Slashdot Mirror
Ask Slashdot: Using SSH on non-US Sites for Crypto Development?
cesarb droppped this interesting question in my inbox, that I would like to share with you all: "I would like to know if a developer in the U.S. could use telnet or SSH to a box outside the U.S. and help developing a code that uses crypto. If he types a whole file of source code for a crypto algorythm, this of course is export; however, if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes and the actual text you typed (like the new name for the function), and what appears on your screen was just imported but never exported back. This would allow things like the kernel, Mozilla or anything else to be developed with crypto outside the U.S. but by people inside the U.S., and so would stop the last piece of usefulness in those silly U.S. crypto export restrictions." Would something like this work? Are there any other solutions for U.S. citizens developing strong cryptography to share there work with others abroad?
Irregardless of "export," it's a felony for an American to provide "technical assistance" to foreigners about crypto.
Companies and organizations like mozilla.org have to keep their noses clean, so they can't even provide minor help like bugfixes to free-world crypto efforts. A single person could probably get away with it, though, especially if you were careful (e.g., anonymous encrypted mail with the bugfix, etc.) (Not that I would ever publicly encourage someone to commit a felony, of course!)
However, most of the major free-world crypto development efforts will not accept help from Americans, because under American law that then "taints" their effort as an American product, confusing the issue further. This is not just a technical worry; the US assumes its laws apply in all countries.
Check DejaNews, the appropriate portion of the regulation is posted to sci.crypt and crossposted later (by me) to talk.politics.crypt. U.S. citizens are prohibited from exporting crytography, and are prohibited from providing technical assistance, and if overseas are prohibited from working on products that would require an export permit within the U.S.
Regarding sovereignty the United States Government holds that if you are a U.S. citizen, you must obey U.S. law no matter where in the world you are. The USG has been known to kidnap U.S. citizens in foreign countries in order to bring them to trial here in the U.S. if they peeved the USG enough. Heck, they don't even have to be U.S. citizens -- anybody remember Manuel Noriega, who was (quite illegally) kidnapped and brought to trial in Miami for crimes that did not violate Panama law and that were committed within the borders of Panama?
-E
Send mail here if you want to reach me.
You're breaking the law even to contribute technical assistance. However, the USG has a "gentleman's agreement" not to prosecute where it feels that they'd lose on First Amendment grounds. But where is the border line? Do YOU want to be the test case who spends the next five years in jail waiting for trial?
-E
Send mail here if you want to reach me.
The regulation says that if you're an American citizen overseas and working on a product that would require export permission here in the 'States, you're breaking the law. For that matter, an American citizen re-keying the code into a system upon arrival overseas would be breaking the law (since he would be providing technical assistance).
For that matter, even printed on paper it's technically against the regulation, except that the regulation allows "academic discourse" and if you print a few academic notes to go with the code it slips through that loophole in the regulation. But don't think you can add a few academic notes and post the source to the USENET, the requirement is that it be printed on paper in order to qualify as "academic discourse", though the Bernstein case is trying to qualify source code in electronic form distributed as part of a book as "academic discourse" too (and he has a good case, but the USG will drag this out forever).
Anyhow, it's all a blatant violation of the First Amendment, but the U.S. government doesn't believe in the Constitution anyhow (see the RICO statutes, which violate the 5th Amendment, for another example), so it doesn't matter.
-E
Send mail here if you want to reach me.
Flee the USA if you wish, but expect that if you peeve the USG enough, they'll go out and kidnap you in order to bring you back to trial. Heck, Noreiga was president of his whole damned country and you saw how well he fared when the USG decided to kidnap him in order to bring him to trial in Miami (for acts legal in Panama, that occured within the borders of Panama). What makes you think that a little pipsqueak like you or me stands a chance if they get peeved?
-E
Send mail here if you want to reach me.
The problem is that most strong authentication mechanisms depend upon public key encryption, which IS export controlled. So, for example, let's say you want to only run binaries which are signed by Red Hat Software or by your Corporate Information Center. They would "sign" the binary by encrypting the MD5 of the binary using their private key, then before you run the binary you check the binary to make sure its MD5 matches the MD5 decrypted using their public key. Thus you can insure that you got a trusted binary and not some barfled one.
