1993-10-02 - (fwd) ITAR registration package

Header Data

From: tcmay@netcom.com (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: 5f92436b1292bc6cc168f1032ac18b890561b0098e5fc7a61381e8f3e66ffeb9
Message ID: <9310021826.AA13664@netcom5.netcom.com>
Reply To: N/A
UTC Datetime: 1993-10-02 18:28:48 UTC
Raw Date: Sat, 2 Oct 93 11:28:48 PDT

Raw message

From: tcmay@netcom.com (Timothy C. May)
Date: Sat, 2 Oct 93 11:28:48 PDT
To: cypherpunks@toad.com
Subject: (fwd) ITAR registration package
Message-ID: <9310021826.AA13664@netcom5.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Cypherpunks,

This is slightly long, but I think it's important for you all to see.

Grady Ward requested the information packet needed to become a
"Munitions Dealer." It seems that nearly all of us are supposed to be
paying a $250 yearly fee and filling out many forms before we post
files to ftp sites (including the "soda" machine), publish chunks of
code on Usenet or on this list, and so on.

The Crypto Crackdown could be messy.

-Tim May


Newsgroups: talk.politics.crypto,comp.org.eff.talk,misc.legal
From: grady@netcom.com (Grady Ward)
Subject: ITAR registration package
Date: Sat, 2 Oct 1993 15:54:14 GMT

(edit followups as appropriate)

I asked the State Department for a "Munitions Manufacturer"
registration package and they promptly sent me three
documents in an 8 1/2 x 11 envelope.
 
The first booklet was a copy of the Federal Register of
22 CFR Part 120, et al. ("ITAR") that is available via
anonymous ftp.  This gives the official 'munitions list'
("USML") and information on registration, licensing,
governing authority and so on.
 
The second enclosed document was a twenty page booklet
titled 'REGISTRATION: the first step in the defense trade'
which gives sample registration forms, fee schedules and
so on. The paperwork for registration is one page to fill
out where you identify the people manufacturing munitions
and pay the yearly $250 fee.
 
The third item was a copy of the "Defense Trade News", a
folksy bulletin produced monthly by the Department of
State to ostensibly clarify points of munitions manufacturing
or export.
 
Reading the January & April 1993 (combined issue) V4,1 & 2
the State Department makes it clear that it considers all
software, including algorithms in any form and source code
to be munitions items as per 121.8(f) of ITAR.  For example,
 
Software, Using DES for Data Encryption                 USML XIII(b)(1)
 
Software, Using DES for Password Encryption
                  In Object Code                     (Dept of Commerce)
                  In Source Code                        USML XIII(b)(1)
 
Algorithm, for Data Encryption, not
Incorporated into a Finished Software Product           USML XIII(b)(1)
 
This language makes it clear that at least the State Department
does consider any kind of privacy software description to be a
munition, including pseudocode, block diagrams, etc.
They explicitly deny that software can ever be a 'public domain'
item as per 120.11 ITAR (as D.J. Bernstein has been telling us
all along).
 
Under 122.1(b) of ITAR, people are exempt from registration if
they "engage only in the fabrication of articles for experimental
or scientific purposes, including research and development."
 
This means presumably that while posting code to an ftp site is
still considered 'manufacturing a munition' such a manufacturer
does not have to register as per 122.1(b)(4). But a business such
as Compuserve that has excellent NewDE source code available for
downloading by anyone, the Austin Code Works, or Dr. Dobb's who
is planning a December article on the IDEA algorithm, including
source listing, for example, would definitely have to register,
unless they could argue they are exempt under 122.1(b) as well.

From my lay perspective, it seems the most fruitful way to attack
the ITAR restriction on dissemination of strong crypto is right
in section 120.3 of ITAR 'Policy on designating and determining
defense articles and services' because it claims that a member of
the USML: '(a) Is specifically designed, adapted, or modified for a
military application, and (i) Does not have predominant civil
application, and (ii) Does not have performance equivalent (defined
by form, fit, and function) to those of an article or service
used for civil applications.'
 
PGP *does*, of course, predominantly have a civil application (privacy)
and certainly was *not* specifically designed for any military application.

 
My conclusion:
 
Crypto software suitable for mass market PCs ought to be removed from the US
Munitions List.


Appendix.  Portions of ITAR.
 
The USML includes:
 121.8 -- End-items, components, accessories, attachments, parts,
 firmware, software and systems.
   (a) An end-item is an assembled article ready for its intended use.
   Only ammunition, fuel or another energy source is required to place
   it in an operating state.
   (b) A component is an item which is useful only when used in conjunction
   with an end-item. A major component includes any assembled element
   which forms a portion of an end-item without which the end-item is
   inoperable. (Example: Airframes, tail sections, transmissions, tank
   treads, hulls, etc.) A minor component includes any assembled element
   of a major component.
   (c) Accessories and attachments are associated equipment for any component,
   end-item or system, and which are not necessary for their operation, but
   which enhance their usefulness or effectiveness. (Examples: Military
   riflescopes, special paints, etc.)
   (d) A part is any single unassembled element of a major or a minor component,
   accessory, or attachment which is not normally subject to disassembly without
   the destruction or the impairment of design use. (Examples: Rivets, wire,
   bolts, etc.)
   (e) Firmware and any related unique support tools (such as computers, linkers,
   editors, test case generators, diagnostic checkers, library of functions and
   system test diagnostics) specifically designed for equipment or systems covered
   under any category of the U.S. Munitions List are considered as part of the
   end-item or component. Firmware includes but is not limited to circuits into
   which software has been programmed.
   (f) Software includes but is not limited to the system functional design, logic
   flow, algorithms, application programs, operating systems and support software
   for design, implementation, test, operation, diagnosis and repair. A person who
   intends to export software only should, unless it is specifically enumerated in
   121.1 (e.g., XIII(b)), apply for a technical data license pursuant to part 125
   of this subchapter.
   (g) A system is a combination of end-items, components, parts, accessories,
   attachments, firmware or software, specifically designed, modified or adapted
   to operate together to perform a specialized military function.
 
