Re: Distributing cryptographic code
This thread was booted from coderpunks, perhaps the interested parties will continue it here. At 02:36 PM 5/16/97 EDT, Yoav Yerushalmi wrote: [...]
I'm part of a research group here at MIT, and several groups here have written implementations of concepts and protocols that involve cryptography in one way or another (encryption/signing/voting, etc).
We would like to put this code up for distribution (within the US of course), but don't actually know what is a 'reasonable' amount of protection that one need apply to prevent people from exporting it to the rest of the world.
If I were you, I'd talk to the other folks at MIT distributing strong crypto code, they've certainly had to think about/work on this problem. Might as well ride on their coattails.
Having said that, you might take a look at 15 CFR 734.2(b)(9)(ii) if you're really feeling masochistic, which says that making software available via the Internet such that it is available for transfer outside of the United States is an export unless the person making the software available takes certain precautions. The precautions are:
(A) Ensuring that the facility from which the software is available controls the access to and transfers of such software through such measures as: (1) The access control system, either through automated means or human intervention, checks the address of every system requesting or receiving a transfer and verifies that such systems are located within the United States; (2) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Act, and that anyone receiving such a transfer cannot export the software without a license; and (3) Every party requesting or receiving a transfer of such software must acknowledge affirmatively that he or she understands that the cryptographic software is subject to export controls under the Export Administration Act and that anyone receiving the transfer cannot export the software without a license; or (B) Taking other precautions, approved in writing by the Bureau of Export Administration, to prevent transfer of such software outside the U.S. without a license. <<<<
The software publishers I'm familiar with who make strong crypto available via the Internet in a commercial setting (Microsoft, Netscape, C2Net) do reverse-DNS lookups on the requester to try to figure out whether or not they're inside the United States.
This is *not* an "official" answer, nor is it legal advice. The regulations discussed above have been public for less than five months. I've spoken with several attorneys who specialize in export control and they've all commented that the regs were drafted quickly, without good attention to detail, and are not necessarily models of clarity or precision. Nobody's 100% sure what they mean.
Also, one person commented within the coderpunks thread: A disclaimer would be adequate protection if I remember correctly. I don't recall what the situation is in the US, is it the case that the provider of the information is guilty of export, or the person that actually downloads it, if it is available via anonymous FTP??? <<<<
A disclaimer is not good enough. Both are potentially liable under US law (modulo arguments about constitutionality, vagueness, etc). The downloader is guilty of an illegal export, and the person who made the software available is (using the definition in 15 CFR 734.2) guilty of an export, and also has potential liability for conspiracy and/or aiding and abetting, depending on the facts of the particular case. But a clerk in Egghead who sells a copy of 128-bit Netscape to a "foreign person" is also guilty of an export violation. The interesting question is whether or not the feds will choose to prosecute violators .. and which ones. Internet crypto distribution sites have a much higher profile than random minimum-wage clerks who wouldn't have violated the law if they'd had any clue it existed.
-- Greg Broiles | US crypto export control policy in a nutshell: gbroiles@netbox.com | http://www.io.com/~gbroiles | Export jobs, not crypto.
Greg Broiles
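The reverse-DNS gate Greg describes (checking the requester's address, then requiring the affirmative acknowledgement the regulation asks for) is simple enough to sketch. The block below is an added illustration, not code from Greg's post or from any of the vendors he names. It assumes a constructed PTR table so it runs offline (a live gate would call socket.gethostbyaddr instead), and the TLD sets are assumed, deliberately incomplete subsets. The three outcomes it produces are the point: a US university name passes, a foreign country-code name is refused, and a generic .com name, a host with no PTR at all, or a foreign user coming through a US-named relay all leave the check with nothing reliable to decide on.

```python
"""Reverse-DNS "is the requester in the US?" gate of the kind the thread
describes, together with the cases where it cannot decide.

Added illustration: this is not code from the post or from any of the
vendors named in it. The PTR table is constructed so the example runs
offline; a real gate would call socket.gethostbyaddr() instead. The TLD
sets are assumed, incomplete subsets."""

import socket
from typing import Callable, Optional

# Constructed PTR records on documentation address ranges (assumption:
# none of these hosts or records are real).
FAKE_PTR = {
    "192.0.2.1": "pc1.example.edu",          # US university host
    "192.0.2.10": "gw.example.us",           # US ccTLD
    "198.51.100.7": "pc7.example.ac.uk",     # UK university host
    "203.0.113.9": "ftp.example.com",        # foreign host behind a generic TLD
    "192.0.2.200": "relay.example.us",       # US-named relay a foreign user could route through
}

# Assumed TLD sets. In 1997 .edu/.gov/.mil were treated as US-only;
# the ccTLD list is a small subset, not a complete one.
US_TLDS = {"us", "edu", "gov", "mil"}
FOREIGN_CC_TLDS = {"uk", "nl", "de", "fr", "ca", "jp", "au"}

Lookup = Callable[[str], Optional[str]]


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(ip)[0]; None when no PTR exists."""
    return FAKE_PTR.get(ip)


def real_reverse_lookup(ip: str) -> Optional[str]:
    """The live equivalent; not used by the offline demo."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def classify(ip: str, lookup: Lookup = fake_reverse_lookup) -> str:
    """Return 'us', 'foreign' or 'unknown' from the requester's PTR name."""
    name = lookup(ip)
    if not name:
        return "unknown"            # no PTR record: nothing to decide on
    tld = name.rsplit(".", 1)[-1].lower()
    if tld in US_TLDS:
        return "us"
    if tld in FOREIGN_CC_TLDS:
        return "foreign"
    return "unknown"                # .com/.net/.org say nothing about location


def may_serve(ip: str, acknowledged: bool,
              lookup: Lookup = fake_reverse_lookup) -> bool:
    """Gate in the spirit of 734.2(b)(9)(ii)(A): the PTR must resolve to a
    US name *and* the requester must have affirmatively acknowledged the
    export-control notice. 'unknown' is refused, so a US user on a .com
    host or with no PTR is turned away along with everyone else, while a
    foreign user behind a US-named relay is let in."""
    return classify(ip, lookup) == "us" and acknowledged


if __name__ == "__main__":
    for ip in list(FAKE_PTR) + ["203.0.113.50"]:
        print(f"{ip:14} {FAKE_PTR.get(ip, '(no PTR)'):22} -> {classify(ip)}")
```

Run it and the table shows why nobody in the thread trusts this as more than a paper precaution: the decision rests entirely on the TLD of whatever name the remote side's DNS operator chose to publish, and the relay row passes for anyone who can reach it.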
[...] Also, one person commented within the coderpunks thread: A disclaimer would be adequate protection if I remember correctly. I don't recall what the situation is in the US, is it the case that the provider of the information is guilty of export, or the person that actually downloads it, if it is available via anonymous FTP??? <<<<
A disclaimer is not good enough. Both are potentially liable under US law (modulo arguments about constitutionality, vagueness, etc). The downloader is guilty of an illegal export, and the person who made the software available is (using the definition in 15 CFR 734.2) guilty of an export, and also has potential liability for conspiracy and/or aiding and abetting, depending on the facts of the particular case.
The downloader by definition is restricted by his own national laws not by US laws. US attempted world policeman attitude does not mean that US laws apply outside the US, particularly not to non-US citizens outside the US.
(Yeah, I know, tell that to Noriega, but that was simple kidnap.)
(The UK has recently introduced a few laws which they claim apply to UK nationals also when resident outside the UK... bad trend.)
The counter argument is that say Iraq says that you must not show pictures of women's faces. Do you similarly honour Iraq's request to extradite the news media in the US?
Extradition treaties to my understanding tend to rely on the crime being a crime in both countries. For illegality of exporting crypto code on the Internet the US is largely on its own. And anyway, I'm _importing_ crypto, you're exporting it, or at least allowing me to import it. There are even fewer examples of import restrictions than of export restrictions.
Personally I would feel no compunction in downloading anything I choose from any US site on the basis of US laws; they do not apply to me.
However out of politeness to the operators of the US archives I would generally not recommend this for the simple reason that it might get the archive operator in trouble. This is my only consideration.
For a giggle a while back I had a go at downloading the Netscape 128 bit browser using anonymizer.com. Found a handy US zip code, phone number, street address (I used a US bank's, which I found handily on the web). Damn, would've worked too, only it tried to open an SSL session through anonymizer.com for the download and anonymizer doesn't support SSL sessions (or didn't then). Bummer :-) So I had to download it from Alex de Joode's site ftp.replay.com in the Netherlands instead which was faster anyway.
Self appointed world policemen are fooling themselves if they think they have any control over bit flow.
Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0
At 11:44 AM 5/18/97 +0100, Adam Back wrote:
I don't recall what the situation is in the US, is it the case that the provider of the information is guilty of export, or the person that actually downloads it, if it is available via anonymous FTP???
The downloader by definition is restricted by his own national laws not by US laws. US attempted world policeman attitude does not mean that US laws apply outside the US, particularly not to non-US citizens outside the US.
They may apply to you anyway - they're not very enforceable if you're outside US territory, though if you try to visit the US once they've pegged you as a crypto-terrorist aider-and-abetter of drug smugglers, money launderers, child pornographers, and Commies, they could give you a hard time. Just because you haven't been caught YET doesn't make you innocent :-) Remember the Canadian author / Disney hero Farley Mowat? He once got annoyed enough at the US military for flying nuclear-armed bombers over Canada that he shot at some as they crossed the border. Sure, his .22 caliber rifle wasn't going to hit a plane at 30,000 feet, and he was just making a political statement by it, but he was banned from the US for years.
Self appointed world policemen are fooling themselves if they think they have any control over bit flow.
As long as it keeps Americans from using strong crypto on an everyday basis, for everything, and from taking the attitude that their privacy is their own business, it's working. Doesn't matter if a few foreign spies can talk to each other.
(Yeah, I know, tell that to Noriega, but that was simple kidnap.) Different case - Noriega was on the CIA payroll, and he embarrassed his masters :-)
# Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list or news, please Cc: me on replies. Thanks.)
Bill Stewart
At 11:44 AM 5/18/97 +0100, Adam Back wrote:
I don't recall what the situation is in the US, is it the case that the provider of the information is guilty of export, or the person that actually downloads it, if it is available via anonymous FTP???
The downloader by definition is restricted by his own national laws not by US laws. US attempted world policeman attitude does not mean that US laws apply outside the US, particularly not to non-US citizens outside the US.
They may apply to you anyway
I was arguing that US laws do not apply to me living outside the US. The US courts/government may claim otherwise but this does not alter that fact. Where international agreements have been agreed the laws become part of the legal framework of the agreeing countries. Extradition is another method, but people normally only get extradited from their own country if they commit a crime against a citizen of the extraditing country. And finally kidnap, the fact that this is an extra-legal process does not bother the US. (In fact they even declare it legal if they consider it appropriate, as I understand it.)
- they're not very enforceable if you're outside US territory, though if you try to visit the US once they've pegged you as a crypto-terrorist aider-and-abetter of drug smugglers, money launderers, child pornographers, and Commies, they could give you a hard time. Just because you haven't been caught YET doesn't make you innocent :-)
For the sake of argument if I were detained at a US airport, or kidnapped and taken to the US, and further was found to be "guilty" as defined by US law, I would not be guilty, and I would hope that my country would attempt to intervene. The reality of all this is strained however because, a) they wouldn't extradite someone, nor kidnap them for this, b) they wouldn't detain me if I entered the US (I did last year with no ill effects), c) I am having difficulty imagining what it is they could legitimately charge me with, even by US standards of legitimacy with regard to crypto export. I attempted to _import_ a piece of software into the UK, no crime there.
Remember the Canadian author / Disney hero Farley Mowat? He once got annoyed enough at the US military for flying nuclear-armed bombers over Canada that he shot at some as they crossed the border. Sure, his .22 caliber rifle wasn't going to hit a plane at 30,000 feet, and he was just making a political statement by it, but he was banned from the US for years.
I suspect it would be dodgy shooting at military aircraft in Canada also. In the UK, and most of the EU (with the exclusion of France), we can export electronically (on the web etc) to our hearts' content. The situation with tangible exports, at least in the UK, is different. I understand you need a license to export tangibly. I was unaware of this at the time I started exporting T-shirts, but I'm aware of it now, and have no particular intention of ceasing to export T-shirts. If they want to do something about it and make a media spectacle of themselves, they're most welcome to try :-) Actually I took a couple of my munitions T-shirts with me when I went to the US last year, and brought them back out with me. I was wearing one of them (under another garment) through the airport as I left. Again if the US would like to try something, the next time I'm there they are welcome to try. Unfortunately perhaps it appears, at least according to Peter Junger, that the T-shirts are probably OK now under the EAR regulations being printed material, whilst I think he held that they would be technically a violation under ITAR. ITAR was the active regulation at the time.
Self appointed world policemen are fooling themselves if they think they have any control over bit flow.
As long as it keeps Americans from using strong crypto on an everyday basis, for everything, and from taking the attitude that their privacy is their own business, it's working. Doesn't matter if a few foreign spies can talk to each other.
True enough.
Adam