It's my pleasure. You're getting a real stack of attorneys today. We had alley in here and he was an attorney and then a panel of a bunch of them. This is going to be a really interesting set about the weaponization and regulation of security research, something that is pretty important to a lot of us here. I'm not going to introduce everybody individually. I'll probably let Jim take care of that. So, let's give our panel a big hand. (Applause) >> JIM DENARO: Thank you for coming to our panel. This is Licensed to Pwn: The Weaponization of Security Research. We appreciate you taking the time to explore this important issue with us. This is a unique time for the entire information security community. And here's why. The U.S. government is implementing rules that could change the way that information security is practiced in the United States. And more than that, it could even affect the way that we talk about information security, the way information is exchanged among us here. And if that sounds like a big deal, it is. And that's not an overstatement at all of the situation that we are currently looking at. Specifically, some new regulations are being proposed by the Bureau of Industry and Security, also known as BIS, which is what we will refer to it as here. That's within the U.S. Department of Commerce. The stated mission of BIS is to administer and enforce dual use export controls on various technologies, such as body armor, bulletproof windshield glass, encryption, most relevant to what we're doing, and those charges are now being expanded to cover some technologies that we are seeing more often here in this room, even. So this is an opportunity for us to organize and to present a coherent explanation of our concerns with respect to the regulations that are being proposed. So, with that, let me introduce our fantastic panel that we have here. In alphabetical order, for the folks that are here at the table first. 
Dave Aitel is an offensive security expert whose company, Immunity, is hired by major companies to try to hack their computer networks to find and, as a result, fix vulnerabilities that hackers and adversaries could use. The company is well-known for developing several advanced hacking tools used by the security industry such as SWARM, CANVAS, Accomplice, SPIKE, Unmask and INNUENDO. >> Matt Blaze is a Professor at the University of Pennsylvania and his research focuses on the architecture and design of secure systems based on cryptographic techniques and finding new cryptographic techniques. As you surely must know, he discovered a serious flaw in the U.S. government's Clipper encryption system. He is interested in the use of encryption in various security systems and controlled an attack against virtually all mechanical locks. Nate Cardozo is a Staff Attorney with the Electronic Frontier Foundation. He focuses on the intersection of technology, privacy and free expression. He has defended the right to blog, sued the U.S. government and lobbied Congress on American surveillance laws, and in addition he works on the EFF Coders' Rights Project counseling hackers, academics and security professionals at all stages of research. Mara Tam is a researcher and historian of policy, justice, culture and security who has authored, coauthored and contributed research for technical policy papers in arms control and security. After earning a degree in art history, she worked in bilateral negotiations between the United States and India and has been a panelist at academic conferences on language and history, including the security initiative convened by NATO and the European Science Foundation. And today we have with us also, by remote presence, a very special guest, Catherine Wheeler of the Bureau of Industry and Security. We are momentarily challenged with the AV. We'll see her later. But she is with us and we can see her and she can hear us and she will be able to hear you. 
So, I can tell you about her. She has served as the Director of the Information Technology Controls Division of the Bureau of Industry and Security's Office of National Security and Technology Transfer Controls since 2006. She is in charge of this. This is great. She was detailed to serve as acting Chair of the Operating Committee, which reviews agencies. And her experience here is incredibly relevant for this task that we have here of trying to get to rules that our community can live with and that also forward the missions of BIS. So, we can't thank her enough for taking the time to be with us today. And I'm the Moderator for this lovely panel, I'm Jim Denaro, a data security and intellectual property attorney, and I advise hackers on how to stay out of trouble or get in less trouble. So, with that said, let's dive into the meat of this. This is really about export control. And it's a really kind of in-the-weeds subject. And to really understand the significance of the rules that are being proposed and how they would affect the community in such a fundamental way, it is worth taking a moment to explore: what is export control? How does it apply to you? How could it apply to you and why does it matter? So a few notes of background before we get into the meat of this particular situation here. So, the U.S. government controls the exports of sensitive equipment, software and technology as a means of promoting national security interests and foreign policy objectives. This control is achieved by requiring people and companies to apply for licensing before exporting articles that are covered by the rules. So the question is, what is covered by export control? That is really what the debate is here. So, at a high level, we can break it into two categories. First, traditional defense articles, which are not at issue here, but they have their own licensing regime. Things that have no commercial application. They are covered by the International Traffic in Arms Regulations. 
These include, for example, armored combat ground vehicles, tanks, as well as something more relevant for us here, computers that are specifically designed or developed for military applications. Second, our space here, we have items that are considered to have both commercial and military application. These are considered to be dual use items and that is a term of art. And they are controlled by the Export Administration Regulations for software and technology, including things such as high performance computers and encryption, which many of you have probably come across already. In fact, the schedule of controlled goods has a schedule titled "information security." So you are already kind of in range here. But those rules are really about cryptography and that's what you see the most. So, for these dual use licenses, the U.S. Department of Commerce receives somewhere between 12,000 to 14,000 applications a year for this type of export activity. And compliance matters. For these dual use export control violations, criminal penalties can reach a maximum of $500,000 per violation and an individual person can get up to 10 years in prison. They can also be the subject of civil fines up to 12,000 dollars per violation and denial of export privileges. And in some cases both civil and criminal cases can be brought. So the stakes are fairly high at this point. So far, in the world we live in, nobody in the community has been concerned that exploits or zero days or even things like the Hacking Team system were the subject of much export control, if any at all. So, there was no concern there. But, that is changing. That brings us to today and what you may have heard of as the Wassenaar Arrangement. The Wassenaar Arrangement is 41 countries that agreed to control certain dual use items. The U.S. participates in this group and the list of controlled goods is updated every year. 
Here is where it gets interesting. In 2013, the Wassenaar Arrangement agreed to add certain things to the list. And this is the text of the Wassenaar Arrangement. I wouldn't expect you to read this now and it's too small anyway, but the key here, the language, is that intrusion software will be regulated as a dual use item and, as you can imagine, I'm sure 1000 questions occur to you. What is intrusion software? And so on. So that is really the item here that we are interested in. So, the U.S. has committed to implementing the Wassenaar Arrangement agreement at the national level here in the U.S. So, rules will have to be written and enforced here for all of us in the U.S. that regulate this. And on May 20, 2015, BIS published the proposed rules for implementing this Wassenaar Arrangement locally, and most notably, and of particular concern to those in the information security and research community, these rules seemed to go beyond the bare requirements of this simple statement here, and that is cause for much concern that we'll be addressing in particular here. So comments were taken on the proposed rules and in light of those comments, some things are happening and we'll hear about what the response to those comments has been. So that is the broad outline of what it is we are talking about and why we are here today and why it matters. So, here is the plan. We are going to go forward on the panel, each panelist here comes from a different perspective and has some brief opening remarks. So, we are going to hear those remarks by the various panelists and then we'll dive into some more questions and hopefully things will get pretty engaging. So with that, Mara is going to kick it off >> MARA TAM: So this is a quick and dirty introduction to dual use export controls. What are they for? Basically to avoid this. 