The problem is that even though this would recieve an export license if you applied for one (because it is an authentication scheme, not an encryption scheme), you cannot include source code, because the source code would be capable of being "misappropriated for non-authorized uses". The GPL means that thus this capability won't go into the kernel.
In other words, the US Government is propping up Microsoft here, since Microsoft can include this capability in their OS. (If they gave a damn, which they apparently don't). But that figures, the US Government is also giving Microsoft huge export subsidies too, at the same time that they're suing Microsoft for monopolistic acts. Quite a government we have, eh?
-E
Send mail here if you want to reach me.
This is the Bernstein case, and was about posting the source code that went with an academic paper. See the EFF home page (http://www.eff.org ) for more info.
As far as I know it's still tied up in court. I'll just note that the regulations allow academic discourse but unless it takes place on paper and ink the USG doesn't believe it's academic discourse. Bernstein is trying to pry a hole in the rule to say that academic discourse can take place over the Internet too. That still won't help Red Hat export a product that incorporates encryption. (SuSE, on the other hand, has no such problem, since they are not an American company -- in other words, the USG is putting American companies at a disadvantage).
-E
Send mail here if you want to reach me.
Not exactly. Source code AS ACADEMIC DISCOURSE is free speech -- in one particular circuit court, and the decision is being appealed. Source code outside of academic discourse is another story altogether. See http://www.eff.org for more info on the Bernstein case.
-E
Send mail here if you want to reach me.
http://www.access.gpo.gov/nara/cfr/index.html
-E
Send mail here if you want to reach me.
Other countries do have their own crypto. That's the problem. American companies are at a disadvantage because they cannot put strong crypto into their products, while foreign companies can.
The most beloved product by all Unix system administrators is 'ssh', which does encrypted rsh/telnet connections instead of sending passwords in plain text. It was done in (guess what!) Europe, and in fact is illegal to use in the United States unless you buy it from a licensed vendor (because it incorporates the RSA algorithm, which is patented, though only in the United States).
Of the candidates for the AES data encryption standard, a 128-and-256-bit-key encryption standard which will be required to be used by all government agencies and contractors as the replacement for 56-bit DES, three of the five finalists were coded entirely outside of the United States. We may soon be using foreign encryption code to run the U.S. Government!
--E
Send mail here if you want to reach me.
I don't personally care. If the Federal Government wants to prosecute me because I've been fuddling around on sci.crypt and posted some thoughts about Diffie-Hellman in a place where foreigners could see, it, screw them.
:-(.
But dozens of people rely on my employer for their living, and he's not going to jeopardize his company by saying "screw you!" to the government. So he's not going to export a product containing strong encryption in violation of the regulations, because they could fine him millions of dollars and throw the whole executive staff in jail, in which case the company is kaput and everybody who's not in jail is out of a job. So he cannot compete with European companies who CAN sell products with strong encryption.
So the final status is that we will have two products: A US/Canada product with strong encryption, and an overseas product which does not have encryption (because the export regulations also require that we track where each copy is sold to make sure it's not re-exported to a company on the "forbidden" list -- hell, we ship these things en-masse to distributors, how'n'hell do we know where they've been sold to?!). So we will be at a disadvantage compared to European competitors. Pisses me off, personally, I think I have great code in one utility that I'd love to release as Open Source, but nobody will ever be able to see it because of those @#$% export restrictions
-- Eric (EST's crypto expert "because somebody had to do it").
Send mail here if you want to reach me.
The fiction is that publishing papers is "academic discourse" and thus is protected by the First Amendment, while source code in electronic form is a "mechanism" and thus covered by the commerce clause. Actually, even publishing papers internationally would technically be against the law that prohibits "technical assistance" to foreign nationals, if I'm reading the draconian CFR correctly, except that the Justice Department has issued a directive that they won't prosecute cases that clearly are First Amendment cases.
See the EFF site for the Bernstein case, which is trying to get source code classified as academic discourse too.
-E
Send mail here if you want to reach me.
