How the State Department’s ITAR Proposal Could Put Gun Owners and Information Security Professionals at Risk

Two weeks ago, President Obama released his Unified Agenda, part of which outlines many of his goals for the remainder of his term. Most of the proposals in the agenda are regulatory in nature and as such, require no approval from Congress. No matter what the content, this sort of governance is sure to attract the ire of conservatives who have already argued that the President has overstepped his authority several times over the last 6 years. Compounding these concerns is the fact that the Unified Agenda contains many firearms-related items that most enthusiasts take as punitive measures following the President’s congressional impotency on the issue. While the agenda is rife with potential risks, one proposal has gun owners and technology professionals especially worried.

The relevant proposal has been put forth by the Department of State and is titled, “International Traffic in Arms: Definitions of Defense Services, Technical Data, and Public Domain; Definition of Product of Fundamental Research; Electronic Transmission and Storage of Technical Data; and Related Definitions”, or “ITAR Amendment” for short. As its name suggests, the initiative seeks to amend many significant definitions within ITAR and is supposedly intended to modernize the regulations to better apply to current technology. As such, the new changes focus primarily on information and the “export” of data, rather than material goods.

The first substantial changes are the revisions to the definition of “defense article” which result in a much broader application of the term. According to the ITAR Amendment, applicable software would be considered a defense article, rather than “technical data” as it currently is treated. This is significant because encryption technologies and cryptographic algorithms are likely to fall within this scope. While section 120.6 lays out exceptions to the classification, these relate primarily to academic research and existing technologies. Independent, private research is not necessarily protected and new software is likely to be held to this definition. These changes are particularly worrisome because they potentially lower the threshold for software to be regulated under ITAR. Currently, software is categorized as technical data, meaning it must closely relate to a separate defense article in order to be ITAR relevant. The changes would remove this barrier (safeguard) by classifying software as a defense article itself.

Following the changes to defense articles, the ITAR Amendment proposes substantial modifications to the definition of technical data. In this section, the proposed modifications are especially significant so let’s take a look at the text (feel free to skip, I will address issues individually below):

The Department proposes to revise the definition of “technical data” in ITAR § 120.10 in order to update and clarify the scope of information that may be captured within the definition. Paragraph (a)(1) of the revised definition defines “technical data” as information “required” for the “development,” “production,” operation, installation, maintenance, repair, overhaul, or refurbishing of a “defense article,” which harmonizes with the definition of “technology” in the EAR and the Wassenaar Arrangement. This is not a change in the scope of the definition, and additional words describing activities that were in the prior definition are included in parentheticals to assist exporters.

Paragraph (a)(1) also sets forth a broader range of examples of formats that “technical data” may take, such as diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, or electronic media, that may constitute “technical data.” Additionally, the revised definition includes certain conforming changes intended to reflect the revised and newly added defined terms proposed elsewhere in this rule.

The proposed revised definition also includes a note clarifying that the modification of the design of an existing item creates a new item and that the “technical data” for the modification is “technical data” for the new item.

Paragraph (a)(2) of the revised definition defines “technical data” as also including information that is enumerated on the USML. This will be “technical data” that is positively described, as opposed to “technical data” described in the standard catch-all “technical data” control for all “technical data” directly related to a “defense article” described in the relevant category. The Department intends to enumerate certain controlled “technical data” as it continues to move the USML toward a more positive control list.

Paragraph (a)(3) of the revised definition defines “technical data” as also including classified information that is for the “development,” “production,” operation, installation, maintenance, repair, overhaul, or refurbishing of a “defense article” or a 600 series item subject to the EAR. Paragraph (a)(5) of the revised definition defines “technical data” as also including information to access secured “technical data” in clear text, such as decryption keys, passwords, or network access codes. In support of the latter change, the Department also proposes to add a new provision to the list of violations in § 127.1(b)(4) to state that any disclosure of these decryption keys or passwords that results in the unauthorized disclosure of the “technical data” or software secured by the encryption key or password is a violation and will constitute a violation to the same extent as the “export” of the secured information. For example, the “release” of a decryption key may result in the unauthorized disclosure of multiple files containing “technical data” hosted abroad and could therefore constitute a violation of the ITAR for each piece of “technical data” on that server.

