By Cristin Goodwin, Senior Attorney, Microsoft
Today I participated in the Center for Strategic and International Studies (CSIS) discussion on “Decoding the BIS Proposed Rule for Intrusion Software Platforms” and the important topic of the Department of Commerce’s Proposed Rule on Intrusion Software under the Wassenaar Arrangement. We agree strongly that the Department of Commerce’s intent to help prevent the misuse of security technologies by those who seek to violate human rights is important. We disagree with the current draft of the Proposed Rule, but believe that the U.S. government can work together with the private sector to bring about positive changes to the Proposed Rule.
While the Wassenaar Arrangement proposes to regulate the export of surveillance systems the same way it regulates traditional weapons, the scope of the proposed rule is overbroad and it would hinder Microsoft’s work to help protect customers. Under the Proposed Rule, Microsoft would no longer have ready, real-time access to help protect its customers as much of the information or tools that it uses to help protect them would now be labeled ”intrusion software,” and considered a potential violation of export control laws. As we stated in our Comments, we strongly urge BIS to fundamentally rethink the scope of the Proposed Rule in coordination with industry and the security community.
In a connected world where technology is deployed in the cloud and protecting customers worldwide, any licensing regime must be simple, scalable, and narrowly tailored, or else it will impact innovation and impede security. Technology should not be used to violate human rights – the original intent of the regulation is admirable. We also believe that goal is harder to ensure with a broad licensing regime that impacts not only security, but the development process itself. The security community must be able to respond, defend, collaborate and innovate in a global, “follow the sun” and real-time manner.
Microsoft is a truly global company, with employees in over 128 countries. We have thousands of employees around the world engaged in product development and security activities that may be impacted by the Proposed Rule. We also need and want to share information and respond to threats with researchers and responders at large companies, as well as academics, small companies, and solo practitioners around the world.
We believe that the Proposed Rule, if implemented, would require hundreds or thousands of export licenses per year – risking delays in responding to security issues – while the Department of Commerce works its way through the many daily, around-the-clock requests that a global company would need.
We believe that the misuse of technology to circumvent security in order to harm human rights is worth fighting to limit. The security community is a robust and creative group, which should be included in this dialogue to help create a new Proposed Rule. Microsoft commits to our continued participation in this important dialogue to help ensure that customers know that their data is secure and private.