AW: AUCRYPTO: `Germany Frees Crypto' - do you believe it?

[Ross Anderson]

I raised the issue of the proposed EU regulation on the export of
dual-use goods, which appears to compel member states to prohibit
intangible exports of items on the Wassenaar list. This might not
just cause problems for people like brian and me who put crypto
source code on our web pages, but hit a very broad range of
technology. (Wassenaar considers as dual-use goods not just crypto
and everything else to do with inforsec, but also decent numerically
controlled machine tools, semiconductor test equipment, anything to
do with asynchronous transfer mode ... and even modems that run
faster than 9.6 kb/s). More on my web page.

The response?

We are assured by Hubertus Soquat, of the Federal German Ministry of 
Economics and Technology, Berlin, that:

> The new german government position makes very clear that R&D, 
> production, import and use of strong crypto products are not 
> regulated, they are complety free.

But, Herr Squat, your government has used its weight in the EU to push
more and more of Europe's R&D goes through multinational efforts such
as the fifth framework. How can a university in Britain collaborate
with one in Germany if any EU regulation forbids either of them from
sending software to the other? Will all the code have to be written in
Singapore? (but, hey, Singapore allows export, but not import. So
they'll have to get the code right first time :-)

> As far as export is concerned there is a regulation following our 
> Wassenaar obligations: legal basis is the EU directive for dual use 
> (latest change: Council decision changing annex IV 09.03.1999 
> (1999/193/GASP - Official Journal L 73 19.03.1999) and the respective 
> german national law (Ausfuhrverordnung and Ausfuhrliste). 

That's precisely the problem.

> The negotiations for further changes to EU-Regulations are on the way 
> and will be continued during the coming finnish presidency.

Tell me, does the German government support the Commission's position
that export controls should be extended to intangibles?

If so, that will put some European countries (such as Britain) at a
severe disadvantage to the USA. Let me explain.

Although the USA has export controls on intangibles, it also has a
constitution which guarantees freedom of speech. Academic speech is
considered to be protected but commercial speech is not. What that
means in practice is that when my US colleague Ron Rivest hires a
non-US citizen as a research student at MIT, he can give the student
access to crypto code without further ado. However, when he hires a
similar foreign national for his company, RSA Data Security, he has
to apply for a personal export licence. That meant, for example,
that when RSA hired Matt Robshaw, he had to sit around doing nothing
for several months before the paperwork came through.

Here in the UK, we have no written constitution, and so we would very
likely have to get personal export licences for all our foreign
research students in the School of Technology (which is most of them).

We're unlikely to get an OGEL, as the Foreign Office doesn't like the
universities. (The current dispute is that they want a covert veto
over what foreign research students we offer places to, but as
admission decisions are generally taken by the individual member of
staff who would supervise the applicant, there's no mechanism we could
use to perform this screening covertly. In any case, both Oxford and
Cambridge have refused to participate on grounds of principle.)

So the UK would end up at a serious disadvantage to the US in
technology research. (This is not just in crypto, but in physics,
chemistry, materials science, ...)

Come to think of it, Germany also has a written constitution, so I
assume Andreas Pfitzmann would get the same exemption as Ron Rivest.
The same will apply to many other member states, and some others won't
bother to enforce the law.

So the UK will end up getting screwed.

Is this the idea?

Ross