[amsat-bb] AMSAT Open Source Policy

Bruce Perens bruce at perens.com
Wed Jul 15 18:06:55 UTC 2020


> I've heard the carve-out mentioned in the past but I'm not entirely
> certain about the details.


Maybe I'm weird, but I found ITAR 120 pretty easy to read. It bothers me
that more people do not read law, since it is a framework they must live
within. Of course there are complications like case law that make this a
never-ending project.

I am going entirely by the published law in ITAR 121. DoD is often loath to
issue determinations, and we continue to work on that, but the law is clear
enough. This is all work I wrote for ORI and is on their web site:

ITAR is the International Trafficking in Arms Regulations. The sections of
ITAR that concern us are 120
<https://www.pmddtc.state.gov/regulations_laws/documents/official_itar/ITAR_Part_120.pdf>
and 121
<https://www.pmddtc.state.gov/regulations_laws/documents/official_itar/ITAR_Part_121.pdf>.
Various technologies are declared “munitions” which cannot be exported to
nations on an “embargoed list”, for example North Korea.

All items which are subject to our international collaborations carried out
over the Internet are technical data under ITAR. This includes software as
well as other information. Our ITAR strategy does not apply to physical
objects such as space satellites, but to their designs and the software
which is part of them, which are technical data under ITAR. We can expect to
deal with ITAR and EAR when physical objects are transferred to individuals
other than U.S. nationals or across national borders.

We must not provide defense services. Specifically, we do not answer
questions or perform any requested services for individuals who
are identified as asking for information to use for a military purpose for
any nation, including the United States – since we must comply with the
export regulations of many nations other than the U.S.

ITAR includes a carve-out for “Public Domain” which we make use of. First,
let’s look at the ITAR text and how it defines what it restricts:

§ 120.2 Designation of defense articles and defense services.

The Arms Export Control Act (22 U.S.C. 2778(a) and 2794(7)) provides that
the President shall designate the articles and services deemed to be defense
articles and defense services for purposes of this subchapter. The items so
designated constitute the United States Munitions List and are specified in
part 121 of this subchapter.

…

§ 120.6 Defense article. Defense article means any item or technical data
designated in §121.1 of this subchapter. The policy described in §120.3 is
applicable
to designations of additional items. This term includes technical data
recorded or stored in any physical form, models, mockups or other items
that reveal technical data directly relating to items designated in §121.1
of this subchapter.

…

120.10(a) Technical data means, for purposes of this subchapter:

…

120.10(a)(5) This definition does not include information concerning
general scientific, mathematical or engineering principles commonly taught
in schools, colleges and universities *or* information in the public domain
as defined in §120.11.

…

§ 120.11 Public domain.

(a) Public domain means information which is published and which is
generally accessible or available to the public:

(1) Through sales at newsstands and bookstores;

(2) Through subscriptions which are available without restriction to any
individual who desires to obtain or purchase the published information;

(3) Through second class mailing privileges granted by the U.S. Government;

(4) At libraries open to the public or from which the public can obtain
documents;

(5) Through patents available at any patent office;

(6) Through unlimited distribution at a conference, meeting, seminar,
trade show or exhibition, generally accessible to the public, in the United
States;

(7) Through public release (i.e., unlimited distribution) in any form
(e.g., not necessarily in published form) after approval by the cognizant
U.S. government department or agency (see also §125.4(b)(13) of this
subchapter);

(8) Through fundamental research in science and engineering at accredited
institutions of higher learning in the U.S. where the resulting information
is ordinarily published and shared broadly in the scientific community.
Fundamental research is defined to mean basic and applied research in
science and engineering where the resulting information is ordinarily
published and shared broadly within the scientific community, as
distinguished from research the results of which are restricted for
proprietary reasons or specific U.S. Government access and dissemination
controls.

University research will not be considered fundamental research if:

(i) The University or its researchers accept other restrictions on
publication of scientific and technical information resulting from the
project or activity, or

(ii) The research is funded by the U.S. Government and specific access and
dissemination controls protecting information resulting from the research
are applicable.