They are controls designed to monitor and regulate the ecosystems around weapons of mass destruction, or at least that is where we get our modern export control regimes from. Here is some of the stuff that export control is supposed to regulate. Weapons of mass casualty, weapons of mass destruction, which probably doesn't mean what you think it means. Disruption means something a lot worse than the Uber definition. A puppy. So, the core logic of export control is nonproliferation. It is controlling the spread of dangerous technologies and this is done through a couple of mechanisms. One of them is through knowledge, which is deemed export; this is going to be of concern to a lot of people in this room. And then the transfer of stuff or required stuff. And this is where we get into dual use. And we identify choke point technologies for this. We want to find something where, if you control it, you can control further progress in the development cycle. These are difficult to identify. They have to be rare and conspicuous because you need to be able to control every iteration of it or close to it. So you can see why, for intrusion and surveillance software, that principle sort of falls apart immediately. Command and delivery platforms just, they are too ubiquitous, they don't -- that doesn't work. So here is a short history of the sort of dual-use we have to work with and the international agreements for export control that have happened sort of in the modern era. We started off with the OEEC, which was an offshoot of the Marshall Plan, and they turned into the OECD. And their counterpart is the Council for Mutual Economic Assistance, CMEA, which, because we are adults, we decided to call Comecon. So arms exports to Comecon were controlled under CoCom. These are the original CoCom countries. So this is what we had from about just after the Second World War until the mid-90s. 
And the successor to CoCom is the Wassenaar Arrangement, which mashes together Comecon and OECD in this lovely mix and this is what we are stuck with now. And these are all of the U.S. task force agencies tasked with export control reforms. Like all great bureaucratic disasters, this one was inherited from the Cold War and this is one of the issues that we have right now: there are so many people involved in this process that getting good regulation is really hard. So, the question I want to leave you with is, why is a bug like a bomb? What is it about intrusion and surveillance software and exploits that lends them or does not lend them to regulation under a dual-use export control regime? >> With that, we'll switch to Randy Wheeler. So let's see how we are going to take this. >> Randy, can you say something? >> RANDY WHEELER: Yes, I can say something. Can everybody hear me? >> She doesn't look like a dog. She is a human being. >> RANDY WHEELER: I can hear lots of people. (Applause) What just happened? >> MARA TAM: We finally got through to you >> RANDY WHEELER: Me personally or both? >> MARA TAM: You, yourself. >> RANDY WHEELER: Oh, my goodness. >> MARA TAM: I realize you can't see everybody but wave hello to DEF CON. >> RANDY WHEELER: Hello DEF CON 23. >> Don't turn it around. Bad idea. (Laughs) >> So, technical issues, we cannot see Randy and her slides at the same time. So now that we all had a chance to, or at least you had a chance to, say hi to her, we are going to have to switch over to her slides so you'll hear her. You'll hear her but not see her. >> This is a two-hour meeting for obvious reasons (Laughs) >> RANDY WHEELER: All set? Thank you very much for inviting me to participate in this panel. I really appreciate the opportunity to address folks at DEF CON. 
And I'm going to give a very, very brief overview of the proposed controls on intrusion software items and IP network systems in the Export Administration Regulations that Nate mentioned earlier. Next slide. So, my next slide isn't working. So as Nate mentioned, in the Export Administration Regulations, we have national security controls on computers, telecommunications and information security. These listed items appear in the Commerce Control List, which is part of the Export Administration Regulations. And there are other categories as well. The category 4 and category 5 part one and two controls are a responsibility of my division, the Information Technology Controls Division. We process approximately 2500 export license applications and also 2000 commodity classification requests per year. To date, most of our work has been in the encryption area in category 5 Part II. Partly because over the past several years, as everybody knows, everything has encryption in it and so, items that would have been in category 4 or category 5 part one have moved over into the encryption control section. Within each category, as Nate mentioned, there are entries for commodities, test equipment, software and technology. The Information Technology Controls Division comprises 9 licensing officers, including myself, and we have three electronics engineers on the staff and six export policy analysts. Next slide, please. The new control entries, the subject of the proposed rule, are three related list entries in category 4, namely systems, equipment, software, components specially designed or modified for the generation or operation of, or communication with, intrusion software. We also have a separate technology control for technology required for the development of said intrusion software. And then, the proposed rule also includes a definition of intrusion software. There is also a separate entry for network communications surveillance systems in category 5 part one, telecommunications. 
Next slide, please. As Nate noted, the control list entries were proposed in the Wassenaar Arrangement in 2013, and they were adopted by the Plenary in December 2013. It is worth noting that the category 4 and category 5 proposals were submitted by two different countries aimed at covering two different types of products. And the interesting thing about them was that they both had an element of human rights in the purpose of the control. The category 4 controls were aimed at offensive systems that are being sold not on the commercial market but directly to governments, potentially repressive regimes, to be used against their citizens. And the same element was present in the proposal for the category 5 part 1 monitoring surveillance systems. Once the Wassenaar Arrangement agrees to a new control list entry, it's added to the multilateral Wassenaar control list. And then it is up to each member country to implement the control in its own list pursuant to its own statutory and regulatory authorities. In the United States, the dual use list for national security product is implemented in the Commerce Control List, so the process is to draft a rule and to issue the rule, usually as a final rule, usually in the May or June timeframe in the year following the adoption on the Wassenaar list. Between December 2013 and May 2015, there was a great deal of interagency discussion on how to implement these new control list entries. In the Export Administration Regulations, we have a reason for control, or several reasons for control, for the same item. We need to determine the licensing policy, license exceptions that may apply, and in this case, we needed to consider that there was overlap with existing encryption controls. 
As I mentioned earlier, a lot of products moved over into category 5 Part II over the past years because they have added encryption. In this case, we already had controls on penetration testing products that included encryption and at times cryptanalytic functionality, and have been licensing them under category 5 part 2. So part of the question was, what do we do with those products? Do we change the treatment of them? And in the proposed rule, there is a much tighter restriction on the export of all products that could be described under the new control list entries, including the penetration testing products. We published the proposed rule in May 2015 with a request for public comments. And boy did we receive comments. We received almost 300 comments totaling almost 1000 pages. Many of them were very thoughtful. Before the comment period was over, we received many requests to meet with various groups and industry coalitions and so forth. We were very, very grateful that there was such interest in talking to us and explaining the issues that the proposed rule raises. There are three areas where the comments were greatest. The first was the implementation in the proposed rule and, as I mentioned, the restrictive license requirements and no availability of license exceptions, which places an export license requirement on all destinations except Canada, and all government and non-government end users, and would require an export license for intra-company and internal use in companies for technology and software, and it would also impose a license requirement on deemed exports, as Nate mentioned very briefly. The release of technology or source code to a foreign national in the United States is considered to be an export to the home country of the foreign national, and we do receive a fairly large number of deemed export license applications each year by companies who want to release technology to employees who are not U.S. nationals. 
