DTCA-FAQ

FAQ – Questions from UWA research office, with answers from DoD's DEC

The following questions were asked by research administrators at UWA, and the answers below each are the 'draft' replies from the Department of Defence's Defence Export Controls (DEC) in July through August 2015.

Q     What constitutes 'preparatory to the publication of Part 2 DSGL technology'? Where in the research life cycle does that begin? University researchers see collaboration over planning a project which leads naturally to publications as the beginning of publication. Where does DTCA see preparation for publication beginning?

A     An activity will be 'preparatory to the publication' where the person has commenced drafting a publication that contains Part 2 (Dual-Use) DSGL technology, the author intends to publish the publication, and the draft publication (or part of the draft publication) is supplied by the author, or another person, to a person overseas to further that publication. For example, activities such as sending a draft publication overseas to a co-author, colleague or expert for comment, or sending a draft publication to or from a peer reviewer or journal editor will not require a supply permit.

Q     Does a doctoral dissertation that is stored in a university library in paper, but not available on-line, provide a publication exemption?

A     This technology has already been published by making it available to the public via the institutional library. Once published and available in the public domain, it is no longer controlled and no supply permits are required.

Q     Does a doctoral dissertation in a university library that is flagged as 'restricted access', and not available on-line, provide a publication exemption?

A     Further advice from UWA on 3 July 2015 - Universities put most PhD, Masters and Honours dissertations (theses) in their library on paper, but in the last few years they have also put them in an online database of dissertations. The online database is searchable for free from anywhere. However, some dissertations are ‘sealed’, that is, they do not go on the online database, and they have some sort of flag on the paper copy that means the library will not allow that dissertation to be viewed except under certain conditions. Usually this is because the content is ‘commercial in confidence’ – this happens when the student gets a scholarship from a corporation that wants a research project done but does not want the results to be visible to their competitors.

If access to the dissertation is controlled or restricted to particular users or groups, which is the case here, any DSGL technology in the dissertation has not been placed 'in the public domain', and would continue to be controlled for any subsequent supplies or publications.

Q     Do old publications that are no longer available provide a publication exemption? For example material from a print-out of a publication that was later removed from online journal databases.

A     Yes, if it has been published with no restrictions, then it is ‘in the public domain’.

Q     If a researcher publishes information on a university website that is open to the public, before sending it cross-border by email, is that an already published / public domain exemption?

A     Yes, for Part 2 DSGL technology, there is no approval required to publish and once it is published in the public domain, the technology is no longer controlled and a supply permit is not required. For Part 1 technology, the researcher would need to apply for approval before they could publish the technology.

Q     Is inclusion in The Anarchist Cookbook, or unpublished but downloadable recent revisions of it, considered public domain? (These publications focus on the practical knowledge of making, and even using, several things that are listed in DSGL, parts 1 and 2).

A     If the information is publicly available without restriction, this is considered to be ‘in the public domain’ and the technology is no longer controlled.

Q     Are PDFs and MS-Word files in the TOR / deep-web in the public domain for the purpose of DTCA?

A     Our understanding is that the deep-web is part of the internet not necessarily accessible to search engines like Google. The only way the user can access this portion of the internet is by typing a directed query into a web search form to conduct a search and retrieve information that is within a particular website.

In this case, we would treat the deep-web as a storage medium, similar to cloud storage, and not in the public domain.

Q     Does the existence of a document on WikiLeaks, or other whistle-blower sites, provide a publication exemption?

A     Yes, information published on one of these sites is considered to be in the public domain.

Q     Many of the DSGL plant and animal pathogens, viruses, bacteria, and toxic chemicals have been used in warfare and documented afterward. Articles about how that was done are available online. Does this mean that discussing know-how for using these is public-domain and thus not prosecuted by the DTCA?

A     If the technology you are discussing is in the public domain, then the technology is no longer controlled and a permit would not be required.

Q     If a researcher sends an email to a recipient outside Australia and encrypts it, for example with Advanced Encryption Standard (AES), is that a trigger for investigation? Does Australian legislation require a researcher to provide a decryption key?

