Google: Changes to Treaty Could Dismantle Security Research Collaborations
What is commonly called the Wassenaar Arrangement, a less-than-formal agreement between the United States and 40 other armed nations, including Russia, has Google up in arms.
The primary problem? Wassenaar effectively makes it illegal for a researcher in a Wassenaar zone to inform a company based in a non-Wassenaar country of a security vulnerability. Or, worse, in the case of regular exports, the researcher may not be able to disclose flaws quickly and evenly to those who are using the software.
Google security researchers Neil Martin and Tim Willis have fleshed out Google’s position in a recent blog post.
We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users, and make the web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.
The list of Google’s complaints focuses on a lack of clarity. In their words, “you should never need a license when you report a bug to get it fixed.” Companies like Google pride themselves on compliance, and they also aim to be global. It could become quite difficult for them to be globally compliant if a treaty made it illegal to disclose vulnerabilities and bugs, and the result would be a very uneven experience depending on the user’s nationality.