Re: New US regs ban downloadable data-security software
Lucky Green said:
The new US crypto export regulations control the export of most if not all data-security software, regardless of whether the software uses cryptography or not. Many software archives seem to be in violation of the new regs.
<snip>
This certainly controls virus checkers, firewalls, and other security software. There are substantial penalties involved in violating the EAR. The US can assess daily penalties and block all exports of a company's non-violating products. Criminal penalties apply as well.
"Export", as defined in the new regs, includes making software available on the web or via ftp.
After _very_ careful reading of the Export Administration Regulations (EAR) (though IANAL), it would seem that the above is slightly inaccurate.

Although, as Lucky pointed out, virus checkers et al. are indeed regulated for export from the US, and putting software up for ftp or WWW is considered export, the EAR does _not_ apply to "publicly available" software (732.2(b)(1)). Software is publicly available "when it is available for general distribution either for free or at a price that does not exceed the cost of reproduction and distribution" (734.7(b)).

Therefore, it would seem that, as long as the security software on your ftp or WWW site is free of cost, it is OK to keep it there. Commercial security software, however, remains export-restricted.

NOTE, however, that products that actually do contain cryptography fall under an exception (734.7(c)):

"Notwithstanding paragraphs (a) and (b) of this section, note that encryption software controlled under ECCN 5D002 for ``EI'' reasons on the Commerce Control List (refer to Supplement No. 1 to part 774 of the EAR) remains subject to the EAR even when publicly available."

The software controlled for EI reasons under 5D002 is described as:

"EI controls apply to encryption software transferred from the U.S. Munitions List to the Commerce Control List consistent with E.O. 13026 of November 15, 1996 (61 FR 58767) and pursuant to the Presidential Memorandum of that date. Refer to Sec. 742.15 of the EAR."

As virus checkers et al. were not on the Munitions List, they are not controlled for EI (Encryption Items) reasons, but rather for NS (National Security) and AT (Anti-Terrorism) reasons.

The RISKS: the government suddenly creating (and putting into effect) new rules covering large amounts of software, without warning or (in my opinion) justification.

- Ian "again, IANAL"
Ian Goldberg wrote:
Although, as Lucky pointed out, virus checkers et al. are indeed regulated for export from the US, and putting software up for ftp or WWW is considered export, the EAR does _not_ apply to "publicly available" software (732.2(b)(1)). Software is publicly available "when it is available for general distribution either for free or at a price that does not exceed the cost of reproduction and distribution" (734.7(b)).
Therefore, it would seem that, as long as the security software on your ftp or WWW site is free of cost, it is OK to keep it there. Commercial security software, however, remains export-restricted.
I can't believe that there's no one taking advantage of this to make a 'shareware' version of their software available, and having available, for export and sale, an 'enabler' to bring it to full functionality. I know that this was done in the past, by several small companies in southern California, but perhaps on a larger issue, such as this, the Feds would slam the door quickly on what they would surely regard as a 'loophole'.
participants (2)
- Ian Goldberg
- Toto