FC: Response from Commerce Dept to "Is this man a crypto-criminal?"

[Declan McCullagh <declan () well com>]

********

> Date: Tue, 18 Jan 2000 10:01:49 -0500
> From: "JIM LEWIS" <JLEWIS () bxa doc gov>
> To: <politech () vorlon mit edu>, <declan () well com>
> Cc: "EUGENE COTTILLI" <ECOTTILL () bxa doc gov>
> Subject: Re: FC: Is this man a crypto-criminal? The Feds won't say...
>
> Declan: This point is worth clarifying.  The new regs remove restrictions 
> from the posting of publicly available encryption source code for 
> downloading.  The regs say:
>
> a) If you post encryption source code to a site on the net and anyone can 
> access it, you do not need to have it reviewed by BXA or obtain a license.
>
> b) Simply posting this "publicly available" encryption source code does 
> not count as an export and does not trigger all the terrorist sanctions 
> and other requirements created by various Federal sanctions laws.
>
> (what this means is that if you post some code and Saddam Hussein 
> downloads it, you are not liable.  If Saddam calls you up and asks you to 
> e-mail him the code, and you send the e-mail without applying for and 
> receiving a license, you are liable).
>
> c)  You do need to send BXA an E-mail with the internet location of the 
> posted source code and you are prohibited from sending (as opposed to 
> posting) the encryption source code to a terrorist country or an 
> individual on one of our denial lists.
>
> d) if a foreign person makes a new product with the source code you've 
> posted, there are no review or licensing requirements for that foreign 
> product.  If they pay you a royalty or licensing fee for a product they've 
> developed for commercial sale, however, you may have to report some 
> information to BXA.
>
> It appears that the only requirement for Mr. Young is to notify us of the 
> location of the source code (http://jya.com/crypto.htm).
>
> I've attached the relevant section of the regs (from Page 2497 of the 
> Federal Register) below.  The entire reg (including the sections on 
> commercial source code and reporting) can be found at http://www.bxa.doc.gov/
>
> ¯Begin reg 
> text--------------------------------------------------------------------------------------------------------------------------------------------------
> (e) Unrestricted encryption source code.
>
>                 (1) Encryption source code controlled under 5D002, which 
> would be considered publicly available under §734.3(b)(3) and which is 
> not subject to an express agreement for the payment of a licensing fee or 
> royalty for commercial production or sale of any product developed with 
> the source code, is released from "EI" controls and may be exported or 
> reexported without review under License Exception TSU, provided you have 
> submitted written notification to BXA of the Internet location (e.g. URL 
> or Internet address) or a copy of the source code by the time of 
> export.  Submit the notification to BXA and send a copy to ENC Encryption 
> Request Coordinator (see §740.17(g)(5) for mailing 
> addresses).  Intellectual property protection (e.g., copyright, patent or 
> trademark) will not, by itself, be construed as an express agreement for 
> the payment of a licensing fee or royalty for commercial production or 
> sale of any product developed using the source code.
>
>                 (2) You may not knowingly export or reexport source code 
> or products developed with this source code to Cuba, Iran, Iraq, Libya, 
> North Korea, Sudan or Syria.
>
>                 (3) Posting of the source code on the Internet (e.g., FTP 
> or World Wide Web site)  where the source code may be downloaded by 
> anyone would not establish "knowledge" of a prohibited export or 
> reexport, including that described in paragraph (e)(2) of this 
> section.  In addition, such posting would not trigger "red flags" 
> necessitating the affirmative duty to inquire under the "Know Your 
> Customer" guidance provided in Supplement No. 3 to Part 732.
>
> ¯End Reg 
> text---------------------------------------------------------------------------------------------------------------------------------------------------
>
> >>> Declan McCullagh <declan () well com> 01/15/00 10:02AM >>>
> *********
>
> http://www.wired.com/news/politics/0,1283,33672,00.html
>
>                         Is This Man a Crypto Criminal?
>                         by Declan McCullagh (declan () wired com)
>
>                         3:00 a.m. 15.Jan.2000 PST
>                         Crypto maven John Young has a problem.
>
>                         He may be a felon, guilty of a federal
>                         crime punishable by years in prison. Or he
>                         may not be. He'd just like to know one
>                         way or another.





--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------