At 12:56 AM 1/25/96, Derek Atkins wrote:

Yes, it is a huge can of worms. Worse, since it is done on a case-by-case basis, there really is no clear definition of where the exportable vs. non-exportable line actually is. You need to try it to test if it will work or not.

Several people have mentioned the "case by case" nature of the crypto export situation, and this is of course the key. I don't claim to have studied the ITARs as, say, Phil Karn or Dan Bernstein have. Or to to have reviewed relevant case law, precedents, etc. But I'm not sure it's important. That is, the Munitions Act and related laws/regulations were set up to meet certain end goals considered desirable. With considerable flexibility in interpreting these rules and regulations, State and NSA seek to meet the end goals they have established, not to scrupulously define the exact boundaries of the law. Thus, let me try to think like them and present some situations people have proposed (or actually filed cases about, a la Bernstein, Karn, etc.), and *guess* which way things will go. Others may disagree. Here they are: Situation/Test Case Likely End Result * Export of t-shirt * Foot-dragging, but eventual approval (foot-dragging because D.C. won't be sure how any decision they make will be taken) * Ian Goldberg returning to Canada * The issue won't even come up (Students routinely return to Israel, Netherlands, etc. Nobody cares. Especially with regard to students returing to Canada, which is of course treated as a backward child of the U.S. for the purposes of crypto policy.) * Goldberg's team sets up in Zurich * NSA issues warning to Foobar, Inc. (In this hypothetical, Ian Goldberg has a team in Berkeley writing the MongoBrowser Web browser. They decide U.S. laws on crypto export are too restrictive and decide to move their operation to Zurich. This is clearly designed to skirt the "spirit" of the Munitions Act/ITARs, and so the NSA/State will try to head it off. Assuming they even learn it is happening, which is a very real impediment to practical enforcement. Ex post facto, MongoBrowser and its programmers could be hassled upon entry to the U.S. later.) And so on. In other words, you need to "think like them" with regard to what's a potentially real threat and what's not. T-shirts are not real threats, but RSADSI deciding to move its core crypto development to Zurich is. --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."