
Re: More Circumventing the ITAR



Mark Rosen wrote:
> 
>         I'm curious as to exactly what the ITAR/EAR/Whatever says specifically
> about "unrestricted FTP sites." My program, Kremlin, is available for
> download at the web page below. On my web page, I have some stuff in bold
> print that informs about the ITAR and tells people to go away if they're
> not from the US or Canada. Does this count as an unrestricted FTP site?
> It's not all that much different from what MIT has up for PGP.

	What you need to do to provide FTP access to crypto
software is spelled out in the EAR regulations. Here is a
summary. I am not a lawyer.

1) Users (downloaders) should be asked to answer some
questions to indicate that:

	They are aware of the crypto export regulations.
	They and their computers are in the US/Canada.
	They intend to follow the crypto export regulations
		and not export the software they download.
	They are US persons as defined in the EAR regulations.

2) The server should check that the client site requesting the
download is in the US or Canada.

In other words, just displaying a warning is not enough.

>         Also, back to the question of registration numbers. A registration number
> is just a string of letters and numbers, and is essentially the same as a
> friendly letter; it contains no cryptographic code. For all anyone knows, I
> could just be charging for pseudo-random numbers, again, nothing of
> cryptographic significance. Is it illegal for me to mail someone outside of
> the US or Canada a registration code? Thanks for any help.

	I wouldn't try to circumvent the regulations by trying
to follow the letter of the law while ignoring its spirit. You
don't have to be convicted of a crime to make life a lot more difficult.
Ask Phil Zimmermann, who never even uploaded PGP to the Internet.

--
Anil Das