Readers will have to excuse the wall of text I just dumped on this article. For gun owners, proposed paragraph (a)(1) is one of the most ominous pieces of the amendment. According to State, the definition of technical data would be broadened to account for practically any information relating to a defense article and the applicable formats for such data expanded to include all practical communications. Since firearms have frequently been deemed defense articles by State, this expansion of relevant technical data could put firearms discussions and training at risk. Indeed, merely posting a tutorial for cleaning an AR-15 on the Internet could constitute an export of technical data according to this new definition.

This section is even more frightening for “DIY-ers” who enjoy legally assembling firearms from parts or manufacturing firearm components. Under the proposal, sharing information related to the “production” or “installation” of firearms parts could constitute a “release” or “export” of ITAR regulated technical data. Readers should note that the Department of State is currently entangled in a lawsuit with Defense Distributed’s Cody Wilson over the government’s assertion that posting CAD files of firearms components online violated ITAR. This ongoing legal battle combines with the ATF’s increased scrutiny regarding the manufacture of 80% receivers to make the amendment look like a highly reactive initiative, fueled by the government’s inability to otherwise jeopardize legal firearms builds.

From an information security perspective, the proposed changes to technical data are less frightening, but are worth mentioning. According to State, storage of technical data abroad is permissible, provided the information is secured (encrypted). An export of this data would only occur if that data could be readily decrypted by a foreign actor. However to facilitate this definition, State clarifies that the release of keys for encrypted technical data could be considered an export and may be subject to ITAR regulations and penalties.

After establishing the new definition for technical data, State endeavors to redefine “public domain” as it relates to ITAR (wall of text inbound):

The proposed definition requires that information be made available to the public without restrictions on its further dissemination. Any information that meets this definition is “public domain.” The definition also retains an exemplary list of information that has been made available to the public without restriction and would be considered “public domain.” These include magazines, periodicals and other publications available as subscriptions, publications contained in libraries, information made available at a public conference, meeting, seminar, trade show, or exhibition, and information posted on public Web sites. The final example deems information that is submitted to co-authors, editors, or reviewers or conference organizers for review for publication to be “public domain,” even prior to actual publication. The relevant restrictions do not include copyright protections or generic property rights in the underlying physical medium.

Paragraph (b) of the revised definition explicitly sets forth the Department’s requirement of authorization to release information into the “public domain.” Prior to making available “technical data” or software subject to the ITAR, the U.S. government must approve the release through one of the following: (1) The Department; (2) the Department of Defense’s Office of Security Review; (3) a relevant U.S. government contracting authority with authority to allow the “technical data” or software to be made available to the public, if one exists; or (4) another U.S. government official with authority to allow the “technical data” or software to be made available to the public.

The requirements of paragraph (b) are not new. Rather, they are a more explicit statement of the ITAR’s requirement that one must seek and receive a license or other authorization from the Department or other cognizant U.S. government authority to release ITAR controlled “technical data,” as defined in § 120.10. A release of “technical data” may occur by disseminating “technical data” at a public conference or trade show, publishing “technical data” in a book or journal article, or posting “technical data” to the Internet. This proposed provision will enhance compliance with the ITAR by clarifying that “technical data” may not be made available to the public without authorization. Persons who intend to discuss “technical data” at a conference or trade show, or to publish it, must ensure that they obtain the appropriate authorization.

Information that is excluded from the definition of “defense article” in the new § 120.6(b) is not “technical data” and therefore does not require authorization prior to release into the “public domain.” This includes information that arises during or results from “fundamental research,” as described in the new § 120.49; general scientific, mathematical, or engineering principles commonly taught in schools, and information that is contained in patents.

The Department also proposes to add a new provision to § 127.1 in paragraph (a)(6) to state explicitly that the further dissemination of “technical data” or software that was made available to the public without authorization is a violation of the ITAR, if, and only if, it is done with knowledge that the “technical data” or software was made publicly available without an authorization described in ITAR § 120.11(b)(2). Dissemination of publicly available “technical data” or software is not an export-controlled event, and does not require authorization from the Department, in the absence of knowledge that it was made publicly available without authorization.

