US law on re-exporting crypto software?

[Lee Tien]

At 3:49 PM -0800 2/19/98, Anonymous wrote:
>An article in the current issue of the German journal `Datenschutz und
>Datensicherheit' claims that exporting crypto software from anywhere
>outside the US to a third country violates US law if the software
>contains (only marginal amounts of) US-developed code, such as a C
>standard library, and that anyone distributing crypto software that
>has been compiled with an American compiler had better not visit the
>United States.  Is that true?

Probably not.  I can see why someone might think that, though.  I'm doing
this from recollection, not research; corrections are welcome.

Obviously, US law says that US crypto software is export-controlled,
including re-exports.

Under EAR (Commerce export regs) a minimum content rule takes account of
how US-ness dilutes, e.g., a US part is US but if it's incorporated into a
foreign car that doesn't make the foreign car US.

Exception:  no minimum content rule for crypto items.  Take the PGP plug-in
for Eudora and integrate it into a foreign OS.  Even if that's the only
crypto in the OS it's enough.  Can't dilute US-ness of US crypto.

The hypo by Anonymous, however, presumes US code that isn't crypto code.
Foreign crypto is mixed with US non-crypto code.  That's different.

I've heard of no US action in this regard; be interested to know of any.
Other countries also have minimum content rules, e.g., Canada.  But Canada,
I heard, has no crypto exception.  So at some point, I think, a crypto item
stops being US under Canadian export law, but still is US under US law.
Obvious conflict.

Lee Tien