US law on re-exporting crypto software?
Lee Tien
tien at well.com
Sat Feb 21 23:33:05 PST 1998
At 3:49 PM -0800 2/19/98, Anonymous wrote:
>An article in the current issue of the German journal `Datenschutz und
>Datensicherheit' claims that exporting crypto software from anywhere
>outside the US to a third country violates US law if the software
>contains (only marginal amounts of) US-developed code, such as a C
>standard library, and that anyone distributing crypto software that
>has been compiled with an American compiler had better not visit the
>United States. Is that true?
Probably not. I can see why someone might think that, though. I'm doing
this from recollection, not research; corrections are welcome.
Obviously, US law says that US crypto software is export-controlled,
including re-exports.
Under EAR (Commerce export regs) a minimum content rule takes account of
how US-ness dilutes, e.g., a US part is US but if it's incorporated into a
foreign car that doesn't make the foreign car US.
Exception: no minimum content rule for crypto items. Take the PGP plug-in
for Eudora and integrate it into a foreign OS. Even if that's the only
crypto in the OS it's enough. Can't dilute US-ness of US crypto.
The hypo by Anonymous, however, presumes US code that isn't crypto code.
Foreign crypto is mixed with US non-crypto code. That's different.
I've heard of no US action in this regard; be interested to know of any.
Other countries also have minimum content rules, e.g., Canada. But Canada,
I heard, has no crypto exception. So at some point, I think, a crypto item
stops being US under Canadian export law, but still is US under US law.
Obvious conflict.
Lee Tien
More information about the Testlist
mailing list