
New crypto regs outlaw financing non-US development



As you know, the President has transferred most crypto from State to
Commerce. We were all waiting in anticipation for the text of new
regulations to take effect on 12/30/96. Not because we thought that the new
regs would be more favorable to industry and the individual (we know
better), but so we could assess the damage. I will try to give a brief look
at some interesting provisions in the new regs. I assume the reader is
familiar with the carrot and stick (export of single DES and key escrow)
provision of the new regs. IANAL.

This post refers to the text of the regulations available at
http://jya.com/bxa123096.txt and
http://jya.com/itar123096.txt

The above URLs mirror [Federal Register: December 30, 1996 (Volume 61,
Number 251)], also available via
http://www.access.gpo.gov/su_docs/aces/aces140.html

First the good news: the export controls mentioned in the draft of the regs
on any kind of data security software, regardless of whether it uses crypto
or not, did not carry into the final version.

Now to the rest of the news. 

>Requests for one-time review of recoverable
>products which allow government officials to obtain, under proper legal
>authority and without the cooperation or knowledge of the user, the
>plaintext of the encrypted data and communications will also receive
>favorable consideration.

The GAK provisions require that the keys are made available without
knowledge of the user. This disqualifies some of the suggested key recovery
schemes alerting the user to the fact that keys are being requested.

>A
>printed book or other printed material setting forth encryption source
>code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However,
>notwithstanding Sec. 734.3(b)(2), encryption source code in electronic
>form or media (e.g., computer diskette or CD ROM) remains subject to
>the EAR (see Sec. 734.3(b)(3)). The administration continues to review
>whether and to what extent scannable encryption source or object code
>in printed form should be subject to the EAR and reserves the option to
>impose export controls on such software for national security and
>foreign policy reasons.

Printed source can still be exported. Source printed in special OCR fonts
will eventually be banned.

Finally, to the big one:
>Sec. 736.2  General prohibitions and determination of applicability.
>
>* * * * *
>    (7) General Prohibition Seven--Support of Certain Activities by
>U.S. persons--(i) Support of Proliferation Activities (U.S. Person
>Proliferation Activity). If you are a U.S. Person as that term is
>defined in Sec. 744.6(c) of the EAR, you may not engage in any
>activities prohibited by Sec. 744.6 (a) or (b) of the EAR which
>prohibits the performance, without a license from BXA, of certain
>financing, contracting, service, support, transportation, freight
>forwarding, or employment that you know will assist in certain
>proliferation activities described further in part 744 of the EAR.
>There are no License Exceptions to this General Prohibition Seven in
>part 740 of the EAR unless specifically authorized in that part.

IMHO, this closes the door on the foreign contracting loophole used by C2
and others. It is now illegal for US persons to finance or contract out
overseas crypto development, since doing so will obviously assist in
proliferation. While not unexpected (I offered a bet on Cypherpunks that
this would happen. Nobody took the bet.), this provision sets a dangerous
precedent. The technical assistance prohibitions of the past have been
transformed into general prohibitions against "financing, contracting,
service, support, transportation, freight forwarding, or employment".

Again, IANAL.



-- Lucky Green <mailto:[email protected]> PGP encrypted mail preferred
   Make your mark in the history of mathematics. Use the spare cycles of
   your PC/PPC/UNIX box to help find a new prime.
   http://www.mersenne.org/prime.htm