[ale] export controls?

Michael H. Warfield mhw at linux.vnet.ibm.com
Sun Jan 2 14:19:23 EST 2011


On Sun, 2011-01-02 at 14:40 +0000, Watson, Keith wrote: 
> > -----Original Message-----
> > From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Paul
> > Cartwright
> > Sent: Sunday, January 02, 2011 06:12
> > To: Atlanta Linux Enthusiasts
> > Subject: [ale] export controls?
> > 
> > does this affect linux at all?
> > 
> > http://www.foxnews.com/politics/2011/01/01/immigration-office-eases-
> > foreign-worker-rule-employer-backlash/
> > 
> > U.S. Citizenship and Immigration Services, in pushing the new
> > requirement, is effectively trying to enforce a law that's been on the
> > books for years. Under the "export control" law, employers are
> > prohibited from sharing certain technological data with foreign workers
> > they bring on board without a license from the federal government. It's
> > not a literal export of, say, automobiles or raw sugar. But the
> > government considers it an export all the same, since a foreign worker
> > could look at blueprints or some other technical plan in the United
> > States and then "export" it to his or her country by simply returning
> > home and replicating it.
> > 
> > 
> > --
> > Paul Cartwright
> > Registered Linux user # 367800
> > Registered Ubuntu User #12459
> > 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> 
> 
> This is all part of International Traffic in Arms Regulations (ITAR).
> The article is referring to "Deemed Export" which is allowing a
> foreign national from an export restricted country to have access to
> export controlled material while inside the United States.
> 
> EXPORT LICENSING REQUIREMENTS FOR FOREIGN NATIONALS
> http://www.ailf.org/lac/pa/lac_pa_071703.pdf
> 
> 
> International Traffic in Arms Regulations
> http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations
> 
> 
> This is nothing new (except maybe having to declare up front you are
> in compliance). They have been enforcing deemed export.
> 
> University Professor Gets Severe Sentence For Deemed Export Violations
> http://tradelawyersblog.com/blog/archive/2009/july/article/university-professor-gets-severe-sentence-for-deemed-export-violations/?tx_ttnews[day]=27&cHash=7232ca6273

That particular case quoted is not applicable here.  That case was about
military technology for things like plasma injectors that were being
developed for use in Air Force drones.  Yeah, that's a horse of an
entirely different color and doesn't apply to this community unless
you're into something I'm not.

> http://preview.tinyurl.com/23x8ghy

> I don't think it applies to Linux directly however, getting a clear
> ruling out of ITAR can sometimes be as difficult as getting a clear
> ruling out of the IRS. A good rule to follow is to tread lightly when
> it comes to encryption.

I can't speak to issues regarding anything other than cryptography but
non-military mass-market cryptography (OpenSource or otherwise) has not
been covered by ITAR in over a decade.  Largely because they (the
government) were about to be handed their heads in court over the
Bernstein case, which threatened to invalidate the ITAR regulations on
First Amendment grounds, the feds transferred non-military crypto from
the State Department ITAR over to the Commerce Department under the EAR
regulations.  Because the crypto regs were the only regs under ITAR
which impacted OpenSource, as far as I'm aware, I don't believe there
are any ITAR regulations left which have any impact on the OpenSource
community.  That was done to protect those regulations from freedom of
speech challenges as was happening under the Bernstein lawsuit.

This effectively derailed the case for a while.  Back in, oh, somewhere
around 2000 we had a series of relaxations and clarifications to EAR
that make explicit exemptions for OpenSource crypto.  Initially, it
seems that they were only relaxing the regs for the sources (which would
be protected under First Amendment grounds) but a subsequent
clarification exempted both OpenSource sources AND the binaries produced
from them.  The only remaining requirement was that any site acting as a
primary hosting site (this did not include mirror sites) had to notify
BXA of the presence of crypto on the site.  You didn't even have to give
them specific URLs or locations (somewhat subject to interpretation but
generally accepted).  That's when Linus finally integrated crypto into
the primary kernel sources and released them, eliminating the need for
the kerneli sources (International Kernel sources hosted on a site
outside of the US) and when Eric Raymond and I released my SSL patches
to fetchmail as an official part of his sources on his site.  If you
look at the bottom of www.kernel.org you'll find this little gem:

-- 

Due to U.S. Exports Regulations, all cryptographic software on this site
is subject to the following legal notice:

        This site includes publicly available encryption source code
        which, together with object code resulting from the compiling of
        publicly available source code, may be exported from the United
        States under License Exception "TSU" pursuant to 15 C.F.R.
        Section 740.13(e). 

This legal notice applies to cryptographic software only. Please see the
Bureau of Industry and Security for more information about current U.S.
regulations.

Our servers are located in Corvallis, Oregon, USA; Palo Alto and San
Francisco, California, USA; Amsterdam, Netherlands; and Umeå, Sweden.
Use in violation of any applicable laws is prohibited.

-- 

This is generally accepted as sufficient to amount to meeting the
requirements of the notice provision of the EAR regulations even though
there are still statements to the effect that there are requirements to
send them an E-Mail as well.

http://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States

-- 
US export rules
US non-military exports are controlled by Export Administration
Regulations (EAR), a short name for the US Code of Federal Regulations
(CFR) Title 15 chapter VII, subchapter C.

Encryption items specifically designed, developed, configured, adapted
or modified for military applications ( including command, control and
intelligence applications) are controlled by the Department of State on
the United States Munitions List.
-- 

http://en.wikipedia.org/wiki/Bernstein_v._United_States

-- 
After four years and one regulatory change, the court case won a
landmark decision from the Ninth Circuit Court of Appeals, that software
source code was speech protected by the First Amendment and that the
government's regulations preventing its publication were
unconstitutional.
-- 

That one regulatory change was the change from ITAR to EAR.  By this
time, this ruling did not apply to or threaten ITAR any longer.

Mirror sites have no notice requirements at all.  Primary sites hosting
OpenSource cryptography and their mirror sites are also granted a
safe-harbor exemption from the "know your customer" provisions requiring
you to block and prohibit access to countries on the US terrorist
country list.

If what you are dealing with is NOT OpenSource crypto or is OpenSource
crypto which is substantively modified and for which the sources have not
been released, then there are other, more onerous requirements that
apply to you and you do not have the TSU exemption.  You should probably
consult an attorney who specializes in this area of work in that case.
I am not a lawyer...

> For actual practice here at GT I will have to defer to our campus
> lawyers and information security department.
> 
> keith
> 
> -- 
> 
> Keith R. Watson                        Georgia Institute of Technology
> Systems Support Specialist IV          College of Computing
> keith.watson at cc.gatech.edu             801 Atlantic Drive NW
> (404) 385-7401                         Atlanta, GA 30332-0280

Regards,
Mike
-- 
Michael H. Warfield (AI4NB)  | Desk: (404) 236-2807
Senior Researcher - X-Force  | Cell: (678) 463-0932
IBM Security Services        | mhw at linux.vnet.ibm.com mhw at wittsend.com
6303 Barfield Road           | http://www.iss.net/
Atlanta, Georgia 30328       | http://www.wittsend.com/mhw/
                             | PGP Key: 0x674627FF