6 March 1998: Add messages

5 March 1998


From: Brian Gladman <gladman@seven77.demon.co.uk>
To: UK Crypto List <ukcrypto@maillist.ox.ac.uk>
Subject: EU Crypto Free Trade Area
Date: Thu, 26 Feb 1998 15:55:55 -0000

Historically EU 'common market' provisions have not applied to cryptographic
products and services because EU governments have argued that national
security allowed them to override such treaty provisions.

Now that cryptographic products and services are primarily commercial in
nature it seems to me that the requirements of the European Treaty that
governments should not constrain the free circulation of goods and services
within the EU should apply to all cryptographic products and services
intended for commercial use.

I am not entirely sure how to arrange a situation in which the supremacy of
these treaty provisions over UK export control laws could be demonstrated
but I would be interested if any Lawyers on the list could expand on how
this might be tested.

I would also appreciate it if anyone who is interested in mounting a
challenge along these lines could let me know by secure PGP email - my PGP
5.0 key is below:

    Brian Gladman



Date: Sat, 28 Feb 1998 18:27:58 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Nicholas Bohm <nbohm@ernest.net>
Subject: Re: EU Crypto Free Trade Area

At 15:55 26/02/98 -0000, Brian Gladman wrote:
>Historically EU 'common market' provisions have not applied to cryptographic
>products and services because EU governments have argued that national
>security allowed them to override such treaty provisions.
>
>Now that cryptographic products and services are primarily commercial in
>nature it seems to me that the requirements of the European Treaty that
>governments should not constrain the free circulation of goods and services
>within the EU should apply to all cryptographic products and services
>intended for commercial use.

This certainly seems sound in principle, and consistent with the approach
adopted by the EU on this subject so far.

>I am not entirely sure how to arrange a situation in which the supremacy of
>these treaty provisions over UK export control laws could be demonstrated
>but I would be interested if any Lawyers on the list could expand on how
>this might be tested.
[snip]

Several if not all roads lead to the Treaty of Rome.

As the Spanish shipping boat cases ("Factortame") show, the UK courts will
treat UK law which is inconsistent with EC law as inapplicable to the extent
of the inconsistency.

If an unlicensed exporter is prosecuted, he can argue the invalidity of UK
law as a defence. The court can (and the House of Lords must, unless there
is no doubt on the point) refer the issue to the Court of Justice of the EC
for a view on the EC law. This isn't much fun for the exporter.

It may be possible to seek judicial review of the validity of the UK law,
although applications for judicial review normally have to be made within a
short time of the doing of the thing to be reviewed. There might be some way
of engineering an opportunity for a challenge of this kind.

The EC Commission can demand that the UK change its laws where inconsistent
with EC law, and can take the UK to the EC court to resolve any legal
dispute. If the EC Court ruled against the UK, the UK must change its law;
and the existence of such a judgment would ensure that exporters then being
prosecuted would be acquitted.

To get the Commission to take the point up, someone would need to complain
to it. Best might be an exporter who really wanted to export within the EC.

This isn't really my field, and it's a bit specialist, so this is a fairly
rough guide; and there may be other ways of tackling it.

Regards,

Nicholas Bohm

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

Date: Mon, 2 Mar 1998 16:32:06 -0500
From: Nigel Hickson <nigelhickson@compuserve.com>
Subject: Re: EU Crypto Free Trade Area
To: <ukcrypto@maillist.ox.ac.uk>

Colleagues

With respect to "export controls" the intra-EU controls fall under Export of
Good Regulation which is a Community Instrument. This has an Annex (4 I
think) with a list of those products which are excluded from "free" intra-EU
trade. Crypto is one of the categories. The Commission have noted they
intend to revisit the latter this year.

Nigel Hickson

From: "Yaman Akdeniz" <lawya@lucs-01.novell.leeds.ac.uk>
Organization: University of Leeds
To: Nigel Hickson <nigelhickson@compuserve.com>
Date: Tue, 3 Mar 1998 12:08:00 GMT0BST
Subject: Re: EU Crypto Free Trade Area
CC: ukcrypto@maillist.ox.ac.uk

Dear Nigel,

> With respect to "export controls" the intra-EU controls fall under
> Export of Good Regulation which is a Community Instrument. This has
> an Annex (4 I think) with a list of those products which are
> excluded from "free" intra-EU trade. Crypto is one of the
> categories. The Commission have noted they intend to revisit the
> latter this year.

The following is from a piece that I wrote last year before the
consultation paper was announced. The full reference for the paper is below.

UK Export Controls

The use of cryptographic software transmitted internationally may be
restricted by export regulations in the UK as in the US. The Export of
Goods (Control) Order 1994 as amended by The Dual-Use and Related
Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271,
1995) apply to the exportation of cryptographic software from the UK.
The definition of cryptographic software is included in the Schedule
2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations
1995 and the export of this kind of regulated information requires an
export licence from the Department of Trade and Industry (section 9).
Failure to comply with the licence conditions may result in a maximum
of two years of imprisonment (Section 8).

