Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,000 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

Google
 
Web cryptome.org cryptome.info jya.com eyeball-series.org cryptome.cn


21 February 1997
With permission of Mike Cobb
http://www.cobweb.co.uk


To: "Cryptography Mailing List" <cryptography@c2.net>
From: "Mike Cobb" <mikec@cobweb.co.uk>
Date: Thu, 19 Dec 1996 06:58:01 -0000

UK Encryption Export Policy

I am a UK-based developer working on a modest commercial encryption product (uses Blowfish, will be distributed as shareware). Can anyone point me towards a source of UK export laws and controls on crypto. My calls to the government only solicit vague and frankly unhelpful responses along the lines of "send us your product and we'll let you know." Someone sent me a list of countries you can't export encryption products to, but there seems little information on what is deemed an encryption product, e.g. is password protection on a file compression program considered the same as a 496 key file encryption program.

Obviously I would like to sell this in the US as well as UK, in fact, I would just like to let people download it from my Web site at http://www.cobweb.co.uk but realise this might be illegal.

Since I don't fancy prison and can't afford martyrdom, and just want to sell my wares for a modest return, I need to know where I stand from a regulatory perspective.

Any input appreciated....Mike Cobb


To: "Cryptography Mailing List" <cryptography@c2.net>
From: "Mike Cobb" <mikec@cobweb.co.uk>
Date: Thu, 20 Feb 1997 12:26:33 -0000

UK Encryption Export Policy 2

Over two months ago I posted a message to this list regarding UK export policy for encryption software. Since then I've had a frustrating but eventually rewarding dialog with the Department of Trade and Industry regarding exporting my file encryption and password tracker program which uses up to a 248 bit key.

Apparently my request was the first of its kind which is one reason why I have only just had a final reply back from the DTI.

In a nutshell there are no laws currently, UK or EC that cover the export of intangible technology. As long as I only make this program available over the Internet, it is not illegal and it does not require an export license.

GCHQ and the "Policy Unit" are very annoyed by this and have apparently discussed my request at length. There are several points of note attached with their reply. For example:

9. Hard to see what practical advantage there is to exporters in exporting technology by intangible means because they could get licences anyway if no concerns about the export itself.

10. And if concerns are sufficient for a license to be refused, what reputable exporter would wish to export it by any means?

The more useful paragraphs cover many different laws and acts (none of which cover intangible technology) and a reminder that I must also comply with United Nations resolutions, e.g., I cannot export to Iraq.

To try and meet the spirit of their letter my website points out to anyone downloading my program that it will be them who exports the program from the UK and imports to their country. As I don't think it is reasonable for anyone to be expected to know every country's import laws, I feel the onus should be on the person downloading. I also point out that I will not accept registrations from anyone from a list of countries that are subject to an arms embargo.

It was very difficult to get information from the DTI and I definitely got the impression that they wished I would just go away. After playing a series of "20 questions" I did come across one enlightened soul who kept me in touch with my request's progress and helped "decipher" all the government speak.

One glimmer of light was that I got the feeling that all though they would like to close this loophole, they are aware that it is pretty impractical. One factor that definitely went in my favour was that the algorithm I've used (blowfish) is in the public domain.

I hope this is of some interest. I'm sorry it's a bit long winded but as it is supposedly the first case of its kind in the UK, it should be useful to someone.

Regards

Mike Cobb
CobWeb Applications
http://www.cobweb.co.uk


To: "Cryptography Mailing List" <cryptography@c2.net>
From: "Mike Cobb" <mikec@cobweb.co.uk>
Date: Fri, 21 Feb 1997 05:29:20 -0000

UK Encryption Export Policy 3

Thanks for all your replies.

I have copied the complete text that I received from the DTI so that you can each draw your own conclusions.

I am certainly no legal expert and the opinions I expressed in my first email were just that. It amazes me that the people who make the law, will not or cannot interpret it, their advice is always consult a lawyer. In my efforts to get this far I definitely found that I had to ask just the right question to get any information, it was never offered freely. That said I did find one very helpful individual who helped me ask the right questions.

