Slashdot Mirror


More New Crypto Rules (UPDATED)

Carl Brewer writes "Looks like the US is finally opening the gates." ...with this announcement from the Department of Commerce. Well, if you believe the draft of the new rules, supposedly just about anything will be okay to publish, including source code. Me, I keep thinking about Lucy, Charlie Brown, and the football, but maybe I'm just a cynic. Update: 01/13 13:40 by michael : The ACLU, EFF, and EPIC have put out a press release describing their reactions to the new rules. They still have plenty of problems with the U.S. export regulations.


  1. Here is the football by tilly · Score: 4
    The following appeared on a mailing list:

    (I wrote:)

    Take a look

    http://www.cdt.org/crypto/admin/000110cryptoregs.shtml

    Skip down to the words "open source".

    "3. Also in 740.13, to, in part, take into account the "open source" approach to software development,
    (snip)
    Looks good to me! :-) Am I missing anything?


    Yes. To start with, 740.13(e) applies only to source code. I don't see anything in the regulations which gives special dispensations to
    binaries generated from such code, so if you wanted to host compiled binaries on your (U.S.) site along with the source code, then I believe
    you would have to formally apply to BXA and request classification of your software; based on the results of that request you might be able to
    export the binaries under the ENC license exception (e.g., using 740.17(a)(2) or 740.17(a)(3), depending on whether the products get
    "retail" status or not). However you might have to implement access controls on the binaries beyond what you have on the source code, for
    example to prevent download requests from "government end-users" and the "T7" nations (North Korea, Iran, Iraq, etc.)

    If your source code implements an "open cryptographic interface" (e.g., something like the RSA PKCS#11 API) then your binaries are even more tightly controlled, and it looks as if you might have to apply for a formal export license (as opposed to using a license exception); see
    740.15(f). (But again, this restriction does not apply to the source code, just the binaries.)

    Next, there's the issue of prohibitions against "technical assistance", per 744.9. These prohibitions appear to be moot in the case of
    assistance with source code, based on the language in 744.9(a) that says it doesn't apply when you're already "entitled to export the encryption commodities and software in question to the foreign person(s) receiving the assistance." However 744.9 appears to still apply in some cases like where the person you're providing the assistance to is a national
    of North Korea, etc.

    (The new regulations don't give you any blanket exemption from "knowingly exporting or reexporting" stuff to the "T7" nations;
    740.13(e)(2) only gives you a specific "safe harbor" to put stuff up for public download without triggering the "T7" prohibitions. However
    that doesn't cover cases like export or assistance via email.)

    Then there's the issue of combining U.S. and non-U.S. open source encryption source code, both in the U.S. and elsewhere. Based on 740.17(d), "foreign products" including U.S. encryption source code don't require BXA review or classification, and can be freely exported
    from the U.S. However there still might be issues here due to language elsewhere in the regulations. The prior regulations had some complicated "de minimis" language which in effect made it illegal for non-U.S. code imported into the U.S. to then be exported out again, even if the non-U.S. code had no U.S. content at all, and I'm not sure yet if vestiges of that might not be lurking somewhere.

    740.17(d) also states that "foreign products" incorporating U.S. source code are "subject to the EAR". This I'm sure will alarm some people
    outside the U.S., but I don't know if this actually would cause any problems in practice. It may be directed at persons under U.S. jurisdiction, to alert them that they still have to follow U.S. regulations when exporting such "foreign products"; it may also be intended to give the U.S. government leverage over non-US persons or companies who might export such products to "T7" nations.

    So at least in my opinion the effect of the new regulations on FSBs is not entirely straightforward, and I think we'll have to wait for further public review of the regulations to see if some of this becomes clearer.


    *sigh*
    Ben
    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  2. Cool by delmoi · Score: 5

    From the paper

    3. Also in 740.13, to, in part, take into account the "open source" approach to software development, unrestricted encryption source code not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code can, without review, be released from "EI" controls and exported and reexported under License Exception TSU. Intellectual property protection (e.g., copyright, patent, or trademark) would not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. To qualify, exporters must notify BXA of the Internet location (e.g., URL or Internet address) or provide a copy of the source code by the time of export. These notifications are only required for the initial export; there are no notification requirements for end-users subsequently using the source code. Notification can be made by e-mail to crypt@bxa.doc.gov.

    Wow, that's certainly great, I hope this does pass.

