FAQ on UK law
Peter Fairbrother
zenadsl6186 at zen.co.uk
Wed May 8 23:53:51 BST 2013
On 08/05/13 16:42, Nicholas Cole wrote:
>
>
>
> On Tue, May 7, 2013 at 8:02 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk
> <mailto:zenadsl6186 at zen.co.uk>> wrote:
>
> On 07/05/13 10:43, Nicholas Cole wrote:
>
> Dear List,
>
> Is there an FAQ anywhere on the state of UK law as it relates to the
> development of cryptography and software that uses cryptography?
>
> I've read the Crypto Law Survey:
>
> http://www.cryptolaw.org
>
> and the rules surrounding domestic use are very clear.
>
> What is much less clear is the question of "export". Does, for
> example,
> hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
> website count as "export"?
>
>
> I don't know, technically (see Lindqvist) but I suspect "they" could
> make it so if they really wanted to. IANAL though.
>
> However there is the GSN exception (as amended) in the Dual-use
> Regulations Schedules for software "in the public domain", so even
> if it is export, hosting open-source code goes is lawful.
>
>
>
> All I can find is this:
>
> https://www.gov.uk/export-of-cryptographic-items
>
> which doesn't mention Open Source at all, but does list some
> restrictions that would make it all too easy to be in contravention of
> the guidance, since all four need to apply. Am I missing some other
> document?
The GSN, or General Software Note.
Export control law comes from many places and covers many things - eg
torture equipment, drugs which could be used for lethal injection,
military goods, radioactive materials, high-tech stuff, cryptographic
software, hardware and knowledge, WMD stuff, and more.
Crypto export comes under the EU Dual-use Regulation, part of which is
the EU Dual-Use List which unsurprisingly lists stuff which is export
controlled under the EU Dual-Use Regulation.
The EU Dual-use Regulation was originally transposed into UK law as a
Schedule to an Order under the Export Control Act - but the EU
Regulation acts directly now.
For our convenience the gubbmint prepare an updated combined list of
everything which is export controlled (except some WMD stuff):
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/184049/strategic-export-control-consolidated20130320.pdf
The GSN appears on page 45, in the EU Dual-use part.
GENERAL SOFTWARE NOTE (GSN)
(This note overrides any control within section D of Categories 0 to 9.)
Categories 0 to 9 of this list do not control "software" which is either:
a. Generally available to the public by being:
1. Sold from stock at retail selling points,
without restriction, by means of:
a. Over-the-counter transactions;
b. Mail order transactions;
c. Electronic transactions; or
d. Telephone order transactions; and
2. Designed for installation by the user
without further substantial support by the supplier; or
N.B. Entry a. of the General Software Note does
not release "software" specified in Category 5 - Part 2 ("Information
Security").
b. "In the public domain".
You will note that entry a does not apply to crypto software, in
relation to which it is replaced by the Cryptography note you mentioned
above (which is part of the EU Dual-Use Regulation, and appears on page
191 of the combined lists).
However entry b., software which is "In the public domain". _does_ apply
to crypto software, specifically open-source software.
"In the public domain" has a different meaning here to it's meaning in
IP law - here it is defined to mean ""technology" or "software" which
has been made available without restrictions upon its further
dissemination (copyright restrictions do not remove "technology" or
"software" from being "in the public domain")."
IANAL.
-- Peter Fairbrother
More information about the ukcrypto
mailing list