The situation: -- non-USA person retains a USA-based email service -- this person forwards mail to non-USA machine -- this person requests crypto software be sent to the USA email address -- another person sends software to the USA address -- the forwarding works and the software is shipped outside the USA
This way, the author has not broken the law by sending the software to anysite.com,
This is correct, since the sender of the crypto was told that the address was a US place. If, however, the sender of the crypto knows that it will be automatically forwarded outside of the country, the they become liable because they have prior knowledge of the consequences of their actions.
and I haven't either because all I did was to tell the unix box to forward my mail out of the country.
Such a direction is not improper _per se_, but the combination with a request to have crypto software sent to that address means that the requester has prior knowledge that the request will cause crypto software to be exported across US boundaries. And that prior knowledge creates liability.
Neither I nor Joey_CryptoAuthor broke ITAR. Not really. Not intentionally.
Incorrect. The person who sets up forwarding with the intention of moving crypto software automatically outside of the country is in violation. But since I am not a lawyer I feel compelled to point out that the cost of extradition of random people to the USA for trial under USA laws is expensive and difficult, the most recent high-profile example being Noriega. In addition, detection of such an action will be difficult at best, and near impossible to prove if encryption is used. Proof that software was exported in encrypted mail would require at least the following: -- a copy of a particular piece of mail claimed to contain encryption software -- evidence that this particular piece of encrypted mail did in fact contain encryption software -- evidence that a particular piece of encrypted mail was sent outside of the country at a particular time and between two given machines So, someone has to supply the authorities with a copy of the mail, with a decryption of the mail, and with mailer logs evidencing a transmission across USA borders. Mailer logs are typically purged after a week or two. So if the intermediate machine has purged logs and the .forward file is gone, there will be precious little direct evidence left of an actual transmission. If the encryption is addressed to only the receiver, and if the sender did not keep a record of the session key, only the receiver can provide the session key. The session key is necessary to show that a given piece of encrypted mail is an encrypted copy of a particular piece of software. And unless the NSA or the intermediate machine or the sender provides a copy of the particular piece of mail, there's no fact in evidence that any software was actually sent. Of course, if the sender is out to sting you and ther intermediary provides logging information, one might get screwed. But then again, all intermediaries would have to cooperate, were there more than one. And finally, I have written so much only to point out that legality and enforceability are two very different things. Eric