FAQ on UK law

Peter Fairbrother zenadsl6186 at zen.co.uk
Wed May 8 23:53:51 BST 2013

On 08/05/13 16:42, Nicholas Cole wrote:
> On Tue, May 7, 2013 at 8:02 PM, Peter Fairbrother <zenadsl6186 at zen.co.uk
> <mailto:zenadsl6186 at zen.co.uk>> wrote:
>     On 07/05/13 10:43, Nicholas Cole wrote:
>         Dear List,
>         Is there an FAQ anywhere on the state of UK law as it relates to the
>         development of cryptography and software that uses cryptography?
>         I've read the Crypto Law Survey:
>         http://www.cryptolaw.org
>         and the rules surrounding domestic use are very clear.
>         What is much less clear is the question of "export".  Does, for
>         example,
>         hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
>         website count as "export"?
>     I don't know, technically (see Lindqvist) but I suspect "they" could
>     make it so if they really wanted to. IANAL though.
>     However there is the GSN exception (as amended) in the Dual-use
>     Regulations Schedules for software "in the public domain", so even
>     if it is export, hosting open-source code goes is lawful.
> All I can find is this:
> https://www.gov.uk/export-of-cryptographic-items
> which doesn't mention Open Source at all, but does list some
> restrictions that would make it all too easy to be in contravention of
> the guidance, since all four need to apply.  Am I missing some other
> document?

The GSN, or General Software Note.

Export control law comes from many places and covers many things - eg 
torture equipment, drugs which could be used for lethal injection, 
military goods, radioactive materials, high-tech stuff, cryptographic 
software, hardware and knowledge, WMD stuff, and more.

Crypto export comes under the EU Dual-use Regulation, part of which is 
the EU Dual-Use List which unsurprisingly lists stuff which is export 
controlled under the EU Dual-Use Regulation.

The EU Dual-use Regulation was originally transposed into UK law as a 
Schedule to an Order under the Export Control Act - but the EU 
Regulation acts directly now.

For our convenience the gubbmint prepare an updated combined list of 
everything which is export controlled (except some WMD stuff):


The GSN appears on page 45, in the EU Dual-use part.

(This note overrides any control within section D of Categories 0 to 9.)

Categories 0 to 9 of this list do not control "software" which is either:
          a.       Generally available to the public by being:
                   1.         Sold from stock at retail selling points, 
without restriction, by means of:
                              a.       Over-the-counter transactions;
                              b.       Mail order transactions;
                              c.       Electronic transactions; or
                              d.       Telephone order transactions; and
                   2.         Designed for installation by the user 
without further substantial support by the supplier; or

                   N.B.       Entry a. of the General Software Note does 
not release "software" specified in Category 5 - Part 2 ("Information 
          b.       "In the public domain".

You will note that entry a does not apply to crypto software, in 
relation to which it is replaced by the Cryptography note you mentioned 
above (which is part of the EU Dual-Use Regulation, and appears on page 
191 of the combined lists).

However entry b., software which is "In the public domain". _does_ apply 
to crypto software, specifically open-source software.

"In the public domain" has a different meaning here to it's meaning in 
IP law - here it is defined to mean ""technology" or "software" which 
has been made available without restrictions upon its further 
dissemination (copyright restrictions do not remove "technology" or 
"software" from being "in the public domain")."


-- Peter Fairbrother

More information about the ukcrypto mailing list