 
USML XIII:
Category XIII-Auxiliary Military Equipment 
   (a) Cameras [including space cameras] and specialized processing equipment
   therefor, photointerpretation, stereoscopic plotting, and photogrammetry
   equipment which are specifically designed or modified for military purposes,
   and components specifically designed or modified therefor;
   (b) Information Security Systems and equipment, cryptographic devices, software,
   and components specifically designed or modified therefor, including:
   (1) Cryptographic (including key management) systems, equipment, assemblies,
   modules, integrated circuits, components or software with the capability of
   maintaining secrecy or confidentiality of information or information systems,
   except cryptographic equipment and software as follows:
   (i) Restricted to decryption functions specifically designed to allow the execution
   of copy protected software, provided the decryption functions are not
   user-accessible.
   (ii) Specially designed, developed or modified for use in machines for banking or
   money transactions, and restricted to use only in such transactions. Machines for
   banking or money transactions include automatic teller machines, self-service
   statement printers, point of sale terminals or equipment for the encryption of
   interbanking transactions.
   (iii) Employing only analog techniques to provide the cryptographic processing
   that ensures information security in the following applications:
   (A) Fixed (defined below) band scrambling not exceeding 8 bands and in which the
   transpositions change not more frequently than once every second;
   (B) Fixed (defined below) band scrambling exceeding 8 bands and in which the
   transpositions change not more frequently than once every ten seconds;
   (C) Fixed (defined below) frequency inversion and in which the transpositions
   change not more frequently than once every second;
   (D) Facsimile equipment;
   (E) Restricted audience broadcast equipment;
   (F) Civil television equipment.
   Note: Special Definition. For purposes of this subparagraph, fixed means that
   the coding or compression algorithm cannot accept externally supplied parameters
   (e.g., cryptographic or key variables) and cannot be modified by the user.
   (iv) Personalized smart cards using cryptography restricted for use only in
   equipment or systems exempted from the controls of the USML.
   (v) Limited to access control, such as automatic teller machines, self-service
   statement printers or point of sale terminals, which protects password or personal
   identification numbers (PIN) or similar data to prevent unauthorized access to
   facilities but does not allow for encryption of files or text, except as directly
   related to the password of PIN protection.
   (vi) Limited to data authentication which calculates a Message Authentication Code
   (MAC) or similar result to ensure no alteration of text has taken place, or to
   authenticate users, but does not allow for encryption of data, text or other media
   other than that needed for the authentication.
   (vii) Restricted to fixed data compression or coding techniques.
   (viii) Limited to receiving for radio broadcast, pay television or similar
   restricted audience television of the consumer type, without digital encryption
   and where digital decryption is limited to the video, audio or management functions.
   (ix) Software designed or modified to protect against malicious computer damage,
   (e.g., viruses).
 
Registration and exemptions:
 122.1 -- Registration requirements.
   (a) Any person who engages in the United States in the business of either
   manufacturing or exporting defense articles or furnishing defense services
   is required to register with the Office of Defense Trade Controls. Manufacturers
   who do not engage in exporting must nevertheless register.
   (b) Exemptions. Registration is not required for:
   (1) Officers and employees of the United States Government acting in an official
   capacity.
   (2) Persons whose pertinent business activity is confined to the production of
   unclassified technical data only.
   (3) Persons all of whose manufacturing and export activities are licensed under
   the Atomic Energy Act of 1954, as amended.
   (4) Persons who engage only in the fabrication of articles for experimental or
   scientific purpose, including research and development.
   (c) Purpose. Registration is primarily a means to provide the U.S. Government
   with necessary information on who is involved in certain manufacturing and
   exporting activities. Registration does not confer any export rights or privileges.
   It is generally a precondition to the issuance of any license or other approval
   under this subchapter.
 
-------------------------------
 
(Note: order copies of the ITAR for $4.50 a copy
from the GPO at +1 202 783 3238, or FAX +1 202 512 2250.
Order stock number 069-001-000-58-1.
 
Or get your 'Munitions Manufacturer' registration package
free from the State Dept by calling (703) 875-6650
or writing Dept. State, PM/DTC Rm. 200 SA-6,
Washington, D.C. 20522-0602)
 


-- 
Grady Ward                                         grady@netcom.com
3449 Martha Ct.                           compiler of Moby lexicons
Arcata, CA  95521-4884            e-mail or finger grady@netcom.com
(707) 826-7715  (voice/24hr FAX)               for more information

--




