ITAR and EAR Strategy

ITAR Strategy

Also see Developer and Participant Policies, specifically the sections on No National Defense Participation, Keep it Public, and Transfer of Physical Objects Restricted Under ITAR or EAR.

ITAR is the International Trafficking in Arms Regulations. The sections of ITAR that concern us are 120 and 121. Various technologies are declared “munitions” which can not be exported to nations on an “embargoed list”, for example North Korea.

All items which are subject to ORI’s international collaborations carried out over the Internet are technical data under ITAR. This includes software as well as other information. Our ITAR strategy does not apply to physical objects such as space satellites, but to their designs and the software which is part of them, which are techical data under ITAR. We can expect to deal with ITAR and EAR when physical objects are transferred to individuals other than U.S. nationals or across national borders.

ORI does not provide defense services. Specifically, we do not answer questions or perform any requested services for individuals who are identified as asking for information to use for a military purpose for any nation, including the United States – since we must comply with the export regulations of many nations other than the U.S. Where such individuals are identified, we ask them to refrain from posting to discussion lists or we bar their email address from writing to such lists. They may still read the list and ORI’s web site, thus their access to our work is not barred.

ITAR includes a carve-out for “Public Domain” which we make use of. First, let’s look at the ITAR text and how it defines what it restricts:

§ 120.2 Designation of defense articles and defense services.

The Arms Export Control Act (22 U.S.C. 2778(a) and 2794(7)) provides that the President shall designate the articles and services deemed to be defense articles and defense services for purposes of this subchapter. The items so designated constitute the United States Munitions List and are specified in part 121 of this subchapter.

§ 120.6 Defense article. Defense article means any item or technical data designated in §121.1 of this subchapter. The policy described in §120.3 is applicable to designations of additional items. This term includes technical data recorded or stored in any physical form, models, mockups or other items that reveal technical data directly relating to items designated in §121.1 of this subchapter.

120.10(a) Technical data means, for purposes of this subchapter:

120.10(a)(5) This definition does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain as defined in §120.11.

§ 120.11 Public domain.

(a) Public domain means information which is published and which is generally accessible or available to the public:

(1) Through sales at newsstands and bookstores;

(2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;

(3) Through second class mailing privileges granted by the U.S. Government;

(4) At libraries open to the public or from which the public can obtain documents;

5) Through patents available at any patent office;

(6) Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;

(7) Through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency (see also §125.4(b)(13) of this subchapter);

(8) Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community. Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls.

University research will not be considered fundamental research if:

(i) The University or its researchers accept other restrictions on publication of scientific and technical information resulting from the project or activity, or

(ii) The research is funded by the U.S. Government and specific access and dissemination controls protecting information resulting from the research are applicable.

So, according to ITAR, public knowledge is not subject to regulation under ITAR. The meaning of the words “Public Domain”, as used in ITAR, is that knowledge is known to the public, rather than that copyrights have been abandoned and that material has been dedicated to the public domain in a copyright sense.

ORI’s general method of making sure that all research and development is public knowledge is to keep it visible to the public via our web site, both during and after development. Updates are often on a daily basis, and developers are instructed not to allow any development to remain invisible to the public for long. Similarly, the teams collaborate using online discussion which is archived and available for anyone to read as it happens.

However, ITAR 120.11 doesn’t explicitly include publication on a web site as a means of assuring knowledge is in the public domain (EAR does). ITAR specifies a list of activities which make knowledge public, many of which we can perform.

Let’s look at the individual means of placing technical information in the public domain as spelled out in ITAR 120.11. Consider that we make a physical distribution, say a Blu-Ray disc or USB stick, of all of our software and other content. ITAR then allows us to make this public domain:

(1) Through sales at newsstands and bookstores;

If we sell (or give away) our physical distribution through a newsstand or a bookstore, we are in compliance with ITAR 120.11(a)(1). The material in the distribution is considered to be in the public domain under ITAR 120.11, and is not subject to regulation under ITAR. Amazon.com is a bookstore, perhaps the world’s most popular. So, we could make our physical distribution available for sale by Amazon.

(2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;

I would argue that subscriptions to access our web site satisfy this term. However, we can also take the physical distribution and send it to subscribers who have paid a fee for that service.

(3) Through second class mailing privileges granted by the U.S. Government;

Why won’t first-class mail work? Because second-class mail was used for periodical publications and the United States Postal Service has a qualification process to allow periodicals to make use of it.