Academic discourse is protected under the First Amendement, according to the DOJ, and thus will not be prosecuted under the regulations even if foreign nationals can see it. Bernstein is trying to get source code classified as academic discourse (see the EFF home page).
Atomic bombs are export-controlled, but as a U.S. citizen you cannot go to Pakistan and help them with their atomic bomb project. The notion is that this is like yelling "Fire!" in a crowded theatre -- i.e., that the purpose of the speech counts, you can yell Fire! all you want to in the privacy of your own home or in a cow pasture, but not where it can harm others.
The RSA incident may be from "The Codebreakers", I don't remember it in Schneier (though I have not memorized Schneir -- yet -- so it may be in there).
-E
Send mail here if you want to reach me.
Keypunching or scanning the code in off of a printed research paper (note that a printed "book" with a few lines describing the algorithm and the rest being the algorithm qualifies as a "research paper" as far as the US DOJ is concerned) is okay, and the USA cannot put you in jail for doing so since you are not a US citizen. You can in fact put your code up for grabs on the Internet. See http://www.replay.com for an example.
On the other hand, while you will not be prosecuted for using false pretenses to gain access to U.S. code and then putting U.S. code on international servers, the authors of that code may very well be prosecuted. Phil Zimmerman (PGP) spent years with the hounds of the US Government on his tail. In addition, many countries do have recipricol agreements with the US that they will not re-export US code in exchange for various special favors. Canada is an example, that is why only a version of Kerberos 4 re-coded from the "bones" by foreign nationals is part of OpenBSD, even though Kerberos 5 is available from the worldwide crypto archives (via the same print-out-then-scan-back-in mechanism). The difference is that Kerberos 5 was not re-coded from the "bones" and thus qualifies as U.S. code as far as Canada is concerned.
-E
Send mail here if you want to reach me.
Err, block ciphers of 128 bits or greater are safe for the time being. The output of known good block ciphers, such as the five AES candidates, is statistically indistinguishable from random noise. The only real attack that can be made is differential attacks, and that appears to be a problem only for DES, which is why the NIST is retiring DES in favor of a new American government encryption standard (the AES candidates). If you use Bruce Schneir's "TwoFish", a derivative of "Blowfish" and the best known of the AES candidates, you can pretty much be assured that you're safe -- all of the five AES candidates have been extensively cryptanalysed (especially by their competitors, all of whom are looking for a weakness in the others' algorithms!).
RSA public key encryption, on the other hand, could be succeptible to new solutions to the underlying "factoring problem". (Public key encryption uses the product of two large strong primes and relies on the difficulty of factoring very large numbers to provide its strength). There are varieties of public key encryption which use exponential equations distributed over a field (ElGamal) or elliptic curves (see http://www.certicom.com/ for info there) as the underlying "hard problem" rather than the factoring problem, but they have not been as widely cryptanalysed. Actually, elliptic curve cryptography is just now getting to the point where I think it's been analysed enough to be safe, but any public key encryption algorithm implicitly has a relationship between the public and private keys, so public key encryption is always succeptible to new revelations in mathematics, and the NSA has some of the best.
Which won't help them crack a message encoded with 256-bit TwoFish! But I would say that 512-bit RSA is toast, and 1024 bit probably would take the NSA spooks only a few days at most on their big specialized RSA cracker machines. (But note that someone "inside" has stated that the NSA doesn't even need to crack RSA for the most part, because people's computer security is so bad that usually they can walk right in and intercept the cleartext BEFORE they're encrypted).
_E
Send mail here if you want to reach me.
According to the regulation as recently posted to sci.crypt, even helping someone outside of the country with their crytographic product is illegal. And you can't even move to Mexico (which has no encryption restrictions) and get away from the long arm of American law -- the regulation says that if you're outside of the U.S. and either develop or help someone make a product that would be export-controlled within the U.S., you can be prosecuted. Before you say "so what, I'm in Mexico!", the U.S. government has been known to *KIDNAP* American citizens overseas in order to prosecute them here... hell, they don't even have to be American citizens, they kidnapped Manuel Noriega and prosecuted him here too, quite illegally I might add, the man was a scumbag but that doesn't excuse it.
