The US is rewriting its controversial zero-day export policy

Experts say the rules would weaken defensive security tools

Jul 29, 2015, 8:15 PM UTC

For two months, security researchers have been fighting a controversial export policy known as the Wassenaar Arrangement — and now it looks like they may have won a crucial battle in that fight. In a closed-door meeting this morning, a Commerce Department representative said the agency's Wassenaar-inspired export controls were currently being rewritten after the comment period ended last week. The new version will be "quite different," according to a Commerce official quoted by PoliticoPro, and will be followed by a second round of public comments.

First laid out in May, the Department of Commerce's new export rules were controversial from the start, with many in the security community saying the rules would make it impossible to develop and deploy benign security tools. Companies also raised concerns that the rules would hamper international bug bounties, which are now a common security practice among software vendors. Commerce held a two-month comment period on the proposed rules, in which time Google, Facebook, and dozens of other companies filed comments critical of the regulations as written. Now that the comment period is closed, it appears Commerce took those criticisms to heart.

But while US regulators have hinted at significant revisions, it's unclear how they'll square the security world's objections with the country's larger international obligations. America signed on to the Wassenaar Arrangement in 2013, and while the exact regulations are open to interpretation, the arrangement obligates some form of new export control on intrusion software. As the latest struggle demonstrates, it will be very difficult to write those controls without causing problems for security researchers unless Wassenaar itself is revised at the annual meeting of the member states in December.

The US is rewriting its controversial zero-day export policy

The US is rewriting its controversial zero-day export policy

Experts say the rules would weaken defensive security tools

Biden signs TikTok ‘ban’ bill into law, starting the clock for ByteDance to divest it

Steam will stop issuing refunds if you play two hours of a game before launch day

What happens after your country runs on 99 percent renewable electricity?

A morning with the Rabbit R1: a fun, funky, unfinished AI gadget

Framework won’t be just a laptop company anymore

More from Policy

The EU’s tough new moderation rules are about to cover a lot more of the internet

Apple unbanned Epic so it can make an iOS games store in the EU

New bill would let defendants inspect algorithms used against them in court

Kids Online Safety Act gains enough supporters to pass the Senate

The US is rewriting its controversial zero-day export policy

The US is rewriting its controversial zero-day export policy

Experts say the rules would weaken defensive security tools

Share this story

Biden signs TikTok ‘ban’ bill into law, starting the clock for ByteDance to divest it

Steam will stop issuing refunds if you play two hours of a game before launch day

What happens after your country runs on 99 percent renewable electricity?

A morning with the Rabbit R1: a fun, funky, unfinished AI gadget

Framework won’t be just a laptop company anymore

More from Policy

The EU’s tough new moderation rules are about to cover a lot more of the internet

Apple unbanned Epic so it can make an iOS games store in the EU

New bill would let defendants inspect algorithms used against them in court

Kids Online Safety Act gains enough supporters to pass the Senate