As I understand it, as I am only making KeyRing available via the Internet I do not need a licence, and so I will not be applying for one. I do not mind if the following is posted elsewhere on the net, as long as it is only done in an attempt to help others understand the situation in the UK. I would like to ruffle as few feathers as possible, if that's possible.

The letter from the DTI was dated 18 February 1997 and any spelling mistakes are mine.

Thank you for your letter of 30 January 1997 providing further information.*

It appears to us that the KeyRing Version 1.0 Encryption Software Program, when exported by intangible means, does not require an export licence, unless you find the end-use of your intended export falls within the categories outlined in the Supplementary Notice of Export Licensing Procedures (ECO Notice STU/1, Issue 14) dated November 1996.

Please note, however, that software programs of the type covered by your enquiry do require an export licence if exported in a tangible form, (e.g. on floppy disc or CD ROM) and a licence application form should be submitted.

Although The Import, Export and Customs Powers (Defence) Act 1939, Council Regulation (EC) No. 3381/94, The Export of Goods (Control) Order 1994 and the Dual-Use and Related Goods (Export control) Regulations 1995 do not contain any provisions covering the export of technology by intangible means, the absence of regulations under the above Orders does not mean that export by intangible means is totally free from obligations. The attached points to Note on the Transfer of Technology by Intangible Means should be carefully considered. Clearly, the government would prefer that exports such as yours be made by tangible means only, under the authority of an export licence.

You can obtain further information and advice on the procedures for obtaining an export licence from the DTI's Export Control Organisation Enquiry Unit on 0171-215-8070. To assist in the processing of a subsequent licence application, on the items referred to in this letter, please quote the reference number on this letter or send a copy of this letter with your application.

This assessment has been made on the information given in your letters dated 18 December and 30 January 1997 and attachments.**

*I stated that I would only being making KeyRing available via the Internet.

** I described how the program worked and that it used the Blowfish algorithm.

I received a copy of ECO Notice STU/1 Ref: STU/9/3/2 Issue 14 which refers to weapons of mass destruction. I also received a two page attachment as follows.

TRANSFER OF TECHNOLOGY BY INTANGIBLE MEANS

POINTS TO NOTE

1. The Import, Export and Custom Powers (Defence) Act 1939, Council Regulation (EC) No. 3381/94, The Export of Goods (Control) Order 1994 and the Dual-Use and Related Goods (Export control) Regulations 1995 do not contain any provisions covering the export of technology by intangible means.

2. However this does not mean that there are no controls on intangible technology or that, as an exporter, you are free from obligations:

- United Nations Act 1946: in certain circumstances, some intangible transfers of technology might constitute a breach of one of the Orders made under this Act implementing sanctions; but none of the Orders controls intangible technology transfer as such;

- Official Secrets Act 1989: technology developed under government contract which falls into one of the categories of information protected by the Act is also covered because the Act prohibits the transfer by whatever means;

- Copyright conditions apply in certain cases;

- Patents Act 1977 contains relevant provisions;

- Contractual obligations may apply.

3. You must refer to legal advisers to check what applies in your own case.

4. Government is aware of the potential for abuse of the spirit of export controls. If it appears HMG's export control policies are being undermined, then further action may have to be considered.

5. HMG works with exporters in pursuit of the policy of preventing the spread of weapons of mass destruction. Public support for this policy is strong.

6. Exporters whose actions work against that policy risk damaging their good reputations with regulatory authorities and the public: and both domestically and internationally.

7. The public relations and longer term economic costs of any such action must be set against any apparent advantages which may be gained.

8. Advise against any employee embarking on such a course of action without consulting the officer responsible for export control policy compliance.

9. Hard to see what practical advantage there is to exporters in exporting technology by intangible means because they could get licences anyway if no concerns about the export itself.

10. And if concerns are sufficient for a licence to be refused, what reputable exporter would wish to export it by any means?

Policy Unit
Export Control and Non-Proliferation Division (XNP)
DTI

January 1996

Regards

Mike Cobb
CobWeb Applications
http://www.cobweb.co.uk