28 June 1999
From: "Soquat, Hubertus, VIB3" <soquat@bmwi.bund.de> To: "'ukcrypto@maillist.ox.ac.uk'" <ukcrypto@maillist.ox.ac.uk> Subject: AW: AUCRYPTO: `Germany Frees Crypto' - do you believe it? Date: Sat, 26 Jun 1999 10:07:29 +0200 German crypto and Wassenaar position: The new german government position makes very clear that R&D, production, import and use of strong crypto products are not regulated, they are complety free. That should give german crypto products an advantage to users: they should know "what you get is what is really inside".Simply difficult to understand that many users go with products which are weak and are certainly not secure. As far as export is concerned there is a regulation following our Wassenaar obligations: legal basis is the EU directive for dual use (latest change: Council decision changing annex IV 09.03.1999 (1999/193/GASP - Official Journal L 73 19.03.1999) and the respective german national law (Ausfuhrverordnung and Ausfuhrliste). The negotiations for further changes to EU-Regulations are on the way and will be continued during the coming finnish presidency. Hubertus Soquat Federal German Ministry of Economics and Technology Berlin -----Ursprüngliche Nachricht----- Von: Mok-Kong Shen [mailto:mok-kong.shen@stud.uni-muenchen.de] Gesendet am: Freitag, 25. Juni 1999 17:46 An: ukcrypto@maillist.ox.ac.uk Cc: aucrypto@suburbia.net Betreff: Re: AUCRYPTO: `Germany Frees Crypto' - do you believe it? Ross Anderson wrote: > > Some people are under the impression that France and Germany have > freed crypto. However, export controls look like being tightened. > Guess who organised that? As Brian eloquently puts it: To my humble knowledge, there is currently no export regulation in Germany of crypto (at least in software). The recent paper issued by the government expressedly says that R&D of crypto is free but adds that the situation is to be reviewed in 2 years. There is some wording apparently related to the issue of Wassenar but it appears that the government wishes not to implement Wassenar if possible rather than to implement it. I might be wrong in my reading and interpretation, of course. You should read the original http://bmwi.de/presse/1999/0602prml.html or an English translation of it at John Young's site http://jya.com/de-crypto-all.htm > GCHQ's agenda is obviously to stop people like Brian and me having > crypto source code on our web pages. They don't seem to have > understood that: > > (a) the public domain exemption will apply to the Serpent home page > which will still be there. If the exemption is removed, the Serpent > home page will still be available in Norway, Israel, Taiwan ...; However, if the law prohibits export of crypto in any form, whether printed, on magnetic media or via eletronic transmission, then there is no legal way the material can get across the country boarder at all and web publication will be out of question. But in US Berstein has had success recently. His case probably will be re-opened in the near future though. The outcome of that could have fairly wide impacts. That's why I suggested that some collective actions be taken to attempt to find somw arguments that eventually could be useful for the Bernstein case. (See my recent two posts to aucrypto; the same content can be found in sci.crypt.) M. K. Shen ----------------------------- http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99) (Origin site of WEAK2-EX, WEAK3-EX and WEAK4-EX, three Wassenaar-conform algorithms based on the new paradigm Security through Inefficiency.)
From: "Soquat, Hubertus, VIB3" <soquat@bmwi.bund.de> To: "'John Young'" <jya@pipeline.com> Subject: AW: AUCRYPTO: `Germany Frees Crypto' - do you believe it? Date: Sat, 26 Jun 1999 13:40:21 +0200 Hi John, We have no problem with that. Please call if you need additional confirmation. Hubertus Soquat Senior Official Federal Ministry of Economics and Technology Tel. +49-30-2014-9 (direct 7139) (fx -5433) -----Ursprüngliche Nachricht----- Von: John Young [mailto:jya@pipeline.com] Gesendet am: Samstag, 26. Juni 1999 13:28 An: soquat@bmwi.bund.de Betreff: AW: AUCRYPTO: `Germany Frees Crypto' - do you believe it? Hubertus Soquat Federal German Ministry of Economics and Technology Berlin Dear Mr. Soquat, I have seen your message to mail list UK Crypto and would like to publish it on our Web site devoted to cryptography: http://jya.com/crypto.htm May I confirm that you wrote the message as an official of the German government? Congratulations for German's leadership on crypto policy. Thanks very much, John Young
To: ukcrypto@maillist.ox.ac.uk Subject: AW: AUCRYPTO: `Germany Frees Crypto' - do you believe it? Date: Sat, 26 Jun 1999 12:45:24 +0100 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> I raised the issue of the proposed EU regulation on the export of dual-use goods, which appears to compel member states to prohibit intangible exports of items on the Wassenaar list. This might not just cause problems for people like brian and me who put crypto source code on our web pages, but hit a very broad range of technology. (Wassenaar considers as dual-use goods not just crypto and everything else to do with inforsec, but also decent numerically controlled machine tools, semiconductor test equipment, anything to do with asynchronous transfer mode ... and even modems that run faster than 9.6 kb/s). More on my web page. The response? We are assured by Hubertus Soquat, of the Federal German Ministry of Economics and Technology, Berlin, that: > The new german government position makes very clear that R&D, > production, import and use of strong crypto products are not > regulated, they are complety free. But, Herr Squat, your government has used its weight in the EU to push more and more of Europe's R&D goes through multinational efforts such as the fifth framework. How can a university in Britain collaborate with one in Germany if any EU regulation forbids either of them from sending software to the other? Will all the code have to be written in Singapore? (but, hey, Singapore allows export, but not import. So they'll have to get the code right first time :-) > As far as export is concerned there is a regulation following our > Wassenaar obligations: legal basis is the EU directive for dual use > (latest change: Council decision changing annex IV 09.03.1999 > (1999/193/GASP - Official Journal L 73 19.03.1999) and the respective > german national law (Ausfuhrverordnung and Ausfuhrliste). That's precisely the problem. > The negotiations for further changes to EU-Regulations are on the way > and will be continued during the coming finnish presidency. Tell me, does the German government support the Commission's position that export controls should be extended to intangibles? If so, that will put some European countries (such as Britain) at a severe disadvantage to the USA. Let me explain. Although the USA has export controls on intangibles, it also has a constitution which guarantees freedom of speech. Academic speech is considered to be protected but commercial speech is not. What that means in practice is that when my US colleague Ron Rivest hires a non-US citizen as a research student at MIT, he can give the student access to crypto code without further ado. However, when he hires a similar foreign national for his company, RSA Data Security, he has to apply for a personal export licence. That meant, for example, that when RSA hired Matt Robshaw, he had to sit around doing nothing for several months before the paperwork came through. Here in the UK, we have no written constitution, and so we would very likely have to get personal export licences for all our foreign research students in the School of Technology (which is most of them). We're unlikely to get an OGEL, as the Foreign Office doesn't like the universities. (The current dispute is that they want a covert veto over what foreign research students we offer places to, but as admission decisions are generally taken by the individual member of staff who would supervise the applicant, there's no mechanism we could use to perform this screening covertly. In any case, both Oxford and Cambridge have refused to participate on grounds of principle.) So the UK would end up at a serious disadvantage to the US in technology research. (This is not just in crypto, but in physics, chemistry, materials science, ...) Come to think of it, Germany also has a written constitution, so I assume Andreas Pfitzmann would get the same exemption as Ron Rivest. The same will apply to many other member states, and some others won't bother to enforce the law. So the UK will end up getting screwed. Is this the idea? Ross