I don't understand this argument. If you build and sell tools that enable online surveillance, you bear a special responsibility not to sell them to people who will abuse them. Building surveillance tools and selling them to repressive governments is blameworthy.
Equally blameworthy, but rarely remarked upon, is the practice of selling generic computing infrastructure that you know will be used to build surveillance infrastructure.
How do we apply that special responsibility to open source software? Say, Metasploit.
I'm proficient with both commercial and open source tools, and in most cases the open source ones are more powerful.
Not saying enabling isn't a shameful act, but it is a slippery slope. As you pointed out, at what point does AWS need to start investigating customer workloads?
The only solution then is not to sell them at all, because a government that can't gain the tools directly will simply set up a blind to do the procurement, and there is only so much research you can do on your customers before you start to lose money on a sale.
I don't agree that that's the only option, but I think selling offensive security technology is so complicated and fraught that I'll never do it myself. So, "don't sell to governments" is definitely one viable option.
> Equally blameworthy, but rarely remarked upon, is the practice of selling generic computing infrastructure that you know will be used to build surveillance infrastructure.
Truly, Linus Torvalds is a monster for enabling the NSA.