From: aba@dcs.exeter.ac.uk
Date: Tue, 24 Oct 95 05:11:24 PDT
To: jbaber@mi.leeds.ac.uk
Subject: Re: crypto export from the UK
In-Reply-To: <208.9510241158@misun2.mi.leeds.ac.uk>
Message-ID: <28071.9510241209@exe.dcs.exeter.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain



[Paul: cc'd you about legal question about who it is that "exports"
the person downloading or the person with the server, you made a
comment on this a short while ago in one of the crypto groups (below)]

Jon Baber <jbaber@mi.leeds.ac.uk> writes in cypherpunks:
> Adam <aba@atlas.ex.ac.uk> writes:
> > I thought they were markedly different!
> > 
> > I always understood there were NO restrictions on crypto export,
> > import or use to western countries.  There used to be COCOM agreements
> > which said that you should get approval to send commercially produced
> > crypto to some blacklisted countries (Iraq, etc).  I also read that
> > the COCOM restrictions did not claim to apply to free software.
> 
> I think that it was the COCOM restrictions that I was thinking
> about. The blacklist was fairly large (including the USSR) and I
> believe that it did apply to software (although I do not know about
> free software).

Hadn't seen the blacklist.  USSR now has it's own blanket crypto ban,
a translation of the Russian text of the presidential decree was
posted by someone a while back.

> > Anyway, I read that the COCOM agreement has expired, so none of this
> > applies anymore, even.
> 
> Now this I did not know. Do you know when it expired and why it was
> not renued?  We must still have some export restrictions for
> Munitions does this no-longer cover crypo?

Sorry, that one was I think got from reading USENET, or at least I no
longer recall where I read it, so I can't vouch for the accuracy of
that.  (I should have disclaimed that).  Perhaps someone else knows
enough to refute, or validate that.

But I was reading about the COCOM restrictions this morning on
Bert-Jaap Koops crypto law survey page:

http://www.kub.nl:2080/FRW/CRI/projects/bjk/lawsurvy.htm

and it says this about COCOM:

> COCOM [1, 5]
> 
> 1. COCOM (Coordinating Committee for Multilateral Export Controls) is
> an international organization for the mutual control of the export of
> strategic products and technical data from country members to
> proscribed destinations. It maintains, among others, the International
> Industrial List and the International Munitions List. In 1991, COCOM
> has decided to allow export of mass-market cryptographic software
> (including public domain software). Some member countries of COCOM
> follow its regulations, but others, such as Germany and the United
> States, maintain separate regulations.
> 
> Its 17 members are Australia, Belgium, Canada, Denmark, France,
> Germany, Greece, Italy, Japan, Luxemburg, The Netherlands, Norway,
> Portugal, Spain, Turkey, United Kingdom and the United
> States. Cooperating members include Austria, Finland, Hungary,
> Ireland, New Zealand, Poland, Singapore, Slovakia, South Korea,
> Sweden, Switzerland, and Taiwan.

This phrase, if accurate, says it all:

> In 1991, COCOM has decided to allow export of mass-market
> cryptographic software (including public domain software).

> > > However our Government seems to take the view that putting crypto
> > > software on the net is not exporting it, the exporting is done
> > > whenever anyone from an export restricted country downloads the
> > > software and is done by them rather than by the person who made the
> > > software available.
> 
> > I also have heard this.
>
> I can not remember where I heard this though. I don't suppose you
> know whether this was an official policy statement or just a comment
> like 'well it may technically be illegal but we would hold the
> downloader liable rather than the supplier'?

I'm not sure if it's unofficial policy or law.  One place I remember
reading this was in one of the crypto groups, Paul Leyland expressed
this view in a recent post to one of the crypto groups.  This was to
do with potential "export" from ftp.ox.ac.uk, which he has something
to do with, and which contains copies of PGP (as well as nautilus,
pgpfone, various encrypting file systems, etc).

Here's my list of relevant sites, with info on EU crypto laws:

http://www.privacy.org/pi/
ftp://ftp.cl.cam.ac.uk/users/rja14/queensland.ps.Z
http://web.cnam.fr/Network/Crypto/survey.html
ftp://ftp.wimsey.com/pub/crypto/Doc/laws/laws-for.ps.gz
http://www.kub.nl:2080/FRW/CRI/projects/bjk/lawsurvy.htm
ftp://ftp.uni-stuttgart.de/pub/doc/security/crypto/euro-clipper.ps.gz

I have been trying to maintain a list of them on:

	http://www.obscura.com/~shirt/

for political background for the munitions T-shirt, in the hope that
some people who browse it will read it and come away more aware than
they were before.  The main thing which worries me at the moment is
the implications of the eu-clipper: the secret service agencies of EU
countries have been plotting this for a while now, and probably have a
clipper like attempt on their agenda.  Ross Anderson reported that
there had been a secret meeting of secret service organisations
earlier this year, to discuss 

Ross Anderson <rja14@cl.cam.ac.uk> wrote (forwarded by somebody, but
originally in one or more of the crypto groups):
> [...]
> While at the conference, 

[the elided text indicated that the conference referred to was "the
Cryptography Policy and Algorithms Conference, Queensland University
of Technology"]

> I found out that a classified meeting took place this March in
> Germany between the signals intelligence agencies of the developed
> countries, plus Australia and South Africa, at which the assembled
> spooks agreed to press their governments to bring in escrow and/or
> weak crypto.

This comment was some time before the latest EU-clipper goings on were
announced.

Adam