FAQ on UK law

[Peter Fairbrother]

On 07/05/13 10:43, Nicholas Cole wrote:
> Dear List,
>
> Is there an FAQ anywhere on the state of UK law as it relates to the
> development of cryptography and software that uses cryptography?
>
> I've read the Crypto Law Survey:
>
> http://www.cryptolaw.org
>
> and the rules surrounding domestic use are very clear.
>
> What is much less clear is the question of "export".  Does, for example,
> hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
> website count as "export"?

I don't know, technically (see Lindqvist) but I suspect "they" could 
make it so if they really wanted to. IANAL though.

However there is the GSN exception (as amended) in the Dual-use 
Regulations Schedules for software "in the public domain", so even if it 
is export, hosting open-source code goes is lawful.

Note that "in the public domain" has nothing to do with copyright or IP 
law here:.

""In the public domain", as it applies herein, means "technology" or 
"software" which has been made available without restrictions upon its 
further dissemination (copyright restrictions do not remove "technology" 
or "software" from being "in the public domain")."


> What about providing support for such software?


Again I don't know, technically, whether it counts as export - but I 
think the GTN (as amended) would allow it:

{ GENERAL TECHNOLOGY NOTE (GTN)
(To be read in conjunction with section E of Categories 1 to 9.)
The export of "technology" which is "required" for the "development", 
"production" or "use" of goods controlled in Categories 1 to 9, is 
controlled according to the provisions of Categories 1 to 9.

"Technology" "required" for the "development", "production" or "use" of 
goods under control remains under control even when applicable to 
non-controlled goods.

Controls do not apply to that "technology" which is the minimum 
necessary for the installation, operation, maintenance (checking) and 
repair of those goods which are not controlled or whose export
has been authorised.

N.B.:     This does not release such "technology" specified in 1E002.e., 
1E002.f., 8E002.a. and
           8E002.b.

[ that's stealth radar absorbers, some high-tech alloys and ceramics, 
submarine noise reduction technology ]

Controls on "technology" transfer do not apply to information "in the 
public domain", to "basic scientific research" or to the minimum 
necessary information for patent applications. }



However even if the GTN doesn't cover providing support I doubt you are 
likely to get done for it unless you are helping Al Quaida, when "they" 
would probably bring terrorist offence charges anyway.


> Unlike the Americans, who seem to have specific regulations
> for Open Source Software, I can't see anything comparable in UK law.


The US does not fully implement the GTN and GTN parts of the Wassenaar, 
specifically the "in the public domain" part.

Cryptography software is covered by the Cryptography Note, Supplement 
No. 1 to part 774, Category 5, part 2, Note 3. For open-source stuff you 
are, in theory, required to inform BIS before export, but I don't think 
many people actually do.

I don't know anything about US law regarding providing support for 
open-source crypto, sorry.


>   There was a flurry of activity around this in the late 1990s, and
> things seem to have cooled down since, but clarity still seems to be
> lacking!

Yes (if you include RIPA in 2000), not much has actually happened since 
then. There have been a some subtle changes though, it's hard to keep 
up. Wassenaar rev. 2008 made a few changes, eg key lengths for some 
commercial crypto, electronic export became specifically included 
whereas it wasn't clearly included before, but didn't change the "public 
domain" exemptions.


-- Peter Fairbrother