EU Crypto Free Trade Area

Nicholas Bohm nbohm at ernest.net
Thu, 05 Mar 1998 21:35:49 +0000 

At 12:08 3/03/98 GMT0BST, Yaman Akdeniz wrote:
[snip]
>The use of cryptographic software transmitted internationally may be
>restricted by export regulations in the UK as in the US. The Export of
>Goods (Control) Order 1994 as amended by The Dual-Use and Related
>Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271,
>1995) apply to the exportation of cryptographic software from the UK.
>The definition of cryptographic software is included in the Schedule
>2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations
>1995 and the export of this kind of regulated information requires an
>export licence from the Department of Trade and Industry (section 9).
>Failure to comply with the licence conditions may result in a maximum
>of two years of imprisonment (Section 8).

Thanks for these useful references.  The 1995 Regulations are made not
under the powers granted by general UK export control legislation, but
under powers granted by the European Communities Act, and are made to
implement an EC Decision (94/942/CFSP) and an EC Regulation (3381/94), both
in the EC Official Journal No L367 of 31 December 1994.

Assuming that the 1995 Regulations are validly made in conformity with the
EC instruments, I would expect this to preclude any challenge to the UK
rules on the grounds of their contravening EC law.  The assumption is not
necessarily valid:  the UK has been accused in the past of gold-plating EC
rules in the course of purporting to implement them, and might have gone
too far.  I prefer to leave the investigation of that possibility to an
expert.

The reference to cryptographic software in the 1995 Regulations (which is
in fact in Schedule 1, not 2) is in Section D of Category 5, and is
governed by the following note at the beginning of the Schedule, which
seems to open up a useful loophole:

***   quotation from Regulations   ***

GENERAL SOFTWARE NOTE

(This note overrides any control within section D of Categories 0 to 9.)

Categories 0 to 9 of this list do not control software which is either:

a.	Generally available to the public by being:

	1.  Sold from stock at retail selling points, without restriction, by
means of:

		a.  Over-the-counter transactions;

		b.  Mail order transactions;

		c.  Telephone order transactions; and

	2.  Designed for installation by the user without further substantial
support by the supplier; or

b.	In the public domain.

***   quotation ends   ***

"In the public domain" is defined in the Regulations as meaning "technology
or software which has been made available without restrictions on its
further dissemination (copyright restrictions do not remove technology or
software from being "in the public domain")."

This seems to open a fairly wide road, given the amount of public domain
crypto software to be found nowadays.

	Regards,

		Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 870285	(+44 1279 870285)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF