Slashdot Mirror

← Back to Stories (view on slashdot.org)

Submitting Code to ITAR for Export?

Posted by michael on from the people-don't-kill-people,-code-kills-people dept.

wowbagger asks: "I have the (mis)fortune to be working on a commercial product that will contain encryption/decryption capability. Since the product is targeted for export as well as use within the US, I get to file with the various TLAs showing my product isn't going to destroy the world. Joy. Does anybody else have experience in this? Yes, the ITAR regs aren't merely a case of 'locking the barn door after the horse has fled', but rather 'locking the barn door after the horse has fled, raised a family, evolved into sentience, developed technology, come back with flamethrowers, burned the barn to the ground, sown the lot with salt, and left for another star system'. But unfortunately I have to comply. So, does anybody else have any experience with this process?" A better place to ask this would be the cypherpunks or wasabisystems.com crypto mailing lists...

7 of 19 comments (clear)

  1. uhh... by ameoba · · Score: 3, Funny
    " A better place to ask this would be the cypherpunks or wasbisystems.com crypto mailing lists..."


    If this is the case then WTF is it getting posted to slashdot? Wouldn't an email make more sense than letting us suboptimal Slashdotters give our uneducated guesses, beowulf jokes & goatse links?
    --
    my sig's at the bottom of the page.
  2. Exporting encryption products... by geoswan · · Score: 3, Interesting
    Weird. Encryption devices are not just controlled, but they are classed as "munitions" under US law.

    Peter Junger, a professor of law, who taught a course, "computers and the law", has an account of the steps he took to make sure he could demonstrate an encryption program to his students -- when he couldn't guarantee that none of them were foreign students. This first article is quite interesting. And there are a number of interesting followups. Go to RISKS search page and search for "Junger".

    And here is another RISKS article entitled My life as an international arms courier . It is quite long -- but it is hilarious. Matt Blaze, the author, worked for AT&T, and wanted to take a new phone scrambler, to show some colleagues on a business trip to Europe. He decided he would try to go through the proper channels to take this device with him. Here are some of his final comments...

    My conclusion from all this is that it just isn't possible for an individual ... Even having gone through the process now, I still have no idea how to obtain, let alone file, the proper forms ... Technically speaking, everyone with a laptop disk encryption program who travels abroad is in violation of the law ... Had I just put my telephone in my suitcase without telling anyone instead of calling attention to myself by trying to follow the rules, chances are no one would have noticed or cared.

    Unfortunately, however, these absurd rules carry the full force of law, and one ignores them only at the risk of being prosecuted for international arms trafficking ... At the same time, anyone who is aware of and who tries to follow the regulations is made to jump through pointless hoops that are so obscure that even the people charged with enforcing them don't know quite what to make of them.

    My memory is playing tricks on me. My memory is that he was quietly lead to cool his heels in a locked holding room, that he described hearing the footfalls of a guy who looked like Joe Friday, whose first words to him were, "So, are you the guy with the bomb?"

    Mind you, these articles are from 1993 and 1995. Will you write up your experiences for us?

  3. Why post this story? -- It's funny. by Louis_Wu · · Score: 2
    then WTF is it getting posted to slashdot?

    Because Michael laughed so hard at the second "locking the barn door after the horse ..." example that he modded the story (+1, Funny), and the only way to do that with a story is to post it. :)

  4. Mod parent up by shoppa · · Score: 2
    Everyone should read the My life as an international arms courier article from the Risks Digest. Please mod the parent up so this gets as wide an acceptance as possible.

    Just coincidentally, I studied nuclear physics in grad schools, and now my former employers are getting barrages of clueless questions from FBI and NSA type people about the security risk I pose. Most of them are along the lines of So, are you the guy with the bomb?!

  5. BXA (BIS, now) and EAR Part 740 by tachyonflow · · Score: 2, Informative
    Usual disclaimer: IANAL, and you really should consult a lawyer if you want to be sure about this sort of thing.

    However, just to educate yourself, I would recommend sitting down and spending a day combing through the actual laws to get a feel for how they may apply to your situation. Start with the Export Administration Regulations, Part 740:

    http://w3.access.gpo.gov/bis/ear/txt/740.txt

    Basically, the BIS (Bureau of Industry and Security, formerly the Bureau of Export Administration) divides the world into several categories:

    • USA and Canada(?)
    • The "EU+8" "friendly" countries
    • Other countries that don't fall into the above two categories, but are not considered terrorist countries
    • The "T-7" list of terrorist countries

    You'll probably be treating each category of country in a different way. Furthermore, restrictions may be slightly different depending on if you are exporting to foreign government users or foreign non-government users. Also, in some circumstances, you may be required to file reports indicating how various customers are using your crypto.

    You'll also want to peruse all the relevent web pages at the BIS:

    http://www.bxa.doc.gov/

    (Hmm, looks like they've recently changed their name to "Bureau of Industry and Security". They were "Bureau of Export Administration" when I looked earlier this year.)

    For practically any kind of commercial crypto you are planning to export, you'll need to file some paperwork with the BIS. Fill out a request form on their web site, and they'll send you the paperwork.

    One last recommendation I could make would be to occasionally read the talk.politics.crypto newsgroup.

    Whenever I talk to people about crypto export regulations, I usually hear "Oh, you must not have heard, crypto regulations are relaxed, now!" I have to explain that dealing with crypto exports still requires, at least, dealing with a ton of bureaucracy and is still a royal pain in the ass.

  6. My experience by Raiford · · Score: 3, Informative
    If your application has primarily a commercial focus then EAR restrictions dictate export control. If you were doing something very scientific like electromagnetic scattering codes (like I was) then ITAR will be the controlling broader restriction. The idea behind these export controls is basically to prevent rapid proliferation of codes that could be used by a hostile government. No one even pretends to think that software won't make its way to every stretch of the globe. What you are trying to protect is technology or technology-use lead-time. Even the best kept secrets find their way to the so-called wrong hands eventually. It's more a matter of delaying the process as long as possible.

    There is a description of the differences between ITAR and EAR in the following link (note:it is a Powerpoint presentation) --> link

    --
    "player 4 hit player 1 with 0 stroms"
  7. Export Control Officer by Detritus · · Score: 2

    Many companies have an export control officer who is responsible for ensuring that the company obeys all of the export control laws and regulations. If you don't have one, the company's legal counsel should be able to tell you what you need to do. Where I work, nothing gets shipped out of the country without the approval of the export control officer. That includes electronic delivery via the Internet.

    --
    Mea navis aericumbens anguillis abundat