Re: ITP seahorse



[Replies to this message should move to debian-legal.]

On Wed, May 24, 2000 at 09:48:38PM -0400, Mike Bilow wrote:
> You are also right in saying that the crypto in the Debian non-US tree
> might well fall within the new rules and be legally exportable to most of
> the world, but there is still a prohibited list (Libya, Cuba, Iran, Iraq,
> North Korea, etc.) of countries to which export of even widely available
> crypto is prohibited from the US, so posting on the Internet is not
> allowed without at least some kind of gate checking.

That may not be true.

Quoting[1] from the February 17th letter of James A. Lewis, Director,
Office of Strategic Trade and Foreign Policy Controls of the U.S.
Department of Commerce (of which the BXA or Bureau of Export Administration
is part) to Dan Bernstein's lawyers in reply to their letter requesting
clarification of the guidelines:

: The regulations take particular care to ensure that the posting of
: encryption source code on the Internet (e.g., FTP or World Wide Web site)
: where the source code may be downloaded by anyone would not establish
: "knowledge" of a prohibited export or reexport to a proscribed destination.
: Such posting also does not trigger "red flags" necessitating affirmative
: duty to inquire under the "Know Your Customer" guidance provided in
: Supplement No. 3 to Part 732 of the Export Administration Regulations. As
: we have indicated in the "Question and Answers" posted on our Website,
: liability would exist only for a direct, knowing transfer to a proscribed
: entity of source code subject to License Exception TSU.

: The effect of this ensures that there is no obligation for Professor
: Bernstein to monitor the Internet addresses of those logging into his
: website to download his source code (or to establish automatic screening
: mechanisms). You state that Professor Bernstein has post-export knowledge
: that individuals from proscribed countries either subscribe to a newsgroup
: or read his web page, and that "his actions are therefore prohibited by §
: 740.13(e)(2)." This is not correct, and his actions, as you have described
: them, are not prohibited.

However, the BXA regulations were later amended[2].  I haven't read through
all the changes, but we might presume with some caution that you don't need
to attempt to restrict access to public Web or FTP sites to exclude
connections from countries that the United States has identified as its
enemies.  If, on the other hand, you were engaged in some sort of commerce
where you would get the name and address of every person to whom you
distributed crypto, you almost certainly would be expected to turn away
Libyans, Sudanese, etc.

This message is not an endorsement of BXA policy.  Quite the contrary; I
think the U.S. government needs to leave the cryptographic community to
exercise its constitutional rights in peace.  The very fact that such
letters have to be written to explain these Byzantine regulations to
American academics is evidence that the BXA should be dismantled and
eliminated from the federal budget.  Perhaps its employees could find
gainful employment elsewhere as truant officers or gossip columnists.

[1] <http://cryptome.org/bxa-bernstein.htm>
[2] <http://cryptome.org/bxa032000.txt>

-- 
G. Branden Robinson            |    Experience should teach us to be most on
Debian GNU/Linux               |    our guard to protect liberty when the
branden@ecn.purdue.edu         |    government's purposes are beneficent.
roger.ecn.purdue.edu/~branden/ |    -- Louis Brandeis
