Re: [Cryptography] Proposed US ITAR changes would require prepublication approval for most crypto research
Snap, from Australia:
http://www.smh.com.au/it-pro/security-it/dangerous-minds-are-maths-teachers-...
"Australian academics who teach mathematics may need to run new ideas by the Department of Defence before sharing them or risk imprisonment. Some academics are set to become much more familiar with the department's Defence Export Control Office (DECO), a unit that enforces the Defence Trade Control Act 2012, Australia's end of a 2007 pact with the US and UK over defence trade. Until recently, DECO only regulated physically exported weapons and so-called "dual use" items such as encryption, computing hardware and biological matter. However in March the act was updated to include "intangible supply", which is intended to prohibit the transfer of knowledge from Australia that could be used to produce weapons."
Alfie
On Tue, Jun 9, 2015, at 05:36 PM, pete wrote:
Proposed US ITAR changes. New regs, for comment, not yet in law or in force.
http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened...
www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf
Actually, it says, for the first time explicitly, that publishing widely on the internet would be enough to put data into the public domain [000]. Sounds good?
However, there is a great big kicker: posting ITAR technical data for the first time would be an export, and you wouldn't be allowed to do it without prior authorization [17].
Reposting already-posted technical data is also making it available, and you wouldn't be allowed to do that unless the initial posting was authorised.
Neither would you be allowed to sell a book or magazine or periodical, even within the US, unless it had been made available with an authorisation [23].
Phil Zimmermann's trick, publishing the source to PGP in printed form to put it in the public domain, would no longer work.
There is also some trickery about redefining software as an item, rather than as data; one effect of which is to put software which is the result of fundamental research into the control regime.
Of course, as "fundamental research" only means research done in the US by US centers of learning, or US Government funded ..
I get confused, but it would seem to me that eg if there is a crypto conference in the US with published proceedings, the publishers would need export permission for the work of foreign authors, but not the work of most US authors.
[000] "Public domain" here is not the same thing as "public domain" in copyright law. They use the same words, but they are defined completely differently.
[17] To get pernickety: data which has been made publicly available, including by widespread posting, would be exempt.
However, data which hadn't been made available with proper authorisation would not be exempt. This would apply to data which is now in the public domain too.
If you saw some posted data or data in a book, and you didn't actually know that it hadn't been released with proper authorisation, you couldn't be prosecuted for reposting it, or selling the books it was in. Though you could be prevented from doing it again, if someone told you its initial release has not been authorised.
[23] the relevant bits:
§ 120.11 Public domain.
(a) Except as set forth in paragraph (b) of this section, unclassified information and software are in the public domain, and are thus not technical data or software subject to the ITAR, when they have been made available to the public without restrictions upon their further dissemination such as through any of the following:
(1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or
(5) Submission of a written composition, manuscript or presentation to domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications, or to organizers of open conferences or other open gatherings, with the intention that the compositions, manuscripts, or publications will be made publicly available if accepted for publication or presentation.
(b) Technical data or software, whether or not developed with government funding, is not in the public domain if it has been made available to the public without authorization from:
(1) The Directorate of Defense Trade Controls;
(2) The Department of Defense’s Office of Security Review;
(3) The relevant U.S. government contracting entity with authority to allow the technical data or software to be made available to the public; or
(4) Another U.S. government official with authority to allow the technical data or software to be made available to the public.
§ 127.1 Violations. [...] (6) To export, reexport, retransfer, or otherwise make available to the public technical data or software if such person has knowledge that the technical data or software was made publicly available without an authorization described in § 120.11(b) of this subchapter.
ps: there is yet another ITAR change on the way about exploits and technical data concerning security and hacking tools. see eg; http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/
-- Peter Fairbrother
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
-- Alfie John alfiej@fastmail.fm