Wednesday, May 20, 2015

Designed to Fail: US to Classify 'Surveillance Capable' Software as Weapons

This one will blow your mind. The retard level of this proposed law is stratospheric. In countries like France, internet entrepreneurship has suffered because of lame regulations that are supposed to protect their citizens from 'unfairness'. One great example is when Uber started gaining traction in France. Suddenly, the French taxi market began to expand, as normal people were using Uber to make some money giving rides. The French bureaucracies did not like that, claiming that it was 'unfair to licensed taxi drivers' who are trying to make a living. Rather than let capitalism do its job (which would have forced the taxi companies to innovate or lower their rates), they just banned apps like Uber. So it's no wonder that none of the Googles and Apples of the world are French. Innovating in a place like that would be impossible. I suppose this is one reason why so many people have come to America seeking better lives, because here in America, whoever does the best job wins. We know that when government interferes with business, it's usually a very bad thing. Of course there are times when regulations are necessary, but those occasions are rare, and when they do occur, the will of the people is usually taken into consideration.

When the world found out that the NSA was stealing the entire world's metadata, business in tech industries suffered. Hell, even I stopped doing business with American cloud computing service providers, and switched to overseas providers instead. That's the way of the universe, and the way of capitalism. Edward Snowden once said that the British intelligence agencies are worse than the NSA, and that Great Britain is the most surveilled state in the world. I guess it's not surprising that I can't think of one British tech company that is doing well either.

Today I found out that the United States intends to classify software with surveillance capabilities as weapons, and to place export restrictions on such software, so that it is illegal to 'export' such software to anywhere but Canada. These proposed regulations are completely ridiculous, and if they become law, then they will seriously stall research and development in the computer security field. Here is the summary of the proposal:

"The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013 with regard to systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; software specially designed or modified for the development or production of such systems, equipment or components; software specially designed for the generation, operation or delivery of, or communication with, intrusion software; technology required for the development of intrusion software; Internet Protocol (IP) network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor.
BIS proposes a license requirement for the export, reexport, or transfer (in-country) of these cybersecurity items to all destinations, except Canada. Although these cybersecurity capabilities were not previously designated for export control, many of these items have been controlled for their “information security” functionality, including encryption and cryptanalysis. This rule thus continues applicable Encryption Items (EI) registration and review requirements, while setting forth proposed license review policies and special submission requirements to address the new cybersecurity controls, including submission of a letter of explanation with regard to the technical capabilities of the cybersecurity items."
[1]

You can read more about it here. So basically, the Bureau of Industry and Security wants to classify software with 'intrusive' capabilities as weapons, and wants to require people to be licensed to export it out of the country. This is definitely somewhere in between the first and tenth worst ideas I've ever heard. Being a developer myself, I often exchange code and work with people from all over the world. This is the way that the open source community works, and a law like this has the potential to completely destroy the open source cybersecurity community. Much of the software that we are working on could definitely be considered to have 'intrusive capabilities'. This is also how the computing industry works. In order to develop software to defend yourself from cyber threats, you need to get your hands dirty and exploit your own network, computer, or programs the same way that an attack would happen in the real world. If you are going to do that, then you need access to tools that could be considered malicious. If we start putting export regulations on that kind of software, then the open source community will be the first to suffer. The big businesses will be able to afford the licenses, and the little guys like me will not. Some of the worst security vulnerabilities out there were discovered by people overseas, using software developed here in America. It seems that this law is designed to fail, and to weaken our cyber security systems. It will also effectively consolidate the computer security industries into a few giants, squelching creativity and innovation, and add just one more roadblock for entrepreneurs in the digital world.

If this becomes law, then in the near future I may not be able to legally continue exchanging certain code on GitHub with my friends in Europe. And who will be in charge of deciding what software is considered a weapon? How will that process work? I don't even want to know. A law like this would also create serious headaches for people that run communities like GitHub, as they will likely be held responsible for the content other people upload to their site. So is GitHub supposed to block access to certain code with geographic restrictions? How the hell will that work? Everyone knows that content censorship attempts are some of the most failed undertakings in human history.

You don't see laws preventing the exportation of Swiss Army Knives or rat poison because they have the potential to kill people if used incorrectly. Ultimately, the way a piece of software or physical object is used depends completely on what the user chooses to do with it. Oh, and let's not forget that the biggest surveillance perpetrators are in fact our governments, and not black hat hackers in foreign countries.

These laws are currently open for public debate, and I suggest that if this news angered you as it did me, you submit a comment to BIS explaining what a horrible idea this is. Remember, the government that governs least governs best.
