[1892] in cryptography@c2.net mail archive
Re: crypto export
daemon@ATHENA.MIT.EDU (Greg Broiles)
Tue Nov 25 13:13:45 1997
Date: Mon, 24 Nov 1997 22:16:57 -0800
To: kds@ornl.gov (Kibbee D.Streetman)
From: Greg Broiles <gbroiles@netbox.com>
Cc: cryptography@c2.net
In-Reply-To: <3.0.16.19800107163222.407f7270@dsunix2.dsrd.ornl.gov>
At 04:32 PM 1/7/80 -0500, Kibbee D.Streetman wrote:
>
>Can a US company use/export encryption software in its foreign offices
>without an export license? Thanks!
If the answer to this question is important to you, you should get yourself
(or your organization) an attorney who will help you address export control
issues. Simple answers to simple questions posed on the net don't map well
to real life issues.
The simple answer to your question is no, you cannot export crypto without
a license, unless one of the license exceptions (listed at 15 CFR 740)
applies.
There are different kinds of licenses - some are broad licenses which will
apply to almost every potential customer for a particular product, some
apply to sales of a particular product to a particular customer or nation,
and some apply to individual sales (or transfer) transactions, one at a
time. Some license determinations (grants or denials) happen quickly,
others happen slowly.
The scope and duration of licenses which may be available to you will
depend on the encryption strength of the software you're seeking to export,
as well as whether or not it's been adapted to allow silent government
eavesdropping of the encrypted data.
My impression is that the sort of application of crypto you've described is
one to which the BXA is sympathetic, and that you're likely to be able to
get approval for moderate (56 bit) or better strength crypto which isn't
especially surveillance-friendly, but that processing of the license may
take between 6 weeks and 6 months.
Addressing the practical side of your question, you could also find a
foreign supplier for your cryptographic software, and ship it into the US
from your foreign subsidiary/office, and standardize on that software
instead, modulo any local patent or other intellectual-property issues. You
might also find software written to an open standard, and make different
software purchases in each jurisdiction which are legal according to local
laws, and thereby construct an interoperable collection of cryptographic
software while avoiding the US' idiotic restrictions on software exports.
--
Greg Broiles | US crypto export control policy in a nutshell:
gbroiles@netbox.com | Export jobs, not crypto.
http://www.io.com/~gbroiles | http://www.parrhesia.com
