Page 2 - Interesting Legal Question

If you are a British citizen in the UK, the US ITAR is of no concern to you. If you are a US citizen in the UK, the ITAR is alive, but it gets more complex.

I don't think the Brits have anything as idiotic as the ITAR, but I don't know. Since breaking the enigma was a key to winning WW2, there may be some sensitivity on the topic to anyone who is glad they aren't speaking German.

I don't know what happens if a Brit has crypto software on his laptop, comes to visit New York, and goes home. Does the return "export" the software?

Now that's a question!!

Must happen frequently, I'm sure.

Best regards,
AstroTux.

Crypto legislation is not my fortay, but didn't ITAR declassify strong crypto as of 97ish?

The best crypto legal reference I can provide is here: http://rechten.uvt.nl/koops/cryptolaw/

er, mostly, but not really.

First, it was never a question of "classification" as in Top Secret and other government classifications. The rules were about export of the software. In the mid-90s, with the skipjack and clipper rules, the civil liberties folks, and the serious cryptography folks, were very upset and vocal about how stupid the export rules here. Actually, when I talked to both "department of commerce" and "NIS&T" folks about it at the time, they admitted that the rules were stupid, but they were legally required to follow the laws. And the folks behind the curtain at Commerce and NIS&T, aka the No Such Agency folks, were not about to let it get exported.

If you casually look at the details, open source "source code" is ignored, but you are still supposed to tell Commerce about the URL. And you are supposed to make sure that known terrorist countries don't get it.

They loosened it up a lot of crypto is a minor part of the product. So a web browser that uses crypto has a much easier time being exported than pgp. The problem is that the definition of "minor part" is subjective, so you can't be sure without getting approval.

I got (or the company that I wrote crypto code for) export approval for RSA 1024 and 3DES in 1998. It was not trivial.

For historical background, see
Pat Farrell's notes at NIST key escrow conference

Per B-Con's note upthread, this came accross one of the professional crypto lists that I'm on. Specific thread is why hasn't Sun released all of the SPARC code when they moved most of the sparc layout to open source. The specifics is that they (Sun) did not release the crypyo acceleration hardware.

"The high-order bit here is that the reason Sun has not open sourced the crypto module of the Sparc T2 along with all the other modules is the US government's export restrictions and their extra-legal implicit threats. I've received another e-mail from a Sun employee stating that crypto export restrictions are the issue and that Sun management feels that it is too risky to defy the government's pressure because the government has the power to do billions of dollars in damage to the company by temporarily suspending their export licences for their whole suite of products.

My conclusions are:

1. We didn't exactly win the free-crypto struggle after all"

Hi,


Nice one!!

Seems like such a minefield, I'm probably best forgetting the idea for now (that or move country?).

I think I posted here a link to some information I found on current UK export law?? Sadly this issue seems to have gone rather quiet since about 1997-1998 when the crypto-wars were in full-swing and current information seems scarce.

Just swapping OS...brrb.

Best regards,
AstroTux.