While it is an old adage that the pen is mightier than the sword, the U.S. Department of State may have taken this concept a bit too far in classifying your email client as a munition. On June 3, 2015, the U.S. Department of State released new proposed International Traffic in Arms Regulations (ITAR) rules.8 Unlike many of the previous rulemaking releases that were part of this process, this release dealt with general terms that underlie the regulations in many other sections. As part of these, seemingly innocuous, changes, they replaced several definitions. This Viewpoint considers the impact of these changes on the U.S. software industry and software education.
The U.S. has a very real need to protect certain information. Some of this information is so sensitive that it can be made available to only select individuals within or working for the government. A classification mechanism exists for this government-originated information that restricts it to only authorized users. The location, configuration, and capabilities of military assets and other similar information fall under this regime. Other information and certain goods are also seen as providing the U.S. strategic advantage and thus are restricted to only U.S. and authorized foreign use. Two regimes exist for controlling this information and these goods: the ITAR6 and the Export Administration Regulations (EAR).2 The former covers items that have a definitive military use (or for which military use is likely); the latter covers less harmful goods. ITAR items are regulated by the U.S. Department of State, while EAR items are regulated by the U.S. Department of Commerce. The two regimes have many similarities; however, the process, certain exemptions, and the penalties for violation can differ significantly.
The ITAR changes have drawn no shortage of criticism7 with some arguing, for example, that the regulations have made the U.S. uncompetitive in the space and aerospace industries. Others3 have asserted that they may violate freedom of speech protections embodied in the U.S. Constitution. Previous work5 has highlighted the impact that these regulations may have on small businesses, academic institutions, and individuals and proposed a safe harbor be created for these groups (with the space and aerospace industries specifically considered).
This Viewpoint bypasses the often discussed question of what the role of export control should be in our society and whether current regulations meet this goal and instead focuses on the impact of several changes to the ITAR that have been recently proposed. It is important to note that these changes are simply being proposed at this point, precisely so that a dialog (like the one hopefully started here) can be conducted to inform the agency's final actions.
The proposed changes8 were released as a proposed rule. The formal public comment period on this closed on August 3, 2015. The agency could, conceivably, still consider informal public comments. The next step in this process would, typically, be the release of a final rule (or the agency may opt to solicit feedback again before making a final rule, depending on a variety of factors). Of course, further changes to these rules could be initiated by the agency (at the request of the public or at its own initiative) or be necessitated by congressional action.
In the June 3, 2015 proposed rulemaking,8 several critical aspects of ITAR were changed:
The proposed changes will be analyzed from three perspectives: the U.S. software industry (with a particular focus on small developers), computer science educators, and the scientific enterprise in general.
U.S. software industry. From the perspective of the U.S. software industry, the changes are potentially problematic. Several sections are vague and could pull large segments of commercial software under the control of ITAR (meaning that sales, even in the U.S., would have to be closely monitored to ensure they were only to U.S. persons or a license would need to be obtained). For example, Category IX includes:12
Software and associated databases not elsewhere enumerated in this sub-chapter that can be used to model or simulate the following:
This would seem to encompass many battle-type games (notably, these types of games have been demonstrated to be usable for troop training4); however, the broad language "software ... that can be used" could ensnare operating systems and other benign applications that might have a supporting role in such modeling or simulation. Presumably, it is not the intent of the State Department to regulate the entire domestic software industry. However, fear and uncertainty could have a chilling effect on domestic development, sales, and exports. This may be particularly problematic for small firms that cannot afford to hire attorneys to advise them on ITAR compliance. Certain types of cyberphysical systems (for example, "vehicle management computers"13 and security systems14) and their associated software may be particularly difficult to find an exemption for.
Computer science educators. Fortunately, a note15 carves out an exemption for many educational activities, exempting "instruction in general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities." However, what may be implicated under the new regulations is the assistance that could otherwise be provided to students working on their own efforts (for example, in the context of project-based learning).15 The new language may also impair faculty aid to student start-ups, spin-outs, and industry collaboration. Because software is now defined as a defense article, much of this aid may qualify as a defense service.
For example, while a university faculty member might be able to provide foreign national students instruction on a topic, he or she could be precluded (absent application and approval) from providing feedback on an extracurricular project. Depending on how "instruction" is defined, this prohibition could even be taken to extend to providing feedback and guidance on class-related project-based learning activities. If these same foreign national students sought to start a small business related to the material they had learned, the faculty member would not be able to assist them without securing approval.
