European Parliament member presses to change spyware export rules

As the European Union invites comments on many of its export regulations, Dutch Member of European Parliament Marietje Schaake wants to change surveillance software trading rules many critics say are too onerous. But some security experts say those changes do not go far enough.

This summer’s cybersecurity cause célèbre is back for a European reboot.

Just a few months ago, the computer security community mobilized to stop US regulators from implementing a multilateral policy meant to stop international sales of military-grade spyware to oppressive regimes. Critics said the plan was so broad it would prevent overseas sales of other security products, too.

Now security professionals are setting their gaze on the European Union as it reviews export laws, including its version of trade limits on spyware, bringing that argument back into the open.  

Both the US and EU are members of the 41-nation Wassenaar Arrangement, an arms trade pact updated in 2013 to include Internet monitoring technologies and so-called "intrusion software." In 2014, well before the planned US implementation inflamed security pros and digital rights activists, the EU passed restrictions on those exports, leaving enforcement in the hands of its member nations.

A prominent member of the European Parliament has submitted a plan that would soften parts of Wassenaar that its critics find the most disagreeable. But many security experts say those changes do not go far enough.

"If you're going to carve out export controls, if you set the scope too broadly, you add bureaucracy, affect businesses that make the security products and the security of those who buy their products, chill research and still run into the gun problem: people who break the law will operate around it," said independent security researcher Meredith Patterson. "And that still seems to be where this is going."

The European Commission, the EU's body that proposes legislation for its other branches of government to vote on, is currently accepting comments on so-called "dual-use" export controls – ones that limit the sale of products that have both military and secondary uses. Dutch Member of European Parliament Marietje Schaake has submitted a plan to the Commission that she claims will better protect human rights while simplifying the regulation.

"We don’t want researchers to be unsure whether or not they can conduct research,” she said.

Due to the international nature of cybersecurity research and development, that was also a chief complaint in the US about the proposed Department of Commerce implementation of Wassenaar.

In fact, MEP Schaake’s plan address several problems raised by Wassenaar critics in the states. For instance, US policymakers had planned to force companies to obtain an export license for any product that ran afoul of Wassenaar's new software rules regardless of its purpose. And it would require a license regardless of the export's final destination. So network-testing equipment sent to England would face the same potentially onerous scrutiny as spyware sent to Syria. Schaake’s proposal calls for requiring export licenses only for continually updated lists of select countries and specific dangerous products. 

If the US rules were too restrictive, Schaake sees the Italian version of Wassenaar as far too lenient. When the Italian surveillance software firm Hacking Team was itself hacked earlier this year, leaked e-mails showed that Italy had issued a near universal license for the company to ship its wares nearly anywhere. That was despite Hacking Team's reputation for selling software to questionable regimes. The rules were implemented, but never used when Schaake says it counted the most.

"The question is, would a Dutch authority do the same?" asked Schaake, whose plan would see the European Union crackdown on overly permissive licensing by individual nations by issuing licenses through a single, continental clearinghouse.

And Schaake said she could save companies from spending the months-long process of applying for an unneeded license by offering a "help desk," to aide companies unsure whether they need to apply. 

"This [plan] may not address every concern that researchers have, but researchers often talk about the risks without trying to help," she said.

Though Schaake is the leading voice for reform of information security export controls, some researchers say their input is landing on deaf ears. 

A common solution to Wassenaar’s woes forwarded by the computer security community, usually attributed to Sergey Bratus, a research associate professor at Dartmouth College, is that most problems would be all but solved with minor adjustments to the definition of intrusion software.

As it stands, intrusion software is defined as software that either surreptitiously spies on data from another computer or changes the processes of another program. If it were only defined as software that steals information, it would still squarely restrict all spyware, but completely avoid adversely affecting research or security software, which don’t need to steal data. 

Ms. Patterson, who is a frequent collaborator of Bratus's, and other researchers say they brought their exfiltration solution to Schaake without much of a response.   

"People say rather than complain, we need to suggest things that will work. We did. She doesn't seem willing to talk about what will work," Patterson said.

Schaake said human rights would be better served with broader laws that could potentially protect more things. She will be holding a round table to discuss her plan on Wednesday in Brussels. 

HackerOne’s Katie Moussouris, who will appear on Schaake’s panel, intends to stress the importance of shifting the regulations from preventing intrusion to preventing data stealing – usually called exfilitation.

"My intention is to provide concrete examples of intrusion technology and zero day sales helping in the defense of the Internet," she said via e-mail. Ms. Moussouris's company helps broker sales of previously unreported vulnerabilities to manufacturers eager to fix them – sales that could be halted by Wassenaar.

"While nation states and criminals certainly are consumers of zero-day vulnerabilities and intrusion tech, they often don't need them to conduct attacks due to so many other attack vectors available, like phishing," she said.

For all the contention, it is a bitter argument where both researchers and Schaake ultimately want the same thing – less malicious spyware and a simpler trading environment.

"Essentially, this is an issue even some of the people who deal exploits controlled by the Arrangement to governments agree about," Patterson said. "No one wants to see spyware in the hands of regimes."