1997-01-29 - Complying with the EAR [was: More Circumventing the ITAR]

Header Data

From: Michael Paul Johnson <mikej2@exabyte.com>
To: Mark Rosen <mrosen@peganet.com>
Message Hash: d8044ed75427adf49323301878b3ff37e13ab8993ca858f01f42d8b18a8b2932
Message ID: <199701291937.LAA08691@toad.com>
Reply To: N/A
UTC Datetime: 1997-01-29 19:37:25 UTC
Raw Date: Wed, 29 Jan 1997 11:37:25 -0800 (PST)

Raw message

From: Michael Paul Johnson <mikej2@exabyte.com>
Date: Wed, 29 Jan 1997 11:37:25 -0800 (PST)
To: Mark Rosen <mrosen@peganet.com>
Subject: Complying with the EAR [was: More Circumventing the ITAR]
Message-ID: <199701291937.LAA08691@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


On Tue, 28 Jan 1997, Mark Rosen wrote:

> 	I'm curious as to exactly what the ITAR/EAR/Whatever says specifically
> about "unrestricted FTP sites." My program, Kremlin, is available for

You should check the exact text yourself, but the way I read the EAR, you
are not "exporting" strong cryptographic software without a license (exept
to Canada, which needs no license) if you do things "such as"
(1) have the guests to your site acknowledge that the EAR restricts
export, (2) have the guests affirm that they can legally get the software
(proper citizenship or residency & location), and (3) "check the address
of the destination computer to see if it is in the USA" or Canada. The
last one, I interpret rather loosely to mean that if the guest's email
address domain isn't one commonly used in the USA or Canada, then I deny
access. We all know that not all .com addresses are North American, but
chances are really good that if the address ends in .ru, then the
destination machine is probably not in North America. This is not a
perfect way to prevent export, of course, but it is what the regulations
say, as I read them. For a pointer to the regulations and to my access
request form and crypto site, see http://www.sni.net/~mpj/crypto.htm

Disclaimer: I am not a lawyer, and most lawyers don't even understand this
stuff, so you read and act on it at your own risk. This is just my best
effort to comply with the law without sacrificing my right to publish.

> download at the web page below. On my web page, I have some stuff in bold
> print that informs about the ITAR and tells people to go away if they're
> not from the US or Canada. Does this count as an unrestricted FTP site?

Is there any reason why people have to look at your warning before reading
your warning? At my site, the ftp site itself is in a hidden directory
that changes names often enough that people can't successfully link to the
restricted files for very long without going through my warning page.
Indeed, my site can't be navigated and indexed properly by web search
robots. At your site, it is extremely likely that someone would find your
software without ever seeing your warning. Indeed, your software is on
another server with another interface. I think that your site counts as
unrestricted.

> 	Also, back to the question of registration numbers. A registration number
> is just a string of letters and numbers, and is essentially the same as a
> friendly letter; it contains no cryptographic code. For all anyone knows, I
> could just be charging for pseudo-random numbers, again, nothing of
> cryptographic significance. Is it illegal for me to mail someone outside of
> the US or Canada a registration code? Thanks for any help.

The registration code is legally equivalent to the registered software
that it unlocks. Sending the registration code to France, for example,
would be likely to be considered the same as sending the registered
software to France (in violation of the laws of both countries).

Now if the "unregistered" software is weak (i. e. crippled key length)
without the registration code, you need not worry about posting it
publicly and without restriction, as long as you don't export the
registration code (except to Canada) without a license. I do this with
Quicrypt (ftp://ftp.csn.net/mpj/qcrypt11.zip).

BTW, I posted krem104.zip at my site. Please let me know if I mangled it
in the process...

http://www.sni.net/~mpj/crypto.htm

 Michael Paul Johnson      Opinions herein are not necessarily Exabyte's.
 Work:     mpj@exabyte.com http://www.exabyte.com
 Personal: mpj@csn.net     http://www.csn.net/~mpj       BBS 303-772-1062







Thread