And these export license requirements would apply to the new control list entries without any exception. The proposed rule also set forth a very restrictive licensing policy with approval only to poor countries and case-by-case to all other destinations; in addition to the national security reason for control, it imposed a regional stability reason for control, which is very restrictive, and it set forth a licensing policy under the regional stability provisions of the regulations. Finally, the proposed rule set forth a denial policy for products with zero day or rootkit functionality. These terms did not appear in the Wassenaar text. This is in addition, on a licensing policy basis, in the proposed rule. Second, and we were expecting the comments on the restrictive proposed implementation, but we also received a very large set of comments on the text of the Wassenaar control list entries as well. In particular, the definition of intrusion software raises many questions and issues, and the other panelists will address some of those and their many concerns about the scope of control on technology for the development of intrusion software as defined. Finally, there were other issues raised even beyond the Wassenaar text that are very important to consider: the likelihood that the imposition of these controls would achieve the purpose of addressing human rights and the likelihood that they would even cause more harm to security research generally. In addition, there are a number of comments that noted that the restriction on sharing of technology on cybersecurity research appears to be at cross purposes with other government initiatives, including pending legislation to encourage the sharing of such information. I forgot to tell you to change the slide. I'm sorry. So, we are now at the very last slide that says, next steps. 
The next steps in the regulatory process: we are in the process of reviewing the comments and again, we do appreciate all the time and effort that all types of companies and researchers and industry representatives and industry coalitions took to put their thoughts down on paper. We are planning to discuss the comments, the issues raised in the comments, in a series of Technical Advisory Committee meetings in the rest of the calendar year, and although Mara mentioned that there are so many government agencies involved in export control, we found that in this process, there were a number of government agencies with expertise in the cybersecurity area who were not involved in the development of the rule. And we hope to have them participate with us in the open discussions with the constituencies who are interested in the issue in the open meetings of the technical advisory committees for the rest of the calendar year. Also, given the issues raised, we will consult with our Wassenaar partners. A number of the other member countries have already implemented these control list entries in their national control lists and apparently without some of the reaction that we have received when we published the proposed rule. So, we would like to talk to them about the entries and find out how the implementation is affecting their industries and research communities as well. Following these three steps, we intend to draft a revised proposed rule and again we would have opportunities for public comments before we would publish a final rule that would go into effect. Thank you for inviting me to participate and I look forward to hearing the other panel members' presentations. (Applause) >> Thank you for that. 
That was a helpful explanation and thank you to the members of the audience also for staying with us for this explanation of what it is we are talking about and what the rules are and how this process moves forward. This is a back and forth process between the research community and many other stakeholders that are interested in how the technologies that are used in surveillance software may be regulated on a global scale. So this is the framework. These are the parameters that we are working with and with that, we can take a deeper dive into how the proposed rules are going to potentially have some very significant impacts on the various interests. So with that, Nate, take it away >> NATE CARDOZO: Sure. Thank you. I'm a Staff Attorney with the Electronic Frontier Foundation. As Jim mentioned earlier, I love technology so I'm going to pull up my notes on a phone and do the slides from the computer. Because we can't do both. John Gilmore in 1993 or thereabouts told us that the net interprets censorship as damage and routes around it. That statement is as true today as it was more than 20 years ago when Gilmore told us and it is far more true today than it was then. Back in the 90s, the export of -- and this is a gross oversimplification -- the export of cryptography was controlled under ITAR, under the United States Munitions List. As a weapon. So this slide could not be exported from the United States. Nowadays, we are left with the Wassenaar Arrangement. EFF sued on behalf of Dan Bernstein in the 90s. We won. We got a ruling that said, code is speech. And cryptography was moved out of ITAR and into the EAR, the Export Administration Regulations. Now of course we are dealing with Wassenaar. Why? This is the problem that Wassenaar was designed to solve. That is an Enigma machine designed to protect German banking. It was a commercial encryption device that was of course repurposed during the war, at first to great effect. 
This is also the problem that Wassenaar was designed to solve. Not really, of course. The MakerBot is not controlled under Wassenaar. But guns are. Not guns, per se, but nerve gas and precursors, et cetera. But what about information? How do you control the export of information? And I would propose that it's not going to work any better this time than it did the last time. Because we have things like this. I can export information very, very easily. But what do we do? There is an actual problem here, and it's a significant one. What do we do about things like this? Hacking Team, these are pieces of software that I really don't want in the hands of repressive regimes around the world. What do we do about it? As Randy said, one of the things about the way that export controls work, especially in the United States, and the way the proposed rule that we are talking about today works, is that it controls exports, period, to anyone. Talking to your coworker who is not a U.S. person, that is controlled. It doesn't matter if you're selling FinFisher to the government in Ethiopia or selling medicine to a pentester in Chile. Those are both controlled. One of those uses I'm fine with. The other one, I'm not so happy about. But there are already tools available. I would suggest that going to end use or end user control is a lot better, right? This is an actual Cisco slide talking about how Cisco is going to help the Chinese government build a golden firewall to combat evil religion and other hostilities. This kind of thing is what we should be worried about. We should be worried about our technology companies building the tools of human rights abuse. The Wassenaar Arrangement is intended to control things like this but it ends up sweeping way too much. Because it doesn't take an end user control. Here is another thing that I'm worried about. This is a Hacking Team e-mail talking about sales to the government in Ethiopia. 
I feel -- EFF is representing an Ethiopian suing the government for wiretapping his Skype calls. So I would propose to you that there are other tools besides a blanket export control regime that are better suited to holding companies responsible for doing things like building the Great Firewall of China and the specific evil religion plugin that Cisco built, or FinFisher selling to the government of Ethiopia with full knowledge that it was being used against journalists, activists, dissidents and -- so that is where I come from. And I'll turn it over to -- who goes next? Matt? David? (Applause) >> DAVID: I'm going to start off real quick with, I guess, a bio, in case you forgot who I am and why I'm here talking to you guys. And the reason for that is that my first employer out of -- well, during college, was the National Security Agency. And I since started Immunity, which is a company many of you know of because we have a free debugger, which is surprising to me but that shows how awesome my marketing skills are. I also have a mailing list called Daily Dave, which is discussing a lot of this Wassenaar -- I can't pronounce it properly -- activity. And we became very concerned when we first saw it coming down the pike. In particular, because we sell to the general public 3 or 4 major tools. We have CANVAS, which competes with -- and Core Impact, and I assume many of you have used one of these tools to do operational penetration testing, which is something that is required by PCI or required by HIPAA or almost everything that is security related. Of course we also sell SILICA, which does wireless penetration testing, which qualifies as a cryptanalytic tool under the BIS regulations. We also have a conference called INFILTRATE which focuses on offensive and attack technologies and offers people a way to be very honest about what it is we do. 
