
Re: Aust crypto regulations




Well, fuck that for thinking I was living under a less restrictive
regime -- and I can say goodbye to an international market for my
software.

---- begin include ----
From: M.Gream@uts.edu.au (Matthew Gream)
Newsgroups: aus.computers.ibm-pc,alt.security.pgp
Subject: Re: PGP for Oz users
Date: 6 Sep 1994 06:44:14 GMT

Matthew Gream (M.Gream@uts.edu.au) wrote:

> That sounds bogus to me, at least from the information you've given me
> there. I've had the pleasure of being routed from our `Australian Trade
[..]
> I'm fairly confident in saying that there are no export restrictions on
> software (specific clause stating that mass market, public domain and
> "unsupported after installation" software is not covered by the
> Industrial List). There do exist restrictions on hardware. All of these
> restrictions are a direct result of our adherence with COCOM
> regulations.

I'm afraid I have to post a clarification to a clarification. I've just
been in contact with the relevant people at the Defence Signals
Directorate. It seems that regardless of advice obtained from other
departments and documentation that points to the contrary, there are
restrictive controls on software.

In my conversation, the following was articulated (she was referring to
the same document as previously mentioned [1]):

1. The "General Software Note" on Page 1-6 of [1] does not override
   the regulations in "Category 5: Telecommunications and `Information
   Security'", specifically s.5.A.2 and s.5.D.2. This means that they
   assert control over all forms of software _including_ public domain.
   I tried to pin-point what the "General Software Note" is for then,
   but didn't receive an acceptable answer.

2. DES can only be exported for specific banking and associated 
   applications, even then only to 8 governments and certain banking 
   groups. They accept RSA for export where it's used in Key 
   Distribution applications. In essence, there is a list of specific
   uses for certain algorithms.

3. Message digests are in general OK, so long as they can't be modified
   to perform cryptographic functions (ie. encryption/decryption).

4. Export is regulated on a per end user basis. In other words, they
   assert control over _each_ item of software sold.

5. The fact that COCOM is in a "forum" period does not affect the
   current regulations.

6. I specifically asked about "public domain" distribution of software
   via the Internet. She said that this was "highly inadvisable" and
   "if our government found out about it, they could take action" and
   asserted that it would be worse for an individual than if the
   violation was carried out by a company. She said that she wouldn't
   like someone to become a "test case", and made mention of problems
   in the USA.

She was extremely helpful though, but the real problem I had, and I
spent most of my time on this, was that these requirements aren't
solidified anywhere, and hence subjective. I'm not really surprised
though, that's the whole point of it all.

I wasn't concerned about "weak crypto", only DES, IDEA, RSA, MD* and
locally produced algorithms.

In short: Anything cryptographic, they want to know about, and they
want to know about it on a per end-user basis. They advise against
distribution on the "Internet" and any distribution without prior
approval otherwise there could be "problems".

Matthew.

[1] "Australian Controls on the Export of Technology with Civil and
	Military Applications", Aust Dept of Defence, Sept 1992.

--
Matthew Gream <M.Gream@uts.edu.au> -- Consent Technologies, (02) 821-2043
Disclaimer: From? \notin speaking_for(Organization?)            [cfqx103]
---- end include ----

-- 
Matthew Gream <M.Gream@uts.edu.au> -- Consent Technologies, (02) 821-2043
Disclaimer: From? \notin speaking_for(Organization?)            [cfqx103]