Submitting Code to ITAR for Export? 19
wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...
uhh... (Score:3, Funny)
If this is the case then WTF is it getting posted to slashdot? Wouldn't an email make more sense than letting us suboptimal Slashdotters give our uneducated guesses, beowulf jokes & goatse links?
Very good point about the... (Score:1)
It's one thing to say the product doesn't destroy the world, but his company is probably hoping for more than one export, maybe enough exports to make a beowulf cluster!!
It won't be a pretty site to see the world destroyed by a beowulf cluster.
Has anybody made a beowulf cluster of beowulf clusters yet?
Sam
Why post this story? -- It's funny. (Score:2)
Because Michael laughed so hard at the second "locking the barn door after the horse ..." example that he modded the story (+1, Funny), and the only way to do that with a story is to post it. :)
Re:Why post this story? -- It's funny. (Score:1)
And rightly so - It would have been a pity to miss that example.
Exporting encryption products... (Score:3, Interesting)
Peter Junger, a professor of law, who taught a course, "computers and the law", has an account of the steps he took to make sure he could demonstrate an encryption program to his students -- when he couldn't guarantee that none of them were foreign students. This first article [ncl.ac.uk] is quite interesting. And there are a number of interesting followups. Go to RISKS search page and search for "Junger".
And here is another RISKS article entitled My life as an international arms courier [ncl.ac.uk]. It is quite long -- but it is hilarious. Matt Blaze, the author, worked for AT&T, and wanted to take a new phone scrambler, to show some colleagues on a business trip to Europe. He decided he would try to go through the proper channels to take this device with him. Here are some of his final comments...
My memory is playing tricks on me. My memory is that he was quietly lead to cool his heels in a locked holding room, that he described hearing the footfalls of a guy who looked like Joe Friday, whose first words to him were, "So, are you the guy with the bomb?"
Mind you, these articles are from 1993 and 1995. Will you write up your experiences for us?
Mod parent up (Score:2)
Just coincidentally, I studied nuclear physics in grad schools, and now my former employers are getting barrages of clueless questions from FBI and NSA type people about the security risk I pose. Most of them are along the lines of So, are you the guy with the bomb?!
Um, dude, you're out of date (Score:1)
-j
BXA (BIS, now) and EAR Part 740 (Score:2, Informative)
However, just to educate yourself, I would recommend sitting down and spending a day combing through the actual laws to get a feel for how they may apply to your situation. Start with the Export Administration Regulations, Part 740:
http://w3.access.gpo.gov/bis/ear/txt/740.txt [gpo.gov]
Basically, the BIS (Bureau of Industry and Security, formerly the Bureau of Export Administration) divides the world into several categories:
You'll probably be treating each category of country in a different way. Furthermore, restrictions may be slightly different depending on if you are exporting to foreign government users or foreign non-government users. Also, in some circumstances, you may be required to file reports indicating how various customers are using your crypto.
You'll also want to peruse all the relevent web pages at the BIS:
http://www.bxa.doc.gov/ [doc.gov]
(Hmm, looks like they've recently changed their name to "Bureau of Industry and Security". They were "Bureau of Export Administration" when I looked earlier this year.)
For practically any kind of commercial crypto you are planning to export, you'll need to file some paperwork with the BIS. Fill out a request form on their web site, and they'll send you the paperwork.
One last recommendation I could make would be to occasionally read the talk.politics.crypto newsgroup.
Whenever I talk to people about crypto export regulations, I usually hear "Oh, you must not have heard, crypto regulations are relaxed, now!" I have to explain that dealing with crypto exports still requires, at least, dealing with a ton of bureaucracy and is still a royal pain in the ass.
My experience (Score:3, Informative)
There is a description of the differences between ITAR and EAR in the following link (note:it is a Powerpoint presentation) --> link [nasa.gov]
I shipped an IPsec hardware accelerator (Score:1)
That is what you pay these people for, and you will need them. Remember the askslashdot question "How do I know when I need a Lawyer ?". One of the answers should be when your boss asks you to sign something that if you mess it up, you go to jail...
That said there are law firms out there that know what they are doing, have done it before, and know how to deal with the stupid regulations and buracracy so you don't have to waste your time and can get back to doing what you really want to be doing.
Take off... to the Great White North (Score:1)
Export Control Officer (Score:2)
Crypto censorship is back in court (Score:1)
See export.cr.yp.to [cr.yp.to] for the case status, mailing-list information, background documents, where to send descriptions of your experiences, etc.