And so, my whole life has been spent building command and delivery platforms essentially and that is the exact sort of behavior that these people, some people, find uncomfortable, which is a necessary part of our existence in order to understand and secure ourselves. It's been said that Prezi won't come up on his laptop but it's also been said that defense is the child of offense and so, for those of us in this room who work on offensive things, I think we can all spend one hour of our time to reply on the simple to use website, and it surprised me more than anybody that BIS has an amazingly easy to use website for submitting comments. You can read the regulation in about 15 minutes. You'll never understand it so don't even try. But you can read it and then you can write comments on it that say what or how it would affect your daily life and it will take but an hour. You can do it during Simpsons reruns or something. So make it funny. Just don't include curse words or anything crazy. And I think the next round for comments should not be 1000 pages. I think it should be 100,000 pages. I think that Randy would very much enjoy having everyone at this conference; everyone here is impacted by this rule in a major way. The only reason I'm involved is because we pay our lawyers a lot of money to keep us out of trouble. But no one in this room wants to pay these lawyers all that mon-- they do. The lawyers do. I'm not a lawyer. But the lawyers would enjoy that. And I don't think you should have to. And I think it's a uniquely un-American thing to control the export of information, which in a sense, the human voice is the original export technology for information, and I think we should try to keep that voice free from any kind of overbearing regulation as a matter of course. We almost have Prezi. It's amazing. I can go on for hours. So here is my perspective. And it's your perspective at the end of my 5 minutes. 
Which is that export control is a bad idea for anything in this area and we are talking a lot about the intrusion software part of it. Let me say it is already trying to frame the discussion because when they say intrusion software, they mean anything that does anything useful in security. When they say surveillance software, they also link in anything that does intrusion detection and anti-crimeware on any scale. And I'm going to talk more about that. But this, I believe, it should be and is difficulty -- Randy can't see it. I'm sorry. It says here, you can see it? No? She's seen it already. Okay. So Thomas Jefferson, among many things, should be our guiding light when it comes to protecting ourselves against tyranny and we should avoid ourselves becoming the form of tyranny. And that is what they are doing us to do. And if you read the definitions in the thing, it should scare you, not that the definitions are there, but that they were ever allowed to be put into the regulation at all. Something went horribly wrong with the whole process. And I'm going to give you an example that no one talked about yet, which is carrier grade. For those who have ever worked in telecommunications, which is a lot of you, carrier grade by definition means reliable. It's a marketing term. And how I think it got in the regulations is that I think Privacy International used it in a random report. They are like, we are scared of anything carrier grade. But carrier grade is not a metric for speed, yet if you -- if I made you zoom in on this thing, in the actual defense of the regulation that BIS had, they said, well, we think it's anything fast enough for a city or a country but we won't put an actual number on it. And the reason for that is because there is no number. And if you did put a number on it, it would have to go up exponentially over time. I live in South Beach. Not that I'm recruiting because my company is awesome. But you shouldn't move to it for South Beach. 
But South Beach has, like, every apartment can get 500 megabytes to your door via a mesh network someone set up. You can do the same thing in New York and San Francisco. And at what speed is carrier class? We are a small city. So, I don't understand what the bar is. There is no bar. What they mean is, we mean what we mean when we say what we mean. Right? And that is, this should scare you, because the penalties are so high for all of us, for breaking these regulations, that you're guaranteed to break them and you're guaranteed to be under that onus. What is a rootkit? It's not in there. If this was a program, this document would have never compiled. Support zero-day exploitation. First of all, zero day is not a term you can define, because it means something you don't know. And everyone has different amounts of knowledge, so things that one of you knows may not be a zero day to me. They may be something I have sitting around that I don't think is important. And so to support zero day simply means you can run a program. So everything that qualifies as a command and delivery platform can in fact be modular and run programs. This is an extremely low bar and yet it is under the default denial section of the regulation, which means that at some point, they thought this will be fine. And that is just the beginning. Here is what is going to happen with the next regulation they come out with. There will be a million more examples just like this. We have a process that is creating programs that cannot compile and making them into laws with humongous penalties. That's what is broken here. And the overreach in this area has massive, massive dangerous implications. Deemed exports alone means those who have H-1Bs are cast out of our community as pariahs. 
Technical data is something that you, as a human being, cannot understand, but the lawyers among us will argue about it for years at 1,000 dollars an hour to tell you if you're allowed to open your mouth and talk to the person next to you. Required for -- again, some of these phrases should scare you, because if you, as a person, can't understand if what you're creating and exporting is required for the building and delivery of command and delivery systems, then you're at risk no matter what you do. And that is what this regulation does. It puts all of us under this giant sword, so the people who knock on your door can say, by the way, I noticed you were violating the law. We'd love you to cooperate on something else. That would be awesome. I can make this stuff go away. And there was a very bizarre section in the regulation when they went to defend it on their phone calls as they started getting some heat, which said that if you release it to the public or a vendor you're okay. But if you release it to just private industry, you're not okay. And we are talking about some value decisions in the disclosure arguments that don't reflect this community at all and don't reflect the industry at all. And again, just to nail this point down, penetration testing software, which under this current regulation would have been restricted as much as a nuclear bomb, is a required operational practice for every company in America. And I think we talked briefly, especially Mara did, that export control, if you're going to apply it, should at least have some hope of accomplishing the desired goals. I don't believe that the desired goals are worth accomplishing, but I want to run this down here. Here is how you protect those poor journalists and activists against FinFisher and Gamma. Give them an iPad. Because neither can attack unpatched iPads. So that is cheap. I'm willing to donate iPads to these people to avoid regulation, because I think it is a cheap way to do it. Here is what you don't do. 
Ban all software that makes you uncomfortable at great cost to the rest of the world. And I think we should talk a little bit about licensing, because even permissive licensing kills sales and retards innovation. Because in order to go through the encryption controls, you currently have to wait one month after developing your software, and this is almost all software, because the rule is, anything that links libssl is under this rule. And if you do anything to your crypto that changes your crypto or how you use your crypto, you're supposed to send them a note and explain it and describe it and wait 30 days, and then you can do a release. And so if you wondered why Core Impact and CANVAS are on a monthly release cycle, this is why. And it's extremely difficult to innovate under this kind of condition. And of course, anyone actually malicious, if there was a malicious Ethiopian person that Nate doesn't like for some reason, then they could always get an account. That's what they are going to do. Even at the best chances, there is no way export control could work even if it was meant to work, which it is not. So, I think this community, all 700 people in here, are largely of the opinion that code is not a weapon. Code is speech. And I think part of the reason for that is, we understand something at a much more basic level, which is that you can break down any fact into an infinite number of smaller facts, which you can then combine in combinations to produce the original fact. So for example, if I was going to write a paper on, if you have the extended instruction pointer, then you can use a certain technique to bypass ASLR, and then I would write a separate paper on, here is how I would get the IP using Adobe Reader and a particular technique. And if I bind those things up, those are controllable. But if I don't, they are not controllable. That's the key problem with regulation in any space where we are trying to regulate speech in this way. 
