[Cryptography] Proposed US ITAR changes would require prepublication approval for most crypto research

Alfie John alfiej at fastmail.fm
Tue Jun 9 23:31:09 EDT 2015


Snap, from Australia:

    http://www.smh.com.au/it-pro/security-it/dangerous-minds-are-maths-teachers-australias-newest-threat-20150608-ghira9.html

    "Australian academics who teach mathematics may need to run new
    ideas by the Department of Defence before sharing them or risk
    imprisonment.

    Some academics are set to become much more familiar with the
    department's Defence Export Control Office (DECO), a unit that
    enforces the Defence Trade Control Act 2012, Australia's end of a
    2007 pact with the US and UK over defence trade.

    Until recently, DECO only regulated physically exported weapons and
    so-called "dual use" items such as encryption, computing hardware
    and biological matter.

    However in March the act was updated to include "intangible supply",
    which is intended to prohibit the transfer of knowledge from
    Australia that could be used to produce weapons."

Alfie

On Tue, Jun 9, 2015, at 05:36 PM, pete wrote:
> Proposed US ITAR changes. New regs, for comment, not yet in law or
> in force.
>
> http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened-by-new-obama-regulation/article/2565762
>
> www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf
>
>
> Actually, it says, for the first time explicitly, that publishing
> widely on the internet would be enough to put data into the
> public domain [000]. Sounds good?
>
> However, there is a great big kicker: posting ITAR technical data for
> the first time would be an export, and you wouldn't be allowed to do
> it without prior authorization [17].
>
> Reposting already-posted technical data is also making it available,
> and you wouldn't be allowed to do that unless the initial posting was
> authorised.
>
> Neither would you be allowed to sell a book or magazine or periodical,
> even within the US, unless it had been made available with an
> authorisation [23].
>
> Phil Zimmermann's trick, publishing the source to PGP in printed form
> to put it in the public domain, would no longer work.
>
>
>
>
>
> There is also some trickery about redefining software as an item,
> rather than as data; one effect of which is to put software which is
> the result of fundamental research into the control regime.
>
> Of course, as "fundamental research" only means research done in the
> US by US centers of learning, or US Government funded ..
>
> I get confused, but it would seem to me that eg if there is a crypto
> conference in the US with published proceedings, the publishers would
> need export permission for the work of foreign authors, but not the
> work of most US authors.
>
>
>
>
>
> [000] "Public domain" here is not the same thing as "public domain" in
>       copyright law. They use the same words, but they are defined
>       completely differently.
>
>  [17] To get pernickety: data which has been made publicly available,
>       including by widespread posting, would be exempt.
>
> However, data which hadn't been made available with proper
> authorisation would not be exempt. This would apply to data which is
> now in the public domain too.
>
> If you saw some posted data or data in a book, and you didn't actually
> know that it hadn't been released with proper authorisation, you
> couldn't be prosecuted for reposting it, or selling the books it was
> in. Though you could be prevented from doing it again, if someone told
> you its initial release has not been authorised.
>
>
>  [23] the relevant bits:
>
>
> § 120.11 Public domain.
>
> (a) Except as set forth in paragraph (b) of this section, unclassified
>     information and software are in the public domain, and are thus
>     not technical data or software subject to the ITAR, when they have
>     been made available to the public without restrictions upon their
>     further dissemination such as through any of the following:
>
> (1) Subscriptions available without restriction to any individual who
>     desires to obtain or purchase the published information;
>
> (2) Libraries or other public collections that are open and available
>     to the public, and from which the public can obtain tangible or
>     intangible documents;
>
> (3) Unlimited distribution at a conference, meeting, seminar, trade
>     show, or exhibition, generally accessible to the interested
>     public;
>
> (4) Public dissemination (i.e., unlimited distribution) in any form
>     (e.g., not necessarily in published form), including posting on the
>     Internet on sites available to the public; or
>
> (5) Submission of a written composition, manuscript or presentation to
>     domestic or foreign co-authors, editors, or reviewers of journals,
>     magazines, newspapers or trade publications, or to organizers of
>     open conferences or other open gatherings, with the intention that
>     the compositions, manuscripts, or publications will be made
>     publicly available if accepted for publication or presentation.
>
>
> (b) Technical data or software, whether or not developed with
>     government funding, is not in the public domain if it has been
>     made available to the public without authorization from:
>
> (1) The Directorate of Defense Trade Controls;
>
> (2) The Department of Defense’s Office of Security Review;
>
> (3) The relevant U.S. government contracting entity with authority to
>     allow the technical data or software to be made available to the
>     public; or
>
> (4) Another U.S. government official with authority to allow the
>     technical data or software to be made available to the public.
>
>
>
> § 127.1 Violations. [...]
> (6) To export, reexport, retransfer, or otherwise make available to
>     the public technical data or software if such person has knowledge
>     that the technical data or software was made publicly available
>     without an authorization described in § 120.11(b) of this
>     subchapter.
>
>
>
>
>
> ps: there is yet another ITAR change on the way about exploits and
>     technical data concerning security and hacking tools. see eg;
>     http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/
>
> -- Peter Fairbrother


-- 
  Alfie John
  alfiej at fastmail.fm

