At 3:49 PM -0800 2/19/98, Anonymous wrote:
An article in the current issue of the German journal `Datenschutz und Datensicherheit' claims that exporting crypto software from anywhere outside the US to a third country violates US law if the software contains (only marginal amounts of) US-developed code, such as a C standard library, and that anyone distributing crypto software that has been compiled with an American compiler had better not visit the United States. Is that true?
Probably not. I can see why someone might think that, though. I'm doing this from recollection, not research; corrections are welcome. Obviously, US law says that US crypto software is export-controlled, including re-exports. Under EAR (Commerce export regs) a minimum content rule takes account of how US-ness dilutes, e.g., a US part is US but if it's incorporated into a foreign car that doesn't make the foreign car US. Exception: no minimum content rule for crypto items. Take the PGP plug-in for Eudora and integrate it into a foreign OS. Even if that's the only crypto in the OS it's enough. Can't dilute US-ness of US crypto. The hypo by Anonymous, however, presumes US code that isn't crypto code. Foreign crypto is mixed with US non-crypto code. That's different. I've heard of no US action in this regard; be interested to know of any. Other countries also have minimum content rules, e.g., Canada. But Canada, I heard, has no crypto exception. So at some point, I think, a crypto item stops being US under Canadian export law, but still is US under US law. Obvious conflict. Lee Tien