Why Wassenaar Arrangement's Definitions of "Intrusion Software" and "Controlled Items" Put Security Research and Defense At Risk

In this article we argue that Wassenaar Arrangement, as currently formulated, will have extensive harmful effects on computer security research and defensive software. We propose an alternative formulation that will achieve Wassenaar Arrangement’s goal of protecting activists and dissidents in oppressive regimes without causing these chilling effects. 1 The intent of the Wassenaar Arrangement The Wassenaar Arrangement’s intrusion software clauses are intended to protect the activists and dissidents whose lives are endangered by government surveillance. The body of evidence that links persecution and computer surveillance is growing. The usual pattern of computing technology commoditization implies that this surveillance will grow in footprint and capacity while costs fall. The regulations of the Wassenaar Arrangement are intended to reverse or abate this trend, limiting the availability of computer surveillance to repressive regimes. Unfortunately, as we demonstrate in this article, the Wassenaar definitions of intrusion software are overbroad, applying almost universally to elementary building blocks of security research. Among the unintended effects of the Arrangement’s definitions are chilling effects on the development of antisurveillance measures and on the discovery of existing vulnerabilities—and thus on fixing vulnerable systems. The Arrangement’s definitions will impose a prior restraint on the publication of security research, analogous to the export controls on strong encryption software that were in effect in the 1990s. The language of the Arrangement’s definitions attempts to avoid these unintended effects by using explicit exemptions as well as a two-tiered structure of controls. This article demonstrates that these methods fail to cover the majority of technological artifacts and processes that are crucial to security research and defense, and are therefore insufficient to meet the intent of the Arrangement. The anti-surveillance intent of Wassenaar will, however, be fully fulfilled if surveillance-enabling software and hardware were to be addressed directly. We propose such a direct approach: targeting exfiltration, which is a key part of surveillance, rather than the vague and overbroad intrusion. In addition to the advantage of simplicity, this approach eliminates the potential ambiguity between the singled-out but not directly controlled class of intrusion software and its related classes of controlled items in the current Wassenaar language. This document has the following structure: 1. The conceptual structure of the chilling elements in the current Wassenaar language is discussed in section 2. 2. The overbreadth of these elements is discussed in section 3 and appendices A, B, and C. 3. Section 4 proposes replacing the key concept of intrusion software with exfiltration software. This proposed replacement addresses the Arrangement’s stated intent and avoids the unintended chilling effects. 4. The article concludes with a forward perspective on the regulation of independent security research, and an argument that such regulation must exercise caution in order to preserve the citizens’ science nature of such activity.