Topic: FPGA Export Regulation and "Supply Chain Interdiction"
I just read this nugget in the blog post "Meeting Snowden in Princeton" by Ross Anderson based on discussions about NSA operations:
"The export control mechanisms are also used as an early warning mechanism, to tip off the agency that kit X will be shipped to country Y on date Z. Then the technicians can insert an implant without anyone at the exporting company knowing a thing. This is usually much better than getting stuff Trojanned by the vendor."
This is referring to the targeted interception programs run by some governments and which (maybe!) have been used against Tor developers.
I'm curious if the Crowdsupply and Novena folks needed to fill out ITAR or EAR style paperwork as part of customs for Novena hardware, either for the finished boards or for the raw components (particularly the Xilinx FPGA). I assume the assembled bare boards were shipped from Shenzhen to the USA for final boxing and then shipped onward internationally, but the Xilinx components might have been shipped from the USA to Shenzhen at some point.
I don't mean to be negative (ZOMG SPIES!!111!) or suggest that paperwork shouldn't be filed as necessary, i'm just curious if this is even an issue speculatively, as a gedankenexperiment. I've filled out plenty of export paperwork for specific digital components in the past and always just whined about the red tape, but I might think about it differently in the future. Off the top of my head, a way to avoid this on an individual level might be to get sensitive hardware shipped to a domestic friend in the USA and have them hand carry it (by plane?), filling out whatever export duties are necessary (IANAL, don't know if/how this can be done entirely legally). On a regional scale, folks can try to source components and do at least the pick-and-place assembly locally (made much more feasible by Novena being open hardware! <3).
URLs mangled to get around forum restrictions:
 lightbluetouchpaper.org /2015/05/02/meeting-snowden-in-princeton/
 arstechnica.com /tech-policy/2014/05
 privacysos.org /node/1311