EU Crypto Free Trade Area
Stefek Zaba
sjmz at hplb.hpl.hp.com
Fri, 06 Mar 1998 10:05:22 +0000
Nicholas Bohm writes:
> A further point I intended to make on the 1995 Export Control Regulations
> is that they control the export of GOODS. This is reflected in the note I
> quoted, with its references to sales from stock at retail outlets.
>
> Software can of course take the form of goods (as music can take the form
> of records), but it does not necessarily do so (as a concert performance is
> not a sale of goods). Diskettes and CDs containing software are no doubt
> controlled, but the Regulations do not appear to affect software downloaded
> from a website or attached to an email.

Indeed - the topic of whether the Export Control Regulations cover
"intangibles" has come up before on this list. I believe that "intangibles"
would include software-as-bit-on-the-wire, but also other "things" which
could be traded - insurance contracts, futures, ... The legal opinion I
heard expressed from a real lawyer is that bits-on-the-wire are indeed not
covered under a strict reading of the export regs: but that The Relevant
Authorities have let it be known informally that companies trading in
otherwise export-restricted goods which seek to evade export licensing
would be considered to be deliberately flouting the spirit of the regulations.
For companies which make their living this way, such flouting could be made
uncomfortable in a variety of practical ways - government purchasing power,
words in shell-like ears of prime contractors who might otherwise buy
bits of crypto software from such grubby little scofflaws, etc. The pragmatic
position therefore might be that if you rely on the "intangibles" provision
*alone*, you should be prepared to be an interesting test case.

Probably of more practical significance is the "mass market" exemption which
Nicholas and Yaman have already pointed out: the export regs are worded to
catch high-end special-installation-assistance-required (e.g. setting up
a centralised key management facility) crypto capability such as an army's
command-and-control system might use, while leaving the "password protection"
of WordPerfect/MSWord/PKZip etc. uncaught. Given those two ends of the
spectrum, it would seem a bizarrely unreasonable interpretation to consider
(to take an example not exactly at random) a full-strength SSLified Web
server (hi Ben :-) as "mass-market" rather than "hi-end custom installation
by supplier". Of course in the particular case of Stronghold, the exemptions
stack up particularly strongly:
1) it's software downloaded over the Net, hence intangible;
2) it's mass-market in the sense of the General Software Note;
3) it's public-domain - the source for Apache (and SSLeay) is explicitly
and deliberately in the public domain;

FTP archive sites of public-domain software seem to me to be in a similarly
firmly exempt position in the UK.

Obviously enough I'm not a lawyer, and this is not legal advice - it's an
opinion from a techie with a dangerously little amount of apparent knowledge!
General opinions from the legally qualified are more useful: neither flavour
of opinion-expressed-on-the-net is a substitute for paid-for specific legal
advice in your particular circumstances.
Cheers, Stefek