EU Crypto Free Trade Area

[Adam Back]

Stefek Zaba <sjmz@hplb.hpl.hp.com> writes:
> Indeed - the topic of whether the Export Control Regulations cover
> "intangibles" has come up before on this list. I believe that "intangibles"
> would include software-as-bit-on-the-wire, 

I have a couple of documents on the web under:
	
	http://www.dcs.ex.ac.uk/~aba/ukexport/

and a supplement sheet apparently confirming Stefek's suggestion:

> The Relevant Authorities have let it be known informally that
> companies trading in otherwise export-restricted goods which seek to
> evade export licensing would be considered to be deliberately
> flouting the spirit of the regulations.

in DTI's (?) own words, see:

	http://www.dcs.ex.ac.uk/~aba/dti-let.txt

Also there is a less interesting DTI document "ECO Notice STU/1":

	http://www.dcs.ex.ac.uk/~aba/eco-stu1.txt

> For companies which make their living this way, such flouting could
> be made uncomfortable in a variety of practical ways - government
> purchasing power, words in shell-like ears of prime contractors who
> might otherwise buy bits of crypto software from such grubby little
> scofflaws, etc. The pragmatic position therefore might be that if
> you rely on the "intangibles" provision *alone*, you should be
> prepared to be an interesting test case.

I would be interested to hear of any cases where the DTI/CESG have
turned down a tangible an export permission request.  Any other DTI
export documentation would be interesting also.

If you talk to CESG about the topic of tangible exports they start to
talk about requiring the crypto to be hard to modify (kind of hard to
arrange if you are shipping source on the CD), and they are in general
quite hard to pin down on their criteria for an exportable software
system.

I have a suspicion that the simplest thing to do may be to not talk to
them (DTI and CESG) in the first place, unless you really are thinking
of shipping something which you consider falls under the export
licensing regulations (eg nuclear related, military related, or
shipping to embargoed country).

Talking to them when you are comfortably sure that your CD with
software should be exempt under any reasonable interpretation of the
regs just invites them to add stipulations which do not exist in the
regs.

I have been exporting T-shirts with an RSA implementation (the code in
my sig) printed on them:

	http://www.dcs.ex.ac.uk/~aba/uk-shirt.html

I have not asked permission of the DTI to do so.  I think I exported a
few to Russia if I remember rightly, as well as a number of other
countries.  A t-shirt is surely a tangible item.  Any one in Baghdad
want to order one?

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`