1995-09-11 - Re: itar question

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: Todd Ackman <tka@brutus.bright.net>
Message Hash: d10dea78522de9a4f3286c2bc5d73754a6f7284fba185a2d182c6d798f418940
Message ID: <199509112217.PAA14304@ix4.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-11 22:17:43 UTC
Raw Date: Mon, 11 Sep 95 15:17:43 PDT

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Mon, 11 Sep 95 15:17:43 PDT
To: Todd Ackman <tka@brutus.bright.net>
Subject: Re: itar question
Message-ID: <199509112217.PAA14304@ix4.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 05:08 PM 9/11/95 -0400, you wrote:
>If I create a set of patches to a PD or GNU software package (i.e. telnetd, 
>httpd) to support encryption (in particular SSL), can I put the patches up 
>on an ftp site, or would I be in violation of ITAR, and therefore risk 
>getting hauled off by the feds?  (I'm a US citizen living/working in the 
>states).

If you create them in the states, and export them, and they contain crypto,
you can be busted and convicted.

If you put them on an ftp site without preventing or at least discouraging
foreigners from accessing them, you can be busted, but you've at least got 
a potentially interesting court case about freedom of speech and the press,
etc., for which you will need _very_ good lawyers unless either 
a) Phil Zimmermann gets indicted and acquitted first or b) you don't mind
losing. 
If you do b) before Phil gets his day in court (as opposed to his 
months and months of grand jury), you risk creating a precedent that
can help the Bad Guys convict him.

If you create them in the states, and they contain hooks to call crypto,
but don't actually contain the crypto themselves, then there's a question
of whether they are components of a munition or technical data therefor,
or whether they're just code that calls subroutines named "SSL_init()",
"DES()", "RSA()", etc., which is behavior that's at least been threatened
with FUD, but may be defendable in court.  Your case is definitely stronger if your
code is public domain (by the ITAR definitions, which are rather different
than the copyright-related definitions), and of course if it's part of a working
system of purely non-munitions code that just happens to have routines like
"Do_Everything_Slowly()", "Reliability_Supporting_Algorithm()", and
"SUPDUP_Simulation_Library" -- might even be fun to write a library like that,
though I suppose certain companies might be upset if you called your
Really_Special_Arithmetic library RSAREF :-)
#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---