And of course, the irony in this is that when you see people who are privacy activists espousing these kinds of controls, they are not looking forward to the obvious next step, which is that to enforce them, you need a global surveillance network, which is a horrible thing to have to put in their hats. So in summary, their idea is bad and they should feel bad. And in the end, what is going to happen if this stuff goes through as is, or even close to as is, is that all of you are going to feel bad. So I'm hoping that everyone takes that hour to comment on the next one and we can further influence it by means of killing it. And that's what I have got. And hopefully everyone agrees with me and we can all go. (Applause) >> So, I'm Matt, and I should say, in spite of the introduction, I'm not a lawyer. Though I do occasionally impersonate one. I'm a Computer Science Professor. And one question is, what am I doing here? I am working in this abstract field and I'm not directly a target of these regulations, in the sense that nobody thinks that what I do and what people like me do is bad and needs to be regulated. I mean, the worst people say about what I do is that it is useless and stupid. But I don't think anybody says that what I do is harmful. And I don't think even the Wassenaar advocates think that academic published research in this area is something that is supposed to be regulated, or at least that's not a particularly common feeling. So, it would be very easy for me as an academic to say this is something that I should sit out and watch and let people with a vested interest, like Dave, fight this out for their interests. And in particular, the work that I do, when you look a little closer at how it actually gets done and how these regulations are to be implemented, particularly over time, I start to become a lot more worried. 
And one reason is that my job is to think of things and publish papers for the greater good, and I publish things, and fundamentally that's a defensive activity. The more we learn about what to do, the more robust systems we can build. But at the level of work that we are doing, the distinction is meaningless. We can't study defense without studying offense, and in fact, if you look at the papers that we publish, we tend to flip around between defense work and overtly defense, overtly offense, back and forth. Somebody publishes defense, and then attack, and at the end of that arms race we end up with something a little bit stronger. So fundamentally, I'm in the offense business as much as I'm in the defense business. Another thing that should reassure me is I don't produce products or export things or sell things. But it is true that fundamentally what we are doing is not producing, in the academic research world. We are not producing code that we are selling to people or code we are incorporating into attack products. But when you look at the process, there is quite a bit of code exchanged and there is quite a bit of exporting going on. About half, depending on your institution, it will go up or down, but it's certainly in the ballpark. About half of our graduate students are foreign nationals, and that's generally true at any research-oriented university. People come to the United States to study this stuff. We have colleagues in other countries that we collaborate with, and the process of producing research often involves a process of experimentation, exchanging code and working on things. The export regulations effectively limit what I can say privately with my colleagues prior to publication, and that means essentially it's not regulating the output of my work, it's regulating the process of doing my work in order to produce that output. 
So people who say, you don't have to worry because your papers are protected by the First Amendment, you don't have to worry because this only affects attack tools and you're not selling attack tools, and you're not exporting things over -- that's true about the output, but not true about the process necessarily. So even though there are many reassuring reasons to think that this is work that I and people like me shouldn't worry about, when we drill down to the actual process, this is something that I and my colleagues have to be worried about every day. Now I'm lucky that I work for a big fancy-pants institution that can afford lawyers. And fortunately, at my institution, the lawyers that we employ generally see as their job finding ways for me to do my work instead of finding ways to stop me from doing work. And as soon as -- but as soon as I talk to them about export rules, that flips. The answer tends to be, you're taking some risk here. You need to worry about that. We better go and get a license to do this before you do that. Fortunately, I have the support where they will help me with this, but these are extremely difficult rules to comply with, even in the easy case where you know that you don't have to make an argument, where you just have to go through the motions. Many people who are doing research at the same caliber or higher than people like me at universities aren't affiliated with universities and don't have that kind of institutional support. So for me, with institutional support, it's hard. For somebody without institutional support, it becomes kind of a death knell. Now the last thing I worry about is, as a veteran of Cryptowars 1 in the 1990s, before we needed to number the cryptowars, the primary thing we were talking about was export law. 
Cryptography was covered under ITAR, and the lever the government had to regulate cryptography was not that there were rules about using cryptography domestically, but that there were rules about using cryptography internationally. And that was what we were talking about in the first cryptowars. Now we won that, and now we have largely deregulated most consumer-grade and research-grade crypto, but what that illustrates to me is the way that regulations that are intended to accomplish one set of policy goals here, when they are implemented, in the future can be used to accomplish other policy goals that weren't even on the table or being considered by the people proposing them. And I worry here that today we look at this and we say, nobody is meaning to regulate academic inquiry into computer security. That may not be true 10 years from now under the Trump administration or what have you. And these rules may change, and the regulatory tone may change later. So, this is something that I find worth engaging in, and I think you need to consider whether it is something that you need to engage in as well. So thanks. (Applause) >> So I also note that we have these little buzzers that make funny noises, and we were supposed to press them if anybody disagrees with each other. And nobody seems to disagree with anything any of us said. >> I disagree that we won the cryptowar. I think we actually lost. So two of you said we won. But when you sell software, anywhere, in the country or externally, because every piece of software uses crypto in some way, you're under very strict regulatory frameworks, and as much as, like, you're going to get a license, the fact is, your sales process is going to be pretty messed up. You're sending away to the government a list of all of your customers, which some of you may feel uncomfortable with, and many other regulatory issues with even understanding. These are not simple. 
These are some of the most complex, convoluted laws on the planet that you, as a simple researcher, are now being required to understand or else be under severe penalty. The same thing is true of crypto. I think we lost. That's my personal opinion. >> Let me jump on something that Dave just said. The rules are very difficult to understand. And I'm a lawyer, so I'm going to look at this through a U.S. constitutional law perspective. And this is, again, going to be a gross oversimplification. In constitutional law in the U.S., we have a doctrine called void for vagueness. If a criminal law is vague enough that an average person of ordinary intelligence can't tell whether their conduct would be criminalized or not, that law fails constitutional scrutiny. We have seen that it is most common in hate speech or in the incitement context. But it works here too. If an ordinary person of average intelligence reads the Wassenaar control lists and can't understand them, then the implementation of those control lists would be a denial of due process and unconstitutional. >> And that gets to one of the sort of core issues about export control, which is, like I said earlier, you can't control something if it is -- you can't choose a choke-point technology if it is ubiquitous. So when something is omnipresent, like encryption, like the command and delivery platforms, you run into the same problem. You don't know. And therefore the control fails. >> I think it is telling that, in fact, BIS has on their website web applications that run you through an expert system to determine if certain phrases apply to you. Such as required for, or as needed by. There are little phrases in the regulation that you cannot understand. Only the expert system can understand them. 
