Slashdot Mirror


Submitting Code to ITAR for Export?

wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...

2 of 19 comments

  1. BXA (BIS, now) and EAR Part 740 by tachyonflow · Score: 2, Informative
    Usual disclaimer: IANAL, and you really should consult a lawyer if you want to be sure about this sort of thing.

    However, just to educate yourself, I would recommend sitting down and spending a day combing through the actual laws to get a feel for how they may apply to your situation. Start with the Export Administration Regulations, Part 740:

    http://w3.access.gpo.gov/bis/ear/txt/740.txt

    Basically, the BIS (Bureau of Industry and Security, formerly the Bureau of Export Administration) divides the world into several categories:

    • USA and Canada(?)
    • The "EU+8" "friendly" countries
    • Other countries that don't fall into the above two categories, but are not considered terrorist countries
    • The "T-7" list of terrorist countries

    You'll probably be treating each category of country in a different way. Furthermore, restrictions may be slightly different depending on if you are exporting to foreign government users or foreign non-government users. Also, in some circumstances, you may be required to file reports indicating how various customers are using your crypto.

    You'll also want to peruse all the relevant web pages at the BIS:

    http://www.bxa.doc.gov/

    (Hmm, looks like they've recently changed their name to "Bureau of Industry and Security". They were "Bureau of Export Administration" when I looked earlier this year.)

    For practically any kind of commercial crypto you are planning to export, you'll need to file some paperwork with the BIS. Fill out a request form on their web site, and they'll send you the paperwork.

    One last recommendation I could make would be to occasionally read the talk.politics.crypto newsgroup.

    Whenever I talk to people about crypto export regulations, I usually hear "Oh, you must not have heard, crypto regulations are relaxed, now!" I have to explain that dealing with crypto exports still requires, at least, dealing with a ton of bureaucracy and is still a royal pain in the ass.

  2. My experience by Raiford · Score: 3, Informative
    If your application has primarily a commercial focus then EAR restrictions dictate export control. If you were doing something very scientific like electromagnetic scattering codes (like I was) then ITAR will be the controlling broader restriction. The idea behind these export controls is basically to prevent rapid proliferation of codes that could be used by a hostile government. No one even pretends to think that software won't make its way to every stretch of the globe. What you are trying to protect is technology or technology-use lead-time. Even the best kept secrets find their way to the so-called wrong hands eventually. It's more a matter of delaying the process as long as possible.

    There is a description of the differences between ITAR and EAR in the following link (note: it is a PowerPoint presentation) --> link

    --
    "player 4 hit player 1 with 0 stroms"