Monday, May 9, 2016

A Civil Libertarian Argument against Wassenaar

I'm writing this just for one person who happened to give a quick talk at the last Commerce Dept ISTAC meeting, but it is applicable perhaps to other people, such as the German Government.

First of all, there is an element of cognitive dissonance in that some civil libertarians would agree that restrictions on cryptography are technically infeasible and counterproductive, and then turn around and say that restrictions on offensive information technology (aka "Intrusion software", as Wassenaar would call it) must be done to protect the "poor journalists and dissidents in Egypt!"

But what the Government would have to do to regulate Penetration Testing Software is the exact same thing they would have to do to regulate encryption! All of your programs would have to go before the NSA who would get to choose who you gave them to. From a civil libertarian perspective, how about we don't make the NSA the Rabbi in charge of choosing which programs are kosher and not? The technical argument against that has been well documented as well - no clear definition of kosher information can be written.

And of course the argument may be that you can draw a clear line between "really offensive technology" and "harmless penetration testing" technology, but this is technically harder to do than building a scalable key escrow system for all of cryptography, which is what governments would prefer in order to solve the "going dark" problem.

Not only are programs controlled under the proposed regulations, but so is any discussion of offensive information technology. You would limit all discussion of hacking to behind classified walls, changing the balance of power far in favor of the very governments you fear. And by having governments regulate this community with criminal law, you get a chilling effect, you get differential treatment for people who agree to backdoor software, you get all the things that a government can do with coercion when the law is so vague that everyone is in legal jeopardy.

In other words, despite wanting to protect dissidents, the civil rights argument that we should therefore regulate penetration testing technology and all related work runs into the exact same issues that the cryptowars have already fought! We would be back to printing Perl code on shirts!

And the cat is already out of the bag. Export control is a hammer you use when you have some ability to limit the spread of information. But the Internet age makes that a thousand times harder for everything, and for this sector almost all work is done globally already. It would be the wrong tool for the job even if everything else was right about it.

So in any case, a better solution to protecting dissidents would involve perhaps two other things:

  1. Pressuring governments, using traditional State Department means, not to assassinate and imprison journalists, especially governments we give billions of dollars to.
  2. Teaching dissidents operational security. Keep in mind none of what Gamma Group and Hacking Team were selling would have worked against a non-jailbroken iPhone. That said, nothing is going to protect you from your local government if they want you badly enough.

I tried to keep this argument concise and from a civil liberties perspective. If you want another take, I'd recommend Thomas Dullien's more EU-centric approach. And of course, if you want to discuss this at length, you can subscribe to the DailyDave email list, which is often used for such things.

