970x125
The modern Internet is built on vast computing backbones that a very small number of companies control. Among them, Microsoft has become indispensable to governments worldwide. But when its infrastructure was used to deepen Israel’s repression of Palestinians, the episode raised difficult questions about how export regimes can govern services they may never have imagined when those rules were drafted. Export regimes are international agreements between supplier countries to control the export of sensitive goods and technologies to prevent the proliferation of weapons of mass destruction.
970x125
The Wassenaar Arrangement
A particularly important instrument is the Wassenaar Arrangement, a multilateral “export control regime” for conventional arms and dual-use goods and technologies. In a voluntary coordination framework, its participating states commit to control lists and exchange information while allowing each government to retain its discretion on licensing, implementation, and enforcement.
In 2013, the Arrangement expanded to include controls on “intrusion software”, that is, software designed to bypass or defeat security protections of networks and certain surveillance or cyber-surveillance systems. The structure of the Arrangement was however conceived in an era when control meant physical exports of devices, chips, hardware modules, etc., and software transfers were written off as incidental.
As a result, many technology and information flows related to cloud services fall in grey areas. For example, the Arrangement doesn’t always treat the access, use or administration of software to be an export in every context, and allows countries to differ on how they interpret a technology transfer. The software-as-a-service (SaaS) model in particular complicates matters because here the user remotely invokes a functionality instead of installing it locally, and the Arrangement can’t say whether that’s an export of a controlled technology.
Moreover, as the Arrangement is based on consensus, any member can block modifications. And even when a technology is controlled, the Arrangement requires individual countries to implement controls as per their domestic export control legislation, which often differs in ambition and political will. As a result, the Arrangement’s coverage is patchy and many states have loopholes to allow “defensive security research” and internal technology transfers.
A need to re-evaluate
India joined the Wassenaar Arrangement in 2017 and incorporated its lists into its Special Chemicals, Organisms, Materials, Equipment, and Technologies framework. Yet like many participating states, its engagement has largely been about securing legitimacy in global export-control regimes rather than pressing for the Arrangement to adapt to the era of the cloud. As a result, even as membership of the forum has been widening, the regime remains unable to address the technologies most likely to be misused for surveillance and repression.
To bring the Arrangement into operational relevance, its scope needs to expand significantly. For example, its list of controlled technologies should explicitly include infrastructure and services that enable large scale surveillance, profiling, discrimination, and real-time control and systems that break national boundaries (for example, regional biometric systems or cross-border data transfers linked to policing). Including such technologies in the control lists would require devising criteria for capacity thresholds and carving out defensive, benign uses under strict safeguards and licensing.
Second, a major obstacle is that many control regimes still conceptualise ‘export’ as physical transfer or download. In the cloud, an export can also be remotely executed or invoked in API calls. The Arrangement thus needs binding guidance that treats remote enablement, authorisation, and granting administration rights as equivalent to export if they provide access to a controlled technology. The Arrangement should also embed end-use controls more systematically. While classical export control is about military use or the proliferation of weapons of mass destruction, for cloud services and digital surveillance the risk is mass human rights abuses. For instance, the license to use some technology should depend on the item’s technical specs as well as on the identity of the user, the jurisdiction, the oversight regime, the legal mandate, and the risk of misuse.
Third, the Arrangement’s voluntary nature is a weakness in high-risk settings. States should instead adopt a binding treaty or framework with obligations that include mandatory minimum standards for licensing, mandatory export denial in atrocity-prone jurisdictions, and supervision by peer review.
Fourth, cloud services are global: a user in one country can trigger concerns in another. National licensing authorities must share information and align their policy decisions. To this end, the Arrangement should include technical interoperability standards, a shared watchlist of flagged customers or entities, and exchange red alerts in real-time, for example, when a cloud provider offers certain services to a blacklisted state.
Fifth, cloud and AI technology move at high velocity, and the Arrangement needs to be equally agile. This can be facilitated by a specialised technical committee or secretariat that’s empowered to propose interim updates, fast-track high priority controls, and receive inputs from independent experts. The Arrangement should consider adopting a sunset mechanism that causes items to fall out of the control list unless their inclusion is renewed. In fact, given the additional challenge of global consensus, the Arrangement may also consider hosting a domain-specific control regime for AI, digital surveillance, cyber weapons, etc. which aligns with the overall regime while possessing the ability to evolve faster.
Is such reform realistic?
Some powerful states may resist stricter controls of cloud services by arguing it would stifle innovation, sovereignty and/or impose undue regulations on private industry. A small number of holdouts can still block changes to the Arrangement as it exists, especially those that benefit from providing surveillance technologies abroad. Further, mapping cloud systems to control categories; define thresholds; distinguishing benign versus malign use, and implementing cross-border licensing is an extremely intricate enterprise.
Still, a pragmatic path is possible — and perhaps necessarily under the Arrangement. Some states, especially in the EU, are already pushing national export controls on ‘high technologies’ currently beyond the Arrangement’s reach. The EU’s dual-use regulation now treats the transmission of cloud services as potentially subject to rules that apply to dual-use technologies.
There’s also leverage, as specified under the UN Guiding Principles, because cloud providers are large and interconnected.
Stricter export controls could join corporate human rights duty frameworks and limits on public procurement to reinforce incentives on providers to refuse certain customers.
At present, the Arrangement still retains normative weight, with many national export control systems, but especially the U.S. Export Administration Regulations and the EU dual-use rules, drawing from it.
Microsoft’s own whitepaper on export controls refers to such regimes as part of its compliance framework. In practice, however, the realities of cloud services and SaaS expose significant gaps, rendering the Arrangement incapable of being a credible shield against the misuse of cloud services.
Published – September 30, 2025 08:30 am IST
970x125
