[6417] in cryptography@c2.net mail archive
Response from Commerce Dept to "Is this man a crypto-criminal?"
daemon@ATHENA.MIT.EDU (Declan McCullagh)
Tue Jan 18 13:51:17 2000
Message-Id: <4.3.0.29.0.20000118104352.00acbe70@pop.webcom.com>
Date: Tue, 18 Jan 2000 10:44:34 -0500
To: cryptography@c2.net, cypherpunks@cyberpass.net
From: Declan McCullagh <declan@well.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
********
>Date: Tue, 18 Jan 2000 10:01:49 -0500
>From: "JIM LEWIS" <JLEWIS@bxa.doc.gov>
>To: <politech@vorlon.mit.edu>, <declan@well.com>
>Cc: "EUGENE COTTILLI" <ECOTTILL@bxa.doc.gov>
>Subject: Re: FC: Is this man a crypto-criminal? The Feds won't say...
>
>Declan: This point is worth clarifying. The new regs remove restrictions=
=20
>from the posting of publicly available encryption source code for=20
>downloading. The regs say:
>
>a) If you post encryption source code to a site on the net and anyone can=
=20
>access it, you do not need to have it reviewed by BXA or obtain a license.
>
>b) Simply posting this "publicly available" encryption source code does=20
>not count as an export and does not trigger all the terrorist sanctions=20
>and other requirements created by various Federal sanctions laws.
>
>(what this means is that if you post some code and Saddam Hussein=20
>downloads it, you are not liable. If Saddam calls you up and asks you to=
=20
>e-mail him the code, and you send the e-mail without applying for and=20
>receiving a license, you are liable).
>
>c) You do need to send BXA an E-mail with the internet location of the=20
>posted source code and you are prohibited from sending (as opposed to=20
>posting) the encryption source code to a terrorist country or an=20
>individual on one of our denial lists.
>
>d) if a foreign person makes a new product with the source code you've=20
>posted, there are no review or licensing requirements for that foreign=20
>product. If they pay you a royalty or licensing fee for a product they've=
=20
>developed for commercial sale, however, you may have to report some=20
>information to BXA.
>
>It appears that the only requirement for Mr. Young is to notify us of the=
=20
>location of the source code (http://jya.com/crypto.htm).
>
>I've attached the relevant section of the regs (from Page 2497 of the=20
>Federal Register) below. The entire reg (including the sections on=20
>commercial source code and reporting) can be found at=
http://www.bxa.doc.gov/
>
>=AFBegin reg=20
>text-----------------------------------------------------------------------=
----------------------------------------------------------------------------
>(e) Unrestricted encryption source code.
>
> (1) Encryption source code controlled under 5D002, which=
=20
> would be considered publicly available under =A7734.3(b)(3) and which is=
=20
> not subject to an express agreement for the payment of a licensing fee or=
=20
> royalty for commercial production or sale of any product developed with=20
> the source code, is released from "EI" controls and may be exported or=20
> reexported without review under License Exception TSU, provided you have=
=20
> submitted written notification to BXA of the Internet location (e.g. URL=
=20
> or Internet address) or a copy of the source code by the time of=20
> export. Submit the notification to BXA and send a copy to ENC Encryption=
=20
> Request Coordinator (see =A7740.17(g)(5) for mailing=20
> addresses). Intellectual property protection (e.g., copyright, patent or=
=20
> trademark) will not, by itself, be construed as an express agreement for=
=20
> the payment of a licensing fee or royalty for commercial production or=20
> sale of any product developed using the source code.
>
> (2) You may not knowingly export or reexport source code=
=20
> or products developed with this source code to Cuba, Iran, Iraq, Libya,=20
> North Korea, Sudan or Syria.
>
> (3) Posting of the source code on the Internet (e.g., FTP=
=20
> or World Wide Web site) where the source code may be downloaded by=20
> anyone would not establish "knowledge" of a prohibited export or=20
> reexport, including that described in paragraph (e)(2) of this=20
> section. In addition, such posting would not trigger "red flags"=20
> necessitating the affirmative duty to inquire under the "Know Your=20
> Customer" guidance provided in Supplement No. 3 to Part 732.
>
>=AFEnd Reg=20
>text-----------------------------------------------------------------------=
----------------------------------------------------------------------------=
-
>
> >>> Declan McCullagh <declan@well.com> 01/15/00 10:02AM >>>
>*********
>
>http://www.wired.com/news/politics/0,1283,33672,00.html
>
> Is This Man a Crypto Criminal?
> by Declan McCullagh (declan@wired.com)
>
> 3:00 a.m. 15.Jan.2000 PST
> Crypto maven John Young has a problem.
>
> He may be a felon, guilty of a federal
> crime punishable by years in prison. Or he
> may not be. He'd just like to know one
> way or another.
--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------
