[Cryptography] Proposed US ITAR changes would require prepublication approval for most crypto research
pete
peter at m-o-o-t.org
Tue Jun 9 03:36:46 EDT 2015
Proposed US ITAR changes. New regs, for comment, not yet in law or in force.
http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened-by-new-obama-regulation/article/2565762
www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf
Actually, it says, for the first time explicitly, that publishing widely
on the internet would be enough to put data into the public domain
[000]. Sounds good?
However, there is a great big kicker: posting ITAR technical data for
the first time would be an export, and you wouldn't be allowed to do it
without prior authorization [17].
Reposting already-posted technical data is also making it available, and
you wouldn't be allowed to do that unless the initial posting was
authorised.
Neither would you be allowed to sell a book or magazine or periodical,
even within the US, unless it had been made available with an
authorisation [23].
Phil Zimmermann's trick, publishing the source to PGP in printed form to
put it in the public domain, would no longer work.
There is also some trickery about redefining software as an item, rather
than as data; one effect of which is to put software which is the result
of fundamental research into the control regime.
Of course, as "fundamental research" only means research done in the US
by US centers of learning, or US Government funded ..
I get confused, but it would seem to me that, e.g., if there is a crypto
conference in the US with published proceedings, the publishers would
need export permission for the work of foreign authors, but not the work
of most US authors.
[000] "Public domain" here is not the same thing as "public domain" in
copyright law. They use the same words, but they are defined completely
differently.
[17] To get pernickety: data which has been made publicly available,
including by widespread posting, would be exempt.
However, data which hadn't been made available with proper authorisation
would not be exempt. This would apply to data which is now in the public
domain too.
If you saw some posted data or data in a book, and you didn't actually
know that it hadn't been released with proper authorisation, you
couldn't be prosecuted for reposting it, or selling the books it was in.
Though you could be prevented from doing it again, if someone told you
its initial release has not been authorised.
[23] the relevant bits:
§ 120.11 Public domain.
(a) Except as set forth in paragraph (b) of this section, unclassified
information and software are in the public domain, and are thus not
technical data or software subject to the ITAR, when they have been made
available to the public without restrictions upon their further
dissemination such as through any of the following:
(1) Subscriptions available without restriction to any individual who
desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to
the public, and from which the public can obtain tangible or intangible
documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade
show, or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form
(e.g., not necessarily in published form), including posting on the
Internet on sites available to the public; or
(5) Submission of a written composition, manuscript or presentation to
domestic or foreign co-authors, editors, or reviewers of journals,
magazines, newspapers or trade publications, or to organizers of open
conferences or other open gatherings, with the intention that the
compositions, manuscripts, or publications will be made publicly
available if accepted for publication or presentation.
(b) Technical data or software, whether or not developed with government
funding, is not in the public domain if it has been made available to
the public without authorization from:
(1) The Directorate of Defense Trade Controls;
(2) The Department of Defense’s Office of Security Review;
(3) The relevant U.S. government contracting entity with authority to
allow the technical data or software to be made available to the public; or
(4) Another U.S. government official with authority to allow the
technical data or software to be made available to the public.
§ 127.1 Violations.
[...]
(6) To export, reexport, retransfer, or otherwise make available to the
public technical data or software if such person has knowledge that the
technical data or software was made publicly available without an
authorization described in § 120.11(b) of this subchapter.
ps: there is yet another ITAR change on the way about exploits and
technical data concerning security and hacking tools.
See e.g. http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/
-- Peter Fairbrother