1997-05-18 - Re: Distributing cryptographic code

Header Data

From: Greg Broiles <gbroiles@netbox.com>
To: Yoav Yerushalmi <yoav@MIT.EDU>
Message Hash: c70a89290acb319e87dc5519c06a841b12768defefa76ba2b5e99f4fc6ea10d3
Message ID: <3.0.1.32.19970517183655.00867d60@mail.io.com>
Reply To: <9705161836.AA28876@angreal.MIT.EDU>
UTC Datetime: 1997-05-18 01:51:30 UTC
Raw Date: Sun, 18 May 1997 09:51:30 +0800

Raw message

From: Greg Broiles <gbroiles@netbox.com>
Date: Sun, 18 May 1997 09:51:30 +0800
To: Yoav Yerushalmi <yoav@MIT.EDU>
Subject: Re: Distributing cryptographic code
In-Reply-To: <9705161836.AA28876@angreal.MIT.EDU>
Message-ID: <3.0.1.32.19970517183655.00867d60@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain



This thread was booted from coderpunks, perhaps the interested parties will
continue it here. 

At 02:36 PM 5/16/97 EDT, Yoav Yerushalmi wrote:
[...]
>  I'm part of a research group here at MIT, and several groups here
>have written implementations of concepts and protocols that involve
>cryptography in one way or another (encryption/signing/voting, etc).
>
>  We would like to put this code up for distribution (within the US
>of course), but don't actually know what is a 'reasonable' amount of
>protection that one need apply to prevent people from exporting
>it to the rest of the world.

If I were you, I'd talk to the other folks at MIT distributing strong
crypto code, they've certainly had to think about/work on this problem.
Might as well ride on their coattails. 

Having said that, you might take a look at 15 CFR 734.2(b)(9)(ii) if you're
really feeling masochistic, which says that making software available via
the Internet such that it is available for transfer outside of the United
States is an export unless the person making the software available takes
certain precautions. The precautions are:

>>>>
    (A) Ensuring that the facility from which the software is available 
controls the access to and transfers of such software through such measures
as:
    (1) The access control system, either through automated means or 
human intervention, checks the address of every system requesting or 
receiving a transfer and verifies that such systems are located within 
the United States;
    (2) The access control system, provides every requesting or 
receiving party with notice that the transfer includes or would include 
cryptographic software subject to export controls under the Export 
Administration Act, and that anyone receiving such a transfer cannot 
export the software without a license; and
    (3) Every party requesting or receiving a transfer of such software 
must acknowledge affirmatively that he or she understands that the 
cryptographic software is subject to export controls under the Export 
Administration Act and that anyone receiving the transfer cannot export 
the software without a license; or
    (B) Taking other precautions, approved in writing by the Bureau of 
Export Administration, to prevent transfer of such software outside the 
U.S. without a license.
<<<<

The software publishers I'm familiar with who make strong crypto available
via the Internet in a commercial setting (Microsoft, Netscape, C2Net) do
reverse-DNS lookups on the requester to try to figure out whether or not
they're inside the United States. 

This is *not* an "official" answer, nor is it legal advice. The regulations
discussed above have been public for less than five months. I've spoken
with several attorneys who specialize in export control and they've all
commented that the regs were drafted quickly, without good attention to
detail, and are not necessarily models of clarity or precision. Nobody's
100% sure what they mean. 

Also, one person commented within the coderpunks thread:
>>>>
A disclaimer would be adeqate protection if I remember correctly.
I don`t recall what the situation is in the US, is it the case that
the provider of the information is guilty of export, or the person
that actually downloads it, if it is available via anonymous FTP???
<<<<

A disclaimer is not good enough. Both are potentially liable under US law
(modulo arguments about constitutionality, vagueness, etc). The downloader
is guilty of an illegal export, and the person who made the software
available is (using the definition in 15 CFR 734.2) guilty of an export,
and also has potential liability for conspiracy and/or aiding and abetting,
depending on the facts of the particular case. 

But a clerk in Egghead who sells a copy of 128-bit Netscape to a "foreign
person" is also guilty of an export violation. The interesting question is
whether or not the feds will choose to prosecute violators .. and which
ones. Internet crypto distribution sites have a much higher profile than
random minimum-wage clerks who wouldn't have violated the law if they'd had
any clue it existed. 


--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.






Thread