The international rules that have the security world on alert

For years, activists and governments alike have been lobbying for more controls on spyware and the research that fuels it. At the same time, security researchers have warned that export controls on vulnerability research would mean regulating the flow of information. Now, the first of those regulations are finally reaching America — and the security world couldn't be angrier.

The proposals come out of an international agreement called The Wassenaar Arrangement, laid out in 2013. It covers export rules for all sorts of technologies, providing broad guidelines for how countries should license technology and software as it crosses international borders. The agreement leaves the details of enforcement up to individual nations, and the US Department of Commerce is only now catching up. On Wednesday, the department's Bureau of Industry and Security (BIS) issued proposed rules for how it was planning to implement the information security portions of Wassenaar. The rules will be open for comment for the next two months, allowing anyone with a stake in the matter to have their say.

"Intrusion software is the sword that hones the shield."

So far, the comments from the security world have been blistering. Researchers are particularly worried about a measure that would institute new controls on any work related to intrusion software. The measures were proposed by the UK delegation after spyware implants like FinFisher became popular among brutally oppressive regimes abroad. The implants are typically made in Western countries and exported to oppressive governments like Bahrain and Syria, but aside from statutes on encryption, there are no export controls covering the software.

Still, much of the security world sees the Wassenaar rules as a cure that's worse than the disease. Nearly all security research is somehow related to intrusion into a protected system, and it's still unclear what will be restricted by the act. Researchers often develop and sell unpublished vulnerabilities (known as zero-days), and many fear the new regulations could squash that market entirely. Wassenaar's exemptions for scientific research or public domain software also seem to have been stripped out, leaving academic researchers with nowhere to turn.

Marsh Ray, a prominent security software developer, says the controls would change the entire industry, causing problems for even defensive security researchers. "[Intrusion software] is the sword that hones the shield," says Ray. "It's impossible to build effective defenses without free and open access to the latest techniques of the attackers."

"It simply never happens that government regulation constrains the tools available to the real attackers."

There's still a lot of uncertainty on both sides of the issue, which has only heightened fears of overregulation. "Vulnerability research is not controlled," BIS officials said in a call on Wednesday. "What would be controlled is the development, testing, and productizing of an exploit or intrusion software." But many companies don't take a vulnerability seriously until they see proof it can be exploited, which makes it difficult to say precisely where research ends and development begins.

In part, these things are unclear because Commerce simply hasn't decided all the issues yet. BIS officials have left a lot of wiggle room in the recent proposals, and have said outright that a number of issues are still undecided, pending more feedback from the comment period. Collin Anderson, a researcher who's been following the process, says much of the uncertainty is just about Commerce officials looking to find out more. "There's not always a lot of clarity in regards to what's covered under the proposed exploit rules," says Anderson, referring to the recent BIS statements. "What is clear is that there's a lack of information." In part, that's what the comment period is meant to address, but it's easy to see why that uncertainty makes researchers nervous. If the rule-making process breaks the wrong way, it's easy to imagine simple vulnerabilities being subject to the same restrictions as military computers or firearms.

"The security community needs to engage in order to get a public policy that doesn't harm them."

The basic structure of the restrictions is also cause for concern. Even heavily restricted goods will still be exportable with the right license, which gives the licensing system a huge amount of power over the security industry more broadly. But the system is both opaque and potentially inconsistent, leading many to worry that government-friendly vendors and regimes will skate through the system while smaller firms languish.

At the same time, stronger licensing may not affect criminals and oppressive regimes willing to go outside the law. "It simply never happens that government regulation constrains the tools available to the real attackers," Ray says. "The government of Syria was able to obtain sufficient Blue Coat man-in-the-middle TLS interception systems to use against their entire country, and Syria is one of the most heavily export-controlled regimes in the world."

The good news for researchers is that the Department of Commerce seems eager to keep the rule-making process as transparent as possible. A two-month comment period is rare for this kind of measure, and many similar trade agreements are adopted with no comment period at all. The fact that Commerce officials are soliciting comments so actively suggests they understand how complex the issues are, and are leaving the door open for a strong response from researchers. "This is a point where the security community needs to engage in order to get a public policy that doesn't harm them," says Anderson. "BIS needs feedback from the security community, and they're very clearly asking for it."