A new proposal in the European Union would locally address many of the controversies over an international export control agreement that includes the United States.
The European Council proposed updates to the European Union’s export controls of militarized spyware on Wednesday. Those controls were a widely derided result of the annual 41-nation Wassenaar Arrangement of which the United States is part.
Wassenaar covers dual-use technologies – those with military and civilian uses. In 2013, the list of controlled products expanded to include surveillance software that member nations wanted to keep out of the hands of authoritarian states.
The Arrangement tasks each country to develop its own implementation – the EU operates as a bloc – and, though many nations had already passed their own implementations, when the U.S. announced its own implementation, it was met with international panic.
The U.S. is home to the lion's share of the cybersecurity industry and it became clear that any faithful implementation of the Wassenaar Arrangement terms would slow or even prevent the export of legitimate, critical network security testing products, stifle international presentations of research and, in general, hinder necessary cybersecurity practices worldwide. The U.S. is now trying to renegotiate the terms.
Meanwhile, after a data breach at the Italian military contractor Hacking Team, emails showed that Italy had issued a nearly unrestricted license for the company to ship its surveillance software to the kinds of regimes Wassenaar intended to thwart, including Bahrain, Morocco and Uzbekistan.
The new legislation creates stricter criteria for EU countries to issue licenses.
“In the past, we have too often seen how intrusive exfiltration technologies were exported to countries with a proven track record of human rights violations. National export control authorities must do serious assessments and not rubber stamp applications for a license,” Dutch Member of European Parliament Marietje Schaake said in a press release celebrating the proposal.
The proposal would also to carve out an exemption for exports made with “legitimate purposes, including law enforcement and internet security research.”
The proposal was made through the European Commission, the proposal generating body of the E.U., and will now be amended and argued by the Parliament and Council, which adopt the rules.