And I think they are meant to help you, but they demonstrate that the design of the arguments is already vague, and if you talk to your local export control individual, which unfortunately Immunity gets the privilege of doing a lot, they will tell you as well that even the lawyers under BIS don't really have a clear understanding of it. That they can explain to you, for example, what software is meant to be controlled and what is not. Because these issues are so complex and they are rarely going to court, it's been really rare to see the crypto stuff result in a penalty against a company. But that's not as important as whether or not it is used as a hammer in general, which I think should scare you more. >> It's pretty well established that the rules are intended to prevent the availability of surveillance software to repressive regimes. But there are questions about whether or not these rules are effective in doing that and whether they would also sweep in lots of legitimate software at the same time, if we could use that term. So, I'd like to give Randy an opportunity to respond to that and sort of give more context into how the rules are being tailored to cover just what the original intent was. >> RANDY WHEELER: I think the comments are right on point, that the Wassenaar control list attempts to describe particular products, particular functionalities, and the intent was to narrowly define what was going to be controlled, but in fact, what we have learned from the public comment process is that either the language is not well stated, so that reasonable people with potentially different vocabularies are reading the language differently, and as well a number of unknown or unexpected products or activities are being swept into the control, and that's what we want to address going forward. Is there a way to capture only the products that we are interested in capturing and only licensing those exports that are of concern? 
Certainly from an administrative law perspective, and as a regulator, I think it's a poor use of government resources and a very poor use of company and industry and researcher resources to -- (Broken audio) >> She is gone. We lost her. Network resources, too. >> Who wants to say something controversial? >> I think she might be back. Hold on. Are you back? >> RANDY WHEELER: I'm back. >> You said resources and then you disappeared. >> RANDY WHEELER: Sorry. I just meant that I think it is a poor use of everybody's resources, both the government's resources and industry or researchers' resources, to spend time worrying about transactions, export transactions, or deemed export transactions, that are subject to a policy of approval. There is no point in requiring licenses for those types of activities, and so we should work to only cover those transactions that would be of concern. >> So in order to cover just those certain transactions, it seems like it is a project of definitions. And a lot of what the concern is, is how intrusion software is being defined, and I think there is a bigger question as to whether or not intrusion software is capable of any kind of meaningful definition. So, I'd like to open that up to Randy first, and also I'd like to hear from the rest of the panel about whether there is anything to be had there. >> RANDY WHEELER: I would quickly agree with you, from the comments we received. It is a problematic definition. Again, the people who are in -- we have government regulators trying to define this, and then when people who actually deal in the products and technology look up the definition, it either doesn't -- they don't understand what it was intended to do, or they use the vocabulary differently, and that is a problem for regulation, then, if there is a lack of understanding of what it covers. And particularly if it is understood to be broader than it was supposed to be, then it needs to be revised. 
The frequently asked questions were an attempt to address that, but we got to the point where even in the answers to the questions that we posted on our website, we were referring back to the regulatory language, and we just kind of got stuck because we didn't have the correct vocabulary to address the issues that were being raised. So that is what we hope to look into in the next step of the discussions. Thank you. >> So one of the things that we asked in our comments to BIS, which was also echoed by Google among others, is that the Commerce Department and, I guess, the State Department go back to the Wassenaar Arrangement itself. The next meeting is at the end of this year, and work on clarifying, not just for Americans through BIS, but by working with the 41 member states of the Wassenaar Arrangement to add clarity to the control list there. Software that modifies the standard execution path of a program. What does that mean? Why are we focusing on that? And that is not something that BIS can do alone. That is something that needs to go back to the Wassenaar Arrangement itself. So that is our best-case scenario: that BIS didn't just do a revised proposed rule and open it back up for comments, but that BIS and the State Department go to Wassenaar and change the control list there to make it better and then do a revised proposed rule. >> And by make them better, he means let's just remove this. Because there is no good way to do this. What you hear from people -- he doesn't agree, but he's wrong. If I agreed with him we would both be wrong, and that would be terrible. And here is the thing. They would say regulation in this space is inevitable, so you might as well, as an industry, feel free to come up with language you're willing to be bound by. And I will tell you this, that is a fool's errand. 
And it is a trap you should not fall into, and I think even if you could describe all of today's software you found, the reality is, you're also describing software that in the next generation is going to be required for normal operational business. Because this is a community that moves far faster than regulation and always will and always should, if we are going to survive. And I think that when they say please describe some language that works for us today, you should say, I need language that works for us forever, and it's not possible, and therefore we should not do it. >> MARA TAM: Also worth noting, the convolution arising from the Wassenaar language is due in large part to the fact that Wassenaar was never designed for human rights purposes. I mean, the export control regime that Wassenaar inherited was all about controlling arms. And several advocacy groups, among them Privacy International and CAUSE, made the decision to get these Category 4 and 5 entries added, and they were successful. One of the irritating things about that is they knew that Wassenaar was not fit for purpose. They knew that export control would not work for these items. But they persisted. And unfortunately, we are dealing with that right now, and good intentions and all of that, but this was not the right way to go about it. >> From my perspective, it's not the software that is the problem. What Hacking Team does, what FinFisher does, it's a standard remote administration tool. Any of the remote administration tools would have worked just as well to spy on my client in the Ethiopia lawsuit. What we care about, what matters, isn't the tool itself, it's the service, support and, most importantly, training that comes along with it. FinFisher doesn't cost very much, but getting your intelligence agency all trained up to use it and the ongoing support contract is what Gamma makes its money on. That's the problem. These tools -- it's not the tool. 
It's what goes -- it's the infrastructure surrounding it. The Wassenaar Arrangement was sort of designed to take that into account. Intrusion software is not controlled under the Wassenaar Arrangement; it's the infrastructure around intrusion software that is controlled. Technology required for this, et cetera. But without tailoring it specifically to state uses. And it is those state uses that we see causing significant harm out there in the real world. >> Keep in mind, under U.S. law, if I'm correct, anything that is designed specifically for U.S. government or military use would be controlled under ITAR, and the same -- this is something that no one has mentioned, is that actually Hacking Team was perfectly well regulated under Wassenaar, and they went to the government and said, can I have a license? The government said, yes you can, for anyone you want. So even under the most strict interpretation of these regulations, the reality is those chumps operated out of smaller countries, which would be every company in this business if the U.S. decides to implement these regulations, and can easily go to their government and ask for an out anyway. So even if there was perfect language that applied only to really bad things, which we don't know what they are, but if there was perfect language, it still wouldn't work, because you would have every company going to their government saying, I want an out. >> An alternative you have to worry about is pushing these governments into capabilities development, and I think Nate raises a good point, which is it is the back-end support which leads these technologies to be so harmful in those contexts. But if these state surveillance agencies are no longer able to buy off the rack, they will move to capabilities development for themselves, and that is a very serious problem. There is no unwritten law of cyber that says Bahraini engineers couldn't come up with an equivalent of Hacking Team's RCS, especially now that the source code has leaked. 
