18 January 2000

Date: Tue, 18 Jan 2000 10:44:34 -0500
To: cryptography@c2.net, cypherpunks@cyberpass.net
From: Declan McCullagh <declan@well.com>
Subject: Response from Commerce Dept to "Is this man a crypto-criminal?"

********

Date: Tue, 18 Jan 2000 10:01:49 -0500
From: "JIM LEWIS" <JLEWIS@bxa.doc.gov>
To: <politech@vorlon.mit.edu>, <declan@well.com>
Cc: "EUGENE COTTILLI" <ECOTTILL@bxa.doc.gov>
Subject: Re: FC: Is this man a crypto-criminal? The Feds won't say...

Declan: This point is worth clarifying.  The new regs remove restrictions from the posting of publicly available encryption source code for downloading.  The regs say:

a) If you post encryption source code to a site on the net and anyone can access it, you do not need to have it reviewed by BXA or obtain a license.

b) Simply posting this "publicly available" encryption source code does not count as an export and does not trigger all the terrorist sanctions and other requirements created by various Federal sanctions laws.

(what this means is that if you post some code and Saddam Hussein downloads it, you are not liable.  If Saddam calls you up and asks you to e-mail him the code, and you send the e-mail without applying for and receiving a license, you are liable).

c)  You do need to send BXA an E-mail with the internet location of the posted source code and you are prohibited from sending (as opposed to posting) the encryption source code to a terrorist country or an individual on one of our denial lists.

d) if a foreign person makes a new product with the source code you've posted, there are no review or licensing requirements for that foreign product.  If they pay you a royalty or licensing fee for a product they've developed for commercial sale, however, you may have to report some information to BXA.

It appears that the only requirement for Mr. Young is to notify us of the location of the source code (http://jya.com/crypto.htm).

I've attached the relevant section of the regs (from Page 2497 of the Federal Register) below.  The entire reg (including the sections on commercial source code and reporting) can be found at http://www.bxa.doc.gov/

¯Begin reg 
text---------------------------------------------------------------------------------------------------------------------------------------------------
(e) Unrestricted encryption source code.

                 (1) Encryption source code controlled under 5D002, which 
 would be considered publicly available under §734.3(b)(3) and which is 
 not subject to an express agreement for the payment of a licensing fee or 
 royalty for commercial production or sale of any product developed with 
 the source code, is released from "EI" controls and may be exported or 
 reexported without review under License Exception TSU, provided you have 
 submitted written notification to BXA of the Internet location (e.g. URL 
 or Internet address) or a copy of the source code by the time of 
 export.  Submit the notification to BXA and send a copy to ENC Encryption 
 Request Coordinator (see §740.17(g)(5) for mailing 
 addresses).  Intellectual property protection (e.g., copyright, patent or 
 trademark) will not, by itself, be construed as an express agreement for 
 the payment of a licensing fee or royalty for commercial production or 

 sale of any product developed using the source code.

                 (2) You may not knowingly export or reexport source code 
 or products developed with this source code to Cuba, Iran, Iraq, Libya, 
 North Korea, Sudan or Syria.

                 (3) Posting of the source code on the Internet (e.g., FTP 
 or World Wide Web site)  where the source code may be downloaded by 
 anyone would not establish "knowledge" of a prohibited export or 
 reexport, including that described in paragraph (e)(2) of this 
 section.  In addition, such posting would not trigger "red flags" 
 necessitating the affirmative duty to inquire under the "Know Your 
 Customer" guidance provided in Supplement No. 3 to Part 732.

¯End Reg 

text----------------------------------------------------------------------------------------------------------------------------------------------------

>>> Declan McCullagh <declan@well.com> 01/15/00 10:02AM >>>

*********

http://www.wired.com/news/politics/0,1283,33672,00.html

                         Is This Man a Crypto Criminal?
                         by Declan McCullagh (declan@wired.com)

                         3:00 a.m. 15.Jan.2000 PST
                         Crypto maven John Young has a problem.

                         He may be a felon, guilty of a federal
                         crime punishable by years in prison. Or he
                         may not be. He'd just like to know one
                         way or another.

--------------------------------------------------------------------------

POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/

--------------------------------------------------------------------------