Re: [Cryptography] Proposed US ITAR changes would require prepublication approval for most crypto research
Thanks for the comments Adrian. What concerns me is that from what I've seen, it only talks about Australian academics publishing novel ideas. What is completely missing is how these amendments may affect Australian open source developers, who are also non-academics, working on cryptosystems. If they publish a novel cipher on GitHub without getting approval by DECO, is that a GOTO Jail card?
Alfie
On Wed, Jun 10, 2015, at 04:15 PM, Adrian McCullagh wrote:
Dear All,
I with 4 colleagues of mine (3 at the Queensland University of Technology (Cryptographers all) and one from the University of Queensland (Legal E-commerce researcher)) have been working on a paper dealing with the Australian Defence Trade Control Act which corresponds to the proposed US ITAR changes.
Without giving everything away on our forthcoming paper, it appears to me that if this type of regulation had been in place in Germany in 1938, then it is highly likely that Einstein would never have read the Hahn - Strassmann paper dealing with splitting a uranium atom. That paper written in 1938 (December I believe) was read by Einstein in March 1939 and it directly led to Einstein sending a letter to Roosevelt, which in turn resulted in 1942 in the establishment of the Manhattan project. Now if NAZI Germany had restricted that publication NAZI Germany could have developed the bomb itself which could have completely altered the outcome.
Basically, if regimes like the ITAR rules are expanded then it works both ways and there could be a stifling of publication research due to bureaucratic mishandling. Though it could assist in the spy business as in the cold war.
Dr. Adrian McCullagh Ph.D. LL.B.(Hons) B. App. Sc. (Computing) ODMOB Lawyers Mobile 0401 646 486 Skype. Admac57 E: ajmccullagh57@gmail.com E: amccullagh@live.com
From: Alfie John Sent: Wednesday, 10 June 2015 1:54 PM To: Cryptography Mailing List, cypherpunks@cpunks.org
Snap, from Australia:
http://www.smh.com.au/it-pro/security-it/dangerous-minds-are-maths-teachers-...
"Australian academics who teach mathematics may need to run new ideas by the Department of Defence before sharing them or risk imprisonment.
Some academics are set to become much more familiar with the department's Defence Export Control Office (DECO), a unit that enforces the Defence Trade Control Act 2012, Australia's end of a 2007 pact with the US and UK over defence trade.
Until recently, DECO only regulated physically exported weapons and so-called "dual use" items such as encryption, computing hardware and biological matter.
However in March the act was updated to include "intangible supply", which is intended to prohibit the transfer of knowledge from Australia that could be used to produce weapons."
Alfie
On Tue, Jun 9, 2015, at 05:36 PM, pete wrote:
Proposed US ITAR changes. New regs, for comment, not yet in law or in force.
http://www.washingtonexaminer.com/nra-gun-blogs-videos-web-forums-threatened...
www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf
Actually, it says, for the first time explicitly, that publishing widely on the internet would be enough to put data into the public domain [000]. Sounds good?
However, there is a great big kicker: posting ITAR technical data for the first time would be an export, and you wouldn't be allowed to do it without prior authorization [17].
Reposting already-posted technical data is also making it available, and you wouldn't be allowed to do that unless the initial posting was authorised.
Neither would you be allowed to sell a book or magazine or periodical, even within the US, unless it had been made available with an authorisation [23].
Phil Zimmermann's trick, publishing the source to PGP in printed form to put it in the public domain, would no longer work.
There is also some trickery about redefining software as an item, rather than as data; one effect of which is to put software which is the result of fundamental research into the control regime.
Of course, as "fundamental research" only means research done in the US by US centers of learning, or US Government funded ..
I get confused, but it would seem to me that eg if there is a crypto conference in the US with published proceedings, the publishers would need export permission for the work of foreign authors, but not the work of most US authors.
[000] "Public domain" here is not the same thing as "public domain" in copyright law. They use the same words, but they are defined completely differently.
[17] To get pernickety: data which has been made publicly available, including by widespread posting, would be exempt.
However, data which hadn't been made available with proper authorisation would not be exempt. This would apply to data which is now in the public domain too.
If you saw some posted data or data in a book, and you didn't actually know that it hadn't been released with proper authorisation, you couldn't be prosecuted for reposting it, or selling the books it was in. Though you could be prevented from doing it again, if someone told you its initial release has not been authorised.
[23] the relevant bits:
§ 120.11 Public domain.
(a) Except as set forth in paragraph (b) of this section, unclassified information and software are in the public domain, and are thus not technical data or software subject to the ITAR, when they have been made available to the public without restrictions upon their further dissemination such as through any of the following:
(1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or
(5) Submission of a written composition, manuscript or presentation to domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications, or to organizers of open conferences or other open gatherings, with the intention that the compositions, manuscripts, or publications will be made publicly available if accepted for publication or presentation.
(b) Technical data or software, whether or not developed with government funding, is not in the public domain if it has been made available to the public without authorization from:
(1) The Directorate of Defense Trade Controls;
(2) The Department of Defense’s Office of Security Review;
(3) The relevant U.S. government contracting entity with authority to allow the technical data or software to be made available to the public; or
(4) Another U.S. government official with authority to allow the technical data or software to be made available to the public.
§ 127.1 Violations. [...] (6) To export, reexport, retransfer, or otherwise make available to the public technical data or software if such person has knowledge that the technical data or software was made publicly available without an authorization described in § 120.11(b) of this subchapter.
ps: there is yet another ITAR change on the way about exploits and technical data concerning security and hacking tools. see eg; http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/
-- Peter Fairbrother
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
-- Alfie John alfiej@fastmail.fm