State Department Backs Off Criminalizing Security Research Tools

from the now,-if-it-can-just-get-40-countries-to-agree-with-it... dept

Thu, Mar 3rd 2016 2:00pm — Tim Cushing

Some good news for security researchers: the US government's adoption of the Wassenaar Arrangement will no longer treat the tools of security research like crates of machine guns. While exploits and penetration tools can be used by bad people for bad things, they're also invaluable to security researchers who use these to make the computing world a safer place.

Vague wording in the US government's proposed adoption of the 2013 version of the Wassenaar Arrangement threatened to criminalize the development of security research tools and make any researcher traveling out of the country with a laptop full of exploits an exporter of forbidden weapons.

To its credit, the State Department welcomed comments on its proposal. Even better, it seems to have listened.

It appears that the State Department has heard these concerns loud and clear. Not only has all talk of finalizing the proposed rule as drafted come to halt, but State has put “removal of the technology control” on the agenda for the December 2016 meeting at Wassenaar.

But, as the EFF's Nate Cardozo and Eva Galperin note, the battle isn't over yet. The State Department still has to pitch its amended adoption to the other parties involved in the Wassenaar Arrangement.

Of course, this isn’t the end of the road. There is no guarantee that the 40 other nations who participate in the Wassenaar Arrangement will agree, but for now, we are enjoying this important victory.

Stripping out the criminalizing of security research is a welcome step forward. In a country where researchers are routinely subjected to legal threats and law enforcement scrutiny for reporting security holes and the government always too willing to abuse the broadly-worded CFAA to punish "hackers," the addition of export controls on research tools would only have made the problem worse. And it would have done next to nothing to make general computing/internet usage any safer.

As was noted here last September, updates to the Wassenaar Arrangement were already having a chilling effect. HP pulled its support from Pwn2Own's hacking competition in Japan, citing the "legal uncertainty" surrounding the country's version of the agreement. Had the US government forged ahead with the wording unchanged, this country would have been the next to see major sponsors pull support from security research conferences or other hacking-related events.

For now, US security researchers are as "safe" as they've ever been -- which isn't really all that safe. But the situation could be far worse. The future is now partially in the hands of 40 other countries that may not be as receptive to the State Department's arguments as the agency was to the comments of those its proposal would affect.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: research, security research, state department, wassenaar agreement

5 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 3 Mar 2016 @ 5:03pm

What I've learned about being a security researcher
Under no circumstances should I even attempt to quietly report an operational problem to a corporation, university, or government agency. A much safer course of action is to publish it anonymously, forgoing the credit in favor of a modicum of personal safety.

Congratulations, everyone, you've taught me to avoid -- at all costs -- doing you a favor.
[ link to this | view in chronology ]
- tqk (profile), 4 Mar 2016 @ 3:13pm
  
  Re: What I've learned about being a security researcher
  Congratulations, everyone, you've taught me to avoid -- at all costs -- doing you a favor.
  
  There's been way too many favors going around. It's about time all this altruistic nonsense stopped. Have you all forgotten your predatory instinct?!? It's your nature! Long in tooth and claw!
  
  Oh, and ignorance is bliss.
  [ link to this | view in chronology ]
ECA (profile), 3 Mar 2016 @ 8:08pm

aND
you may wonder why I use a Russian AV tool.

YES, a few have been incarcerated, JUST for notifing the companies that there was a HOLE in the protection..

EVEN our gov. has fired many, responsible for the internet, BECAUSE what they wanted. was UPDATES, changes, MORE SECURITY..
[ link to this | view in chronology ]
- tqk (profile), 4 Mar 2016 @ 3:16pm
  
  Re: aND
  you may wonder why I use a Russian AV tool.
  
  No, I'd wonder why you used any AV tool. Are you using MS Windows? Try Tails Linux.
  [ link to this | view in chronology ]
dak, 4 Mar 2016 @ 8:35am

As they say...
When security research tools are outlawed, only outlaws will have security research tools.
[ link to this | view in chronology ]