From: Vincenzo Iozzo <
To: "Jeffrey E." <jeevacation@gmail.com>
Cc: Joshua Cooper Ramo <1
Subject: Fwd: Draft Regulation dual use
Date: Tue, 04 Apr 2017 21:48:43 +0000
In case either of you is interested in where things are at in terms of regulation of the "offensive side", this is the
current state in the EU
Sent from my iPhone
Begin forwarded message:
From: Vincenzo Iozzo
Date: April 4, 2017 at 22:29:51 GMT+1
To: VERMEULEN Mathias
Subject: Re: Draft Regulation dual use
Hi Mathias,
This is a preliminary review, but given the deadline it's the best I can do. Happy to expand/work more on this
after Thursday as well.
1) The definition of "Intrusion software" in my opinion would need to be replaced with something like the
following:
"Intrusion software":
"Software" specially designed or modified to be run or installed without
obtaining the authorization of the owner or 'administrator' of a computer
or network-capable device, and performing the following:
a. The unauthorized extraction of data or information from a
computer or network-capable device;
b. The modification of system or user data to facilitate access to data
stored on a computer or network-capable device by parties other
than parties authorized by the owner or 'administrator' of the
computer or network-capable device.
Notes
1. "Intrusion software" does not include any of the following:
a. Debuggers or Software Reverse Engineering (SRE) tools;
b. Digital Rights Management (DRM) "software"; or
c. "Software" designed to be installed by administrators or users, for
the purposes of asset tracking, asset recovery, or 'ICT security
testing'.
d. "Software" that is distributed with the express purpose of helping
detect, remove, or prevent its execution on computers or
network-capable devices of unauthorized parties.
2. Network-capable devices include mobile devices and smart meters.
EFTA01050331
2) The paragraph on Page 22 on "Cyber-surveillance technology" should be rephrased as:
"'cyber-surveillance technology' shall mean items specifically designed to enable the covert intrusion into
information and telecommunication systems with a view to monitoring, extracting, collecting and analyzing
data without obtaining the authorization of the owner or administration of the system and/or incapacitating
or damaging the targeted system."
3) On the definition of "technology" (4E001 e), I think it's important to specify "technology specifically
designed or modified for the development of intrusion software"
4) On the definition of software (4D004) : "Software" specially designed or modified for the operation or
communication with, "intrusion software".
5) This is a bit of an aside, but in my opinion the definition of "Internet Protocol (IP) network communications
surveillance systems or equipment, and specially designed components therefor, having all of the following" is
too lax. I don't want to propose a change without thinking it through but at a minimum I would reconsider all
the conditions from "and" to "or" because otherwise that is too stringent a definition and too easy to evade.
I hope I didn't miss anything major, please do let me know if there are specific definitions I should be looking
at. I also have a few more comments on the text in general but I think those can wait until after Thursday. I
think those 4-5 points are the main ones, especially given that the current definition of "intrusion software" in
the text is technically inaccurate and absurd.
Hope this helps and sorry for the late email,
Vincenzo
Begin forwarded message:
From: VERMEULEN Mathias
Date: April 3, 2017 at 16:59:43 GMT+1
To: "Vincenzo Iozzo"
Subject: RE: Draft Regulation dual use
Hi Vincenzo,
1) Yes, the details are in the annex here: http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154977.pdf
2) Mainly on the definition. Intrusion software could be limited for instance to
a. "intrusion software specifically designed to be run or installed without the intended
authorisation of the owner or administrator, and modifying or denying access to a system or
extracting data without authorisation"
b. "intrusion software which is specifically designed to exfiltrate data without the intended
authorisation of the owner or administrator"
Or we can scrap the reference to "intrusion software" altogether and replace it with "exfiltration
software" in general, which is defined — along the Bratus definition - as "software designed or modified to
weaken encryption or facilitate the transmission of data it did not create, or derived from data it did not
create, except when any of the following conditions are met:
c. The creator of the data provides his explicit consent to transmit the data.
d. A user or administrator of the computing system provides his explicit consent to transmit
the data.
e. Systems software set up by a user or administrator of the computing system provides the
data to the software under the design of the computing system as part of routine and
expected behavior.
3) Not really!
Many thanks!
Best,
Mathias
From: Vincenzo Iozzo [mailto:
Sent: 03 April 2017 16:22
To: VERMEULEN Mathias
Subject: Re: Draft Regulation dual use
Hi Mathias,
I skimmed through the document you linked and I have a couple of questions:
1) are the definitions in the document vague by design? And if so, where are the various terms
properly defined (e.g.: "intrusion software")
2) are you seeking feedback just on the definitions of the controlled items or anything in the
proposal?
3) are there other documents that I should be reading to have the full picture?
Thanks,
Vincenzo
Sent from my iPhone
On Mar 31, 2017, at 16:19, VERMEULEN Mathias <
wrote:
Hi Vincenzo,
Great to see you this week at our event. Sorry we couldn't chat longer!
As I said we would be most interested in hearing any suggestions for clear textual amendments to
the dual use proposal of the Commission: http://trade.ec.europa.eu/doclib/docs/2016/september/tradoc_154976.pdf
We have a deadline for amendments on Thursday, so it is quite tight, but we can even take suggestions
on board much later in the negotiating phase.
Best wishes,
Mathias
Mathias Vermeulen
Policy Advisor MEP Marietje Schaake
Document Details
SHA-256
5195ebd162b6fa3fe115a4beac3cf15dc9c2aa08020bd811d413784bee2d7897
Bates Number
EFTA01050331
Dataset
DataSet-9
Document Type
document
Pages
4