Wassenaar Arrangement Implementation (updated)

The Latest (08.01.2015) – Proposed Rules Pulled for Rewrite:

Pardon the “Intrusion” – Cybersecurity Worries Scuttle Wassenaar Changes – Lexology

Unusual Re-do of US Wassenaar Rules Applauded – Kaspersky Lab Threat Post

The US is Rewriting its Controversial Zero-day Export Policy – The Verge

Proposed Implementation:

Bureau of Industry and Security’s Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items (pdf; 49 pages)

BIS FAQs on the Intrusion and Surveillance Items Implementation

Background:

Wassenaar Arrangement – Wikipedia

The International Rules that Have the Security World on Alert – The Verge

Analysis and Opinion:

Why an Arms Control Pact has Security Experts Up in Arms – Kim Zetter in Wired

Proposed U.S. Export Controls: Implications for Zero-Day Vulnerabilities and Exploits – Mailyn Fidler at LawFare

Changes to Export Control Arrangement Apply to Computer Exploits and More – Jennifer Granick and Mailyn Fidler at JustSecurity

What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It? – EFF

Also from the EFF: Commerce Department FAQ on Proposed Wassenaar Implementation Gives Answers, Raises More Questions

Why Changes to Wassenaar Make Oppression and Surveillance Easier, Not Harder – ADD/XOR/ROL blog

Why You Should Fear the New Regulations More Than You Think – Dave Aitel

Related:

Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis (pdf; 78 pages) – academic paper by Mailyn Fidler forthcoming in “I/S: A Journal of Law and Policy for the Information Society”

Should Twitter, Facebook and Google Executives be the Arbiters of What We See and Read?

“It’s an imperfect analogy, but, given this extraordinary control over the means of global communication, Silicon Valley giants at this point are more akin to public utilities such as telephone companies than they are ordinary private companies when it comes to the dangers of suppressing ideas, groups and opinions. It’s not hard to understand the dangers of allowing, say, AT&T or Verizon to decree that its phone lines may not be used by certain groups or to transmit certain ideas, and the dangers of allowing tech companies to do so are similar. In the digital age, we are nearing the point where an idea banished by Twitter, Facebook and Google all but vanishes from public discourse entirely, and that is only going to become more true as those companies grow even further.” – Glenn Greenwald at The Intercept

“We need, as web inventor Tim Berners-Lee has urged, to re-decentralize the Internet, and restore its promise as a medium where the action takes place at the edges of networks—where we wouldn’t need permission to communicate and innovate. The first way we users of Internet services can re-decentralize is to create—and make use of—our own home base online. In practical terms, this means getting your own domain name and creating, at a minimum, a blog where you establish your own identity. The page you think is yours at LinkedIn, Tumblr, Instagram (Facebook), or any of the other centralized services is emphatically not truly your own; it’s theirs.” – Dan Gillmor at The Atlantic

More Morozov

“A robust privacy debate should ask who needs our data and why, while proposing institutional arrangements for resisting the path offered by Silicon Valley. Instead of bickering over interpretations of Facebook’s privacy policy as if it were the US constitution, why not ask how our sense of who we are is shaped by algorithms, databases and apps, which extend political, commercial and state efforts to make us – as the dystopian Radiohead song has it – ‘fitter, happier, more productive’? This question stands outside the privacy debate, which, in the hands of legal academics, is disconnected from broader political and economic issues. The intellectual ping pong over privacy between corporate counsels and legal academics moonlighting as radicals always avoids the most basic question: why build the ‘private spaces’ celebrated by Mr Zuckerberg if our freedom to behave there as we wish – and not as companies or states nudge us to – is so limited?” — from Evgeny Morozov’s OpEd in the Financial Times

08/11/2014: 

Evgeny Morozov on “Facebook’s Gateway Drug”

“[T]he ‘Internet’ in ‘Internet.org’ is not a natural resource that looks and costs the same everywhere based on its inherent features. It is a result of complex, controversial policy decisions over the use and ownership of communication infrastructure. These decisions follow years of lobbying and clever manipulation of national and international bodies by telecom operators, and are a direct consequence of various privatization and liberalization reforms in those countries. Facebook, because of its own long-term interest in expanding its advertising reach in the developing world, can make that Internet more accessible. But to accept its bargain is to abandon the fight to create different institutional arrangements — say, to rein in the power of telecom operators and provide cheaper, more equitable services.” — from Morozov’s OpEd in The New York Times

08/5/2014: 

Microsoft’s GC on Privacy and Regulation

Brad Smith, executive vice president and general counsel at Microsoft, speaking at the Brookings Institution on “The Future of Global Technology, Privacy and Regulation” in light of the Snowden revelations:

“We need to recognize that we do need, in my opinion, a broad based legal and regulatory model when it comes to company use of personal information . . . . Imagine a bank that doesn’t take good care of its customers’ money. Do you think it has a bright future? What do you think of a tech company that doesn’t take good care of its customers’ information? I believe that over the long term the world will expect and even insist that we pay as much attention to the personal information of consumers as banks do to their money. And the sooner we get started on that, and the faster we come together to have [a] kind of broad based conversation . . . . . the more successful we will be.”