-E
Send mail here if you want to reach me.
What you need is legal advice from a seasoned criminal lawyer who is also well grounded in D.C. politics. And even then, you won't know for sure until the first cases reaches the Supreme Court.
This is playing with fire. Even if it's legal, expect to spend years and millions in court.
All laws are subject to interpretation. I say its time to get the lawyers involved and perhaps do some digging to see what kind of corruption we really have in the US government behind the "dangers" of encryption.
When I say all laws are subject to interpretation by the courts, let me relate my experience with a personal bad habit a several years back. You see, I liked to drive fast. A lot. From speeding tickets to OJ getting away with murder, I'm sure the principle behind encryption is much more honorable and should be pursued.
My experience with taking things to court suggest anything can be pursued given enough energy for much less than you think. I accumulated *five* speeding tickets in Kansas City. My lawyer told me the law only allowed one instance of getting a ticket reduced to, say, a "parking violation." I got two tickets that week, a 90 in a 55 and a 69 in a 55. I may have interested him with my comment I would like to fight these (perhaps unwisely) to the supreme court. He was intrigued and to make a long story short and a few courtroom visits later, I had no points on my license due to him getting the worst violations dismissed for technical wording. I added up the legal costs out of my pocket was $1055. After that I got rid of my radar detector and haven't gotten a ticket since.
Anyhow, I'm sure this encryption debate is not a boring issue with some powerful, yet isolated government officials. Its time to turn up the heat and see how they react. It has nothing to do with terrorism or child molestors, but may have much to do with government officials stealing secrets from industry and their sideline consulting businesses. I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.
I think this could work...
As mentioned, the screen seen while editing is obviously "import", and code never does get exported, as it is abroad all-the-time.
The article's title is a bit misleading, SSH is only a detail in the method, ssl-telnet or any other encryption program could be used.
shipping a nuclear bomb overseas, one tiny little piece at a time? I don't think the feds would let that one slip through the cracks. :-)
Certainly not, if they ever found out, which is the point of this whole discussion in the first place.
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
It would be vary slow but may me in the law because nothing is leaving.
Nope, the data is still being sent -- it's just encoded in the ACK sequences then. In fact, modulating ACKs is one popular way to quietly get data out of non-airwalled "secure" networks, hence we use fun devices like NLS pumps to prevent that.
[ n.b. if you actually care about something, don't ever put it on a machine even remotely near an open network, firewalls, NLS pumps or no. Airwalls are the only way. (and even then they're not totally secure due to human factors) ]
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
At the end of each line, you could put a checksum digit. Then, if the OCR fails on that line, it can be flagged for checking by the human operator.
This was done for the PGP book and others.
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
There's no restriction on importing strong crypto INTO the US, is there? If not, why doesn't the Linux community just agree to restrict all strong crypto development to people who aren't going to get in trouble for it and have US-based developers focus on other projects? We all get to benefit from the proceeds, so what's the difference?
One of the main reasons there is such a stint over crypto is that it is considered a munition. So exporting it is tantamount to exporting live rounds, according to the law.
Here's something interesting: Quite a few posters here would suggest that such an association of crypto with munitions is silly. That crypto isn't like live rounds or armour. But if that is the case, then why is it that crypto is referred to as a technology to "protect" us from the government's eyes and ears? Why the mention of ssh for "protected" and "secured" channels of communication. Obviously cryptography is being used as a tool, one which proves to be as effective as a gun, flak jacket, armoured tank, or missle silo.
With cryptography, you can potentially run an underground operation without being detected. Your paper trail would take decades to decode or decipher, during which time, the statuet of limitations would expire. With cryptography, the order to assasignate would never be heard by anyone other than the person the message was intended. It is the cloak which pairs with the dagger. The stealth camouflage.
Yet there are still some people who argue that the idea of crypto being a munition is silly. Fine. Whatever.
The law is there not because the government thinks US citizens are the brightest folk on the planet. It is to offer a means to punish those who would think to leak the secrets, weapons, technology, secret keys, etc to other nations either out of sheer ignorance or for personal gain.
