Michael H. Warfield wrote:
> Well, it would help if some of you would read the regulations
Indeed. This seems to be the post that best addresses the actual reality
of US encryption export control, so I thought it was appropriate to add
my own comments to it.
IMPORTANT: Note that I am not a lawyer, and this is not legal advice.
Also note that I'm not speaking officially for mozilla.org; these are my
personal opinions.
> (I have).
I can sympathize :-)
> Those regulations have rather explicit exemptions for
> open source projects, the binaries that are based on them, and the
> sites which host them.
Correct. More specifically, open source encryption software falls under
the "TSU" ("Technology and Software - Unrestricted") export license
exception, and is (for the most part) exempted from the requirements of
the encryption export regulations.
> Specifically, and explicitly, sites which
> host cryptography in source form or based on freely available sources,
> are exempt from the "safe harbor" (aka "cover your ass" announcements
> and due diligence practices) and "know your customer" (identification
> and tracking) requirements.
> In other words, you as a site operator, do NOT have to take any
> measures to restrict who can download from your
> site or even recognize or know where the downloads are going to.
Correct. This point is worth reemphasizing: If a site in the US puts up
open source encryption software for general download (e.g., via
anonymous FTP or unauthenticated HTTP download), so that it gets
downloaded by someone in Iraq, North Korea, or wherever, the site
operator has _not_ done anything wrong under US law and regulations
(provided only that they notified the US government as discussed below).
A more interesting question is whether the person in Iraq, etc., has
violated any law. To the best of my knowledge the US export regulations
don't apply to a non-US person downloading the software from outside the
US for personal use outside the US.
However the person may be subject to local laws relating to encryption,
and I suspect that a number of the countries on the US "prohibited
countries" list may have quite severe laws against using encryption
software. For information on encryption-related laws and regulations in
countries around the world, see the most recent "Cryptography and
Liberty" survey published by EPIC:
http://www2.epic.org/reports/crypto2000/
(Note that this report doesn't include information on all of the
countries on the US-prohibited list.)
> The
> only requirement on the ORIGINAL sites hosting cryptography is to
> send a message to the BXA notifying them that the site is hosting
> cryptography. Nothing more. You don't even have to tell them what
> cryptography or provide them with copies (unlike the commercial stuff
> which has much stricter regulations).
Minor correction: You do have to provide BXA either a copy of the
software or a URL where the software can be obtained.
> Mirror sites are even exempt
> from the notification requirements.
Correct, although I'm not sure that this is explicitly mentioned in the
regulations themselves. This point is addressed in the Mozilla Crypto FAQ:
http://www.mozilla.org/crypto-faq.html#2-1
> The notice on the Mozilla site
> is NOT required in any way shape or form in the regulations. Some
> lawyers have recommended these notices as sort of a "cover your ass"
> action but they are not part of the regulations themselves. If it
> WERE commercial or encumbered software or if the sources were not
> available, then it would be a different matter. That may be why
> some lawyers are recommending some of these announcements even
> though they are not required.
I didn't write the notice on the mozilla.org site, but I can give at
least two reasons for including it:
First, a person downloading the Mozilla software from mozilla.org may be
working for a US-based company planning to ship a Mozilla-based product.
If this product is proprietary (i.e., it includes added code that is not
open source) then the product would fall under the export regulations
relating to proprietary software, which are more severe than for open
source software. So we want to put such companies (and their lawyers) on
notice that Mozilla includes encryption software and is subject to US
export regulations.
Second, even an individual Mozilla user in the US may run afoul of US
export regulations. Recall that the exemption granted for open source
software applies only if you do not "knowingly" export the software to
people or countries on the prohibited list. But suppose that a US
citizen or US resident alien puts together a version of Mozilla
(including the crypto parts) at the request of someone in Iraq, North
Korea, etc., and sends it to them via email. (Or they might fulfill the
request for the software by putting the Mozilla version on a personal
web site and then sending personal email to the people in Iraq, etc., to
tell them where to download it.)
This type of export does not necessarily qualify for the exemption
granted to people who put open source encryption software up for general
download, because the person would have "knowingly" exported the code to
prohibited persons and countries. As a BXA representative put it in an
email message
http://lists.insecure.org/politech/2000/Jan/0046.html
"... if you post some code and Saddam Hussein downloads it, you are not
liable. If Saddam calls you up and asks you to e-mail him the code, and
you send the e-mail without applying for and receiving a license, you
are liable ..."
So this notice is also intended to make individuals in the US aware that
Mozilla is not just standard open source software, but does come under
US export regulations, and that those regulations apply to them as well.
Now, would the US government prosecute someone in the US just for
emailing someone in Iraq, etc., some open source encryption code? Maybe
not. But if the person exporting the code were detained for other
reasons, would government prosecutors add the violation of export
control regulations to the list of charges threatened against that
person? I wouldn't bet against that possibility.
> While the regulations in total are pretty thick, the sections
> which apply to open source software are reasonably readable. I'll
> post pointers to the appropriate chapter and verse on the government
> site later (I don't have them at my fingertips at the moment).
The complete Export Administration Regulations (EAR) can be found at
http://w3.access.gpo.gov/bxa/ear/ear_data.html
The most important language dealing with open source software is at
740.13(e)(1) through 740.13(e)(4), on page 25 of the following PDF document:
http://w3.access.gpo.gov/bxa/ear/pdf/740.pdf
There are some other sections that are relevant, but this is the best
place to start.
Frank
--
Frank Hecker