The DTI White Paper states that export controls will remain in place for
encryption products and for digital encryption algorithms (White Paper 1996,
para 15). The Government however states that it will take steps to simplify
export controls within the European Union with respect to encryption
products which are of use with licensed TTPs. Although this sounds like a
good initiative, it only includes products which are of use with licensed
TTPs. This means that other encryption tools which are not approved by the
TTPs will still be subject to stricter export regulations.

UK Government Policy on Encryption - 1997 Web Journal of Current Legal
Issues 1 at http://www.ncl.ac.uk/~nlawwww/1997/issue1/akdeniz1.html

Any comments?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yaman Akdeniz <lawya@leeds.ac.uk>
Cyber-Rights & Cyber-Liberties (UK) at:
http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm

Read CR&CL (UK) Report, 'Who Watches the Watchmen'
http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 05 Mar 1998 21:35:49 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Nicholas Bohm <nbohm@ernest.net>
Subject: Re: EU Crypto Free Trade Area

At 12:08 3/03/98 GMT0BST, Yaman Akdeniz wrote:
[snip]
>The use of cryptographic software transmitted internationally may be
>restricted by export regulations in the UK as in the US. The Export of
>Goods (Control) Order 1994 as amended by The Dual-Use and Related
>Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271,
>1995) apply to the exportation of cryptographic software from the UK.
>The definition of cryptographic software is included in the Schedule
>2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations
>1995 and the export of this kind of regulated information requires an
>export licence from the Department of Trade and Industry (section 9).
>Failure to comply with the licence conditions may result in a maximum
>of two years of imprisonment (Section 8).

Thanks for these useful references.

The 1995 Regulations are made not under the powers granted by general UK
export control legislation, but under powers granted by the European
Communities Act, and are made to implement an EC Decision (94/942/CFSP) and
an EC Regulation (3381/94), both in the EC Official Journal No L367 of 31
December 1994.

Assuming that the 1995 Regulations are validly made in conformity with the
EC instruments, I would expect this to preclude any challenge to the UK
rules on the grounds of their contravening EC law. The assumption is not
necessarily valid: the UK has been accused in the past of gold-plating EC
rules in the course of purporting to implement them, and might have gone too
far. I prefer to leave the investigation of that possibility to an expert.

The reference to cryptographic software in the 1995 Regulations (which is in
fact in Schedule 1, not 2) is in Section D of Category 5, and is governed by
the following note at the beginning of the Schedule, which seems to open up
a useful loophole:

*** quotation from Regulations ***

GENERAL SOFTWARE NOTE
(This note overrides any control within section D of Categories 0 to 9.)

Categories 0 to 9 of this list do not control software which is either:

a. Generally available to the public by being:
   1. Sold from stock at retail selling points, without restriction, by
      means of:
      a. Over-the-counter transactions;
      b. Mail order transactions;
      c. Telephone order transactions; and
   2. Designed for installation by the user without further substantial
      support by the supplier; or
b. In the public domain.

*** quotation ends ***

"In the public domain" is defined in the Regulations as meaning "technology
or software which has been made available without restrictions on its
further dissemination (copyright restrictions do not remove technology or
software from being "in the public domain")."

This seems to open a fairly wide road, given the amount of public domain
crypto software to be found nowadays.

Regards,

Nicholas Bohm

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

Date: Fri, 06 Mar 1998 08:34:24 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Nicholas Bohm <nbohm@ernest.net>
Subject: Re: EU Crypto Free Trade Area

A further point I intended to make on the 1995 Export Control Regulations
is that they control the export of GOODS. This is reflected in the note I
quoted, with its references to sales from stock at retail outlets.

Software can of course take the form of goods (as music can take the form
of records), but it does not necessarily do so (as a concert performance is
not a sale of goods). Diskettes and CDs containing software are no doubt
controlled, but the Regulations do not appear to affect software downloaded
from a website or attached to an email.

Regards,

Nicholas Bohm

Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.
Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.
Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

To: ukcrypto@maillist.ox.ac.uk
Subject: Re: EU Crypto Free Trade Area
Date: Fri, 06 Mar 1998 10:05:22 +0000
From: Stefek Zaba <sjmz@hplb.hpl.hp.com>

Nicholas Bohm writes:

> A further point I intended to make on the 1995 Export Control Regulations
> is that they control the export of GOODS. This is reflected in the note I
> quoted, with its references to sales from stock at retail outlets.
>
> Software can of course take the form of goods (as music can take the form
> of records), but it does not necessarily do so (as a concert performance is
> not a sale of goods). Diskettes and CDs containing software are no doubt
> controlled, but the Regulations do not appear to affect software downloaded
> from a website or attached to an email.

