[287] in cryptography@c2.net mail archive


Re: UK Encryption Policy

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sat Feb 22 18:27:05 1997

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net, ukcrypto@maillist.ox.ac.uk
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Sat, 22 Feb 1997 19:28:30 (NZDT)

>In a nutshell there are no laws currently, UK or EC that cover the export of
>intangible technology. As long as I only make this program available over the
>Internet, it is not illegal and it does not require an export license.
 
Specifically the wording is:
 
"The control of technology transfer in the Strategic Goods List is limited to
 tangible forms".
 
This is because the text of the strategic goods list arising from Wassenaar is
almost identical to the older COCOM text which dates from the cold war, and
no one had considered electronic communications back then.  The reason for this
clause was to ensure that people were allowed to export their minds out of the
country (if it wasn't for this, you'd need to have a lobotomy before you got on
a plane, after which you'd be qualified to work for the Arms Control Section of
NZ's Ministry of Foreign Affairs and Trade).  The extension to electronic
communications media was an unexpected side-effect.
 
Since every country I know of has just copied the Wassenaar text verbatim
(with the obvious exception of the US), export over the Internet from any
country is allowed.
 
>One glimmer of light was that I got the feeling that although they would
>like to close this loophole, they are aware that it is pretty impractical.
 
This is the case over here too, but I don't think they know it's impractical.
 
>One factor that definitely went in my favour was that the algorithm I've used
>(blowfish) is in the public domain.
 
Again, the specific text is:
 
"Categories 0 to 9 of this list do not control `software' which is either:
   a. Generally available to the public by being:
      1. Sold from stock at retail selling points, without restriction, by
         means of:
         a. Over-the-counter transactions;
         b. Mail order transactions; or
         c. Telephone order transactions; and
      2. Designed for installation by the user without further substantial
         support by the supplier; or
   b. `In the public domain'".
 
`In the public domain' is defined as:
 
"`Technology' or `software' which has been made available without restrictions
 upon its further dissemination (copyright restrictions do not remove
 `technology' or `software' from being `in the public domain')".
 
(`technology' and `software' are further defined).
 
The consequences of this exception are interesting.  Last year the Canadian
government allowed the free export of a whole batch of encryption software
based on this clause.  However the Wassenaar arrangement requires that:
 
"In accordance with the provisions of this arrangement, participating states
 agree to notify transfers and denials".
 
The Canadian government was therefore required to notify other states of the
ruling that there were no restrictions on the software.  In export regulations
published after this date, a curious change has been made to the regulations
with the addition of:
 
"With the exception of Category 5, Part 2"
 
(which covers encryption software) to the "does not control..." text.  This
means that all mass-market or public-domain software except encryption software
is freely exportable (i.e. there is an exception to the exception).  This is a
very messy hack to the regulations, because the resulting statement now clashes
with two other sections of the regulations.
 
The export regulations as a whole are pretty bizarre.  Because today's high
technology is tomorrow's museum curio, the regulations restrict a wide variety
of items which are freely available and have no special significance - probably
half the technology exports from any country violate at least one part of these
regulations, and the only reason no one is prosecuted is that the regulations
are so obscure and bizarre that no one knows or cares about them.  For example a
20-year-old video game I have up in the attic violates 3A001.a.1 (the
museum-piece 1802 microprocessor on it happens to qualify as "radiation-
hardened"); most laptop computers violate 3A001.a.3.10.a (they have chips with
more than 208 pins in them); some video-game-oriented PC graphics cards and
possibly recent Nintendo and Sega video games (I'd have to check this, no two
sources ever state the video performance of their toys the same way) violate
4A003.d (graphics systems with performance above a certain level); Linux
violates (at least) 4D003.a (an operating system which supports multiple
processors) and 5D001.c.4 (dynamic adaptive routing software); the routers used
by many telcos violate 5A001.c.5 (they handle ATM routing); many software
development tools violate 5D001.c.3 (they allow decompiling of software).  The
list goes on and on.  It would be interesting to get some PC supplier's
catalogue and sit down with it and the regulations one afternoon to see how
many rules and regulations you'd be breaking by shipping one of their PCs out
of the country.
 
As part of my further work on investigating this nonsense, I would *really*
like to get a copy of both the UK and the Austrian export controls, but I've
been unable to find anyone who can get them for me.  In the UK you'd need to
contact the DTI and ask for something with a name like "Controls on the export
of defence and strategic goods".  In Austria you'd contact the
Bundesministerium fuer wirtschaftliche Angelegenheiten in Vienna and ask for
the text of the "Aussenhandelsgesetz AHG-EU", "EU-Exportkontrolle fuer Dual-Use
Gueter".  There's also an older version, the "Aussenhandelsgesetz BGBl. 848/92"
(or the slightly newer BGBl. 180/95) which I'd be interested in seeing if
possible (if they want to know why you're interested in all the variants, tell
them you're researching the history of arms controls or something).  In both
cases I'm after the complete text (which should run to around 100 pages) and
not just excerpts.  I'm particularly interested in the Austrian ones because
they predate the late-1996 no-crypto-software hack and I want to see what the
text says.  If anyone can get hold of these for me and snail mail them over,
please let me know.
 
Peter (who probably knows more about the Wassenaar rubbish than most of the
       people charged with enforcing it).
 
 