“Technical data” and software that is made publicly available without proper authorization remains “technical data” or software and therefore remains subject to the ITAR. As such, the U.S. government may advise a person that the original release of the “technical data” or software was unauthorized and put that person on notice that further dissemination would violate the ITAR.

As readers can see, State has elected to take a very specific stance in defining public domain. However, the changes themselves are quite simple. Effectively, public domain is to be taken as any mode of communication that is accessible for the general public. This includes magazines, libraries, trade shows, the Internet, and many more formats. While State indicates that some data must be available to the public domain (including “fundamental research”), the Department does not make the scope of this information clear. It is probable that a substantial portion of small arms data that most gun owners consider public domain would actually be taken as technical data under these new rules. In large part, this is because the Department of State (or the U.S. Government as a whole) has taken sole authority for determining what technical data may be “released” to the public domain. Without explicit permission from the U.S. Government, relevant parties would be prohibited from releasing any information that might be considered technical data.

Because it is impossible for firearms and security enthusiasts to determine what existing information truly constitutes technical data, this new definition of public domain is likely to lead to heavy self-censorship in online communities and at trade seminars. It is not reasonable to expect that individual practitioners would obtain express permission from State prior to releasing any technical information about something that may be considered a defense article. As the gatekeeper of this information, the Department of State takes on a unique and powerful position in regulating “free” speech.

In a new section, State separates “fundamental research” from its previous home under public domain. In 120.49, technical data arising from fundamental research is defined as:

(a) Technical Data arising during, or resulting from, fundamental research. Unclassified information that arises during, or results from, fundamental research and is intended to be published is not technical data when the research is: (1) Conducted in the United States at an accredited institution of higher learning located; or (2) Funded, in whole or in part, by the U.S. government.

In short, there are only two approved ways for information from research studies that would typically be considered technical data to be classified as public domain. The first encompasses research done in the U.S. by accredited universities and colleges. This information, intended for publication, would be considered public domain only after prepublication review. Likewise, any research funded by the U.S. government would also be considered fundamental and its results would be subject to prepublication review prior to dissemination. The ITAR Amendment makes no provisions for independent research.

State has proposed minor changes to the definitions for “release” and “export”, but for all practical purposes, these terms mean exactly what we might expect. Under the ITAR Amendment, a release of technical data essentially applies to any dissemination of the material to the public domain. A release only constitutes an export when the data crosses borders and is shared with foreign nationals. However, this is problematic because firearms discussion and technology research frequently cross borders. With the Internet as the primary vehicle for exchanging these ideas, avoiding illegal exports of technical data is practically impossible.

While some have dismissed assertions by the NRA and other groups that this is a “gag order” on firearms related speech, the ultimate effect will be exactly the same. The regulatory changes outlined by the ITAR Amendment render lawful collaboration on firearms, security, and a variety of other topics impractical. The self-censorship that is likely to result from these revisions is not only scary, but it also runs counter to the ideals of a free society and protected speech.

According to the Department of State, this regulation is not expected to have an impact on the economy that exceeds $100 million. I must disagree with this assertion. In fact, it is likely that the economic impact of the ITAR Amendment will far exceed this figure. According to the National Shooting Sports Federation (NSSF), the total economic impact of the firearms and ammunition industry was over $42 billion in 2014. The industry also generated over $5 billion in federal and state tax revenue. In 2013, data from Gartner indicated that the information security industry is expected to exceed $86 billion in total size by 2016. If even a tiny fraction of these two industries is impacted by the ITAR Amendment, the total economic impact of the changes will far exceed $100 million.

As of now, the proposal has received 4,914 comments via the regulations.gov web portal. While this does not include mailed or emailed submissions, the number is far too low. The Department of State will accept comments up until the close date of August 3.  Comments may be submitted through the online portal or via email (DDTCPublicComments@state.gov, subject “ITAR Amendment – Revisions to Definitions; Data Transmission and Storage”).

 

ITAR Amendment (PDF): http://www.regulations.gov/contentStreamer?documentId=DOS-2015-0023-0001&disposition=attachment&contentType=pdf

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s