On Thu, 16 March 2000, Ulf Möller wrote:

  Then what is the proper understanding of "Foreign products developed
  with or incorporating U.S.-origin encryption source code, components
  or toolkits remain subject to the EAR" (EAR being the Export
  Administration Regulations), which is a direct quote from the relevant
  American law?
  
Well, as I warned everyone, this is an exercise in conjugation of the
conditional future subjunctive, but here goes:

"Reexport," under the regs, means movement from one "foreign" country
to another of material that was originally "in" the US.  [It is
helpful in all these matters to remember that the regs primarily apply
to physical objects that cannot be infinitely duplicated with no
marginal cost; software is a type of commodity 'shoehorned' into
regulations designed with, inter alia, missile guidance systems in
mind.]  Code that was once "in" the US and exported to, say, Germany,
is still subject to the EARs when it is subsequently sent from Germany
to, say, Iraq.  That means, under both the old and new forms of the
regs, that someone who exported crypto to Germany with a license could
be held responsible if the licensed technology was reexported from
Germany to Iraq.  This was supposed to make US exporters careful about
who in Germany they sent technology to, lest it wind up in Iraq or
other bad places.  (Now that no license is necessary to send crypto to
Germany, it would be hard to found a prosecution for violation of the
EARs on the reexport to Iraq, but it is theoretically possible.)
Note, however, that as it says in the quotation from 772 below,
nothing can be reexported that wasn't originally subject to the EARs,
and nothing that wasn't ever in the US can be subject to EAR.  That's the
point of the word "remains" in the quotation above.  There is still no
"infection" of material that was never "in" the US to begin with.  The
US-produced components of a mixed product can be subject to the EARs
even though the mixed product was assembled in Germany, as Ulf Muller
points out, and as I said in my previous message, but the
German-produced components of the mixed product are not subject to
EAR, and may be freely exported anywhere German law permits, and may
be freely imported to the US as far as US law is concerned.

Let's bring ourselves to the ultimate issue: Where does this leave us
with respect to the wisdom of using US-produced components in
crypto-containing free software assembled outside the US?  US-produced
components can be subject to EARs, which means that at the present
time they may be freely exported to all but seven countries (none of
which currently permits free access to the network to its own
citizens), so long as a copy of the source code is available to the
Bureau of Export Administration, which acts as a surrogate for NSA.
All free software fulfills this criterion by definition, although we
do have to nominate an official source-availability URL, as I
previously mentioned.  In the worst case analysis, components exported
now might subsequently become non-exportable in the event that
regulations in the US become more restrictive.  No one would be
subject to prosecution or interference as a result of export occurring
before the change in regulations (that's a matter of constitutional
law in the US), but all subsequent development of those components
would then have to occur somewhere other than here.  No code not
originally developed in the US would be subject to this tightened
regulatory environment, unless such code were "in" the US, in which
case the particular copy that was "in" the US wouldn't be able to
leave again--a restriction which makes no difference.

I am grateful to Ulf Muller for his question.  It reminds all of us
that insanity is easier to mitigate than it is to cure, and creates a
hope that the lawyers who have invested years in comprehending the US
export control rules may be able to get paid for their efforts for a
few more minutes.  (I am not paid for my efforts, but that's because I
am the victim of a different form of insanity.)  Nonetheless, I don't
want to let people's natural and justifiable caution lead them astray:
as someone who has dealt with the regs since my initial defense of
Phil Zimmermann in 1991-94, I am here to tell you that the war is over.
For all practical purposes the US spooks have surrendered, and we can
go about our business without worrying that our products will be
sequestered or that their authors will be prosecuted for violation of
US law.

Best regards to all.

--
 Eben Moglen                       voice: 212-854-8382 
 Professor of Law & Legal History    fax: 212-854-7946        moglen@
 Columbia Law School, 435 West 116th Street, NYC 10027      columbia.edu
 General Counsel, Free Software Foundation   http://emoglen.law.columbia.edu



  [From the U.S. Government Printing Office via GPO Access]
  [DOCID: f:772.wais]
  
  Part 772 - Definitions of Terms
  
  Export Administration Regulations       January 2000
  
  The following are definitions of terms as used in the Export
  Administration Regulations (EAR).
  
   Reexport.  "Reexport" means an actual shipment or transmission
   of items subject to the EAR from one foreign country to another
   foreign country.  For purposes of the EAR, the export or
   reexport of items subject to the EAR that will transit through a
   country or countries, or be transshipped in a country or
   countries to a new country, or are intended for reexport to the
   new country, are deemed to be exports to the new country.  (See
   §734.2(b) of the EAR.)  In addition, for purposes of satellites
   controlled by the Department of Commerce, the term "reexport"
   also includes the transfer of registration of a satellite or
   operational control over a satellite from a party resident in
   one country to a party resident in another country.
  
  
  From the Federal Register Online via GPO Access [wais.access.gpo.gov]
  [DOCID:fr14ja00-20]
  
  Sec. 740.13  Technology and software--unrestricted (TSU)
  
      (e) Unrestricted encryption source code.
      (1) Encryption source code controlled under 5D002, which would be
  considered publicly available under Sec. 734.3(b)(3) and which is not
  subject to an express agreement for the payment of a licensing fee or
  royalty for commercial production or sale of any product developed with
  the source code, is released from ``EI'' controls and may be exported
  or reexported without review under License Exception TSU, provided you
  have submitted written notification to BXA of the Internet location
  (e.g., URL or Internet address) or a copy of the source code by the
  time of export. Submit the notification to BXA and send a copy to ENC
  Encryption Request Coordinator (see Sec. 740.17(g)(5) for mailing
  addresses). Intellectual property protection (e.g., copyright, patent
  or trademark) will not, by itself, be construed as an express agreement
  for the payment of a licensing fee or royalty for commercial production
  or sale of any product developed using the source code.
      (2) You may not knowingly export or reexport source code or
  products developed with this source code to Cuba, Iran, Iraq, Libya,
  North Korea, Sudan or Syria.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]