The Postal Service is an “establishment of the executive branch of the Government of the United States”, under 39 U.S.C. § 201, as it is controlled by Presidential appointees and the Postmaster General (a federal appointee).

Today the name “second-class mail” has changed to “periodical mail”. Periodical mail requires printed material, and a schedule at least quarterly, an application fee and some forms (some of which must be filed periodically). It does allow incidental material to be in another medium such as a Blu-Ray disc or USB stick. So, we could send out a quarterly journal with printed papers, including our physical distribution as above.

(4) At libraries open to the public or from which the public can obtain documents;

We could fulfill this requirement by submitting our physical distribution to the Library of Congress, and arranging for it to be distributed by other libraries.

But arguably, if a library offers access to the web, and can thus access our web site, that would fulfill this requirement.

(6) Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;

This applies to our technical presentations. Perhaps we could also arrange to distribute our physical distribution to all of the attendees of such a conference.

And this section could also apply to online meetings, seminars, and exhibitions, as long as they are available in the United States.

So, this gives us five methods through which we can easily place our work formally in the Public Domain, as defined by ITAR, as well as the continual publication of our technical data on our web site. If we do these things periodically, publish new material on our web site as close to instantly as possible, follow a policy not to perform defense services or distribute physical objects to certain people or nations, we can operate an Open Source collaboration internationally for information that would otherwise be restricted under ITAR.

EAR Strategy

The text of the Export Administration Regulations is here. We are concerned with keeping our work out of EAR definition “subject to the EAR”, which covers all things which are regulated under EAR. Here are the regulations concerning “subject to the EAR” and published material. They contain a similar carve-out to ITAR regarding published material.

§ 734.2 SUBJECT TO THE EAR
(a) Subject to the EAR – Definition
(1) “Subject to the EAR” is a term used in the EAR to describe those items and activities over which BIS exercises regulatory jurisdiction under the EAR. Conversely, items and activities that are not subject to the EAR are outside the regulatory jurisdiction of the EAR and are not affected by these regulations. The items and activities subject to the EAR are described in §734.2 through §734.5 of this part. You should review the Commerce Control List (CCL) and any applicable parts of the EAR to determine whether an item or activity is subject to the EAR. However, if you need help in determining whether an item or activity is subject to the EAR, see §734.6 of this part. Publicly available technology and software not subject to the EAR are described in §734.7 through §734.11 and Supplement No. 1 to this part.
§ 734.7 PUBLISHED
(a) Except as set forth in paragraph (b) of this section, unclassified “technology” or “software” is “published,” and is thus not “technology” or “software” subject to the EAR, when it has been made available to the public without restrictions upon its further dissemination such as through any of the following:
(1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or
(5) Submission of a written composition, manuscript, presentation, computer-readable dataset, formula, imagery, algorithms, or some other representation of knowledge with the intention that such information will be made
publicly available if accepted for publication or presentation:
(i) To domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications;
(ii) To researchers conducting fundamental research; or
(iii) To organizers of open conferences or other open gatherings.
(b) Published encryption software classified under ECCN 5D002 remains subject to the EAR unless it is publicly available encryption object code software classified under ECCN 5D002 and the corresponding source code meets the criteria specified in § 742.15(b) of the EAR.
742.15(b) Publicly available encryption source code
(1) Scope and eligibility.
Subject to the notification requirements of paragraph (b)(2) of
this section, publicly available (see § 734.3(b)(3) of the EAR) encryption source code classified under ECCN 5D002 is not subject to the EAR.
Such source code is publicly available even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.
(2) Notification requirement. You must notify BIS and the ENC Encryption RequestCoordinator via e-mail of the Internet location
(e.g., URL or Internet address) of the publicly available encryption source code classified under ECCN 5D002 or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location. In all instances, submit the notification or copy to [email protected] and to [email protected]
Since EAR allows publication on a web site under 734.7(a)(4), we can easily make sure that all of our work but cryptographic software is not subject to the EAR. Development of cryptography is not specifically a goal of ORI, and is being carried out well by other Open Source projects, for example OpenSSL and GNU TLS. However, it is expected that such software will be included in our projects. The main reason is that all popular web browsers are being programmed to deprecate or reject unencrypted web sites for ample security reasons. And of course our software can be expected to make use of authorization, authentication, and communication facilities for which encryption is useful for critical.

 

In order to make sure that our encryption software qualifies as not subject to the EAR, we will make the email notifications required under 742.15(b)(2).