The research enterprise. While research in academia enjoys similar protection to before (embodied in a new section 120.49), industry loses a key exemption that has allowed them to participate in scientific discourse: the public domain exemption. While the university exemption is now expanded to cover federally funded research in industry, materials meeting the previous definition of being in the public domain (note that public domain is defined differently in ITAR than under copyright law) do not qualify for an exemption unless authorized. Authorizing agencies include the Directorate of Defense Trade Controls, the Department of Defense's Office of Security Review, "relevant U.S. government contracting" entities "with authority" or "another U.S. government official with authority."14 Making technical data publicly available (a key component of the public domain exemption) over the Internet is now defined as a type of export (irrespective of whether it reaches a foreign person), which may impair growth in Internet software delivery and cloud services.17
This change could prospectively reduce the participation of industry in conferences and other (for example, journal) publications. The need for agency approval may increase the expense incurred by members of the public and small and large businesses for participating in presentations and publications. This change, thus, may reduce privately funded research outside of the university environment. A small business that has developed an innovative technology, for example, may decide that the risk created by non-review and the cost and delay of government review make publication of their work untenable. This firm may, thus, decide not to allow publication, impairing the use of the discovery by the broader scientific community and the career advancement of the scientist who made the discovery.
A logical question, following from the foregoing identified problems, is how to prospectively correct these (possibly unintended) impacts of the ITAR changes. This would seem to have several prospective approaches.
The first is to create a separate classification for software that is neither technical data nor a defense article. This would allow regulations to be created and applied specifically to software (which is arguably different from both other categories and doesn't fit perfectly in either) after appropriate consideration of the needs related specifically to defense versus general-use software.
The second issue is the change to the public domain definition. Setting up the government as the clearinghouse of what is and is not in the public domain (particularly without any consideration to items previously generally available) is inherently problematic. The old approach (which allowed a pathway for almost anything that wasn't government funded or classified to enter the public domain) was probably overly broad; however, the proposed approach is problematically burdensome and restrictive. In the short term, changing the proposed rule to explicitly include anything previously meeting the public domain definition under the current language (before the change was made) in the public domain definition and anything substantially similar (in that it proposes no new export control concerns) to items currently in the public domain would eliminate some problems. More broadly, the notion of what information and software should and should not be controlled by the Department of State should be a topic for greater debate, as there is clearly a balance that needs to be struck.
Finally, enacting a safe harbor (as proposed by Straub and Vacek5) could be an important step to keeping small businesses and individuals innovating. The safe harbor proposed suggested that in most cases the government must show actual harm (as opposed to just a, prospectively technical, rules violation) to be successful in a prosecution or civil claim.
This most recent set of proposed changes to the ITAR attempts to clarify several topics. They better define the concept of what is and is not protected by the exemption related to fundamental research (likely narrowing the definition somewhat from what it may be perceived as, at present). They add additional sections codifying definitions for development, production, release, and retransfer. Further, they add and expand several types of export definitions.
Problematically, however, they also regulate software development activities that are not defense directed. They raise consideration of whether certain instructional activities may constitute defense services, with regard to software (now a defense article) development and they prospectively impair the dissemination of research by corporate researchers (and, prospectively, harm collaboration between corporate scientists and their university counterparts).
The foregoing illustrates the necessity for the computer science and the greater scientific community to get more involved with policy development. In the short term, it is important to clarify the State Department's intent with regard to the foregoing (much of which may be unanticipated or unintended consequences). Continued proactive involvement will also facilitate the shaping of this important topic into the future.
3. Gold, M. Thomas Jefferson, we have a problem: The unconstitutional nature of the U.S.'s aerospace export control regime as supported by Bernstein v. U.S. Department of Justice. Cleveland State Law Review 57 (2009).
4. Proctor, M. Are officers more reticent of games for serious training than enlisted soldiers? The Journal of Defense Modeling and Simulation: Applications, Methodology, Technology 5 (2008), 179–196.
5. Straub, J. and Vacek, J. Reforming regulation of basic and small business research and education in Space technologies under ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Space Law Journal 39, 2 (2014).
8. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions. Federal Register 80, 106, (June 3, 2015), 31525–31538.
9. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions. Federal Register 80, 106 (June 3, 2015), 31526.
10. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions, proposed section 120.11(b). Federal Register 80, 106 (June 3, 2015), 31535.
11. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions, proposed section 120.49(a)(2). Federal Register 80, 106 (June 3, 2015), 31536.
15. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions, proposed section 120.9(note to paragraph(a))(9). Federal Register 80, 106 (June 3, 2015), 31534.
16. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions, proposed section 120.11(b)(1–4). Federal Register 80, 106 (June 3, 2015), 31535.
17. U.S. Department of State. International traffic in arms: Revisions to definitions of defense services, technical data, and public domain; definition of product of fundamental research; electronic transmission and storage of technical data; and related definitions, proposed section 120.17(a)(7). Federal Register 80, 106 (June 3, 2015), 31535.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2017 ACM, Inc.