[266] in cryptography@c2.net mail archive
Re: UK Encryption Policy
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Feb 21 05:21:31 1997
To: Mike Cobb <mikec@cobweb.co.uk>
Date: Thu, 20 Feb 1997 19:30:05 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: cryptography@c2.net
In-Reply-To: <97Feb20.181347+0000_gmt.1310393-14578+13@mail.u-net.net> from "Mike Cobb" at Feb 20, 97 12:26:33 pm
Reply-To: ben@algroup.co.uk
Mike Cobb wrote:
>
> Over two months ago I posted a message to this list regarding UK export
> policy for encryption software. Since then I've had a frustrating but
> eventually rewarding dialog with the Department of Trade and Industry
> regarding exporting my file encryption and password tracker program which
> uses up to a 248bit key.
>
> Apparently my request was the first of its kind which is one reason why I
> have only just had a final reply back from the DTI.
That's funny - that's what they said when I started the same hoop-jumping last
year!
>
> In a nutshell there are no laws currently, UK or EC that cover the export
> of intangible technology. As long as I only make this program available
> over the Internet, it is not illegal and it does not require an export
> license.
>
> GCHQ and the "Policy Unit" are very annoyed by this and have apparantly
> discussed my request at length. There are several points of note attached
> with their reply. For example:
>
> 9. Hard to see what pratical advantage there is to exporters in exporting
> technology by intangible means because they could get licences anyway if no
> concerns about the export itself.
>
> 10. And if concerns are sufficient for a licene to be refused, what
> reputable exporter would wish to export it by any means?
>
> The more useful paragraphs cover many different laws and acts (none of
> which cover intangible technology) and a reminder that I must also comply
> with United Nations resolutions eg I cannot export to Iraq.
>
> To try and meet the spirit of their letter my website points out to anyone
> downloading my program that it will be them who exports the program from
> the UK and imports to their country. As I don't think it is reasonable for
> anyone to be expected to know every country's import laws, I feel the onus
> should be on the person downloading. I also point out that I will not
> accept registrations from anyone from a list of countries that are subject
> to an arms embargo.
>
> It was very difficult to get information from the DTI and I definately got
> the impression that they wished I would just go away. After playing a
> series of "20 questions" I did come across one enlightened soul who kept me
> in touch with my request's progress and helped "decipher" all the
> government speak.
I wonder if that was the same guy that fed me a pile of interesting documents
which seemed to say that export is no problem so long as the technology was
publicly available. Making the product available to all comers also seems to
make export OK (and it doesn't have to be free either).
I did all this to try to get a license for Apache-SSL, but dropped it, in the
end, when Oxford University agreed to host it (so export was no longer my
problem). Of course, the joke is, you can only get a license if it shouldn't
be exported - in which case, natch, they are unlikely to grant it. So, the
best you can hope for is "no license required". Which they are at pains to
point out, still doesn't mean you can give it to anyone you feel like. Doncha
just love it?
I'd love to see their response, BTW.
Cheers,
Ben.
>
> One glimmer of light was that I got the feeling that all though they would
> like to close this loophole, they are aware that it is pretty impratical.
> One factor that definitely went in my favour was that the algorithm I've
> used (blowfish) is in the public domain.
>
> I hope this is of some interest. I'm sorry it's a bit long winded but as it
> is supposedly the first case of its kind in the UK, it should be useful to
> someone.
>
> Regards
> Mike Cobb
> CobWeb Applications
> http://www.cobweb.co.uk
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
