Rights Organisations Urge Export Control Body to Change Control List

Rights organisations from around the world have sent a joint letter to all participating states of a major international export controls coordination body urging its participants to update rules to protect human rights and security research.

The Wassenaar Arrangement, an international coordination body in which participating states decide what technologies should be made subject to export restrictions, has since its beginning in the early 90s had an important impact on privacy and other human rights.

As a result of decisions taken within the body, its members, which include Russia, the US, and EU states, agree to control the export of specific technologies within their national legislation. These technologies can include military items and items which can be used for both civilian and military purposes, known as “dual-use” items, such as some Unmanned Aerial Vehicles.

Since the 1990s, governments have used the body’s list of controlled items to restrict the international free flow of cryptography by placing restrictions on the export of items employing specific levels of encryption, placing significant burdens on and undermining the security of devices and networks — the effects of which are still felt to this day.

More recently, the body has included other items within its control list which can be used for electronic communications surveillance, effectively placing restrictions on their export and in some cases providing greater transparency over the trade. For example, since 2012, mobile and satellite phone interception equipment, known as IMSI catchers or Stingrays, which can be used to identify mobile phones and intercept content, for example during demonstrations, has been on the list.

In 2013, the body decided to add what it publicly described as “surveillance and law enforcement/intelligence gathering tools” to the list, which included mass internet monitoring systems. One key example of such a tool is the surveillance product sold by French company Amesys, resulting in data that was allegedly used in torture interrogations in Gadhafi’s Libya.

Controversially, the list also included “intrusion software”. This type of software includes spyware sold by notorious vendors such as Hacking Team and FinFisher to authoritarian regimes around the world. While surveillance companies such as Hacking Team have become subject to restriction, and as a result of export control regulations are currently unable to export outside of the EU, the control has led to significant and legitimate concerns about its broadness and its potential impact on the ability of the information security community to conduct research.

As we say in our letter, “the consequence of hindering the exchange of vulnerability information poses a risk to all Internet users, and subsequently creates meaningful human rights concerns.”

Further, it has also been rumoured that the members last year discussed adding IT ‘forensic tools’ to the list, some of which can presumably be used for surveillance by law enforcement and security agencies, but which can also be used to improve the security of devices and networks.

Privacy International is very concerned that the export of the very systems we need to understand and improve the security of the systems that are increasingly essential to our lives is going to be regulated, and that necessary research will be limited. That’s why we wrote this letter with other rights organisations.

Without change, we will continue to have a world where companies are reluctant to admit their products are unsafe; governments don’t want to tell us where we are vulnerable so they can exploit those vulnerabilities against whoever they choose. Building an effective framework where offensive and defensive strategies and tools work hand in hand is essential as the complexity of our systems increases and we build on top of existing systems we assume to be secure.

Rather, we all urgently need to promote and support open and transparent security research because it is generative of defences. Hidden research is something harmful. Exploits shouldn’t be prevented, they should be exposed. While we need to prevent them from being used, we must not restrain their generation. We also need to be careful not to give governments the power to drive exploit research into secret domains.

The organisations are as a result writing to the participating bodies to urge them to update the list with these goals in mind. The letter is available here.