Indeed - the topic of whether the Export Control Regulations cover
"intangibles" has come up before on this list. I believe that "intangibles"
would include software-as-bit-on-the-wire, but also other "things" which
could be traded - insurance contracts, futures, ...

The legal opinion I heard expressed from a real lawyer is that
bits-on-the-wire are indeed not covered under a strict reading of the export
regs: but that The Relevant Authorities have let it be known informally that
companies trading in otherwise export-restricted goods which seek to evade
export licensing would be considered to be deliberately flouting the spirit
of the regulations. For companies which make their living this way, such
flouting could be made uncomfortable in a variety of practical ways -
government purchasing power, words in shell-like ears of prime contractors
who might otherwise buy bits of crypto software from such grubby little
scofflaws, etc. The pragmatic position therefore might be that if you rely
on the "intangibles" provision *alone*, you should be prepared to be an
interesting test case.

Probably of more practical significance is the "mass market" exemption which
Nicholas and Yaman have already pointed out: the export regs are worded to
catch high-end special-installation-assistance-required (e.g. setting up a
centralised key management facility) crypto capability such as an army's
command-and-control system might use, while leaving the "password
protection" of WordPerfect/MSWord/PKZip etc. uncaught. Given those two ends
of the spectrum, it would seem a bizarrely unreasonable interpretation to
consider (to take an example not exactly at random) a full-strength
SSLified Web server (hi Ben :-) as "mass-market" rather than "hi-end custom
installation by supplier".

Of course in the particular case of Stronghold, the exemptions stack up
particularly strongly:

1) it's software downloaded over the Net, hence intangible;
2) it's mass-market in the sense of the General Software Note;
3) it's public-domain - the source for Apache (and SSLeay) is explicitly
   and deliberately in the public domain;

FTP archive sites of public-domain software seem to me to be in a similarly
firmly exempt position in the UK.

Obviously enough I'm not a lawyer, and this is not legal advice - it's an
opinion from a techie with a dangerously little amount of apparent
knowledge! General opinions from the legally qualified are more useful:
neither flavour of opinion-expressed-on-the-net is a substitute for paid-for
specific legal advice in your particular circumstances.

Cheers, Stefek

Date: Fri, 6 Mar 1998 15:26:56 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: EU Crypto Free Trade Area

Stefek Zaba <sjmz@hplb.hpl.hp.com> writes:
> Indeed - the topic of whether the Export Control Regulations cover
> "intangibles" has come up before on this list. I believe that "intangibles"
> would include software-as-bit-on-the-wire,

I have a couple of documents on the web under:

http://www.dcs.ex.ac.uk/~aba/ukexport/

and a supplement sheet apparently confirming Stefek's suggestion:

> The Relevant Authorities have let it be known informally that
> companies trading in otherwise export-restricted goods which seek to
> evade export licensing would be considered to be deliberately
> flouting the spirit of the regulations.

in DTI's (?) own words, see:

http://www.dcs.ex.ac.uk/~aba/dti-let.txt

Also there is a less interesting DTI document "ECO Notice STU/1":

http://www.dcs.ex.ac.uk/~aba/eco-stu1.txt

> For companies which make their living this way, such flouting could
> be made uncomfortable in a variety of practical ways - government
> purchasing power, words in shell-like ears of prime contractors who
> might otherwise buy bits of crypto software from such grubby little
> scofflaws, etc. The pragmatic position therefore might be that if
> you rely on the "intangibles" provision *alone*, you should be
> prepared to be an interesting test case.

I would be interested to hear of any cases where the DTI/CESG have turned
down a tangible export permission request. Any other DTI export
documentation would be interesting also.

If you talk to CESG about the topic of tangible exports they start to talk
about requiring the crypto to be hard to modify (kind of hard to arrange if
you are shipping source on the CD), and they are in general quite hard to
pin down on their criteria for an exportable software system.

I have a suspicion that the simplest thing to do may be to not talk to them
(DTI and CESG) in the first place, unless you really are thinking of
shipping something which you consider falls under the export licensing
regulations (eg nuclear related, military related, or shipping to embargoed
country). Talking to them when you are comfortably sure that your CD with
software should be exempt under any reasonable interpretation of the regs
just invites them to add stipulations which do not exist in the regs.

I have been exporting T-shirts with an RSA implementation (the code in my
sig) printed on them:

http://www.dcs.ex.ac.uk/~aba/uk-shirt.html

I have not asked permission of the DTI to do so. I think I exported a few to
Russia if I remember rightly, as well as a number of other countries. A
t-shirt is surely a tangible item. Anyone in Baghdad want to order one?

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`