@therealmik
Last active August 29, 2015 14:14
Notes on the DTCA Consultation session (Melbourne)

These are just notes on what pieces of information I picked up from the session, not legal advice or even necessarily correct.

The consultation was for an amendment, which specifically adds exceptions for Australian law enforcement and defence agencies operating overseas (whoops!). It also tries to soften the blow for "publishing".

If you deal with "Section 1" goods (military stuff), you belong to DoD now. But you did before, so now you have to fill in another form for each project you do.

  • "Publishing": If you make the knowledge available to anyone (payment or otherwise)
  • "Supply": If you send the knowledge to a limited market
  • "Export": When the knowledge leaves Australia (not counting via grey-matter)
  • "In the public domain": If it shows up in a Google search - excluded
  • "Basic research": Try to frame what you're doing as this - excluded

If you deal in "Section 2" / "Dual Use" goods, the amendments introduce weaker restrictions and less red tape (i.e. give a license by default, and they'll take it off you if somebody's spooked by your work), limited to publishing. They also don't require a license for pre-publication work (e.g. talking to reviewers etc.), except when they do, but you'll know when that is.

This is where you might need to talk to lawyers:

  • New curves (for Elliptic-Curve Cryptography): Basic Research?
  • Open source crypto tool, using standard libraries: In the public domain or Publication?
  • Exploit sales: get a license
  • Reporting bugs: report the bug. The exploit would be the controlled part
  • Cryptanalysis: That covers a lot of ground. Some might be Publishing, others might be Basic Research

The DSGL is a list of items that are dual-use or military. It seems to cover most of the frontiers of IT (not just infosec).

It comes from four treaties, one of which is Wassenaar. I asked who you can make representations to in order to get it fixed (remove Crypto - it's stupid to have it there), and the response was that you need to get 41 countries to unanimously agree to a change before it can be amended. "Who do I speak to about that?" was met with laughter from the whole room. Yeah laugh - your own government isn't even in control of which thoughts are Export-Controlled Military Thoughts. Funny.

If this amendment doesn't pass, enforcement comes in May - the amendment will apparently delay enforcement for 6 months. Deadline for written submissions is 30th Jan (tomorrow). You can also contact your M.P. - mine's on holiday still though. Keep in mind that throwing out this amendment is far worse than getting it slightly changed.

Extra notes from a day later:

Somehow in my first write-up I missed the hilarity of the proposed collaboration protocol (with colleagues - the lady presenting didn't seem to comprehend "mailing lists" at all).

The proposal was that you'd ask your colleagues if they're currently in-country before emailing them with your possible dual-use thoughts, then wait for their reply before sending.

@ncoghlan

One key point for folks that previously haven't encountered this area of the law: the US has the most stringent Wassenaar enforcement regime to date (the "International Trade in Arms" regulations), so if you're worried about an activity that plenty of Americans engage in every day, it's probably OK to relax a bit, as the intent of the Australian law is to be less restrictive than ITAR (while still meeting our Wassenaar obligations). There are still open questions as to whether the specific drafting of even the amended act meets that goal, but it's going to take lawyers to say "Yay" or "Nay" on that one.

More details at http://www.curiousefficiency.org/posts/2015/01/dtca-public-consultation.html
