[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

on international transmissions



The situation:

-- non-USA person retains a USA-based email service
-- this person forwards mail to non-USA machine
-- this person requests crypto software be sent to the USA email address
-- another person sends software to the USA address
-- the forwarding works and the software is shipped outside the USA

>This way, the author has not broken the law by sending the software
>to anysite.com, 

This is correct, since the sender of the crypto was told that the
address was a US place.  If, however, the sender of the crypto knows
that it will be automatically forwarded outside of the country, the
they become liable because they have prior knowledge of the
consequences of their actions.

>and I haven't either because all I did was to tell
>the unix box to forward my mail out of the country.  

Such a direction is not improper _per se_, but the combination with a
request to have crypto software sent to that address means that the
requester has prior knowledge that the request will cause crypto
software to be exported across US boundaries.  And that prior
knowledge creates liability.

>Neither I nor Joey_CryptoAuthor broke ITAR.  Not really.  Not
>intentionally.  

Incorrect.  The person who sets up forwarding with the intention of
moving crypto software automatically outside of the country is in
violation.

But since I am not a lawyer I feel compelled to point out that the
cost of extradition of random people to the USA for trial under USA
laws is expensive and difficult, the most recent high-profile example
being Noriega.  In addition, detection of such an action will be
difficult at best, and near impossible to prove if encryption is used.

Proof that software was exported in encrypted mail would require at
least the following:

-- a copy of a particular piece of mail claimed to contain encryption
software

-- evidence that this particular piece of encrypted mail did in fact
contain encryption software

-- evidence that a particular piece of encrypted mail was sent outside
of the country at a particular time and between two given machines

So, someone has to supply the authorities with a copy of the mail,
with a decryption of the mail, and with mailer logs evidencing a
transmission across USA borders.

Mailer logs are typically purged after a week or two.  So if the
intermediate machine has purged logs and the .forward file is gone,
there will be precious little direct evidence left of an actual
transmission.  

If the encryption is addressed to only the receiver, and if the sender
did not keep a record of the session key, only the receiver can
provide the session key.  The session key is necessary to show that a
given piece of encrypted mail is an encrypted copy of a particular
piece of software.

And unless the NSA or the intermediate machine or the sender provides
a copy of the particular piece of mail, there's no fact in evidence
that any software was actually sent.

Of course, if the sender is out to sting you and ther intermediary
provides logging information, one might get screwed.  But then again,
all intermediaries would have to cooperate, were there more than one.

And finally, I have written so much only to point out that legality
and enforceability are two very different things.

Eric