On Export Controls of Surveillance Technologies

On 13. May 2015 Switzerland issued a regulation on the export of internet and mobile phone surveillance products. Export control regulations can be split into application (i.e. who has to apply for a license) and scope of control (i.e. in which cases is export denied).

The scope of application in this case follows the December 2013 decision of the Wassenaar Arrangement on Export Controls. This includes the sale and procurement of intrusion software, IMSI catchers, and carrier class IP surveillance technologies.

The scope of control includes (in addition to the normal export restrictions*), the reason to belief that the exported good will be used by the end-user as a means of repression. This is important, as it introduces a new basis for export denial into substantive law. On this basis, Switzerland will be able to deny the export of technologies to end-users who are suspected of using the technology for repressive purposes. As such, it adds an important legal basis for a policy that is long overdue.

The Debate in the Information Security Community #

The information security community has a rich debate on whether export control is the right tool to address the human right concerns raised by surveillance technologies (see e.g. @botherder, Collin Anderson, or @halvardflake). They raise some important issues that need to be clarified in the application of the new policy:

• How does it affect security researchers?
• How does it affect global bug bounty programs?
• How does it affect the distribution of software intended to test security measures?

The answers to these questions are not easy and will depend on how the Swiss export control authority interprets the new regulation. The most controversial issues revolve around the definition of “intrusion software”, which could include vulnerability research, respectively demonstrable exploits. Thus, the broad inclusion of all intrusion software potentially places duties to file export control applications on people wanting to sell or share their exploits - even, for example, through a bug bounty program. The export control authority is therefore urged to exercise a narrow interpretation of such intrusion software. However, it is also clear that the scope of control does not allow for denying the license for such purposes. (Update: for more information on why exploits are a controversial approach of regulation see Sergey Bratus’ contribution on the matter).

By contrast, the language used in the new U.S. proposal for export control, which checks whether the transaction is “contrary to national security or foreign policy interest of the United States, including the foreign policy interest of promoting the observance of human rights throughout the world”, allows for a much broader spectrum of policy choices for the U.S. export control authority.

Effectiveness versus ethical policy #

The cynics and critics of export control policies lament that the policies are not effective in preventing the sale to the specific end-user, as technology companies can move headquarters to countries without such a control policy. They are right: export control has never been 100% effective. This does not mean though that it is not the right (and ethical) thing to do. The difficulty is to minimize the adverse effects on legitimate exporters whilst shutting down the exports directly supporting documented human rights abuses. In order to do this, it is our responsibility as a security community to support export control authorities in the difficult task of drawing boundaries between who has to file export license applications and who should be denied such licenses. It is in this spirit that I reiterate @botherder’s call to participate in this debate, for example by submitting a comment to the U.S. export control authority before the 20. July 2015.

*normal Swiss export restrictions are: risk of ABC weapon proliferation, export to states covered by an embargo, or the conventional armament of a state with the potential to threaten regional or global security.