BORG demands Takedown of printable gun files.
State Department Claims Export Control Violations.
The battle of dangerous digital shapes has just begun!
Andy Greenberg Forbes Staff
On Thursday, Defense Distributed founder Cody Wilson received a letter from the State Department Office of Defense Trade Controls Compliance demanding that he take down the online blueprints for the 3D-printable “Liberator” handgun that his group released Monday, along with nine other 3D-printable firearms components hosted on the group’s website Defcad.org. The government says it wants to review the files for compliance with arms export control laws known as the International Traffic in Arms Regulations, or ITAR. By uploading the weapons files to the Internet and allowing them to be downloaded abroad, the letter implies Wilson’s high-tech gun group may have violated those export controls.
“Until the Department provides Defense Distributed with final [commodity jurisdiction] determinations, Defense Distributed should treat the above technical data as ITAR-controlled,” reads the letter, referring to a list of ten CAD files hosted on Defcad that include the 3D-printable gun, silencers, sights and other pieces. “This means that all data should be removed from public acces immediately. Defense Distributed should review the remainder of the data made public on its website to determine whether any other data may be similarly controlled and proceed according to ITAR requirements.”
Wilson, a law student at the University of Texas in Austin, says that Defense Distributed will in fact take down its files until the State Department has completed its review. “We have to comply,” he says. “All such data should be removed from public access, the letter says. That might be an impossible standard. But we’ll do our part to remove it from our servers.”
As Wilson hints, that doesn’t mean the government has successfully censored the 3D-printable gun. While Defense Distributed says it will take down the gun’s printable file from Defcad.org, its downloads–100,000 in just the first two days the file was online–were actually being served by Mega, the New Zealand-based storage service created by ex-hacker entrepreneur Kim Dotcom, an outspoken U.S. government critic. It’s not clear whether the file will be taken off Mega’s servers, where it may remain available for download. The blueprint for the gun and other Defense Distributed firearm components have also been uploaded several times to the Pirate Bay, the censorship-resistant filesharing site.
Wilson argues that he’s also legally protected. He says Defense Distributed is excluded from the ITAR regulations under an exemption for non-profit public domain releases of technical files designed to create a safe harbor for research and other public interest activities. That exemption, he says, would require Defense Distributed’s files to be stored in a library or sold in a bookstore. Wilson argues that Internet access at a library should qualify under ITAR’s statutes, and says that Defcad’s files have also been made available for sale in an Austin, Texas bookstore that he declined to name in order to protect the bookstore’s owner from scrutiny.
Despite taking down his files, Wilson doesn’t see the government’s attempts to censor the Liberator’s blueprints as a defeat. On the contrary, Defense Distributed’s radical libertarian and anarchist founder says he’s been seeking to highlight exactly this issue, that a 3D-printable gun can’t be stopped from spreading around the global Internet no matter what legal measures governments take. “This is the conversation I want,” Wilson says. “Is this a workable regulatory regime? Can there be defense trade control in the era of the Internet and 3D printing?”
Wilson compares his new legal troubles to the widely-followed case in the mid-1990s of Philip Zimmermann, the inventor of the cryptographic software PGP, who was threatened with indictment under ITAR for putting his military-grade encryption software online. “It’s PGP all over again,” says Wilson.
In Zimmermann’s case, much of the technology community was outraged that PGP’s inventor was being treated as if he were selling bombs or missiles to a foreign regime when he had simply put a powerful piece of privacy software on the Internet. That public support is widely thought to have influenced the State Department decision in 1996 to drop its case against him.
In this case, by contrast, Cody Wilson is literally an arms manufacturer. But whether the government will have any more luck in controlling the spread of his invention remains to be seen.
I’ll provide updates as this story develops.
Correction: In an earlier version of this story I described Wilson as an “arms distributor.” In fact, he’s an arms manufacturer, while Defense Distributed is a software distributing non-profit. Since Defense Distributed–not Wilson himself–is the target of the State Department’s query, that may be an important distinction.
Update: Here’s the full text of the letter.
United States Department of State
Bureau of Political-Military Affairs
Offense of Defense Trade Controls Compliance
May 08, 2013
In reply letter to DTCC Case: 13-0001444
[Cody Wilson’s address redacted]
Dear Mr. Wilson,
The Department of State, Bureau of Political Military Affairs, Office of Defense Trade Controls Compliance, Enforcement Division (DTCC/END) is responsible for compliance with and civil enforcement of the Arms Export Control Act (22 U.S.C. 2778) (AECA) and the AECA’s implementing regulations, the International Traffic in Arms Regulations (22 C.F.R. Parts 120-130) (ITAR). The AECA and the ITAR impose certain requirements and restrictions on the transfer of, and access to, controlled defense articles and related technical data designated by the United States Munitions List (USML) (22 C.F.R. Part 121).
The DTCC/END is conducting a review of technical data made publicly available by Defense Distributed through its 3D printing website, DEFCAD.org, the majority of which appear to be related to items in Category I of the USML. Defense Distributed may have released ITAR-controlled technical data without the required prior authorization from the Directorate of Defense Trade Controls (DDTC), a violation of the ITAR.
Technical data regulated under the ITAR refers to information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles, including information in the form of blueprints, drawings, photographs, plans, instructions or documentation. For a complete definition of technical data, see 120.10 of the ITAR. Pursuant to 127.1 of the ITAR, it is unlawful to export any defense article or technical data for which a license or written approval is required without first obtaining the required authorization from the DDTC. Please note that disclosing (including oral or visual disclosure) or tranferring technical data to a foreign person, whether in the United States or abroad, is considered an export under 120.17 of the ITAR.
The Department believes Defense Distributed may not have established the proper jurisdiction of the subject technical data. To resolve this matter officially, we request that Defense Distributed submit Commodity Jurisdiction (CJ) determination requests for the following selection of data files available on DEFCAD.org, and any other technical data for which Defense Distributed is unable to determine proper jurisdiction:
- Defense Distributed Liberator pistol
- .22 electric
- 125mm BK-14M high-explosive anti-tank warhead
- 5.56/.223 muzzle brake
- Springfield XD-40 tactical slide assembly
- Sound Moderator – slip on
- “The Dirty Diane” 1/2-28 to 3/4-16 STP S3600 oil filter silencer adapter
- 12 gauge to .22 CB sub-caliber insert
- Voltlock electronic black powder system
- VZ-58 sight
DTCC/END requests that Defense Distributed submits its CJ requests within three weeks of the receipt of this letter and notify this office of the final CJ determinations. All CJ requests must be submitted electronically through an online application using the DS-4076 Commodity Jurisdiction Request Form. The form, guidance for submitting CJ requests, and other relevant information such as a copy of the ITAR can be found on DDTC’s website at http://www.pmddtc.state.gov.
Until the Department provides Defense Distributed with the final CJ determinations, Defense Distributed should treat the above technical data as ITAR-controlled. This means that all such data should be removed from public access immediately. Defense Distributed should also review the remainder of the data made public on its website to determine whether any additional data may be similarly controlled and proceed according to ITAR requirements.
Additionally, DTCC/END requests information about the procedures Defense Distributed follows to determine the classification of its technical data, to include aforementioned technical data files. We ask that you provide your procedures for determining proper jurisdiction of technical data within 30 days of the date of this letter to Ms. Bridget Van Buren, Compliance Specialist, Enforcement Division, at the address below.
Office of Defense Trade Controls Compliance
PM/DTCC, SA-1, Room L132
2401 E Street, NW
Washington, DC 20522
We appreciate your full cooperation in this matter. Please note our reference number in any future correspondence.
Glenn E. Smith
Chief, Enforcement Division