UPDATE 2015-12-09: more news regarding the US: The Force Awakens: Dec 8 Wassenaar Meeting Notes.
UPDATE 2015-07-16: on the US implementation that exceeds what was agreed on in the Wassenaar Arrangement: Coalition of Security Companies Forms to Oppose Wassenaar Rules (Threatpost)
UPDATE 2015-06-08: on the US implementation that exceeds what was agreed on in the Wassenaar Arrangement: Bug Bounties in Crosshairs of Proposed US Wassenaar Rules (Threatpost)
UPDATE 2015-05-26: Wassenaar Restrictions on Speech (Adam Shostack)
UPDATE 2015-05-25: Why changes to Wassenaar make oppression and surveillance easier, not harder (Halvar Flake)
UPDATE 2014-11-07: EU catches up, takes steps to control export of intrusion spyware, IP monitoring (Privacy International)
UPDATE 2013-12-13b: Privacy International covered Wassenaar here (Dec 6), here (Dec 9) and here (Dec 9) and published A guide to the Wassenaar Arrangement (Dec 10). Kudos to Eric King (@e3i5) for pointing this out!
UPDATE 2013-12-13: Collin D. Anderson points out that states have to codify the Wassenaar controls, and that “engagement is pretty key to avoiding harm and getting some use out of the regulations”. If you live in one of the 41 states that participate in the Wassenaar Arrangement, perhaps it’s a good idea to get engaged in your government’s codification of the export control on intrusion software. These are the participating states: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, and the United States.
============ ORIGINAL POST IS BELOW THIS LINE ============
As of December 4th 2013 “intrusion software” is export-controlled as a “dual-use” technology under the Wassenaar Arrangement. “A group of 41 countries, including all EU member states, the US and Russia, has decided to control the export of certain intrusive technologies”, states the blog of MEP Marietje Schaake (D66 party).
The List of Dual-Use Goods and Technologies of December 4th 2013 (.pdf) states that controls do not apply to technology available to the general public or to “basic scientific research” (does anyone know whether this indeed in practice exempts penetration testing and the security research community, academic and non-academic, as we know it today?). According to the blog, the primary aim of the export control is to prevent export to authoritarian regimes of “technology to spy on and repress their population”; the same technology “can also be used against us in a cyber-attack or for corporate espionage”. The blog states:
“That is a crucial first step, but this agreement does require more work. It lacks precision and the terms that are used are open for interpretation. Because of this, some dangerous technologies will not be controlled, whereas other harmless ones might be. We need clear definitions so that we do not inhibit the transfer of harmless software that helps people gain access to information or freedom of speech.”
I first cite some context from page 3, and below that, the parts that cover “intrusion software”:
GENERAL TECHNOLOGY NOTE
The export of “technology” which is “required” for the “development”, “production” or “use” of items controlled in the Dual-Use List is controlled according to the provisions in each Category. This “technology” remains under control even when applicable to any uncontrolled item.
Controls do not apply to that “technology” which is the minimum necessary for the installation, operation, maintenance (checking) or repair of those items which are not controlled or whose export has been authorised.
Controls do not apply to “technology” “in the public domain”, to “basic scientific research” or to the minimum necessary information for patent applications.
GENERAL SOFTWARE NOTE
The Lists do not control “software” which is any of the following:
1. Generally available to the public by being:
a. Sold from stock at retail selling points without restriction, by means of:
- Over-the-counter transactions;
- Mail order transactions;
- Electronic transactions; or
- Telephone call transactions; and
b. Designed for installation by the user without further substantial support by the supplier;
Note: Entry 1 of the General Software Note does not release “software” controlled by Category 5 – Part 2 (“Information Security”).
2. “In the public domain”; or
3. The minimum necessary “object code” for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.
Note: Entry 3 of the General Software Note does not release “software” controlled by Category 5 – Part 2 (“Information Security”).
Pages 72-74 mention “intrusion software” on the dual-use list:
DUAL-USE LIST – CATEGORY 4 – COMPUTERS
4.A SYSTEMS, EQUIPMENT AND COMPONENTS
4.A.5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software“.
Note: The status of “software” for equipment described in other Categories is dealt with in the appropriate Category.
4.D.1. “Software” as follows:
a. “Software” specially designed or modified for the “development” or “production” of equipment or “software” specified by 4.A. or 4.D.
4.D.2. “Software” specially designed or modified to support “technology” specified by 4.E.
4.D.4. “Software” specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software“.
4.E. TECHNOLOGY
4.E.1. “Technology” as follows:
a. “Technology” according to the General Technology Note, for the “development”, “production” or “use” of equipment or “software” specified by 4.A. or 4.D.
c. “Technology” for the “development” of “intrusion software“.
Page 209 defines “intrusion software”:
Cat 4 “Intrusion software“: “Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network-capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
Notes:
- “Intrusion software” does not include any of the following:
a. Hypervisors, debuggers or Software Reverse Engineering (SRE) tools;
b. Digital Rights Management (DRM) “software”; or
c. “Software” designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery.
- Network-capable devices include mobile devices and smart meters.
Technical Notes
1. ‘Monitoring tools’: “software” or hardware devices, that monitor system behaviours or processes running on a device. This includes antivirus (AV) products, end point security products, Personal Security Products (PSP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) or firewalls.
2. ‘Protective countermeasures’: techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) or sandboxing.