So controlling this from the top down simply will not work. >> Especially when we are talking about activities that are done by 10 people with computers you can buy off the shelf. I think that is -- the inefficiency of regulation in this space can't be overstated. >> So we are getting a good sense of what the objectives are. It would be great if you could fill us in on where these objectives come from. I think a lot of people might make the criticism that it may be -- or ask the question as to whether or not it is properly within the scope of the mission of BIS or Commerce or the government to be taking a position as to what types of software should be made available to any particular regime. So the question is, where do these regulations come from? They of course don't say on their face, you can't sell to a particular repressive regime, and they don't define who they are. They define the thing. So if you can give us insight into where the input on these particular sets of regulations is coming from within the U.S. >> RANDY WHEELER: So, there is an export control community involved with the Export Administration Regulations, prescribed by statute: the State Department, the Defense Department, and the Department of Commerce. And we all provide expert group members to attend the Wassenaar discussions. The consensus was, in 2013, that there was a set of products that was of concern within the scope of the Wassenaar mandate, that addresses dual-use products that can be used by the military or by civilian agencies for civilian uses, and so that is how the language was added to the Wassenaar list. 
And then I think that it is fair to say that immediately, even though we had the understanding at the time of what the products were that were described in the language, that was not perhaps a good understanding, and the public comments certainly bore that out, that there are many products in this space that could be considered to be described in the language that were not intended to be controlled under the control list entries. So we don't have a disagreement here. There was an intent to control certain products, but a good number of products were then swept in by the technical description, and that is what we are dealing with now. And all of the comments so far have echoed the comments we received in the public process and will certainly be taken seriously under consideration going forward. >> So speaking of -- thank you for that answer. So, speaking of the public process, we'd like to open up the floor here to audience questions. So they'll have to -- we don't have a mic for the audience, so we'll have to make do and repeat the questions, and we would love to hear your input, and of course, panelists, feel free to jump in. Line up behind Joe. >> AUDIENCE MEMBER: (Off mic) >> So the question was, is the only reason we control crypto the Wassenaar Arrangement? And then the second part is, is there any good reason to control the export of cryptanalysis? So the answer to the first question is, no. We have controlled crypto since -- that's a pre-Wassenaar thing. And then the second half of it is, why do we still? >> MARA TAM: So cryptography was controlled under CoCom, the predecessor to the Wassenaar Arrangement, and it's worth noting, when encryption first came under export control, it was not as sort of insane as it sounds now. I mean, encryption was a big-boy toy. It was something that nation states did. It was not -- in the era before personal computing, it was not ubiquitous. So, export control might have made sense at some point. I don't think it still does. 
>> And that was another thing which I, in the comment section, after the Electronic Frontier Foundation, said, is before we attempt to do anything more in surveillance software, let's decontrol encryption entirely. I'm not sure they will do that, but that was what I asked for. >> And crypto export controls are perfect examples of one policy goal when the regulations were originally enacted, to keep crypto boxes out of the hands of military adversaries. A perfectly good public policy goal if there are crypto boxes and military adversaries that might be able to exploit them. And then software got invented. And suddenly, we are now worrying about law enforcement domestically, and these regulations that were enacted for a purpose completely different from what they are being enforced for. >> So Randy, just quickly on the crypto subject, that is obviously not part of Wassenaar, crypto has been regulated more tightly in the past, and the regulations we have now are relatively more relaxed. Can you give us insight into any trends at BIS with respect to how crypto might be regulated going forward? >> RANDY WHEELER: Certainly a lot of changes to the encryption entries. It is a Wassenaar control under Category 5 Part 2. I have been involved in the program, and fortunately we have had a series of decontrols in the encryption provisions. But in the same way that we have the technical description issues in the proposed control list entries, we have them in the encryption provisions as well. For example, I would point to a couple of new decontrol notes, L and M, that we just implemented in the regulations this May, and again, they are technical descriptions that are not exactly product descriptions, and we in my office are still trying to work through exactly what products these decontrol notes cover and don't cover. And these are decontrol notes L and M, so that means there are several others starting with A. 
And we go through all of this, and it's a very broad control with many different carve-outs and notes and so forth. We have limited the encryption controls to products whose primary function is communications, computing, networking or information security, which makes refrigerators that have alarm systems with encryption not subject. And that is a good thing that didn't happen until 2010. We are still working on that. We still would like to have a positive list. We would welcome public participation in that process as well, to try to make the rules more concise and more understandable. There are many permissive provisions in the encryption area. Many license exceptions that are very broad, and for example, it applies to almost all deemed exports of technology. So, we have a very permissive regime in the end, but a lot of text to get there. And certainly it could use a lot of improvement. I could talk about the encryption controls all day. I have a day-long seminar that goes from soup to nuts. And we would like to continue to improve them, and again, we welcome public participation through the Advisory Committee process for that purpose. >> Perhaps one day there will be day-long seminars on what intrusion software is. So, we have got -- we have a line-up of questions. So we should take the next one. >> AUDIENCE MEMBER: (Off mic) >> I think the question is -- sorry if I'm paraphrasing. I didn't hear the whole thing. I think you're asking, as technology changed and the uses of technology changed, are the regulations still relevant, or are the regulations following the technology in an appropriate way? >> I think he is almost saying as well that did we tell the NSA that metadata might be more important than data, by allowing people to export crypto, because PGP use is rare. Anyone using PGP therefore needs to be looked at. 
And when we deregulate a little bit but not too much, it's not everywhere, it's not omnipresent, so you can do a sort and select on people just using crypto for targeting. That's a good question and no one here has the answer.
>> That's not why crypto moved out of ITAR. Because we won our case.
>> Or he has the answer.
>> We got the stronger crypto controls that resulted in export grade encryption back in the 90s. We got those controls deemed unconstitutional. That's why it was -- that's why those controls are slightly less. So the question is, was the value of metadata part of the reason that the national security establishment in the United States was okay with that? I think that they weren't quite thinking along those lines at that time.
>> Next question, Colin?
>> AUDIENCE MEMBER: (Off mic)
>> Someone has to repeat that.
>> Let me just paraphrase into a couple -- how did the crypto regulations affect you, me, in my daily work? And the short answer is, the crypto regulations probably don't hurt my daily work that much because I have already spent an enormous investment in figuring out where those boundaries are and I'm really comfortable with where -- knowing at least where some of the bright lines are and how I do my work without crossing them. When it comes to intrusion software, those lines are inherently a lot more blurry and I think what it will mean is I spend a lot more time talking to our lawyers at my very generous University and less time doing my day job, which is filing grant applications.
>> So for Randy, I think the question -- I don't know if you heard all of that. But I think there is -- we have a lingering question as to what kind of exceptions are there or would there be for research use, perhaps, on intrusion software and those technologies required to build intrusion software?