—

So, according to ITAR, public knowledge is not subject to regulation under
ITAR. The meaning of the words “Public Domain”, as used in ITAR, is that
knowledge is known to the public, rather than that copyrights have been
abandoned and that material has been dedicated to the public domain in a
copyright sense.

ORI’s general method of making sure that all research and development is
public knowledge is to keep it visible to the public via our web site, both
during and after development. Updates are often on a daily basis, and
developers are instructed not to allow any development to remain invisible
to the public for long. Similarly, the teams collaborate using online
discussion which is archived and available for anyone to read as it happens.

However, ITAR 120.11 doesn’t explicitly include publication on a web site
as a means of assuring knowledge is in the public domain (EAR does). ITAR
specifies a list of activities which make knowledge public, many of which
we can perform.

Let’s look at the individual means of placing technical information in the
public domain as spelled out in ITAR 120.11. Consider that we make a physical
distribution, say a Blu-Ray disc or USB stick, of all of our software and
other content. ITAR then allows us to make this public domain:

(1) Through sales at newsstands and bookstores;

If we sell (or give away) our physical distribution through a newsstand or
a bookstore, we are in compliance with ITAR 120.11(a)(1). The material in
the distribution is considered to be in the public domain under ITAR
120.11, and is not subject to regulation under ITAR. Amazon.com is a
bookstore, perhaps the world’s most popular. So, we could make our physical
distribution available for sale by Amazon.

(2) Through subscriptions which are available without restriction to any
individual who desires to obtain or purchase the published information;

I would argue that subscriptions to access our web site satisfy this term.
However, we can also take the physical distribution and send it to
subscribers who have paid a fee for that service.

(3) Through second class mailing privileges granted by the U.S. Government;

Why won’t first-class mail work? Because second-class mail was used for
periodical publications and the United States Postal Service has a
qualification process to allow periodicals to make use of it.

The Postal Service is an “establishment of the executive branch of
the Government of the United States”, under 39 U.S.C. § 201, as it is
controlled by Presidential appointees and the Postmaster General (a federal
appointee).

Today the name “second-class mail” has changed to “periodical mail”.
Periodical mail requires printed material, and a schedule at least
quarterly, an application fee and some forms (some of which must be filed
periodically). It does allow incidental material to be in another medium
such as a Blu-Ray disc or USB stick. So, we could send out a quarterly
journal with printed papers, including our physical distribution as above.

(4) At libraries open to the public or from which the public can obtain
documents;

We could fulfill this requirement by submitting our physical distribution
to the *Library of Congress*, and arranging for it to be distributed by
other libraries.

But arguably, if a library offers access to the web, and can thus access
our web site, that would fulfill this requirement.

…

(6) Through unlimited distribution at a conference, meeting, seminar,
trade show or exhibition, generally accessible to the public, in the United
States;

This applies to our technical presentations. Perhaps we could also arrange
to distribute our physical distribution to all of the attendees of such a
conference.

And this section could also apply to *online* meetings, seminars, and
exhibitions, as long as they are available in the United States.

—

So, this gives us five methods through which we can easily place our work
formally in the Public Domain, as defined by ITAR, as well as the continual
publication of our technical data on our web site. If we do these things
periodically, publish new material on our web site as close to instantly as
possible, follow a policy not to perform defense services or distribute
physical objects to certain people or nations, we can operate an Open
Source collaboration internationally for information that would otherwise
be restricted under ITAR.

EAR Strategy

The text of the Export Administration Regulations is here
<https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear>.
We are concerned with keeping our work out of the EAR definition “subject to
the EAR”, which covers all things which are regulated under EAR. Here are
the regulations concerning “subject to the EAR” and published material.
They contain a similar carve-out to ITAR regarding published material.