Powerful encryption is just as important as the latest technological advancement in military technology. It is useful if you have an understanding of how to use it which is on par or better than others who are using it. It is EXTREMELY beneficial if you are the only nation which holds control over it.
The laws cover US citizens no matter where they go. Or at least tries to. Some peope praise it for saving their asses when they get into trouble in other countries. Those same people scream their head off when those same laws follow them when they want to do something illegal outside of the jurisdiction of the states.
If you ran a company and needed to keep clientele secrets for a living. What would happen if your employees had a habit of going home with a headful of those secrets and tells them to a friend when off duty and off company grounds? Just because they aren't working, does that mean the rules and regulations won't apply until they check in again? Does THAT make sense? No. The rules would apply even after work hours and off company grounds. It is the nature of the situation which creates the necessities for these laws. Due to one viewpoint or another.
The ironic thing, of course, is that these laws were probably created by the very same type of people who are now seeking their removal. And in time, these new people will bring about laws which will become targets of yet another generation with different viewpoints.
Basically, if you don't like it, talk to your representatives. Send letters. Send emails. Change the law. It IS your right. Better that than sneaking around hoping to not get caught because you think the law is evil.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
So, what you are saying is that someone, in this case, a US citizen, is participating in the development of cryptography, yes?
And while that isn't a big deal, we add into the stew the note that this person is physically in the states.But the databases and code he is working with are outside of the states.
This has some ramifications. Namely, the person in question is developing cryptography. But not only that, he is helping a foreign organization develop it outside of the states. But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of crpytography in another nation.
If the problem is somewhat hard to see, let's use another example. Nuclear weaponry and technology.
Let's say our friend is a US citizen and through an encrypted channel, is helping an organization in another nation work on nuclear weaponry. Sure, he doesn't have any documents on this side of the border and sure, all the work he is doing is stored remotely. But what do his actions amount to?
I'm not sure in our current state of "peace", but if it were during a war, this person would be considered a traitor and if caught, would be held for treason.
I'm not saying it is right or it is wrong. But the aiding of foreign nations to develope technology which could in turn be used against the states isn't exactly smiled upon.
But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?
On a side note, a knife painted like a banana is sort of silly, but it is still a knife and by that token, still dangerous and something to be respected. Even if the wielder is nothing more than a clown.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes
In this you'd be safe, imho, only because any anti-crypto prosecutions would be laughed out of court. If you were busted and were forced to use the 'only a few key-strokes' argument, however, you'd be skating on thin ice. After all, all programs could be considered the sum of their key-strokes, and it doesn't matter whether they were written by one person or ten; if you willingly contribute code in a foreign land you're breaking the law.
The company I work for (which shall remain nameless) has a strict policy on this sort of thing; our hot'n'juicy lawyers have made sure that the policy strictly conforms to US and international law. ANY work done by a US national that is implemented in a project outside of the borders of the US is considered export work. This includes bug fixes, and even commenting on work done by foreign nationals outside the US. In fact, even commenting on software produced by foreign nationals WHILE IN THE US is considered exporting those resources. Consequently, our encryption division looks like a typical shaker community; you shake it, and nothing but white guys fall out.
Call me stupid, but I thought mad-cow virus lived in brain tissue. Is there a waiting time or something? cause I can't imagine mad cow staying in your blood stream past a certain amount of time. (though you'd probably be dead by then I guess but thats not the point)
another way to do it would be to spend some time in europe and fiddle with us bearded european math wizzes.
it takes more time than SSH but you get to have some real food instead of american genetically engineered hormone grown hamburgers..
laurent
Dev elpizw tipota, dev phoboumai tipota eimai lephteros http://euclidian.org
But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export of I'd worked on it locally.
...
...
However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken.
If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law.
Like it or not, sensible or not, what you describe is illegal technical assistance. The only exportable information is that which is clearly public: it has to be printed and it has to be publicly available. Also acceptable is public technical discussion at conferences, etc. Furthermore, some of the other commentors are right: in this area, following what you believe to be the letter of the law in hopes of finding loopholes is not a good idea. Big parts of the law are generally enough written to end with the situation that they mean what their enforcers want them to mean.
