[265] in cryptography@c2.net mail archive

Re: UK Encryption Policy

daemon@ATHENA.MIT.EDU (Adam Back)
Fri Feb 21 05:19:26 1997

Date: Wed, 19 Feb 1997 21:29:18 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: mikec@cobweb.co.uk
CC: cryptography@c2.net
In-reply-to: <97Feb20.181347+0000_gmt.1310393-14578+13@mail.u-net.net>
	(mikec@cobweb.co.uk)


Mike Cobb <mikec@cobweb.co.uk> writes:
> Over two months ago I posted a message to this list regarding UK export
> policy for encryption software. Since then I've had a frustrating but
> eventually rewarding dialog with the Department of Trade and Industry
> regarding exporting my file encryption and password tracker program which
> uses up to a 248bit key.
> 
> Apparently my request was the first of its kind which is one reason why I
> have only just had a final reply back from the DTI.
> 
> In a nutshell there are no laws currently, UK or EC that cover the export
> of intangible technology. As long as I only make this program available
> over the Internet, it is not illegal and it does not require an export
> license.

I was led to believe that a DTI license is required in order to export
crypto software.

Do you have a reference for the document which says you don't need an
export license?

Did you obtain a license to export your product?  Or just abandon the
process after you considered you could legally export without a
license?

What about SafePassage and StrongHold: how did you get on with
obtaining permission to export them (the product you describe sounds
different)?

> GCHQ and the "Policy Unit" are very annoyed by this and have apparently
> discussed my request at length. There are several points of note attached
> with their reply. For example:
> 
> 9. Hard to see what practical advantage there is to exporters in exporting
> technology by intangible means because they could get licences anyway if no
> concerns about the export itself.

One immediate purely practical advantage -- it speeds up the process!

> 10. And if concerns are sufficient for a licence to be refused, what
> reputable exporter would wish to export it by any means?

> The more useful paragraphs cover many different laws and acts (none of
> which cover intangible technology) and a reminder that I must also comply
> with United Nations resolutions eg I cannot export to Iraq.
> 
> To try and meet the spirit of their letter my website points out to anyone
> downloading my program that it will be them who exports the program from
> the UK and imports to their country. 

Paul Leyland (Oxford univ ftp archive maintainer) stated this also:
"the downloader is the exporter".  Is there some legal document which
states this is the case?  It seems to be the opposite of the
interpretation used in the US.

> As I don't think it is reasonable for anyone to be expected to know
> every country's import laws, I feel the onus should be on the person
> downloading. I also point out that I will not accept registrations
> from anyone from a list of countries that are subject to an arms
> embargo.

Did you obtain legal advice on this?  What you or I consider
reasonable may not stand up against legal opinion, etc.

> One glimmer of light was that I got the feeling that although they would
> like to close this loophole, they are aware that it is pretty impractical.
> One factor that definitely went in my favour was that the algorithm I've
> used (blowfish) is in the public domain.

Is there wording in the documentation that says there is any kind of
public domain exemption in terms of the algorithm, or the
implementation?

> I hope this is of some interest. I'm sorry it's a bit long winded but as it
> is supposedly the first case of its kind in the UK, it should be useful to
> someone.

I found it very interesting, thanks for making your information
public.

Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
