The US hasn't officially adopted its proposed rewrite of the Wassenaar Arrangement, but it looks as though its plan to regulate certain software like guns and bombs is already pushing some businesses to start treating potential users like enemies of national security.
John Leyden at The Register is reporting that one of the site's readers has been denied permission to download Sophos' free antivirus software, apparently because the name "Hasan Ali" is setting off "terrorist" alarms at the software maker's headquarters.
Ali brought the issue to our attention, complaining that Sophos had applied an "anti-Muslim name filter" that places hurdles in the way of his attempts to download the security software firm's freebie Mac malware detection tool.
A screenshot of the attempted download shows Sophos asking Ali to jump through a bunch of additional hoops to gain access to the free AV software. According to the text displayed, Sophos "must" conduct further "compliance checks" (which include asking Ali for additional personal information) before allowing him to download the software.
Sophos has confirmed that it does, indeed, block certain users from downloading its software.
We are sorry Mr Ali has had difficulty downloading our free Mac Antivirus software. Like many companies operating on a global scale, Sophos is required to adhere to the export laws and regulations of the United States, European Union, and every country in which it conducts business.
As such, we screen all requests for software downloads in accordance with a number of export lists, such as the US Export Administration Regulations, which affects all companies trading in the US and includes the requirement to ensure that the requester is not included on any US government denied persons list.
Like many companies, we used a third party to check all requests. Because this particular request only included the requester’s name, which matched with a number of names and aliases on the denied persons list, it was flagged as something we needed to check.
Our policy, in accordance with the US Export Regulations and other similar EU and UK regulations, is to ask for additional information to check if it is a true match or if it is, as in almost all cases, a ‘false positive’ match.
At that point we can clear the requester to be able to access the software.
Sophos claims that less than 0.05% of potential users are subjected to these compliance checks, so it's really kind of a non-issue. Not so, claims Ali, who points out that his name is extremely common, as would be any number of other "foreign-sounding" names. Starting a verification process with nothing more than a name is a terribly inefficient way to run one. For that matter, consumer-grade antivirus software really isn't subject to the majority of export restrictions.
On top of that, Ali and The Register point out that downloading this software directly from Sophos isn't the only way to acquire it. Other services provide copies of the AV software, but without all the "compliance" chicanery.
"Sophos also makes its software available on CNET (here), and possibly other download sites without mandating this process," he said.
Sophos responded to this seeming disparity with an answer that only raises further questions… mostly about Sophos' strict adherence to regulations that seems more arbitrary than mandatory.
In response, the company said: "All our download products go through the same screening process as highlighted in our previous statement. We can’t really comment on why Mr Ali doesn’t experience the same situation with other vendors, or when he downloads our software from third party sites such as CNET. Sophos adheres strictly to US, EU and other jurisdictions' export regulations, and complies with all requirements. Companies can be heavily fined for non-compliance."
Ali points out that this verification process -- which asks for information like date of birth and passport numbers -- could be mimicked by third parties as a phishing scam. All someone would have to do is host the free software and start emailing the potential downloader with personal questions. Goodbye, AV protection. Hello, identity theft.
If Sophos is being extra-cautious because of the impending Wassenaar Arrangement adoption, it's somewhat understandable. The proposal by the US government looks to outlaw the export of plenty of security-related software and will turn security researchers' work into regulated "weaponry." But clamping down on downloads of consumer-grade AV software isn't going to do much more than push potential customers away. If the entities targeted by these regulations want security-related software, they'll find a way to get it, and they'll find much more potent stuff. Flagging names from a database that likely sees only occasional vetting (like any "terrorist/criminal" database the US maintains) does nothing more than irritate legitimate users.