#1
Interesting Legal Question
Hi,
If I use the .NET libraries that permit access to the CryptoAPI in Windows, could my program be considered to contain crypto, even though no actual crypto code exists in my application but instead merely relies on what is in effect 3rd party support for the actual crypto functions? Could it be argued that by linking to it that it becomes part of my app? Best regards, AstroTux.
#2
IANAL, and this stuff is really hard, so you can use this for personal use, but if you are doing it for public consumption, get a real lawyer.
I have not kept up with any recent changes, but I was current on this in the late 1990s. If you write code for use in the US, Canada and maybe a few other places, it's not a big concern. But if you write it and let anyone in the world download it, then bad guys (tm) can get it, and that is not allowed. For example, today, if you search the NetBeans forums, you will see folks from Pakistan complaining that they can't download NetBeans and the JDK, because of ITAR restrictions. The ITAR explicitly say (said?) that you cannot write applications with 'hooks' for later installing crypto. So you cannot call into a library that is magically supplied from elsewhere. The US law applies to US persons. It cannot apply to folks living in, say, Eastern Europe or Africa. Mark Shuttleworth made enough money on crypto code written in South Africa to be one of the first space tourists, and had money to spare to support Ubuntu. ITAR, by the way, means International Trafficking in Arms Regulations, or something like that. It's about not selling guns to bad guys (tm) in the USSR, North Korea, Zimbabwe, etc.
#3
Hi,
(Your disclaimer in mind): so the fact that my app relies on a 3rd party for crypto services means that under ITAR at least (?) as well as US export restrictions, it is considered as containing crypto? I think I need a real lawyer (or move country... not sure which is more lucrative...). Best regards, AstroTux.
#4
Yes, if it has a 'hook' to call something else with strong crypto, then it is under ITAR coverage.
If I remember correctly, about six months ago, IT&T got hit with a $100 million fine for ITAR violations. They make night goggles for soldiers, so it's clearly a strategic military product. However, part of how the ITAR is written is that weak-assed crypto is allowed. In the mid '90s it was 40-bit DES; it could be released without limit, since anyone can break 40-bit DES. The early Java and Microsoft crypto libraries defined the API without defining the strength. So you could safely write your code, and even test it, with 40-bit DES from freely available libraries. For some reason, this was considered acceptable. Of course, what that means is that the weak or strong versions of the crypto libraries can be plugged in outside your control. Last time I looked at a retail box containing Windows XP, it clearly stated that it was for sale only in the US. Which really means that it contained the DLLs for the strong crypto library.
#5
I remember when IE4 and Windows 2000 came out - there was the standard 56-bit version of IE, and a standard crypto library for Windows, and both had "high encryption packs" available that upgraded them.
From testing I did earlier, my version of Windows permits creating a 16384-bit RSA key, so this has the strong crypto libraries, but doesn't show any sales restrictions notices on the box. Maybe it is something only done in the US?
I'm guessing they'd assume it was working with the strong crypto libraries, even if I didn't code with them? If I restricted the capabilities of my app to the minimum strengths for export purposes, does that count? e.g. I fix the RSA key length to 384 bits, non-user selectable etc.? Best regards, AstroTux.
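The test described in this post (what key sizes the installed Windows crypto provider will actually produce) and the point made in #4 (the strength lives in the plugged-in provider, not in the calling application) can be made concrete with a small probe. This is an added example, not code from any poster in this thread. It assumes Windows with .NET Framework or .NET on Windows, where RSACryptoServiceProvider wraps the CryptoAPI RSA provider (on non-Windows .NET it throws PlatformNotSupportedException); the key sizes it tries are constructed inputs chosen from the numbers discussed above.

```csharp
// Added example: probe what RSA key sizes the installed CryptoAPI provider accepts.
// Nothing here implements any cryptography; every size limit comes from the provider DLL.
using System;
using System.Security.Cryptography;

class ProviderKeySizeProbe
{
    // The key-size ranges the installed CryptoAPI RSA provider advertises.
    // This is a property of the provider on the machine, not of this program.
    static KeySizes[] LegalRsaKeySizes()
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            return rsa.LegalKeySizes;
        }
    }

    // Ask the provider for a key of exactly `bits` and report the modulus size it
    // really generated. Returns 0 if the provider refuses the size.
    static int TryGenerate(int bits)
    {
        try
        {
            using (var rsa = new RSACryptoServiceProvider(bits))
            {
                // CAPI generates the key lazily; exporting the public half forces it.
                RSAParameters p = rsa.ExportParameters(false);
                return p.Modulus.Length * 8;
            }
        }
        catch (CryptographicException e)
        {
            Console.WriteLine($"{bits}-bit key refused by provider: {e.Message}");
            return 0;
        }
    }

    static void Main()
    {
        foreach (KeySizes ks in LegalRsaKeySizes())
            Console.WriteLine($"provider accepts {ks.MinSize}..{ks.MaxSize} bits in steps of {ks.SkipSize}");

        // Constructed inputs: the 384-bit floor the poster considered fixing his app to,
        // and two sizes in normal use. Add 16384 to reproduce the poster's own test;
        // generating a key that large takes minutes.
        foreach (int bits in new[] { 384, 1024, 2048 })
        {
            int got = TryGenerate(bits);
            if (got != 0)
                Console.WriteLine($"requested {bits}, provider generated {got}");
        }
    }
}
```

Whatever this prints, the application did not decide it: swap the provider (the "high encryption pack" of the era, or a different CSP today) and the same binary produces different keys. Note also that a 384-bit RSA modulus is well below the 512-bit RSA-155 modulus factored publicly in 1999, so fixing the key length there would cap the application at a strength that protects nothing.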
#6
I don't know the current limits, but an RSA key under 1024 bits is useless for anything worth protecting from anyone better than your 12 year old sister.
#7
Yeah - I read about that a few months ago!!
Thanks for pointing me in the direction of more research - greatly appreciate it! Best regards, AstroTux.
#8
I know I'm changing the subject a bit here guys, but I'm a bit of a newbie and I have to ask this. Does the ITAR restrict the highest amount of encryption you can legally have in an application? Like if I wrote an application for encrypting my passwords back home here, with a HUGE-bit piece of powerful encryption, could I get fined?
__________________
PHP and C++ Programmer.
#9
Not clear what you are asking. The ITAR is about writing crypto code, or applications, in the US and exporting them out of the country. There are no restrictions on use of the strongest crypto in existence if you don't export it.
What it means to "export" it is unclear and IANAL. Putting the source on a website may be OK; putting the executable on a website is probably not OK. There are limits for most of the world, so exporting from the US to, say, Britain is controlled but not draconian. But there are countries on the bad guy list, and you can't export to them at all.
#10
Just to spin that a little further...
If I put my code on a UK server and someone from outside the UK downloads it, who is the "exporter" for legal purposes, or do I need to speak to counsel? Best regards, AstroTux.
#11
If you live in the US, to get to the UK, someone has to export it. I don't want to be that person. I would expect that the ITAR enforcement folks would assume that a US citizen who has his name on the source code did the exporting. They harassed Phil Zimmermann for years on exactly this topic. They never proved anything, but it cost Phil a ton of money. If you live in the UK, then US law has nothing to do with you. Last time I checked, nearly all crypto was under legal limits in France. If you are really doing this, you need an experienced lawyer.
#12
I didn't see any indication of what country you're from... that's what really matters, not what country you're potentially exporting to.
#13
Um... assume he's in the USA. That makes this false. ITAR on Wikipedia, the legalese itself
__________________
medialint.com "Energy has the opportunity to change the climate if it's done right." - Sen. John Ensign, R-Nev. (quoted out of context)