From: Eben Moglen
To: Ulf Möller
Cc: openssl-dev@openssl.org, Ben Laurie, rms@gnu.org, members@apache.org, php-dev@lists.php.net
Subject: Re: [Eben Moglen] Re: US crypto export restrictions and GNU (fwd)
Date: Thu, 16 Mar 2000 02:36:57 -0500

On Thu, 16 March 2000, Ulf Möller wrote:

> Then what is the proper understanding of "Foreign products developed with or incorporating U.S.-origin encryption source code, components or toolkits remain subject to the EAR" (EAR being the Export Administration Regulations), which is a direct quote from the relevant American law?

Well, as I warned everyone, this is an exercise in conjugation of the conditional future subjunctive, but here goes:

"Reexport," under the regs, means movement from one "foreign" country to another of material that was originally "in" the US. [It is helpful in all these matters to remember that the regs primarily apply to physical objects that cannot be infinitely duplicated with no marginal cost; software is a type of commodity 'shoehorned' into regulations designed with, inter alia, missile guidance systems in mind.]

Code that was once "in" the US and exported to, say, Germany, is still subject to the EARs when it is subsequently sent from Germany to, say, Iraq. That means, under both the old and new forms of the regs, that someone who exported crypto to Germany with a license could be held responsible if the licensed technology was reexported from Germany to Iraq. This was supposed to make US exporters careful about who in Germany they sent technology to, lest it wind up in Iraq or other bad places. (Now that no license is necessary to send crypto to Germany, it would be hard to found a prosecution for violation of the EARs on the reexport to Iraq, but it is theoretically possible.)

Note, however, that as it says in the quotation from 772 below, nothing can be reexported that wasn't originally subject to the EARs, and nothing that wasn't ever in the US can be subject to EAR. That's the point of the word "remains" in the quotation above. There is still no "infection" of material that was never "in" the US to begin with.

The US-produced components of a mixed product can be subject to the EARs even though the mixed product was assembled in Germany, as Ulf Möller points out, and as I said in my previous message, but the German-produced components of the mixed product are not subject to EAR, and may be freely exported anywhere German law permits, and may be freely imported to the US as far as US law is concerned.

Let's bring ourselves to the ultimate issue: Where does this leave us with respect to the wisdom of using US-produced components in crypto-containing free software assembled outside the US?

US-produced components can be subject to EARs, which means that at the present time they may be freely exported to all but seven countries (none of which currently permits free access to the network to its own citizens), so long as a copy of the source code is available to the Bureau of Export Administration, which acts as a surrogate for NSA. All free software fulfills this criterion by definition, although we do have to nominate an official source-availability URL, as I previously mentioned.

In the worst case analysis, components exported now might subsequently become non-exportable in the event that regulations in the US become more restrictive. No one would be subject to prosecution or interference as a result of export occurring before the change in regulations (that's a matter of constitutional law in the US), but all subsequent development of those components would then have to occur somewhere other than here. No code not originally developed in the US would be subject to this tightened regulatory environment, unless such code were "in" the US, in which case the particular copy that was "in" the US wouldn't be able to leave again--a restriction which makes no difference.

I am grateful to Ulf Möller for his question. It reminds all of us that insanity is easier to mitigate than it is to cure, and creates a hope that the lawyers who have invested years in comprehending the US export control rules may be able to get paid for their efforts for a few more minutes. (I am not paid for my efforts, but that's because I am the victim of a different form of insanity.)

Nonetheless, I don't want to let people's natural and justifiable caution lead them astray: as someone who has dealt with the regs since my initial defense of Phil Zimmermann in 1991-94, I am here to tell you that the war is over. For all practical purposes the US spooks have surrendered, and we can go about our business without worrying that our products will be sequestered or that their authors will be prosecuted for violation of US law.

Best regards to all.

--
 Eben Moglen                                           voice: 212-854-8382
 Professor of Law & Legal History                        fax: 212-854-7946   moglen@
 Columbia Law School, 435 West 116th Street, NYC 10027                       columbia.edu
 General Counsel, Free Software Foundation   http://emoglen.law.columbia.edu

[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:772.wais]

Part 772 - Definitions of Terms
Export Administration Regulations, January 2000

The following are definitions of terms as used in the Export Administration Regulations (EAR).

Reexport. "Reexport" means an actual shipment or transmission of items subject to the EAR from one foreign country to another foreign country. For purposes of the EAR, the export or reexport of items subject to the EAR that will transit through a country or countries, or be transshipped in a country or countries to a new country, or are intended for reexport to the new country, are deemed to be exports to the new country. (See §734.2(b) of the EAR.) In addition, for purposes of satellites controlled by the Department of Commerce, the term "reexport" also includes the transfer of registration of a satellite or operational control over a satellite from a party resident in one country to a party resident in another country.

From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14ja00-20]

Sec. 740.13 Technology and software--unrestricted (TSU)

(e) Unrestricted encryption source code.

(1) Encryption source code controlled under 5D002, which would be considered publicly available under Sec. 734.3(b)(3) and which is not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code, is released from ``EI'' controls and may be exported or reexported without review under License Exception TSU, provided you have submitted written notification to BXA of the Internet location (e.g., URL or Internet address) or a copy of the source code by the time of export. Submit the notification to BXA and send a copy to ENC Encryption Request Coordinator (see Sec. 740.17(g)(5) for mailing addresses). Intellectual property protection (e.g., copyright, patent or trademark) will not, by itself, be construed as an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.

(2) You may not knowingly export or reexport source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.