    "Subtle Mind control? Why do HTML buttons say submit?",

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  3. Jerking the Football Away by thales · Score: 4

    This isn't a law. It's a regulation. Laws are passed by Congress and can only be changed by Congress. The current law allows the Commerce Department to issue whatever regulations it wants to regarding crypto. Last year Congress was moving towards changing the law and reducing the Department's power regarding crypto. Clinton was having trouble keeping it bottled up in committee. By changing the regulations now they avoided losing the power of setting regulations. They can change the rules again next year. Lucy (Commerce) still controls the football. We might get to kick it today, but she can jerk it away anytime she thinks she can get away with it.

    --
    Quemadmodum gladius neminem occidit, occidentis telum est
  4. Re:Interesting notes about the document by konstant · Score: 4

    I think the law is a little too lax, and I wonder if this isn't some sort of a ploy by the US gov't. I mean, for years, they have had very little popular support about their encryption laws, and now they draft a law that is so sweeping and reforming that even the US gov't's staunchest critics go "Whoa, wait a minute, let's not get *too* crazy here". Then, with perfect honesty, the US gov't can yank the law away, and say, "Hey, we *wanted* to open the export laws up, but popular support was against us, so we dropped it because *we* *love* *our* *voters*".

    That doesn't seem likely. Very few voters are even aware of cryptography, let alone the concept of export restrictions. Those who are, generally are technically savvy individuals like ourselves, who tend to oppose such regulation. Since nearly the entirety of the popular reaction to encryption limits has been from this fairly elite group, the scenario you illustrate is basically just as unlikely as the entire population of slashdot waking up tomorrow and deciding that online export freedoms are a bad thing. That is to say, very very unlikely.

    But if we view the reality of the situation, we see that this has very little to do with voters. It is propelled by two forces. One apparently (and gratifyingly) is the "GnuPGP" project that essentially rendered strong crypto limits moot. The second, more important influence is from United States tech companies and their constituent option-paid workers. Many of these companies are horribly wealthy, and many of them feel annually the testing, development, and marketing pinch of producing both a high and a low version of their crypto-enabled products. These companies want restrictions dead.

    If you want to pitch in your efforts by writing your congressman, I heartily recommend you elaborate to him/her the fact that your tech employer is paying through the nose because of this national policy and would be sure to see higher nets each year if this cumbersome bureaucratic nonsense went away. Better yet, I recommend getting your whole business involved in lobbying for this change, if only by means of a letter from the CEO/CIO to the appropriate lawmaker.

    Congress is in the pocket of fat cats, but that doesn't mean we can't still get our way once in a while if we pull the right strings.

    -konstant
    Yes! We are all individuals! I'm not!

    --
    -konstant
    Yes! We are all individuals! I'm not!
  5. Interesting notes about the document by DoomHaven · Score: 4

    I, for one, am very skeptical about the document's continual use of the phrases "to all destinations" and "without additional review and classification". I mean, yes, open the flood gates, yada, yada, allow encryption for export, yada, yada. But what about countries the USA is at war with? And bluntly, by the sounds of it, this law takes away pretty much ALL of the US government's control on encryption; and traditionally, the US gov't doesn't like releasing control.

    I think the law is a little too lax, and I wonder if this isn't some sort of a ploy by the US gov't. I mean, for years, they have had very little popular support about their encryption laws, and now they draft a law that is so sweeping and reforming that even the US gov't's staunchest critics go "Whoa, wait a minute, let's not get *too* crazy here". Then, with perfect honesty, the US gov't can yank the law away, and say, "Hey, we *wanted* to open the export laws up, but popular support was against us, so we dropped it because *we* *love* *our* *voters*".

    --
    "Don't mind me cutting myself on Occam's Razor"
  6. A point from OS by 1DeepThought · Score: 5
    You all seem to think that the United States is the only place anyone can get full strength encryption. I hate to tell you this but encryption work is being done all around the world. There are many full strength products that were not developed in the United States. Even some that were are available elsewhere, i.e. PGP. The only people this is a major bonus for is US vendors, not users around the world, or at least not on the same scale.

    Another example is Fortify. This puts full strength encryption back into Netscape browsers. I realise there are other reasons such as being able to share code etc. but for the main part the real benefactors are only US vendors. I'm fine down here in Australia with the products that are already available to me and I'm sure many others around the world are.

    "Patience is a virtue, afforded those with nothing better to do." - I don't remember