18 January 2000
Date: Tue, 18 Jan 2000 10:44:34 -0500
To: cryptography@c2.net, cypherpunks@cyberpass.net
From: Declan McCullagh <declan@well.com>
Subject: Response from Commerce Dept to "Is this man a crypto-criminal?"
********
Date: Tue, 18 Jan 2000 10:01:49 -0500
From: "JIM LEWIS" <JLEWIS@bxa.doc.gov>
To: <politech@vorlon.mit.edu>, <declan@well.com>
Cc: "EUGENE COTTILLI" <ECOTTILL@bxa.doc.gov>
Subject: Re: FC: Is this man a crypto-criminal? The Feds won't say...
Declan: This point is worth clarifying. The new regs remove restrictions from the posting of publicly available encryption source code for downloading. The regs say:
a) If you post encryption source code to a site on the net and anyone can access it, you do not need to have it reviewed by BXA or obtain a license.b) Simply posting this "publicly available" encryption source code does not count as an export and does not trigger all the terrorist sanctions and other requirements created by various Federal sanctions laws.
(what this means is that if you post some code and Saddam Hussein downloads it, you are not liable. If Saddam calls you up and asks you to e-mail him the code, and you send the e-mail without applying for and receiving a license, you are liable).
c) You do need to send BXA an E-mail with the internet location of the posted source code and you are prohibited from sending (as opposed to posting) the encryption source code to a terrorist country or an individual on one of our denial lists.
d) if a foreign person makes a new product with the source code you've posted, there are no review or licensing requirements for that foreign product. If they pay you a royalty or licensing fee for a product they've developed for commercial sale, however, you may have to report some information to BXA.
It appears that the only requirement for Mr. Young is to notify us of the location of the source code (http://jya.com/crypto.htm).
I've attached the relevant section of the regs (from Page 2497 of the Federal Register) below. The entire reg (including the sections on commercial source code and reporting) can be found at http://www.bxa.doc.gov/
¯Begin reg text--------------------------------------------------------------------------------------------------------------------------------------------------- (e) Unrestricted encryption source code. (1) Encryption source code controlled under 5D002, which would be considered publicly available under §734.3(b)(3) and which is not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code, is released from "EI" controls and may be exported or reexported without review under License Exception TSU, provided you have submitted written notification to BXA of the Internet location (e.g. URL or Internet address) or a copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see §740.17(g)(5) for mailing addresses). Intellectual property protection (e.g., copyright, patent or trademark) will not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. (2) You may not knowingly export or reexport source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria. (3) Posting of the source code on the Internet (e.g., FTP or World Wide Web site) where the source code may be downloaded by anyone would not establish "knowledge" of a prohibited export or reexport, including that described in paragraph (e)(2) of this section. In addition, such posting would not trigger "red flags" necessitating the affirmative duty to inquire under the "Know Your Customer" guidance provided in Supplement No. 3 to Part 732. ¯End Reg
text----------------------------------------------------------------------------------------------------------------------------------------------------
>>> Declan McCullagh <declan@well.com> 01/15/00 10:02AM >>>
*********
http://www.wired.com/news/politics/0,1283,33672,00.html
Is This Man a Crypto
Criminal?
by Declan McCullagh (declan@wired.com)
3:00 a.m. 15.Jan.2000
PST
Crypto maven John Young has a problem.
He may be a felon, guilty of a
federal
crime punishable by years in prison. Or
he
may not be. He'd just like to know
one
way or another.
--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this
text:
subscribe politech
More information is at
http://www.well.com/~declan/politech/
--------------------------------------------------------------------------