If someone writes a piece of software, a networking layer, or anything else with support for later cryptographic enhancement but doesn't actually include the cryptographic implementation and it is later added by somebody outside of the United States does this fall under ITAR? In other words the original U.S. authors wrote the software with support for crypto, function hooks, etc. They didn't include any crypto at all. Somebody outside the United States uses these hooks and writes strong cryptography. These modifications are kept as patches and never exported from the U.S. Is this allowed? What if the U.S. authors are actively collaborating with the non-US authors?
On 19 Nov 1997, lcs Mixmaster Remailer wrote:
If someone writes a piece of software, a networking layer, or anything else with support for later cryptographic enhancement but doesn't actually include the cryptographic implementation and it is later added by somebody outside of the United States does this fall under ITAR?
In other words the original U.S. authors wrote the software with support for crypto, function hooks, etc. They didn't include any crypto at all. Somebody outside the United States uses these hooks and writes strong cryptography. These modifications are kept as patches and never exported from the U.S. Is this allowed? What if the U.S. authors are actively collaborating with the non-US authors?
I've always been told that software with function hooks for crypto was just as unexportable as crypto itself. This however doesn't make any sense, because then anything with a plugin interface falls into that category. Hell, anything that can call external programs would qualify as having a plugin interface, and all web browsers, mail/news readers, IRC clients, editors, and possibly even all operating systems would fall into that category. Of course, this is the goobermint we're dealing with... what did we expect but another arbitrary-arrest law.

--
Brian Buchanan brian@smarter.than.nu
No security through obscurity! Demand full source code!
4.4BSD for the masses - http://www.freebsd.org
On Wed, Nov 19, 1997 at 01:00:02AM -0000, lcs Mixmaster Remailer wrote:
If someone writes a piece of software, a networking layer, or anything else with support for later cryptographic enhancement but doesn't actually include the cryptographic implementation and it is later added by somebody outside of the United States does this fall under ITAR?
Crypto exports have been governed (for the most part) by the EAR, not ITAR, for about 11 months now. The EARs can be found at 15 CFR 730 et seq.
In other words the original U.S. authors wrote the software with support for crypto, function hooks, etc. They didn't include any crypto at all. Somebody outside the United States uses these hooks and writes strong cryptography. These modifications are kept as patches and never exported from the U.S. Is this allowed?
No. Software designed or modified to use cryptography is export controlled; see ECCN 5D002 in 15 CFR part 744.
What if the U.S. authors are actively collaborating with the non-US authors?
See 15 CFR 744.9, "Restrictions on Technical Assistance by US Persons With Respect to Encryption Items":

(a) General prohibition

No U.S. person may, without a license from BXA, provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled for "EI" reasons under ECCN 5A002 or 5D002. Note that this prohibition does not apply if the U.S. person providing the assistance has a license or is otherwise entitled to export the encryption commodities and software in question to the foreign person(s) receiving the assistance. Note in addition that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting, by itself would not establish the intent described in this section, even where foreign persons are present.

---

also, see the definition of "technology" in 15 CFR 772 -

"Technology". (General Technology Note)-- Specific information necessary for the "development", "production", or "use" of a product. The information takes the form of "technical data" or "technical assistance". Controlled "technology" is defined in the General Technology Note and in the Commerce Control List (Supplement No. 1 to part 774 of the EAR).

N.B.: Technical assistance--May take forms such as instruction, skills training, working knowledge, consulting services.

Note: "Technical assistance" may involve transfer of "technical data".

"Technical data".--May take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories.

--
axlotl@cyberpass.net
First of all, you're the first person I've seen with a Niue address - congratulations! (South Pacific Island suburb of Lompoc :-)

At 05:27 PM 11/18/1997 -0800, Brian W. Buchanan <brian@smarter.than.nu> wrote:
I've always been told that software with function hooks for crypto was just as unexportable as crypto itself.
The legal status of crypto-equipment-without-the-crypto-plugin is fuzzier under the current regime than the previous one, but it was basically illegal to export components of a cryptosystem.
doesn't make sense

You answered that correctly later:

Of course, this is the goobermint we're dealing with...
So don't export that crypto-cellphone - export a phone with voice amplifier software implemented as a plugin, or a digital background noise reducer, or programmable muzak-on-hold replacement, or even enhanced authentication protocols. They're not crypto devices, they're perfectly normal commercial products, and you're shocked, _shocked_ at the free scratchy-white-noise background music plugin that somebody with entirely no musical taste is shipping, or that some Bulgarian hackers are abusing your phone to provide service to Colombian narcoterroristas in blatant violation of their warranty.

Thanks!
Bill

Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639