Encryption Security

Submitting Code to ITAR for Export?

wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...
This discussion has been archived. No new comments can be posted.

  • uhh... (Score:3, Funny)

    by ameoba ( 173803 ) on Wednesday October 02, 2002 @08:49AM (#4372744)
    "A better place to ask this would be the cypherpunks [google.com] or wasabisystems.com [wasabisystems.com] crypto mailing lists..."


    If this is the case then WTF is it getting posted to slashdot? Wouldn't an email make more sense than letting us suboptimal Slashdotters give our uneducated guesses, beowulf jokes & goatse links?
    • ...beowulf cluster, do the ITAR regulations cover whether or not it would be possible to make a beowulf cluster of this product?

      It's one thing to say the product doesn't destroy the world, but his company is probably hoping for more than one export, maybe enough exports to make a beowulf cluster!!

      It won't be a pretty sight to see the world destroyed by a beowulf cluster.

      Has anybody made a beowulf cluster of beowulf clusters yet?

      Sam
    • then WTF is it getting posted to slashdot?

      Because Michael laughed so hard at the second "locking the barn door after the horse ..." example that he modded the story (+1, Funny), and the only way to do that with a story is to post it. :)

  • by geoswan ( 316494 ) on Wednesday October 02, 2002 @10:13AM (#4373263) Journal
    Weird. Encryption devices are not just controlled, but they are classed as "munitions" under US law.

    Peter Junger, a professor of law, who taught a course, "computers and the law", has an account of the steps he took to make sure he could demonstrate an encryption program to his students -- when he couldn't guarantee that none of them were foreign students. This first article [ncl.ac.uk] is quite interesting. And there are a number of interesting followups. Go to RISKS search page and search for "Junger".

    And here is another RISKS article entitled My life as an international arms courier [ncl.ac.uk]. It is quite long -- but it is hilarious. Matt Blaze, the author, worked for AT&T, and wanted to take a new phone scrambler, to show some colleagues on a business trip to Europe. He decided he would try to go through the proper channels to take this device with him. Here are some of his final comments...

    My conclusion from all this is that it just isn't possible for an individual ... Even having gone through the process now, I still have no idea how to obtain, let alone file, the proper forms ... Technically speaking, everyone with a laptop disk encryption program who travels abroad is in violation of the law ... Had I just put my telephone in my suitcase without telling anyone instead of calling attention to myself by trying to follow the rules, chances are no one would have noticed or cared.

    Unfortunately, however, these absurd rules carry the full force of law, and one ignores them only at the risk of being prosecuted for international arms trafficking ... At the same time, anyone who is aware of and who tries to follow the regulations is made to jump through pointless hoops that are so obscure that even the people charged with enforcing them don't know quite what to make of them.

    My memory is playing tricks on me. My memory is that he was quietly led to cool his heels in a locked holding room, that he described hearing the footfalls of a guy who looked like Joe Friday, whose first words to him were, "So, are you the guy with the bomb?"

    Mind you, these articles are from 1993 and 1995. Will you write up your experiences for us?

    • Everyone should read the My life as an international arms courier [ncl.ac.uk] article from the Risks Digest [ncl.ac.uk]. Please mod the parent up so this gets as wide an acceptance as possible.

      Just coincidentally, I studied nuclear physics in grad schools, and now my former employers are getting barrages of clueless questions from FBI and NSA type people about the security risk I pose. Most of them are along the lines of So, are you the guy with the bomb?!

  • ITAR does not apply anymore. EAR is the currently governing US policy on this. You should probably have your company talk to a lawyer in the know. A good place to start looking, if you insist on doing this yourself, is the Export control reference materials site [dtic.mil]

    -j

  • Usual disclaimer: IANAL, and you really should consult a lawyer if you want to be sure about this sort of thing.

    However, just to educate yourself, I would recommend sitting down and spending a day combing through the actual laws to get a feel for how they may apply to your situation. Start with the Export Administration Regulations, Part 740:

    http://w3.access.gpo.gov/bis/ear/txt/740.txt [gpo.gov]

    Basically, the BIS (Bureau of Industry and Security, formerly the Bureau of Export Administration) divides the world into several categories:

    • USA and Canada(?)
    • The "EU+8" "friendly" countries
    • Other countries that don't fall into the above two categories, but are not considered terrorist countries
    • The "T-7" list of terrorist countries

    You'll probably be treating each category of country in a different way. Furthermore, restrictions may be slightly different depending on if you are exporting to foreign government users or foreign non-government users. Also, in some circumstances, you may be required to file reports indicating how various customers are using your crypto.

    You'll also want to peruse all the relevant web pages at the BIS:

    http://www.bxa.doc.gov/ [doc.gov]

    (Hmm, looks like they've recently changed their name to "Bureau of Industry and Security". They were "Bureau of Export Administration" when I looked earlier this year.)

    For practically any kind of commercial crypto you are planning to export, you'll need to file some paperwork with the BIS. Fill out a request form on their web site, and they'll send you the paperwork.

    One last recommendation I could make would be to occasionally read the talk.politics.crypto newsgroup.

    Whenever I talk to people about crypto export regulations, I usually hear "Oh, you must not have heard, crypto regulations are relaxed, now!" I have to explain that dealing with crypto exports still requires, at least, dealing with a ton of bureaucracy and is still a royal pain in the ass.

  • My experience (Score:3, Informative)

    by Raiford ( 599622 ) on Wednesday October 02, 2002 @01:07PM (#4374467) Journal
    If your application has primarily a commercial focus then EAR restrictions dictate export control. If you were doing something very scientific like electromagnetic scattering codes (like I was) then ITAR will be the controlling broader restriction. The idea behind these export controls is basically to prevent rapid proliferation of codes that could be used by a hostile government. No one even pretends to think that software won't make its way to every stretch of the globe. What you are trying to protect is technology or technology-use lead-time. Even the best kept secrets find their way to the so-called wrong hands eventually. It's more a matter of delaying the process as long as possible.

    There is a description of the differences between ITAR and EAR in the following link (note: it is a PowerPoint presentation) --> link [nasa.gov]

  • Not too hard to handle ITAR, just get the company lawyers in a room, say "We have to do this" and let them deal with it...

    That is what you pay these people for, and you will need them. Remember the askslashdot question "How do I know when I need a Lawyer ?". One of the answers should be when your boss asks you to sign something that if you mess it up, you go to jail...

    That said, there are law firms out there that know what they are doing, have done it before, and know how to deal with the stupid regulations and bureaucracy so you don't have to waste your time and can get back to doing what you really want to be doing.

  • Sounds like it's time to move to Canada... Just like OpenBSD, OpenSSH, etc.
  • Many companies have an export control officer who is responsible for ensuring that the company obeys all of the export control laws and regulations. If you don't have one, the company's legal counsel should be able to tell you what you need to do. Where I work, nothing gets shipped out of the country without the approval of the export control officer. That includes electronic delivery via the Internet.
  • Not everyone has heard that I'm still challenging the export regulations under the First Amendment. The next round of oral argument is scheduled for Friday 18 October 2002 in San Francisco.

    See export.cr.yp.to [cr.yp.to] for the case status, mailing-list information, background documents, where to send descriptions of your experiences, etc.
