Re: Exporting software doesn't mean exporting

[Adam Shostack <adam@lighthouse.homeport.org>]

Dan Weinstein wrote:

| The what U.S. law says and what U.S. officials can enforce are two
| different things.  You are in violation of ITAR if you send crypto
| software from Mexico to Europe over the INTERNET if it is routed
| through the U.S..  Think of it like drugs being shipped through the
| U.S., the drug lord that sent it throught is just as guilt under U.S.

	Its worth noting that IP is a packet routing system.  It does
not use paths or virtual circuits, like ATM or X.25.  This means that
it is not always possible to predict what route packets will follow.
This is especially true of non-interactive protocols like SMTP.  I can
traceroute to get a good idea of where my ftp packets are going right
now, but between the time I do the traceroute, send a mail message,
and it actually gets transmitted, a router somewhere along my old path
might have died, and my packets, unbeknownst to me, are taking a new
path.

	Thus, if the user in Italy has no reason to expect that their
mail to Germany will traverse the US, then I suspect that the US would
have a hard time proving any criminal act.  Doesn't a criminal act
require intent of some type?  If IP routing, in conjunction with SMTP,
beyond the control of the users, ships packets through the US, I have
a hard time believing that that makes those users criminals.


Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume