This thread was booted from coderpunks, perhaps the interested parties will continue it here. At 02:36 PM 5/16/97 EDT, Yoav Yerushalmi wrote: [...]
I'm part of a research group here at MIT, and several groups here have written implementations of concepts and protocols that involve cryptography in one way or another (encryption/signing/voting, etc).
We would like to put this code up for distribution (within the US of course), but don't actually know what is a 'reasonable' amount of protection that one need apply to prevent people from exporting it to the rest of the world.
(A) Ensuring that the facility from which the software is available controls the access to and transfers of such software through such measures as: (1) The access control system, either through automated means or human intervention, checks the address of every system requesting or receiving a transfer and verifies that such systems are located within
A disclaimer would be adeqate protection if I remember correctly. I don`t recall what the situation is in the US, is it the case that
If I were you, I'd talk to the other folks at MIT distributing strong crypto code, they've certainly had to think about/work on this problem. Might as well ride on their coattails. Having said that, you might take a look at 15 CFR 734.2(b)(9)(ii) if you're really feeling masochistic, which says that making software available via the Internet such that it is available for transfer outside of the United States is an export unless the person making the software available takes certain precautions. The precautions are: the United States; (2) The access control system, provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Act, and that anyone receiving such a transfer cannot export the software without a license; and (3) Every party requesting or receiving a transfer of such software must acknowledge affirmatively that he or she understands that the cryptographic software is subject to export controls under the Export Administration Act and that anyone receiving the transfer cannot export the software without a license; or (B) Taking other precautions, approved in writing by the Bureau of Export Administration, to prevent transfer of such software outside the U.S. without a license. <<<< The software publishers I'm familiar with who make strong crypto available via the Internet in a commercial setting (Microsoft, Netscape, C2Net) do reverse-DNS lookups on the requester to try to figure out whether or not they're inside the United States. This is *not* an "official" answer, nor is it legal advice. The regulations discussed above have been public for less than five months. I've spoken with several attorneys who specialize in export control and they've all commented that the regs were drafted quickly, without good attention to detail, and are not necessarily models of clarity or precision. Nobody's 100% sure what they mean. Also, one person commented within the coderpunks thread: the provider of the information is guilty of export, or the person that actually downloads it, if it is available via anonymous FTP??? <<<< A disclaimer is not good enough. Both are potentially liable under US law (modulo arguments about constitutionality, vagueness, etc). The downloader is guilty of an illegal export, and the person who made the software available is (using the definition in 15 CFR 734.2) guilty of an export, and also has potential liability for conspiracy and/or aiding and abetting, depending on the facts of the particular case. But a clerk in Egghead who sells a copy of 128-bit Netscape to a "foreign person" is also guilty of an export violation. The interesting question is whether or not the feds will choose to prosecute violators .. and which ones. Internet crypto distribution sites have a much higher profile than random minimum-wage clerks who wouldn't have violated the law if they'd had any clue it existed. -- Greg Broiles | US crypto export control policy in a nutshell: gbroiles@netbox.com | http://www.io.com/~gbroiles | Export jobs, not crypto.