§ 734.2 SUBJECT TO THE EAR
(a) Subject to the EAR – Definition
(1) “Subject to the EAR” is a term used in the EAR to describe those items
and activities over which BIS exercises regulatory jurisdiction under the
EAR. Conversely, items and activities that are not subject to the EAR are
outside the regulatory jurisdiction of the EAR and are not affected by
these regulations. The items and activities subject to the EAR are
described in §734.2 through §734.5 of this part. You should review the
Commerce Control List (CCL) and any applicable parts of the EAR to
determine whether an item or activity is subject to the EAR. However, if
you need help in determining whether an item or activity is subject to the
EAR, see §734.6 of this part. Publicly available technology and software
not subject to the EAR are described in §734.7 through §734.11 and
Supplement No. 1 to this part.

…

§ 734.7 PUBLISHED
(a) Except as set forth in paragraph (b) of this section, unclassified
“technology” or “software” is “published,” and is thus not “technology” or
“software” subject to the EAR, when it has been made available to the
public without restrictions upon its further dissemination such as through
any of the following:
(1) Subscriptions available without restriction to any individual who
desires to obtain or purchase the published information;
(2) Libraries or other public collections that are open and available to
the public, and from which the public can obtain tangible or intangible
documents;
(3) Unlimited distribution at a conference, meeting, seminar, trade show,
or exhibition, generally accessible to the interested public;
(4) Public dissemination (i.e., unlimited distribution) in any form (e.g.,
not necessarily in published form), including posting on the Internet on
sites available to the public; or
(5) Submission of a written composition, manuscript, presentation,
computer-readable dataset, formula, imagery, algorithms, or some other
representation of knowledge with the intention that such information will
be made publicly available if accepted for publication or presentation:
(i) To domestic or foreign co-authors, editors, or reviewers of journals,
magazines, newspapers or trade publications;
(ii) To researchers conducting fundamental research; or
(iii) To organizers of open conferences or other open gatherings.
(b) Published encryption software classified under ECCN 5D002 remains
subject to the EAR unless it is publicly available encryption object code
software classified under ECCN 5D002 and the corresponding source code
meets the criteria specified in § 742.15(b) of the EAR.

…

742.15(b) Publicly available encryption source code
(1) Scope and eligibility.
Subject to the notification requirements of paragraph (b)(2) of
this section, publicly available (see § 734.3(b)(3) of the EAR) encryption
source code classified under ECCN 5D002 is not subject to the EAR.
Such source code is publicly available even if it is subject to an express
agreement for the payment of a licensing fee or royalty for commercial
production or sale of any product developed using the source code.
(2) Notification requirement. You must notify BIS and the ENC Encryption
Request Coordinator via e-mail of the Internet location
(e.g., URL or Internet address) of the publicly available encryption source
code classified under ECCN 5D002 or provide each of them a copy of the
publicly available encryption source code. If you update or modify the
source code, you must also provide additional copies to each of them each
time the cryptographic functionality of the source code is updated or
modified. In addition, if you posted the source code on the Internet, you
must notify BIS and the ENC Encryption Request Coordinator each time the
Internet location is changed, but you are not required to notify them of
updates or modifications made to the encryption source code at the
previously notified location. In all instances, submit the notification or
copy to crypt at bis.doc.gov and to enc at nsa.gov.

—

Since EAR allows publication on a web site under 734.7(a)(4), we can easily
make sure that all of our work but cryptographic software is not subject to
the EAR. Development of cryptography is not specifically a goal of ORI, and
is being carried out well by other Open Source projects, for example
OpenSSL and GNU TLS. However, it is expected that such software will be
included in our projects. The main reason is that all popular web browsers
are being programmed to deprecate or reject unencrypted web sites for ample
security reasons. And of course our software can be expected to make use of
authorization, authentication, and communication facilities for which
encryption is useful or critical.

In order to make sure that our encryption software qualifies as not subject
to the EAR, we will make the email notifications required under
742.15(b)(2). - This may be obsolete - I think the government announced
that encryption was no longer under the EAR but I haven't looked carefully,
and given that the current administration doesn't like end-to-end
encryption in social networks, laws may change.

