[Cryptography] Proposed US ITAR changes would require prepublication approval for most crypto research

pete peter at m-o-o-t.org
Tue Jun 9 03:36:46 EDT 2015


Proposed US ITAR changes. New regs, for comment, not yet in law or in force.

http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened-by-new-obama-regulation/article/2565762

www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf


Actually, it says, for the first time explicitly, that publishing widely 
on the internet would be enough to put data into the public domain 
[000]. Sounds good?

However, there is a great big kicker: posting ITAR technical data for 
the first time would be an export, and you wouldn't be allowed to do it 
without prior authorization [17].

Reposting already-posted technical data is also making it available, and 
you wouldn't be allowed to do that unless the initial posting was 
authorised.

Neither would you be allowed to sell a book or magazine or periodical, 
even within the US, unless it had been made available with an 
authorisation [23].

Phil Zimmermann's trick, publishing the source to PGP in printed form to 
put it in the public domain, would no longer work.





There is also some trickery about redefining software as an item, rather 
than as data; one effect of which is to put software which is the result 
of fundamental research into the control regime.

Of course, as "fundamental research" only means research done in the US 
by US centers of learning, or US Government funded ..

I get confused, but it would seem to me that eg if there is a crypto 
conference in the US with published proceedings, the publishers would 
need export permission for the work of foreign authors, but not the work 
of most US authors.





[000] "Public domain" here is not the same thing as "public domain" in 
copyright law. They use the same words, but they are defined completely 
differently.

[17] To get pernickety: data which has been made publicly available, 
including by widespread posting, would be exempt.

However, data which hadn't been made available with proper authorisation 
would not be exempt. This would apply to data which is now in the public 
domain too.

If you saw some posted data or data in a book, and you didn't actually 
know that it hadn't been released with proper authorisation, you 
couldn't be prosecuted for reposting it, or selling the books it was in. 
Though you could be prevented from doing it again, if someone told you 
its initial release has not been authorised.


[23] the relevant bits:


§ 120.11 Public domain.

(a) Except as set forth in paragraph (b) of this section, unclassified 
information and software are in the public domain, and are thus not 
technical data or software subject to the ITAR, when they have been made 
available to the public without restrictions upon their further 
dissemination such as through any of the following:

(1) Subscriptions available without restriction to any individual who 
desires to obtain or purchase the published information;

(2) Libraries or other public collections that are open and available to 
the public, and from which the public can obtain tangible or intangible 
documents;

(3) Unlimited distribution at a conference, meeting, seminar, trade 
show, or exhibition, generally accessible to the interested public;

(4) Public dissemination (i.e., unlimited distribution) in any form 
(e.g., not necessarily in published form), including posting on the 
Internet on sites available to the public; or

(5) Submission of a written composition, manuscript or presentation to 
domestic or foreign co-authors, editors, or reviewers of journals, 
magazines, newspapers or trade publications, or to organizers of open 
conferences or other open gatherings, with the intention that the 
compositions, manuscripts, or publications will be made publicly 
available if accepted for publication or presentation.


(b) Technical data or software, whether or not developed with government 
funding, is not in the public domain if it has been made available to 
the public without authorization from:

(1) The Directorate of Defense Trade Controls;

(2) The Department of Defense’s Office of Security Review;

(3) The relevant U.S. government contracting entity with authority to 
allow the technical data or software to be made available to the public; or

(4) Another U.S. government official with authority to allow the 
technical data or software to be made available to the public.



§ 127.1 Violations.
[...]
(6) To export, reexport, retransfer, or otherwise make available to the 
public technical data or software if such person has knowledge that the 
technical data or software was made publicly available without an 
authorization described in § 120.11(b) of this subchapter.





ps: there is yet another ITAR change on the way about exploits and 
technical data concerning security and hacking tools.
see eg; http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/

-- Peter Fairbrother


