>>>>> "Florian" == Florian Lohoff <[EMAIL PROTECTED]> writes:

Florian> On Sun, Feb 24, 2002 at 01:02:51PM -0500, Sam Hartman
Florian> wrote:
>> I maintain openafs and krb5.  Both of these programs are US
>> origin programs in non-us maintained by US maintainers.  I
>> believe there are others.

Florian> Didn't know that - How does that fit into the picture.

Well, it has to go in non-us because it's crypto.  I'm maintaining it
because I want to and because when I brought up the legal issues on
debian-legal over a year ago, no one objected.  Once this stuff moves
into main, it will be easier for me to convince maintainers to add
Kerberos support into their packages.  That will make our (or some of
our) users happy.

>> But hey, guess what?  We're using a different section of the
>> EAR to export our crypto.  In particular, we're using 15 CFR
>> 740.13(e).  And guess what?  That section says nothing about
>> items staying subject to the EAR after export.

Florian> What I also meant was the reexportation by automation
Florian> which one could interpret as a knowingly shipment to T7
Florian> countries.

Except that:

A) It is not reexportation (see defn of reexportation below)

B) The fact that it is automated doesn't matter.

For something to be illegal it has to break some specific law.  It's
illegal for me to export to a t7 country.  The law is written in terms
of specific actions.  If there were a law that stated that it was
illegal for me to cause some software to be exported to a t7 country
then your reasoning is incorrect.  However the law only says it is
illegal for me to knowingly export to a T7 country.  That's knowingly
export--not knowingly cause an export to happen.  So for me to violate
the law I actually have to be doing the export.  Thus to determine if
it is legal for me to give you crypto we need to look closely at the
definition of export.
I've done so (looked at the specific definition of export in the US
law) and as far as I can tell, I'm not exporting to a T7 country when
I export to you, even if you may end up exporting to a T7 country
later.  If I'm not exporting to a T7 country, then I cannot be
knowingly exporting.  The same argument applies for an automated
script.  For there to be a knowing export to a T7 country, there must
be an export to a T7 country.

There's a bit of complexity involved if the purpose of my export to
you is to get around the law.  In that case, me exporting to you might
be considered an export to a T7 country.  Actually, I think what
happens is that there's case law that says it is illegal to take some
action just to get around the law.  But that doesn't apply in any of
the cases here.  I'm exporting to you so you can run a mirror.  I'd
export to you even if you hated the T7 countries even more than the
US.  It should seem clear even to a court that Debian is not moving
crypto into main just to set up a complex situation so we can export
to T7 countries from the US.

>> I think you're confused about the definition of re-export as
>> well.  As far as I can tell under US law, a re-export is when
>> an item imported to the US is exported again, not when an item
>> exported from the US to another country is exported again from
>> that country.  That might be a re-export under that country's
>> laws, but not in general under US law.

Florian> That's the US centric view -

First, it is not just a US-centric view.  It's what is stated in the
law.  There's a huge section that defines terms.  One thing it defines
is export and re-export.  And hey, if we are talking about a
particular law we should use the definitions from that law.  Those are
the definitions the court will use to convict or fail to convict for
violations of that law.
Even if the EAR defines putting code on a website as exporting that
code (which it does), then we need to use that definition of export
when we're talking about the law.  Under a common English
interpretation of export, I would not expect putting US code on a US
website to be an export.  But because the law says that's an export,
for the purposes of this discussion we would be silly not to consider
that an export.  Just so, if the law says something is not a re-export
or is not an export, we would be foolish to make up our own
definitions (even if they seem more reasonable) and apply the text of
the law to those definitions.

Florian> From my view this means - We are importing the crypto
Florian> stuff from the US to Germany - And then ME as the mirror
Florian> maintainer I export the stuff to t7 countries e.g. as
Florian> mirror.

Florian> Which means in the end that any upload to the main site
Florian> is a knowingly export to T7 countries (in the end)

Yeah, but as I said earlier, it is not the consequences that matter
but the specific actions.  The export to you as a mirror maintainer is
legal under US law.  Your export to a T7 country is legal under US law
because you are not a US person and the crypto code is no longer a US
item.  (US person is a term of law; US item is my own term--I could go
look at the specific text for what terminology they use.)

>> The maintainer, not Debian, is doing the export.  Every time I
>> upload new software to pandora, I am exporting from the US.  I
>> have the option of either violating US law or notifying the BXA
>> of my export.  Not surprisingly, I choose to notify the BXA
>> myself.

Florian> The point I made is that in the future all incoming
Florian> queues + master site may be in the US - There are
Florian> hundreds of full and partial mirrors access that site and
Florian> exporting to "good" parts of the world.  There are some
Florian> bad guys over there in Cuba (Sorry - US speech) which
Florian> mirror from a site e.g. in Germany.
Florian> Now - One might interpret as a knowingly exportation to
Florian> T7 countries.

One might.  The interesting question is whether an American court,
looking at the definition of export and knowing export would interpret
it that way.  I think the answer is no having read those definitions.
If you want to go read the law, read the definition of export,
re-export, knowing export, and explain how I'm wrong, that would be a
mildly interesting conversation.

Florian> Who is to blame?  The DPL?  No - From my guess they'll go
Florian> after the individual maintainers who send stuff to the
Florian> normal queue and from that on do a knowingly (multi-step)
Florian> export to T7 countries.

Or the ftpmasters or the people running the servers in the US.
Actually in practice, what they'll do is send us a formal letter
telling us to stop.  It doesn't look good to try and convict a bunch
of volunteers writing free software for exporting stuff to Cuba when
you could just send them a legal order telling them to stop doing it.

It seems to me fairly clear what we are doing is reasonable.  It
seemed clear to the lawyer as well.  So while Debian should seriously
consider any legal threats from the US government, if we are fairly
sure that what we are doing is legal and no such threat will be
coming, going forward seems reasonable.

Now you are correct that the US government could have written the law
such that taking actions I knew would lead to exporting to T7
countries is illegal.  If they did that, this entire situation would
be more complex.  Fortunately they did not do so.

Florian> Am I just too paranoid?  I feel uncomfortable with the
Florian> point that there might be legal DoS possible against a
Florian> very important part of Debian the package pool and its
Florian> automatic distribution to mirrors.

Might is way too weak of a word.  There are so many ways of mounting a
layer-9 (political/legal) DOS against debian it's not funny.  Send a
bunch of DMCA copyright complaints.
Send a bunch of patent letters.  The US could assert (it's about as
likely as anything that you have proposed) that

1) Debian is a US organization (false but the US might easily believe
   so)

2) Debian runs non-us.debian.org

3) Thus non-us.debian.org must follow US export laws even though it is
   not in the US.

Note that if Debian were a US corporation then all three of these
points would be clearly true.

I think that you do not understand the law well enough for the level
of paranoia you are implying.  Please read over
http://www.access.gpo.gov/bxa/ and look at the definitions of export,
re-export etc before continuing this discussion.