From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 13 Mar 1996 17:07:35 +0800
To: an534774@anon.penet.fi
Subject: Re: Crypto Exposure
Message-ID: <199603130737.XAA22803@ix15.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 04:05 AM 3/13/96 UTC, an534774@anon.penet.fi wrote:
>A few questions concerning the access to crypto
>software from foreigners living in the US: 
>
>- Suppose that an ISP (or a University) provides an account to
>a foreigner (i.e. the foreigner can access a few UNIX machines
>that are property of the ISP). Suppose now that PGP (for
>example) is installed on these machines, then the ISP expose
>the foreigner to crypto software, right? Is the ISP (or
>University) punishable by law?   

There isn't a good answer to this, but it's probably a bad idea
for any US-based school or ISP that permits foreigners to
access its files to provide crypto capability, unless it limits
it to Yankees (e.g. though Unix group permissions.)
It's certainly a bad idea for any _small_ organization,
or organization with a small legal budget, to do so.

>- Which version of PGP is the foreigner allowed to use in the
>US?  He would violate export restriction if he uses the US
>version and he would violate the RSA copyrights if he uses
>the internation version, right? 

No - this one there _is_ a good answer to :-)  US Law doesn't
restrict use of encryption by foreigners located within its borders
(except maybe special circumstances like agents of foreign
governments; I'll pass on answering that) - only on whether
US persons can give them munitions, and of course patents.
The clean approach is for the foreigner to bring a copy of the
US version of PGP into the US, either on magnetic media
or by downloading from ftp.ox.ac.uk or other free-world site.

>- What if the foreigner actually write crypto code while in
>the US?  Does he (or the Uni/ISP) violate export restrictions each 
>time he access the source code or execute his program if they are 
>stored on a public (Uni/ISP) machine? 

The foreigner isn't a US person, so he doesn't violate the
law by reading the code himself.  If the Uni or ISP knows
that it's providing encryption software to the foreigner,
it may be liable, but without scienter it's tough to have guilt.
Probably the foreigner should not keep encryption software on
University or ISP machines - floppy disks should do just fine :-)

Encryption material used only for authentication, of course,
is just fine, at least unless the foreigner is from a country
the US State Department considers to be an enemy, like Cuba.
#--
#			Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215 pager 408-787-1281
# "At year's end, however, new government limits on Internet access threatened
# to halt the growth of Internet use.  [...] Government control of news media 
# generally continues to depend on self-censorship to regulate political and
# social content, but the authorities also consistently penalize those who
# exceed the permissable."  - US government statement on China...