Submitting Code to ITAR for Export?

wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...

Exporting encryption products...

[geoswan]

Weird. Encryption devices are not just controlled, but they are classed as "munitions" under US law.

Peter Junger, a professor of law, who taught a course, "computers and the law", has an account of the steps he took to make sure he could demonstrate an encryption program to his students -- when he couldn't guarantee that none of them were foreign students. This first article is quite interesting. And there are a number of interesting followups. Go to RISKS search page and search for "Junger".

And here is another RISKS article entitled My life as an international arms courier . It is quite long -- but it is hilarious. Matt Blaze, the author, worked for AT&T, and wanted to take a new phone scrambler, to show some colleagues on a business trip to Europe. He decided he would try to go through the proper channels to take this device with him. Here are some of his final comments...

My conclusion from all this is that it just isn't possible for an individual ... Even having gone through the process now, I still have no idea how to obtain, let alone file, the proper forms ... Technically speaking, everyone with a laptop disk encryption program who travels abroad is in violation of the law ... Had I just put my telephone in my suitcase without telling anyone instead of calling attention to myself by trying to follow the rules, chances are no one would have noticed or cared.

Unfortunately, however, these absurd rules carry the full force of law, and one ignores them only at the risk of being prosecuted for international arms trafficking ... At the same time, anyone who is aware of and who tries to follow the regulations is made to jump through pointless hoops that are so obscure that even the people charged with enforcing them don't know quite what to make of them.

My memory is playing tricks on me. My memory is that he was quietly lead to cool his heels in a locked holding room, that he described hearing the footfalls of a guy who looked like Joe Friday, whose first words to him were, "So, are you the guy with the bomb?"

Mind you, these articles are from 1993 and 1995. Will you write up your experiences for us?