Obeying UK crypto export restrictions on the Internet
Owen Lewis
oml at eloka.demon.co.uk
Mon, 3 Sep 2001 10:39:55 +0100
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 03 September 2001 08:45
> To: UK Crypto Posting
> Subject: Re: Obeying UK crypto export restrictions on the Internet
>
>
> From: "Mark RISON" <mrison@hotmail.com>
> To: <ukcrypto@chiark.greenend.org.uk>
> Sent: Sunday, September 02, 2001 11:01 PM
> Subject: Obeying UK crypto export restrictions on the Internet
>
>
> > I wish to release source code implementing (triple) DES on the Z80.
> >
> > Is saying "you may not download this if you're in Iraq, Angola, or
> > Yugoslavia" enough? If not, how am I supposed to implement "free
> > download over the Internet"? I see that OpenSSL has a UK mirror --
> > how did they arrange to jump through all the legal hoops?
>
> I have made no effort to restrict its accessibility because it is impractical
> to do this without seriously restricting its availability for legitimate
> use.
>
> I informed UK government authorities of the existence of this site and the
> code it makes available in 1998 (strictly an older site with the same sort
> of content). Some of the cryptographic code has been continuously available
> since that date.
This was researched about 1993 (by Paul, ISTR). The (unofficial) view of DTI
was/is that there is no offence in putting the material on a site. If it is
downloaded by a party not permitted under UK law to receive it or downloaded
into a proscribed country (or downloaded from you and subsequently
transferred to a proscribed party/place), the offence is committed by the
downloading party and not by you. This would seem to assume that you neither
made the code available specifically to facilitate an illegal transfer nor in
the knowledge that such a transfer would occur.
OTOH, put the same code on a disk and send it to them and that could be
breaking the law.
DTI takes a position re. export controls that is easy to interpret as
'weasel-worded'. It will not tell you whether or not it is lawful for you
to export your product (though it *may* offer advice). It is for you to satisfy
yourself that you are complying with the law, employing the services of a
specialist lawyer if you feel so inclined. I.e. the responsibility for
compliance is yours and not theirs.
Since coding for 3-DES (and much else) is in the public domain, it's hardly
likely that an original implementation for the Z80 could be construed as
more than educational (but INAL nor do I speak for DTI).
> I might also add that some of it has been downloaded by UK government
> organisations. Also my AES code is being used in a number of US government
> sponsored projects.
Yes, GCHQ usually like a copy of whatever is going. So do agencies in a
number of other governments around the world. A frequent reason for this
interest is to have a continual stream of fresh cipher breaking projects on
which to train their newbies. It would be nice if they had the reciprocal
courtesy to report back the success or lack of it they have had. But somehow
they never do. It's an unfair world.
Owen