Total time: 1 hour, 30 minutes.
Brad Smith’s main presentation: 03:50 to 48:35
Moderator questions: 49:47 to 1:05:11
Audience questions: beginning 1:05:50

Related: Personal Privacy Is Only One of the Costs of NSA Surveillance — Wired:

“American firms in the cloud computing sector are feeling the pressure as consumers and corporate clients reconsider using third-party storage companies in the U.S. for their data. Companies like Dropbox and Amazon Web Services reportedly have lost business to overseas competitors like Artmotion, a Swiss hosting provider. The CEO of the European firm reported that within a month after the first revelations of NSA spying went public, his company’s business jumped 45 percent. Similarly, 25 percent of respondents in a survey of 300 British and Canadian businesses earlier this year said they were moving their data outside the US as a result of NSA spying. The Information Technology and Innovation Foundation has estimated that repercussions from the spying could cost the U.S. cloud computing industry some $22 to $35 billion over the next few years in lost business.”

08/1/2014: 

Recommended:

Cyber Law, Tech and Policy

“Arnbak and Goldberg said that the NSA could increase its surveillance of Americans by modifying overseas communications networks so that they would intercept data being transmitted between destinations inside the United States. As soon as the data passes through a foreign server, the NSA could legally monitor it, they said. ‘There are all sorts of things you can do to change the flow of traffic,’ Goldberg said.”

Internet traffic rerouting, swaps and sharing of intelligence with foreign intelligence services, etc. – all these loopholes serve to make vigorous Congressional and judicial oversight of permitted U.S. intelligence activities of prime importance. See also, by the paper’s authors, ‘Loopholes for Circumventing the Constitution’, the NSA Statement, and Our Response at Freedom to Tinker.

“‘You should presume that someday, we will be able to make machines that can reason, think and do things better than we can,’ Google co-founder Sergey Brin said in a conversation with Khosla Ventures founder Vinod Khosla. To someone as smart as Brin, that comment is as normal as sipping on his super-green juice, but to someone who is not from this landmass we call Silicon Valley or part of the tech-set, that comment is about the futility of their future . . . . [T]he new machine age is already underway, unseen by us. ‘It is not really just a human world,’ said Sean Gourley, cofounder and CTO of Quid, who points out that our connected world is producing so much data that it is beyond human cognitive abilities and machines are going to be part of making sense of it all. So the real question is what will we do and what should we — the technology industry and we the people — do?”

General Interest

07/14/2014: 

Essential Reading

“Recall that advertising is when someone pays you to tell your users they’ll be happy if they buy a product or service . . . . Investor storytime is when someone pays you to tell them how rich they’ll get when you finally put ads on your site . . . . Most startups run on investor storytime. Investor storytime is not exactly advertising, but it is related to advertising. Think of it as an advertising future, or perhaps the world’s most targeted ad. Both business models involve persuasion. In one of them, you’re asking millions of listeners to hand over a little bit of money. In the other, you’re persuading one or two listeners to hand over millions of money . . . But investor storytime is a cancer on our industry. Because to make it work, to keep the edifice of promises from tumbling down, companies have to constantly find ways to make advertising more invasive and ubiquitous. Investor storytime only works if you can argue that advertising in the future is going to be effective and lucrative in ways it just isn’t today. If the investors stop believing this, the money will dry up. And that’s the motor destroying our online privacy.”

“We need to decentralize the data, you understand. If we keep it all in one great big pile—if there’s one guy who keeps all the email and another guy who does all the social sharing about getting laid—then there isn’t really any way to be any safer than the weakest link in the fence around that pile. But if every single person is keeping her and his own, then the weak links on the outside of that fence get the attacker exactly one person’s stuff. Which, in a world governed by the rule of law, might be exactly optimal: one person is the person you can spy on because you’ve got probable cause. Email scales beautifully without anybody at the center keeping all of it. We need to make a mail server for people that costs five bucks and sits on the kitchen counter where the telephone answering machine used to be, and that’s the end of it. If it breaks you throw it away. Decentralized social sharing is harder, but not so hard that we can’t do it. Three years ago I called for it. Wonderful work has been done that didn’t produce stuff everybody is using, but it’s still there: it can’t go away, it’s free software, it will achieve its full meaning yet.”

“As our desires conflict with the [intelligence community], we become less and less worthy of rights and considerations in the eyes of the [intelligence community]. When the NSA hoards exploits and interferes with cryptographic protection for our infrastructure, it means using exploits against people who aren’t part of the NSA just doesn’t count as much. Securing us comes after securing themselves. In theory, the reason we’re so nice to soldiers, that we have customs around honoring and thanking them, is that they’re supposed to be sacrificing themselves for the good of the people. In the case of the NSA, this has been reversed. Our wellbeing is sacrificed to make their job of monitoring the world easier. When this is part of the culture of power, it is well on its way to being capable of any abuse.”

06/14/2014: