Export controls (was RE: Documentation confidentiality level policy )

Subject: Export controls (was RE: Documentation confidentiality level policy )
From: "McLauchlan, Kevin" <Kevin -dot- McLauchlan -at- safenet-inc -dot- com>
To: "techwr-l -at- lists -dot- techwr-l -dot- com" <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Thu, 22 Oct 2009 11:39:59 -0400

Janet Swisher wrote something very much like:

> The term for information that is covered by an NDA should follow the
> terminology that is used in the NDA text. If the NDA uses the term
> "confidential" for this material, then that is the term that should
> appear on the material to alert readers that that the NDA applies.
> "Proprietary" is another term that is sometimes used.
> I've only seen three levels in practical use: public, confidential,
> and internal. One company I contracted for had another level that was
> restricted as to who within the company could see it, but I never
> dealt with that level.
> If you have customer support forums, you might want to have a
> governance category for information from customers that they have
> consented to share with other customers. In other words, customers
> might want some support questions to be private between them and your
> company, but make other questions searchable by other customers (but
> not the general public). But that is a completely separate issue than
> the categories for your own information.

This discussion, particularly Janet's post, reminded me of a presentation that we had from our corporate legal beagles, earlier in the year.

The topic was export controls and export categories.

Not only did we have to be very careful about which of our company-produced weapons we shipped anywhere in the world, we equally had to be very careful about what we said about them, and about whom we "spoke" to.

Oh, and did I mention that our products are information-security/cryptographic software and hardware? Those are considered "munitions" under the USA's HD* Act. Nothing that we make could cause physical harm to a person unless they stood in a puddle and stuck a fork ... but wait, we also baffle all the ventilation slots... they'd have to chew on the power cord to electrocute themselves, or drop the appliance on their heads to invoke a headache. Even licking the devices wouldn't do it, since they're all RoHS-compliant (no heavy metals).

[* HD as in Humpty Dumpty, as in 'When I use a word', said Humpty Dumpty in rather a scornful tone, 'it means just what I choose it to mean - neither more nor less.' ]

Now, under export controls, especially ITAR, it is not merely illegal to ship hardware, software, and technical manuals for same, to certain regions and countries, it is illegal to even discuss them without the requisite permits.

As one of our people was told, when he tried to parse what he'd just been told, and asked: "So, if I attend an industry conference in (say) Paris, and I talk about our products to the same (shallow) level of technical detail that our Irish or Israeli or Russian competitors are talking about theirs, I'm opening myself to charges under munitions-export laws?". . . yes. You have exported prohibited data from the US to non-US persons. And by the way, you can't sit in your office and say the same things on a conference call that includes people out-of-country (same with online chat, e-mail...). If you are talking to a company in an acceptable part of the world, you can't know that one of their employees isn't from an unacceptable place.

The guy sitting a bit further down the table was shaking his head in dismay. He was one of our (successful) product managers and business development guys. "I can't do my job. It's illegal to do what I do every day!" René was gone within a month. Coincidence?

Meanwhile, definitions and ways of speaking/writing about your products are critically important. At worst, you want your products to fall under the general export controls regime. Unless it is intended only and specifically for military use, you really, really don't want it being interpreted as falling under ITAR. Suddenly the restrictions become crippling and you can't be competitive because every move you'd care to make requires explicit formal permission from the US State Dept. So, if your product is intended for general markets, be very careful that it doesn't get sucked into the munitions regime. The gods of four different major religions have to appear and simultaneously vouch for you, before you can get a product OFF that list.

But... what does being careful mean? Let's say you have a multi-terrain vehicle that would be well-received by recreational users, forrestry workers, rescue workers, ranchers, prospectors and surveyors, energy-resource companies, and on and on, but it would also be a good seller to military organizations, if modified for their use. Since you don't want to have two separate production lines, you adjust your vehicle to have a hole in the dash, the right size to accept the mount for a "standard" military radio. They you affix a plate over the hole for the rest of your market. Whoops! You've just caused your little vehicle to fall under the wrong classification. Plate or no plate, the vehicle is now a "munition" and can't be exported without serious and lengthy hoop-jumping for each and every instance.

For something that performs cryptographic operations that would (say) secure credit-card or inter-bank transactions, but which could also have government or military application, you have to be careful how you talk about it, write about it, etc. Never sell it to a government agency as your first customer - always be able to demonstrate that, not only did you designate/intend it as a commercial product, but the commercial marketplace demonstrated its agreement with that assertion. Etc., etc., etc.

All subject to interpretation, of course.

All subject to retroactive re-interpretation by the PTB.

All of the above to suggest that merely labelling your stuff "proprietary" or "confidential" or whatever isn't going to save you. :-)

- Kevin

The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.


Free Software Documentation Project Web Cast: Covers developing Table of
Contents, Context IDs, and Index, as well as Doc-To-Help
2009 tips, tricks, and best practices.

Help & Manual 5: The complete help authoring tool for individual
authors and teams. Professional power, intuitive interface. Write
once, publish to 8 formats. Multi-user authoring and version control! http://www.helpandmanual.com/

You are currently subscribed to TECHWR-L as archive -at- web -dot- techwr-l -dot- com -dot-

To unsubscribe send a blank email to
techwr-l-unsubscribe -at- lists -dot- techwr-l -dot- com
or visit http://lists.techwr-l.com/mailman/options/techwr-l/archive%40web.techwr-l.com

To subscribe, send a blank email to techwr-l-join -at- lists -dot- techwr-l -dot- com

Send administrative questions to admin -at- techwr-l -dot- com -dot- Visit
http://www.techwr-l.com/ for more resources and info.

Please move off-topic discussions to the Chat list, at:


Documentation confidentiality level policy: From: Claudine CHAUSSON
Re: Documentation confidentiality level policy: From: voxwoman
Re: Documentation confidentiality level policy: From: Janet Swisher

Previous by Author: Peer review - movin' it along
Next by Author: RE: Export controls (was RE: Documentation confidentiality level policy )
Previous by Thread: Re: Documentation confidentiality level policy
Next by Thread: Re: Export controls (was RE: Documentation confidentiality level policy )

What this post helpful? Share it with friends and colleagues:

Sponsored Ads