code to Subscription page
Start your subscription today