The US Bureau of Industry and Security just published an FAQ about the proposed implementation of the Wassenaar Arrangement.
Click here for the FAQ. After checking it out (or the quotes below), what are your thoughts on the proposed changes and the clarifications in this FAQ?
Some highlighted sections:
Doesn’t the rule potentially criminalize hacking?
No. The rule would control the export of hardware and software delivery tools, as well as the export of technical data for developing exploits (“intrusion software”). The rule as proposed would not control the export of exploits to a target system since “intrusion software” would not be controlled. Also, the Export Administration Regulations (EAR) do not control services, only the export of commodities, software and technology. Thus, “hacking”, as that term is generally understood, does not fall under the jurisdiction of the EAR, except to the extent there is an associated export of hardware, software, or technical data.
Doesn’t the rule expose researchers to criminal prosecution if they carry information on exploits to a public conference, unless they publish it before the conference?
Under Section 734.7 of the EAR, information that is published, or released at an open conference, is not subject to the EAR. That section also specifies that it would not be an export to transfer the technical data to conference organizers with the intent that it will be published at the conference.
BIS welcomes comments on whether further clarification is needed on when information potentially subject to these rules would be considered “publicly available” and not subject to the EAR.