In article <[EMAIL PROTECTED]>,
Steven M. Bellovin <[EMAIL PROTECTED]> wrote:
>For that matter, what is "export"? Posting something to Usenet?
>Putting it up on a Web page or FTP server? The act of downloading it?
As far as I know, they haven't changed the definition of "export". Which
means this is still the one:
EAR 734.2 (b)(9) reads:
// (9) Export of encryption source code and object code software. (i)
For purposes of the EAR, the export of encryption source code and
object code software means:
(A) An actual shipment, transfer, or transmission out of the United
States (see also paragraph (b)(9)(ii) of this section); or
(B) A transfer of such software in the United States to an embassy
or affiliate of a foreign country.
(ii) The export of encryption source code and object code software
controlled for EI reasons under ECCN 5D002 on the Commerce Control List
(see Supplement No. 1 to part 774 of the EAR) includes downloading, or
causing the downloading of, such software to locations (including
electronic bulletin boards, Internet file transfer protocol, and World
Wide Web sites) outside the U.S., or making such software available for
transfer outside the United States, over wire, cable, radio,
electromagnetic, photooptical, photoelectric or other comparable
communications facilities accessible to persons outside the United
States, including transfers from electronic bulletin boards, Internet
file transfer protocol and World Wide Web sites, unless the person
making the software available takes precautions adequate to prevent
unauthorized transfer of such code outside the United States. Such
precautions shall include:
(A) Ensuring that the facility from which the software is available
controls the access to and transfers of such software through such
measures as:
(1) The access control system, either through automated means or
human intervention, checks the address of every system requesting or
receiving a transfer and verifies that such systems are located within
the United States;
(2) The access control system, provides every requesting or
receiving party with notice that the transfer includes or would include
cryptographic software subject to export controls under the Export
Administration Act, and that anyone receiving such a transfer cannot
export the software without a license; and
(3) Every party requesting or receiving a transfer of such software
must acknowledge affirmatively that he or she understands that the
cryptographic software is subject to export controls under the Export
Administration Act and that anyone receiving the transfer cannot export
the software without a license; or
(B) Taking other precautions, approved in writing by the Bureau of
Export Administration, to prevent transfer of such software outside the
U.S. without a license.//
So that would mean putting source on a web or ftp site in the US, available
to anyone on the Internet, would be "export". And note, too, that the new
rules which say you're allowed to "export" certain kinds of crypto source,
*except to the evil countries*, means that you _still_ can't just put source
on the web without making an attempt to keep the evil Cubans, etc. from
getting it.
- Ian "who doesn't trust the "new regs" any further than he could throw
Fidel Castro"