Under the current US interpretation, it's illegal to do a logical no-op like downloading a file and immediately reuploading the identical file.
Editing a file remotely, instead of downloading it, editing locally, then uploading the changed file might not be considered a legally significant difference since the end results are identical - software exists outside of the US and Canada which didn't exist there prior to your acts.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Those comments are completely uninformed. It is completely legal to publish the complete source code to PGP, DES, Kerberos, etc. (either in bound book form, or even source listings), and transport them out of the country.
Not only "can" this be done, O'Reilly has published several books using special fonts designed to reduce OCR records. "Cracking DES" is one well-known example, and AFAIK it has been exported without problems.
The *only* thing that's illegal is to export the exact same material in electronic format. So you can ship a palette full of boxes containing source code, but not a CD-ROM containing the identical material. You can even carry the OCR software out on a disk, since it's not export restricted.
This is why many of us are so frustrated with current US policy. It doesn't stop anyone from exporting cryptographic software, it just makes it such a pain that few people bother. (BTW, when Phil Zimmermann was being investigated for exporting PGP the focus was always on a specific FTP transfer that occured almost immediately after he released his code.)
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The problem with this reasoning is that you can't re-export cryptographic software, so you can't have US mirrors of these packages. Ditto US-based distributions, for the same reason.
Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:
- strong filesystem encryption (at the kernel level)
- strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)
plus numerous other applications which are currently in userland since the kernel lacks encryption. (SecureRPC, VPN, etc.)
The results of this policy are very much like the driver who slams on the brakes to avoid harming the cute little squirrel running across the street... but causes several injuries to her passengers and the people in the following cars, to say nothing of $50,000 in damage. It's a damn good trade-off, as long as you never take your eyes off the furry little drug-running child pornography terrorists which only you can see.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Nope, Canada is still considered a "domestic" site for the purposes of ITAR. US law allows export to Canada, but *Canadian* law bans reexport.
What you're describing is crypto developed in Canada alone, which is a grey area. I think the treaties ban it also, but last I heard the current Canadian government didn't have it's head as severely dislocated into its digestive track as the US government.
BTW, before someone else marks this "offtopic" or "flamebait" I believe these treaties date back to the creation of NORAD and the associated consolidated US/Canadian military commands. It made sense in that context, but nothing about treating unclassified software as a "military munition" makes any sense.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Crypto algorithms are short and sweet (well not always) but Crypto modes and protocols are often complicated and cumbersome, especially if you want the program to be useful.
-
The real question here is of course "Where are you on the internet". The answer is obviously "A student came to Moon and asked...". To be hypotetically concrete:
If I am physically in the US (say on an extended vacation) but telecommute to Sweden to program for a firm that has hired me, pays me, and bills its customers in Sweden, where am I working?
Arguably, I am using up more swedish resources (administration of postal services, social security, and what not) than US (a couple of KB internet bandwidth that I pay for explicitly anyway).
The above case would probably be judged that I was working in sweden because I am employed by a company that is clearly in sweden. Now change the gedanken experiment to have me not employed but rather contracting... oooh! now I'd probably be working in the US.
The problem is that old labour laws (IANAL) are to new labor situations like newtonian physics are to quantum. The old way works fine as long as we don't look at the limiting cases, like one person working at a distance. (I couldn't resist a non-locality pun).
I've looked at some laws and they're full of things like preponderance of evidence, and other vagaries that make no sense when applied to an individual.
The short of it is basically that location is a null issue on the internet, and until governments recognize this, we're going to see one absurdity after another.
I've been thinking about this type of thing myself lately. (#$%*@ Cryptonomicon)
The main question I keep comming back to is, what defines the crypto?
Say I and a buddy are developing an editor that encrypts the files when they are written/read from the disk. If he lives in Timbuktu and writes the crypto module, and I in the USA write functions that operate solely on the cleartext, can it be exported? Or is the whole project covered by the crypto laws by default?
Sig:
Barbeque is a noun. Not a verb.