[Cryptography] proposed ITAR changes

ianG iang at iang.org
Thu Jun 11 20:40:28 EDT 2015 

(second of two that Peter wanted forward, words his)




Second issue, proposed US ITAR changes. New regs, for comment, not yet 
in law or in force.

http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened-by-new-obama-regulation/article/2565762

www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf


Actually, it says, for the first time explicitly, that publishing widely 
on the internet would be enough to put data into the public domain. 
Sounds good?

However, there is a great big kicker: posting technical data for the 
first time would be an export, and you wouldn't be allowed to do it 
without prior authorization [17].

Reposting already-posted technical data is also making it available, and 
you wouldn't be allowed to do that unless the initial posting was 
authorised.

Neither would you be allowed to sell a book or magazine or periodical, 
even within the US, unless it had been made available with an 
authorisation [23].


So, in the US people wouldn't be allowed to make technical data 
available even by publishing technical data in book form without prior 
authorisation. Phil Zimmerman's trick, publishing the source to PGP in 
printed form to put it in the public domain, would no longer work.

In fact, you wouldn't be able to send 100-year-old science textbooks 
overseas unless you knew that they have been authorised. Nor could you 
sell them in the US if/once you had been reliably informed that they had 
not been authorised.

Talk about wildly overinclusive laws ..



There is also some trickery about redefining software as an item, rather 
than as data; one effect of which is to put software which is the result 
of fundamental research into the control regime.

Of course, as "fundamental research" only means research done in the US 
by US centers of learning, or US Government funded ..

I get confused, but it would seem to me that eg if there is a crypto 
conference in the US with published proceedings, the publishers would 
need export permission for the work of foreign authors, but not the work 
of most US authors.




[17] To get pernickity: data which has been made publicly available, 
including by widespread posting, would be exempt.

However, data which hadn't been made available with proper authorisation 
would not be exempt.

If you saw some posted data or data in a book, and you didn't actually 
know that it hadn't been released with proper authorisation, you 
couldn't be prosecuted for reposting it, or selling the books it was in. 
Though you could be prevented from doing it again, if someone told you 
its initial release has not been authorised.


[123]

§ 127.1
Violations.
(a) * * *
(6) To export, reexport, retransfer, or otherwise make available to the 
public technical data or software if such person has knowledge that the 
technical data or software was made publicly available without an 
authorization described in § 120.11(b) of this subchapter.

-- Peter Fairbrother

More information about the cryptography mailing list