Google is deeply concerned by a new set of controversial regulations for software exports, that will at their core, give the government an increased control over software and information; this includes unrestricted control over “intrusion software” that might target the United States population. The internet giant believes that the latest proposal will have a significant negative impact on the open security research community while at the same time harming the overall safety of the web. The Wassenaar Arrangement was made public by the United State’s Department of Commerce and is based on an international agreement written in December 2012 and ever since, it has been greatly criticized by security researchers, as it is directly affecting how the web can respond to potential threats such as Heartbleed and POODLE, which were both fixed with help from the tech community. Google just responded to these new regulations in a rather lengthy post into the company’s online security blog.
Neil Martin (Export Compliance Counsel at Google) and Tim Willis (part of Chrome’s security team), both co-authored the open letter in which it was stated that the current state of the proposed rules will harm the open security research community, essentially limiting the amount of research it could possibly do about a possible security exploit. Martin and Willis also noted how “It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure”, raising a lot of new concerns about how Google itself sees the new Wassenaar Arrangement more as a threat than a way to protect the web’s millions of users. Even if the proposed agreement is intended to make the web a safer place, a great number of users and companies alike have questioned the Wassenaar Arrangement’s main purpose.
Under the Wassenaar Arrangement, intrusion software could only be used under a granted licence in order to limit how cybercriminals find security exploits using said software. While the proposal will essentially limit cyber-criminals, it will also limit well-intended users that alert companies when finding a potential security threat in their software. Google sent the report directly to the Department of Commerce and asked the entity to revise the presented rules hoping that specific regulations are created to allow unrestricted bug reporting for international development teams.