>> RANDY WHEELER: We are starting at the point with everything being controlled under the proposed rule. The possibilities going forward are, from my point of view, endless.
There could certainly be a broad license exception; there could be changes to the control language. So it really depends how the discussion proceeds over the next few months.
>> Thank you.
>> I'll just add a quick -- even academics occasionally end up finding themselves on the wrong end of an export control investigation. And it doesn't happen that often. But it does happen in very significant ways. In physics and in bio and to a lesser extent information systems. I don't think you can paint it with that specific a brush.
>> Colin is the one person on earth who likes this thing. So if you want to know more about that position, I recommend you listen to his Twitter. I think we have time for one more question. There are two. Two more questions.
>> Make it quick.
>> AUDIENCE MEMBER: (Off mic)
>> Colin is speaking on a different Wassenaar panel tomorrow, I think. Tomorrow? Tomorrow morning.
>> You might want to ask why they didn't invite any of you guys to comment before they put this regulation down your throats.
>> AUDIENCE MEMBER: (Off mic)
>> I don't know if you noticed the presence of Randy Wheeler on the panel. So the question was, are any of us in favor of regulation at all? And if not, why don't we have a balanced panel? And of course we have Randy, who is the Director of Export.
>> But there is a long discussion about this stuff. Feel free to post to the Daily Dave column if you wish to propose things.
>> I think that the point is a valid one, that as the software industry continues to mature, and as a world where we transition more towards a future cyber war, these technologies are going to or will become more and more relevant on the battlefield and there will be increasing government interest, not just in the U.S. but increasing government interest globally, in setting up some kind of regulatory regime.
So it shouldn't come as a surprise we are here today and I think this is probably the first of quite a few discussions like this we will have.
>> I'll say I'm not -- I'm not sure that I would make a broad statement saying that no, none of this should ever be regulated in any way. I can imagine all sorts of bad things that could be done with the kinds of software being discussed here that may well deserve regulation. I don't know how to draft regulations without enormous collateral damage.
>> And I would be in favor of regulation that controls the provision of support for these kinds of technologies to government end users. That would be a regulation I would get behind. So, I don't care about -- I don't care about a remote administration tool. What I care about is the provision of support to the domestic version of the NSA all across the world. That should require a license. The tool itself, the technology behind it, you just go and get that.
>> Maybe not an export license. Maybe it should just be something you can sue people in U.S. court about, like we're doing already, and it shouldn't be done in export control at all.
>> So with respect to who is for regulation, it's worth pointing out, as Randy noted earlier, there will be another round of proposed rules and another comment period. And I know that BIS is very interested in hearing comments from everybody who may be interested in submitting them, and she referenced the number of them earlier today. So, I'd like to hear her advice on what kind of comments are most helpful to BIS in figuring out how to do this. But with the comment about who is for regulation, BIS is not in the business of making value judgments about whether or not certain things should be regulated or not; it's there to fulfill the mission and do the best job it can, so comments in general that are directed to, this is really horrible, go away, you're idiots, this is dumb, that kind of thing is not really helpful, obviously.
So if you could provide something more helpful than that to guide us on how to move forward with the comments.
>> RANDY WHEELER: Well, again, the public comment period for the proposed rule has closed. We certainly will accept additional public comments but they won't necessarily be in the record. But we do want to identify specific issues from the comments that we received, the most important ones, and to try to flesh those out and have all interested parties in the ecosystem, the constituencies, including government agencies, that are involved in cybersecurity, weigh in and help us, the interagency, go forward as appropriate. Beyond that, I'm not sure that there will be another proposed rule. It will not be a final rule based on this proposed rule, so there will be an opportunity for more public comments. We do have the Technical Advisory Committee meetings, which we will advertise, published in the Federal Register, and we can have open sessions where interested parties can discuss the issues that have been identified, and we do hope to have broad participation in that process during the rest of the calendar year. Thank you.
>> I have one more question.
>> Hi. There seems to be pretty good consensus among the panelists on the definitions being not the best, and the ubiquity of some tools and so forth. I wanted to follow up on the issue of service, being a service provider, and support, and the sort of customer that you're selling these tools to or people selling the tools to. Nate, on one of his first slides: is it a government end user or somebody else? Is there a different regulatory approach that would conceivably work to focus on who the buyers are and what they are doing with it? Or do you lose it because if you sell to, like, an Ethiopian small businessman, that eventually -- would be in the hands of the Ethiopian government?
>> That's a good point.
>> So I think it's a good question for Randy.
If I understand the question correctly, under a licensing regime, how do you discern who the end customer is as part of a licensing process? So if someone is selling to an oppressive regime or just selling to random interested, perhaps, researchers in that same country? Is there any way to distinguish that as part of the process?
>> So the answer is, yes. And we have a white paper on how to do it. Companies should institute a know your customer policy. We saw this illustrated very nicely in the Hacking Team documents: Netragard sold to Hacking Team and we saw an e-mail from him to Hacking Team saying, I know who your customers are and I'm okay with it. So, that's the sort of thing which I would love to bring a lawsuit about. But yes, a robust know your customer scheme, I think, is the best way to determine it.
>> Flowcharts are magic. Have magic powers.
>> Randy, do you have any further comment on know your customer?
>> RANDY WHEELER: That's just right. That is certainly a provision already in the regulations, the know your customer, in a licensing process. An end user statement is at times required, and certainly in a license exception situation or no license required situation, the know your customer requirement still applies to ensure a license is not required. Thanks.
>> Just one more thing there. I think honestly the EFF is going down the wrong path. I'm going to get him drunk and we'll correct it. And I'll tell you why. And it's pretty simple, which is that the Wong Wong technology corporation calls you up and says they want a copy of a random thing, some gadget or widget. Now under the current rule set, you're supposed to find out if they are owned or mostly owned or controlled by the Chinese government. But in reality, no U.S. company can ever really know. There is no way to know.
So even if you have perfect, and I think Immunity has perfect, know your customer abilities, and you have a flowchart on your wall which explains it to your admin, keep in mind it's not a lawyer figuring this out. It's your admin. The same person who answers the phone. And they go through the flowchart and they go, you have a web page. Your web page looks good. It's all in Chinese but I don't know. Whatever. So I would say devising a regulatory framework against this, when for anyone in China it is very difficult to determine if they are a government-owned, government-controlled corporation or not, is probably not the right direction to go.
>> But the tools we are concerned about are tools that are sold only to governments. Hacking Team and Gamma only sell to governments. So they certainly know who their customers are.
>> With that, unfortunately, we are out of time. The next panel is dying to get in and play with the AV equipment. So, I just want to extend some recognition here to Mara Tam, who did some amazing things behind the scenes to make this panel happen. And also thank you certainly to Randy Wheeler for really this unique opportunity to discuss these proposals with you. And thank you to all of you for coming in to this talk today. (Applause)