A     The legislation does not specify how the technology should be supplied. A permit will be required if the technology is supplied by a person in Australia to a person outside Australia regardless of the method of transfer, including whether the email is encrypted.

Q     If a researcher sends an email to a recipient outside Australia and encrypts it using asymmetric encryption (that is, where an encryption key is known and used by the researcher but the message can only be decrypted by a different key which is held by the recipient and unknown to the sender) does Australian legislation require a researcher to provide the original message in such a case?

A     As above

Q     If someone sends an email to a colleague within Australia, and then checks their own sent mail-box and reads that email while in China, is that a cross-border communication?

A     No.

A permit will only be required if the DSGL technology is supplied by a person in Australia to another person located overseas. Accessing your own information is not controlled.

Q     If someone accesses their own computer via remote access software while outside Australia and reads DSGL restricted content, are they in breach of DTCA?

A     As above

Q     Is access to a File Transfer Protocol (FTP) repository prohibited if username & password information are available on a related web-site?

A     Provided that the repository and the related web-site are accessible to the public, then the stored information is in the public domain and therefore, not subject to any control.

Q     Does genetic manipulation of DSGL listed bacteria and viruses come under the basic science exemption?

A     Most research in the life sciences field is applied research; the basic scientific research exemption would not usually be available. ‘Genetic manipulation’ is a broad area and we would need to consider a specific example to determine if the exemption applied.

Q     Does genome sequencing of DSGL listed bacteria and viruses come under the basic science exemption?

A     It is DEC policy not to control written DNA sequences.

Q     If an email is sent to someone outside Australia, and it contains a hyper-link to an unpublished document which is DSGL listed (for example on an FTP server or a web-page that is not linked to anything and thus not in any search engines) is that a breach of DTCA?

A     Yes. A permit is required for supplying DSGL technology which includes providing someone with the means to access DSGL technology. Providing a hyperlink would be considered to be providing someone with access to technology.

Q     What about the scenario immediately above where a hyperlink in an email is to documents describing know-how in Part 1 (Munitions List) of the DSGL?

A     For Part 1 DSGL Technology, if the know-how described in the documents falls within the ‘technical assistance’ definition in the DSGL, then it will be subject to control and a permit would be required. DEC would need to consider the documents to determine whether the know-how meets the threshold levels of the DSGL.

Q     Scenario: a software or network security researcher discovers a vulnerability in say Microsoft Windows, or in a Cisco Router. She develops a proof of concept to demonstrate the use of the vulnerability to achieve elevated access on Windows, or cross-traffic on the router. The current research/industry practice is for the researcher to package up the details, with the proof of concept, and send it to the vendor. It does not get published until after the vendor has developed a fix/patch and made it available to their customer base. How should an Australian researcher act responsibly and legally under DTCA?

A     Intrusion software controls in the DSGL are found at 4A005, 4D004 and 4E001.c. It is important to note that intrusion software as a stand-alone component is not controlled. Rather, it is the software and technology components which are used to control or disseminate intrusion software which are controlled.

Therefore a permit is not required when exporting or supplying the following:

  • exploit samples;
  • exploit proofs of concept;
  • vulnerability information;
  • information on how to search for, discover or identify a vulnerability in a system, including vulnerability scanning;
  • information about the vulnerability, including causes of the vulnerability;
  • information on testing the vulnerability, including ‘fuzzing’ or otherwise trying different inputs to determine what happens;
  • information on analyzing the execution or functionality of programs and processes running on a computer, including decompiling or disassembling code and dumping memory;
  • port scanners, packet sniffers, protocol analysers and vulnerability scanners (which just find vulnerabilities without actually exploiting them and extracting or modifying data);
  • information about intrusion software which is in the public domain;
  • publishing information about intrusion software into the public domain;
  • pre-publication activities for information regarding intrusion software, such as supplying a final draft of a publication or presentation.

The sharing of malware samples to identify and respond to infections, vulnerability reporting, or software used to jailbreak commercial commodity devices is also not controlled.