The International Traffic in Arms Regulations don’t usually garner national attention from the press, but when they do, they do so with a bang. A recent case involving University of Texas law student Cody Wilson has brought the ITAR into the national spotlight in a way that few events have. The State Department alleges that Wilson may have violated the ITAR when he released online the blueprint for a fully functional gun that can be printed at home on a 3D printer. If the State Department finds that Wilson has indeed violated the ITAR, he or his company, Defense Distributed Inc., may face up to $1 million for each violation of the ITAR, or ten years in prison if his violations of the ITAR were found to be willful. With the initial release estimated at more than 100,000 downloads (and who knows how many viewings) of Wilson’s blueprint, the amount of liability that he faces has more zeros than I could write in my lifetime. We all know that he is not going to prison for a bazillion years, nor will his company pay a bazillion dollars in fines (it will be bankrupt before that). What we don’t know is how the State Department will monitor and enforce the blueprint now that it is already widely available. The reason why Wilson’s case is so interesting is not due to the fact that it is unique, it’s the fact that it’s so common. With the Internet available worldwide, and with millions of enterprising folks like Wilson, how will DDTC enforce individual compliance with the ITAR?

The answer is simply that they can’t. After receiving a letter from DDTC informing him that he may have run afoul of the ITAR, Wilson complied with DDTC’s demand to take the blueprint off the Internet. The problem is that what happens on the Internet never leaves the Internet. Before DDTC ordered Wilson to take down his blueprint, websites like Pirate Bay, which allows users to download both legal and illegal media, were already hosting the blueprints. Even though Wilson has complied with DDTC’s request, Pirate Bay and other sites have continued hosting the blueprints, and there is not a thing that DDTC can do about it.

Wilson’s case raises serious questions about the future of ITAR enforcement. The export community is used to seeing large settlements between the government and major companies, like Raytheon, which paid $8 million to the State Department for their violations, and ITT Cannon’s plea agreement to pay $50 million in addition to investing $50 million in an export compliance program. The fact remains, we see very few cases of DDTC issuing penalties against individuals for the release of technical data. The closest high-profile example of this would be the case of Reece Roth, a professor who received a four-year prison sentence for releasing controlled information to students who were Chinese and Iranian foreign nationals. We must note that Roth’s case is different from Wilson’s. Roth committed his violations as a professor for a major institution, the University of Tennessee. Wilson, on the other hand, is pretty much acting as an individual, although the prints were distributed through his proprietorship, Defense Distributed Inc. So the question is, what is the best way for DDTC to monitor content between individuals on the Internet and how will DDTC prevent that information from being shared further once it is already available?

In order for DDTC to monitor and prevent online sharing of technology, they will probably have to adopt a more aggressive stance both in terms of investigating online file sharing and in issuing penalties. One way DDTC may go is to devote more resources towards tracking the IP addresses of those who are downloading the restricted technology. Once they have the IP address they can determine who the most likely users of that address are and tag them for notification and warnings on the restriction of that technology. As mentioned above, DDTC may also need to take actions to deter others from re-releasing or replicating controlled technology, which could involve more unforgiving penalties.

In any case, individuals and companies alike will probably face no less scrutiny from DDTC than they currently face in the area of technology sharing. Online sharing frustrates the efforts of DDTC due to the public visibility of shared information and the ease at which it can be replicated. This frustration is likely to lead to DDTC leveraging its enforcement tools to prevent further sharing. In a world where one person can create very dangerous innovations behind the computer screen, it is important for everyone, not just large companies, to have a basic understanding of the ITAR and what information can and cannot be shared. This is what Cody Wilson’s case may teach us.