1997-01-14 - Re: New US regs ban downloadable data-security software

Header Data

From: Ian Goldberg <iang@cs.berkeley.edu>
To: risks@CSL.sri.com
Message Hash: 22624a2534d4ed0f4f729a878f0c206d7ae0ca7796a90cd4265c27c4454c8782
Message ID: <199701140145.RAA07183@cypherpunks.ca>
Reply To: N/A
UTC Datetime: 1997-01-14 01:46:07 UTC
Raw Date: Mon, 13 Jan 1997 17:46:07 -0800 (PST)

Raw message

From: Ian Goldberg <iang@cs.berkeley.edu>
Date: Mon, 13 Jan 1997 17:46:07 -0800 (PST)
To: risks@CSL.sri.com
Subject: Re: New US regs ban downloadable data-security software
Message-ID: <199701140145.RAA07183@cypherpunks.ca>
MIME-Version: 1.0
Content-Type: text/plain


Lucky Green said:
> The new US crypto export regulations control the export of most if not all
> data-security software. Regardless if the software uses cryptography or
> not. Many software archives seem to be in violation of the new regs.
> 
> <snip>
> 
> This certainly controls virus checkers, firewalls, and other security
> software. There are substantial penalties involved in violating the EAR.
> The US can assess daily penalties and block all exports of a company's
> non-violating products. Criminal penalties apply as well.
> 
> "Export", as defined in the new regs, includes making software available on
> the web or via ftp.

After _very_ careful reading of the Export Administration Regulations (EAR)
(though IANAL), it would seem that the above is slightly inaccurate.

Although, as Lucky pointed out, virus checkers et al. are indeed regulated
for export from the US, and putting software up for ftp or WWW is considered
export, the EAR does _not_ apply to "publicly available" software
(732.2(b)(1)).  Software is publicly available "when it is available for
general distribution either for free or at a price that does not exceed
the cost of reproduction and distribution" (734.7(b)).

Therefore, it would seem that, as long as the security software on your ftp
or WWW site is free of cost, it is OK to keep it there.  Commercial
security software, however, remains export-restricted.

NOTE, however, that products that actually do contain cryptography fall under
an exception (734.7(c)): "Notwithstanding paragraphs (a) and (b) of this
section, note that encryption software controlled under ECCN 5D002 for
``EI'' reasons on the Commerce Control List (refer to Supplement No. 1
to part 774 of the EAR) remains subject to the EAR even when publicly
available."

The software controlled for EI reasons under 5D002 are described as:
"EI controls apply to encryption software transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O. 13026
of November 15, 1996 (61 FR 58767) and pursuant to the Presidential
Memorandum of that date. Refer to Sec. 742.15 of the EAR."

As virus checkers et al. were not on the Munitions List, they are not
controlled for EI (Encryption Items) reasons, but rather for NS (National
Security) and AT (Anti-Terrorism) reasons.

The RISKS: the government suddenly creating (and putting into effect)
new rules covering large amounts of software, without warning or
(in my opinion) justification.

   - Ian "again, IANAL"





Thread