Google: New export rules could be 'disastrous'

Google is warning that the Commerce Department’s attempt to control the export of hacking tools will “hamper our ability to defend ourselves, our users, and make the web safer.”

“It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure,” the company said late Monday in a blog post.


Google’s remarks align the search engine giant with the cybersecurity community, which has been raising red flags for months about a Commerce Department proposal that would require companies to obtain licenses when exporting technology behind “intrusion software.”

Intrusion software is used to crack into computer networks, pilfer personal data and spy on political dissidents and foreign foes. The government is hoping to staunch the flood of these tools toward cyber crooks and repressive regimes.

But Google and security experts are warning that the requested update is unfeasible and would quash legitimate security research.

Google said the new rules would force the company to seek “thousands — maybe even tens of thousands — of export licenses.”

“Since Google operates in many different countries, the controls could cover our communications about software vulnerabilities,” the company added, including emails, instant messages, potentially even in-person conversations.

“If we have information about intrusion software, we should be able to share that with our engineers, no matter where they physically sit,” Google said.

Google submitted official concerns to Commerce shortly before the Monday night deadline.

The digital behemoth is also worried about its long-standing “bug-bounty” program. Google has given out over $4 million to people worldwide who present the company with flaws they’ve discovered in Google’s open-source products.

Under Commerce’s proposal, Google and others fear that this type of “ethical” hacking, where researchers stress test a network as a malicious hacker might, will be chilled.

“You should never need a license when you report a bug to get it fixed,” Google said.

Officials have insisted they have no intention of requiring licenses for above-board security research, only “the development, testing, evaluating and productizing of an exploit or intrusion software,” as Randy Wheeler, who oversees technology controls for the Commerce Department’s Bureau of Industry and Security, said in May.

Researchers say it’s a muddled distinction without a difference.

While Google submitted its own comments, a major tech industry trade group also weighed in late Monday against the proposal.

The Internet Association — which represents many of tech’s major players like Amazon, Facebook, reddit, Twitter and Yahoo — also filed comments echoing Google’s concerns.

The group warned that companies could even violate the rules by sharing technology about intrusion software within their own teams.

“It is important that legal frameworks promote legitimate security research,” said Internet Association President Michael Beckerman in a statement. “The proposed rules will have the opposite effect, making it more difficult, not less, to fortify networks and protect end user data.”