[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hacking the ITARs




> This is sick. According to this, I cannot teach
> foreigners about cryptography in the U.S. -- even about
> the open literature. This is a grotesque denial of my
> first amendment rights.
> 

> I wonder if I should hold an open enrollment cryptography
> class for the sake of civil disobediance.
> 

> Perry 


It not as bad as that.  Well, actually, it's hard to say just how bad  
it is because the ITAR regulations regarding cryptography are  
contradictory.  It might depends on whether the class teaches only  
from a book, or actually lets the foreign students write and  
exchanged programs.  Here are the relevant paragraphs from the ITAR:

(the terms to keep track of are - defense article, defense service,  
technical data, and information)


----------------------------------------------
#120.5  Relation to regulations of other agencies.

  If an article or service is covered by the U.S. Munitions List, its  
export is regulated by the Department of State...
  

    

#120.6  Defense article.

  Defense article means any item or technical data designated in  
#121.1 of this subchapter.  The policy described in #120.3 is  
applicable to designations of additional items.  This term includes  
technical data recorded or stored in any physical form, models,  
mockups or other items that reveal technical data directly relating  
to items designed in #121.1 of this subchapter.  It does not include  
basic marketing information on function or purpose or general system  
descriptions.
  


#120.9  Defense service. (already posted this)

  (1) The furnishing of assistance (including training) to foreign  
persons, whether in the United States or abroad in the design,  
development, engineering, manufacture, production, assembly, testing,  
repair, maintenance, modification, operation, demilitarization,  
destruction, processing, or use of defense articles; or
  (2) The furnishing to foreign persons of any technical data  
controlled under this subchapter (see #120.10), whether in the United  
States or abroad.


#120.10  Technical data.

  (1) Information, other than software as defined in #120.10(4),  
which is required for the design development, production,  
manufacture, assembly, operation, repair, testing, maintenance or  
modification of defense articles,  This includes information in the  
form of blueprints, drawings, photographs, plans, instructions and  
documentation.
  (2) Classified information relating to defense articles and defense  
services;
  (3) Information covered by an invention secrecy order;
  (4) Software as defined in #121.8(f) of this subchapter directly  
related to defense articles;
  (5) [** deferred, see below **]


#121.8 (f) Software includes but is not limited to the system  
functional design, logic flow, algorithms, application programs,  
operating systems and support software for design, implementation,  
test, operation, diagnosis and repair.


#121.1  General.  The United States munitions list.

  (a) The following articles, services and related technical data are  
designated as defense articles and defense services pursuant to  
sections 38 and 47(7) of the Arms Export Control Act.
	.
	.
	.
Category XIII -- Auxiliary Military Equipment
	.
	.
  (1)  Cryptographic [ ] systems [ ] or software with the capability  
of maintaining secrecy or confidentiality of information or  
information systems, except cryptographic equipment and software as  
follows:
	.
	.
	.
  (v) Limited to access control, such as...or similar data to prevent  
unauthorized access to facilities but does not allow for encryption  
of files or text, except as directly related to the password or PIN  
protection.
  

  (vi) Limited to data authentication which calculates a Message  
Authentication Code (MAC) or similar result to ensure no alteration  
of text has taken place, or to authenticate users, but does not allow  
for encryption of data, text or other media other than that needed  
for the authentication.


----------------------------------------------

The ITAR sections I just quoted seems to state quite clearly that  
cryptographic information and software systems are export controlled.   


However...the section I deferred.


----------------------------------------------
#120.10  Technical data.
	...
  (5) This definition does not include information concerning general  
scientific, mathematical or engineering principals commonly taught in  
schools, colleges and universities or information in the public  
domain as defined in #120.11.

#121.11  Public domain.

  Public domain means information which is published and which is  
generally accessible or available to the public:
  (1) Through sales at newsstands and bookstores;
  (2) Through subscriptions which are available without restriction  
to any individual who desires to obtain or purchase the published  
information;
  (3) Through second class mailing privileges granted by the U.S.  
Government;
  (4) At libraries open to the public or from which the public can  
obtain documents;
  (5) Through patents available at any patent office;
  (6) Through unlimited distribution at a conference, meeting,  
seminar, trade show or exhibition, generally accessible to the  
public, in the United States;
  (7) Through public release (i.e., unlimited distribution) in any  
form (e.g., not necessarily in published form) after approval by the  
cognizant U.S. government department or agency (see also  
#125.4(b){13} of this subchapter);
  (8) Through fundamental research in science and engineering at  
accredited institutions of higher learning in the U.S., where the  
resulting information is ordinarily published and shared broadly in  
the scientific community.
  Fundamental research is defined to mean basic and applied research  
in science and engineering where the resulting information is  
ordinarily published and shared broadly in the scientific community,  
as distinguished from research the results of which are restricted  
for proprietary reasons or specific U.S. Government access and  
dissemination controls.  University research will not be considered  
fundamental research if:
  (i) The University or its researchers accept other restrictions on  
publication of scientific and technical information resulting from  
the project or activity, or
  (ii) The research is funded by the U.S. Government and specific  
access and dissemination controls protecting information resulting  
from the research are applicable.
  

-----------

These sections seem to state that it is ok to teach about  
cryptography, and distribute information about cryptography, even to  
foreign persons, as long as the information is in the public domain.   
However, these sections do not seem to allow people to freely  
distribute cryptographic software, even if that software is in the  
public domain.  Why?  The ITAR defines software as *technical data*,  
but not *information*.   Only *information* can be in the public  
domain, according to my interpretation of the ITAR.
  

However, according to section #121.8 (f), the term *software*  
includes system functional design, logic flow, algorithms,  
application programs, operating systems and support software for  
design, implementation, test, operation, diagnosis and repair.

I can understand using the term *software* for application programs,  
operating systems and support software.  But it seems ludicrous to  
define system functional design, logic flow, and algorithms as  
*software* and not *information*.

Actually, it seems ludicrous to treat software on a disk as technical  
data subject to export regulations, but treat software printed in a  
book as information in the public domain.

So, can you teach a cryptography class and let your foreign students  
write cryptographic software?  Yes, but only on the first Tuesday  
following the second full moon after the summer solstice, unless its  
a leap year, in which case they can only program in BASIC every other  
Saturday, or until you annoy someone at the State Department,  
whichever comes first.


[email protected]