Australia's Department of Defence is meeting with security professionals, including Google, to nut out the finer points of that country's dual-use control laws in what is described as a move away from a punitive crack-down on information security data sharing.
Nine Defence delegates and five of 15 invited industry and other agency bods met in Canberra in May to discuss the amended Defence Controls Act, which received Royal Assent on April 2nd.
The amended Act includes a 12-month compliance breather such that those exporting controlled dual-use technologies like security exploits and cryptography will not face prosecution under penalties ranging up to a 10-year prison term.
David Hook, founder of popular cryptography API library Bouncy Castle, said Defence is keen to avoid a punitive approach.
"I've talked to quite a few Defence people now and they are trying not to be punitive about it; it is not their intention that this should be some sort of reign of terror," Hook said.
"Crypto invades almost everything now and they understand how important this is to commerce," he added. "From a national security point of view, if your legal system creates an environment where it is impossible for anyone in the area to work in your country, people will stop; the DSD (Australian Signals Directorate) still want to hire those skills themselves."
Hook has supplied Defence with a scenario of how the Act could apply to Bouncy Castle, noting that a version of the library developed for FIPS compliance would require a Defence Export Control Office permit for only the temporary period in which it is a closed-door operation.
The FIPS library would then be released open source and therefore no longer be subject to the Act.
Google is supplying its own scenario of how the Act could apply to it.
Defence Export Control Office heads Gabrielle Burrell and Claire Willette chaired the 15 May meeting, which, according to meeting documents seen by Vulture South, discussed the extension of the Strengthened Export Controls steering group until April next year, and record keeping and compliance requirements under the Act.
The committee notes that controlled technologies will not require a permit in order to be hosted offshore, nor if that technology is stored in an email account and is accessed by an Australian located overseas.
The documents state that Australian teachers educating overseas students on cryptography will not be subject to the Act because the material is "in the public domain" and neither will those who publish crypto software – with the exception of when the technology applies to "weapons of mass destruction".
Defence is focused on building "appropriate" licences and "clear and concise guidance" for businesses and open source contributors, and will hold its next meeting on 27 August. ®