[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Hacking the ITARs
> This is sick. According to this, I cannot teach
> foreigners about cryptography in the U.S. -- even about
> the open literature. This is a grotesque denial of my
> first amendment rights.
>
> I wonder if I should hold an open enrollment cryptography
> class for the sake of civil disobediance.
>
> Perry
It not as bad as that. Well, actually, it's hard to say just how bad
it is because the ITAR regulations regarding cryptography are
contradictory. It might depends on whether the class teaches only
from a book, or actually lets the foreign students write and
exchanged programs. Here are the relevant paragraphs from the ITAR:
(the terms to keep track of are - defense article, defense service,
technical data, and information)
----------------------------------------------
#120.5 Relation to regulations of other agencies.
If an article or service is covered by the U.S. Munitions List, its
export is regulated by the Department of State...
#120.6 Defense article.
Defense article means any item or technical data designated in
#121.1 of this subchapter. The policy described in #120.3 is
applicable to designations of additional items. This term includes
technical data recorded or stored in any physical form, models,
mockups or other items that reveal technical data directly relating
to items designed in #121.1 of this subchapter. It does not include
basic marketing information on function or purpose or general system
descriptions.
#120.9 Defense service. (already posted this)
(1) The furnishing of assistance (including training) to foreign
persons, whether in the United States or abroad in the design,
development, engineering, manufacture, production, assembly, testing,
repair, maintenance, modification, operation, demilitarization,
destruction, processing, or use of defense articles; or
(2) The furnishing to foreign persons of any technical data
controlled under this subchapter (see #120.10), whether in the United
States or abroad.
#120.10 Technical data.
(1) Information, other than software as defined in #120.10(4),
which is required for the design development, production,
manufacture, assembly, operation, repair, testing, maintenance or
modification of defense articles, This includes information in the
form of blueprints, drawings, photographs, plans, instructions and
documentation.
(2) Classified information relating to defense articles and defense
services;
(3) Information covered by an invention secrecy order;
(4) Software as defined in #121.8(f) of this subchapter directly
related to defense articles;
(5) [** deferred, see below **]
#121.8 (f) Software includes but is not limited to the system
functional design, logic flow, algorithms, application programs,
operating systems and support software for design, implementation,
test, operation, diagnosis and repair.
#121.1 General. The United States munitions list.
(a) The following articles, services and related technical data are
designated as defense articles and defense services pursuant to
sections 38 and 47(7) of the Arms Export Control Act.
.
.
.
Category XIII -- Auxiliary Military Equipment
.
.
(1) Cryptographic [ ] systems [ ] or software with the capability
of maintaining secrecy or confidentiality of information or
information systems, except cryptographic equipment and software as
follows:
.
.
.
(v) Limited to access control, such as...or similar data to prevent
unauthorized access to facilities but does not allow for encryption
of files or text, except as directly related to the password or PIN
protection.
(vi) Limited to data authentication which calculates a Message
Authentication Code (MAC) or similar result to ensure no alteration
of text has taken place, or to authenticate users, but does not allow
for encryption of data, text or other media other than that needed
for the authentication.
----------------------------------------------
The ITAR sections I just quoted seems to state quite clearly that
cryptographic information and software systems are export controlled.
However...the section I deferred.
----------------------------------------------
#120.10 Technical data.
...
(5) This definition does not include information concerning general
scientific, mathematical or engineering principals commonly taught in
schools, colleges and universities or information in the public
domain as defined in #120.11.
#121.11 Public domain.
Public domain means information which is published and which is
generally accessible or available to the public:
(1) Through sales at newsstands and bookstores;
(2) Through subscriptions which are available without restriction
to any individual who desires to obtain or purchase the published
information;
(3) Through second class mailing privileges granted by the U.S.
Government;
(4) At libraries open to the public or from which the public can
obtain documents;
(5) Through patents available at any patent office;
(6) Through unlimited distribution at a conference, meeting,
seminar, trade show or exhibition, generally accessible to the
public, in the United States;
(7) Through public release (i.e., unlimited distribution) in any
form (e.g., not necessarily in published form) after approval by the
cognizant U.S. government department or agency (see also
#125.4(b){13} of this subchapter);
(8) Through fundamental research in science and engineering at
accredited institutions of higher learning in the U.S., where the
resulting information is ordinarily published and shared broadly in
the scientific community.
Fundamental research is defined to mean basic and applied research
in science and engineering where the resulting information is
ordinarily published and shared broadly in the scientific community,
as distinguished from research the results of which are restricted
for proprietary reasons or specific U.S. Government access and
dissemination controls. University research will not be considered
fundamental research if:
(i) The University or its researchers accept other restrictions on
publication of scientific and technical information resulting from
the project or activity, or
(ii) The research is funded by the U.S. Government and specific
access and dissemination controls protecting information resulting
from the research are applicable.
-----------
These sections seem to state that it is ok to teach about
cryptography, and distribute information about cryptography, even to
foreign persons, as long as the information is in the public domain.
However, these sections do not seem to allow people to freely
distribute cryptographic software, even if that software is in the
public domain. Why? The ITAR defines software as *technical data*,
but not *information*. Only *information* can be in the public
domain, according to my interpretation of the ITAR.
However, according to section #121.8 (f), the term *software*
includes system functional design, logic flow, algorithms,
application programs, operating systems and support software for
design, implementation, test, operation, diagnosis and repair.
I can understand using the term *software* for application programs,
operating systems and support software. But it seems ludicrous to
define system functional design, logic flow, and algorithms as
*software* and not *information*.
Actually, it seems ludicrous to treat software on a disk as technical
data subject to export regulations, but treat software printed in a
book as information in the public domain.
So, can you teach a cryptography class and let your foreign students
write cryptographic software? Yes, but only on the first Tuesday
following the second full moon after the summer solstice, unless its
a leap year, in which case they can only program in BASIC every other
Saturday, or until you annoy someone at the State Department,
whichever comes first.
[email protected]