(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


How the United States has just made it illegal for #WhatsApp to contain a Remote Code Execution (RCE) bug, via the Executive Order on Spyware

2023-04-03 08:52:37+00:00

I have spent literally years attempting to explain to civil society and the public at large, that:

…that attempting to regulate software by the “shape” of it (viz: what features it enables or provides) will always lead to ambiguity and almost certainly lead to illiberal or problematic legislation.

Tip: never attempt to regulate the shape of software: peer-to-peer, end-to-end, long keys, short keys, autonomous, viral, agent-based, remote-controlled; all of these are characteristics of software both good and bad. There is never a case where it is helpful to do so.

For clarity: I am one of those people who believes that laws should be considered as they are written, rather than with unwritten codicils along the lines of “…yes but everybody knows that the law is not meant to achieve <that>” — because in my extensive experience most law enforcement officers are more interested in getting a conviction than they are in following the spirit of the law.

And lo!, this brings us to the newly published Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security, where we find this definition of “commercial spyware”:

(b) The term “commercial spyware” means any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to:

(i) access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet;

(ii) record the computer’s audio calls or video calls or use the computer to record audio or video; or

(iii) track the location of the computer.

Clearly this definition is aimed at the likes of Pegasus and other pieces of software which inspired it to be drafted; however let’s read it uncharitably and see what collateral damage we can create — because that’s what lawyers love to do.

There is a class of bug called “remote code execution” (RCE) which can afflict prettymuch any piece of software which takes input from a remote source, either over a network, or via messages passed from other parties. The nature of RCE exploits is that they are an open door which takes an otherwise benign software application, and makes it capable of running any piece of malware whatsoever — typically something like a remote access toolkit (RAT).

Occasionally, you will find an RCE in an application like WhatsApp; and Facebook pay good bug bounties for the discovery of such things, so that they can be fixed.

Returning to the Executive Order, it is clearly meant to be read with something like Pegasus as the subject:

<PEGASUS IS AN> end-to-end software suite that is furnished for commercial purposes … that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to … <DO BAD THINGS>

…but regrettably it can also be read as:

<WHATSAPP WITH AN RCE IS AN> end-to-end software suite that is furnished for commercial purposes … that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to … <DO BAD THINGS>

You can see what they were trying to achieve, but they goofed it; they should have gone with a phrasing with something like:

furnished for commercial purposes, … that provides the user of the software suite <the intended purpose of gaining> remote access to a computer, without the consent of the user, administrator, or owner of the computer

It is doubly tragic because whoever drafted this clearly had a go at the challenge of capturing intent — “…without the consent…” — but they forgot to link that back to the intended purpose of the software.

There is a potential but still ambiguous nitpick / get-out where you could argue that “the user of the software suite” is meant to the User of WhatsApp, who clearly would not be attempting to hack themselves; however this falls when you reconsider it as “the exploiter of the software suite”, and note that there is nothing to link the “user” in the first sense, to the (implicitly different) “user” mentioned in “user, administrator, or owner…”

I will also give them further credit for avoiding the trap which BIS invented in 2015, attempting to capture the problem by talking about “the standard execution path” (a meaningless neologism) of the software:

…but still, this strikes me as a drafting error which should have been avoided, and ideally should be fixed, because in the land of litigation clearly someone will attempt to profit from suing Meta for selling “spyware” next time a RCE “backdoor” is found.

Postscript

I presume it’s obvious, but: this applies to all software applications, not just WhatsApp; however it works better with a concrete example.

Postscript 2

Steven Murdoch suggests that there may be an automatic “mens rea” test under US criminal law which would obviate this risk — which would excellent (if still unclear) if true — but it would be good to know.

Runa is going to try and track it down.

It’s the default for criminal law. For executive orders ? — Steven Murdoch (@sjmurdoch) April 3, 2023

Postscript 3

Runa points out (via DM) that the scope of the Executive Order is to constrain the Federal Government, and is correct in pointing out that for this to go toxic would require a federal agency become actively litigious towards a platform like WhatsApp for accidentally providing a means of remote exploitation.

This greatly reduces the existential risk of this bad drafting causing existential harm, but it does not eliminate it, and moreover the matter remains that this is a poor definition which should not remain unfixed and in circulation, in case others attempt to hold the definition up as an exemplar and reuse it in broader contexts.

Postscript 4

An anonymous friend makes the argument that (to paraphrase)

An RCE in WhatsApp would not constitute an end-to-end software suite (falling within the scope of the Executive Order) unless WhatsApp also provided the necessary client to exploit the RCE and turn it into a means for gaining remote access.

I believe that this argument fails in several ways:

Assume the converse, that a company provides only a client which tickles some WhatsApp feature in such a way (e.g. RCE) that it enables remote access. By providing only a solitary tool for use at one end, is this software somehow not captured under the terms of this executive order regarding spyware, by not being “an end-to-end software suite” — whatever that is supposed to mean within the terms of this executive order? This argument would set a dangerous precedent, because it would suggest that vulnerabilities (which is what we are talking about here) are somehow only concrete when there exists code which actively can exploit them. Such an attitude is heavily frowned-upon in the infosec community: “it’s not surveillance unless someone is looking at the data”

“deanonymisation is illegal so it’s okay for us to publish this dataset”

“it’s okay to have a hardcoded password so long as nobody knows it”

To me this is yet more evidence that the Executive Order drafting is ambiguous and suboptimal and opens many edge cases which should not be there.

Postscript 5

The same anonymous friend:

An RCE is not, prima facie, enough to trigger this definition and therefore require a consideration of intent; the definition of “commercial spyware” refers to the software that exploits a vulnerability to do things like “access or collect content”, not the software itself…

Again I disagree, due to the ambiguity of the drafting; if it were obligatory in the definition that an “end to end software suite” which constituted “commercial spyware” must (beyond “remote access”) perforce supply the means to “access or collect content”, then the definition would not be hung up on the matter of “the capability to gain remote access” and would instead be written like:

…provides the user of the software suite the [DIRECT] capability to access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet; record the computer’s audio calls or video calls or use the computer to record audio or video; or track the location of the computer…

…but it does NOT say that; instead it’s all about the access. The extra level of indirection creates a problem.

This is why the drafting is problematic. Any RCE can satisfy the “in order to” capability to snoop on people in various ways, and much more besides. What would be good is for that to capability to be screwed down onto “intent”.
[END]

[1] URL: https://alecmuffett.com/article/50467
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/

You are viewing proxied material from magical.fish. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.