US Export Regulations on Crypto Eased - dchest
http://www.federalregister.gov/articles/2011/01/07/2010-32803/publicly-available-mass-market-encryption-software-and-other-specified-publicly-available-encryption

======
runningdogx
This is interesting. If I'm reading it correctly, it continues to give open
source crypto an advantage over commercial crypto, since commercial crypto is
not publicly available and therefore sellers have to do some due diligence
about their customers to make sure they're not selling to e.g. a North Korean
government front.

I don't understand why the BIS can't say the cat's out of the bag, and
deregulate encryption software completely. If North Korea and Iran and Libya
aren't using good encryption, it's not because they lack access to it.

If a company can make money selling crypto to regimes like that, what's the
problem? Money flows into crypto companies' pockets at the expense of idiots
in those regimes who could be implementing their own systems based on open
source crypto software, without paying companies from imperialist, corrupt,
decadent western societies a dime.

Why is the state department opposed to letting U.S. companies make money off
of enemy regimes?

~~~
jcr
When President Clinton was asked by a reporter why he had Cuban cigars, he
responded, "Don't think of it as supporting the Cuban economy, instead, think
of it as burning their crops."

~~~
zach
Actually Reagan's secretary of state Alexander Haig. It totally sounds like
something an old conservative ex-army guy would say, doesn't it?

~~~
jcr
Yes, Haig was reported to have said it, possibly first. There are similar
claims for Clinton, Jack Kennedy[1], and Arnold Schwarzenegger having said it.

[1] <http://www.extremeink.com/jokes/2008_08_01_archive.html>

~~~
zach
No doubt countless Cuban smokers have said it since Mort Sahl attributed it to
him, because it's a great line. I can't see Clinton, famously circumspect in
such matters, cracking that joke _to a reporter_, though.

I like the Kennedy misattribution better, but the attested anecdotes about
Jack Kennedy and Cuban cigars are pretty great too:

<http://cubanmadecigars.com/kennedy.html>

------
TheCoreh
Does this mean iOS developers can finally sell apps that use HTTPS without
filling out those forms?

~~~
dchest
I sent a support request to Apple as soon as I heard the news, and asked if
there are any changes with regard to this. I'll post the reply once they
answer.

~~~
dchest
Got a non-answer:

Thank you for contacting Apple Developer Support regarding the iOS Developer
Program.

Developers should be testing and developing their apps in line with the
Program License Agreement and the App Store Review Guidelines.

Please know that you will also be presented a copy of the Program License
Agreement during the enrollment process.

Should you have any questions or concerns, we request that you review the iOS
Developer Program License Agreement details with your own legal counsel.

If you are not yet a member of one of our Apple Developer Programs and are
interested in finding out more about our programs, please visit our web site
at:

<http://developer.apple.com>

Thank you for your interest in our programs.

------
jcr
> This action will not result in the decontrol of source code classified under
> ECCN 5D002

> because, once it is “publicly available,” it is, by definition, available
> for download by any end user without restriction, removing it from the
> jurisdiction of the EAR will have no effect on export control policy.

To me, the above looks like double-speak. Hopefully grellas or someone legally
trained will chime in on what the announcement _really_ means.

~~~
dchest
Full quote:

--

"This action will not result in the decontrol of source code classified under
ECCN 5D002, but it will result in a simplification of the regulatory
provisions for publicly available mass market software and specified
encryption software in object code."

--

ECCN 5A002 is "software". This simplifies provisions for "publicly available
mass market software".

~~~
jcr
And "simplification" means what exactly? -- That's my main point.

The real trouble is, unless these statements are very clear in the legal
sense, some poor bastard might unintentionally become the poster child of bad
litigation/direction. Even unintentional violation of the export laws is a
federal offense, and must be taken very seriously.

~~~
tptacek
It is already vanishingly unlikely that you would be prosecuted for
"exporting" crypto software. I shipped commercial software in the mid-90's,
when we actually had to fill out forms to export code that used (eg) Blowfish
to protect secrets, and I didn't even _remember_ that until this announcement.

My understanding of this announcement is that it simply makes official what
was already near-universal in practice: it's safe to export any non-classified
crypto code. (What's "classified"? You'd know it if you had it. Classified
crypto has more to do with the setting in which it's used than the actual
algorithms in use.)

~~~
jcr
I completely agree on the "vanishingly unlikely prosecution" and "accepting
the obvious" of code already being available. Off the top of my head, I can
think of only one person who has been in this particular hot water over the
years: Phil Zimmermann for his PGP work [1].

For me at least, it's not a matter of whether or not I will get in trouble;
instead, it's whether or not I can get in trouble.

It's just like copyright infringement; you can probably get away with it, but
it's still illegal.

The question now is whether it's legal to export crypto code.

[1] <http://en.wikipedia.org/wiki/Phil_Zimmermann#Criminal_investigation_by_US_Customs>

~~~
tptacek
Back in the '90s, there was all manner of drama surrounding the "export" of RSA
code. People got it patented, or mailed it printed on paper, or had
"non-exportable" T-shirts printed (I bought one of those T-shirts in 1995; this
was before SSL, so I had to send the vendor the bank account information off
the bottom of a check).

If those rules were still germane, just note that they've been violated many
hundreds of times on Hacker News.

I'm glad the government clarified these rules, but there's no genuine
practical impact to this announcement.

~~~
jcr
I believe the RSA code was, initially at least, under a "sealed" patent?

The PGP-based drama of printing books of the source code to get copyright
protections, and then exporting the books rather than exporting the machine
readable code, was just ridiculous. The "International Version" of PGP
(www.pgpi.org) was intended to deal with both the ITAR export restrictions and
also the RSA patents. Fun times, but a real PITA.

Just for clarity, you're referring to the 56-bit versus 128-bit SSL debacle of
the mid 90's.

Getting back to the real problem... how the heck is an open source developer
in the US to know if the crypto code he's written can be legally exported?

Though the announcement seems friendly, it is (intentionally?) not clear.
There is no mention of the ITAR restrictions being lifted. Also, there's
always the issue of unknowing reinvention of something classified.

Other than stating the status quo of crypto code being currently exported, the
announcement does not really offer any legal protection for exporting crypto
code.

Am I just reading the announcement wrong?

Am I wrong in expecting the ITAR restriction being removed?

~~~
ghshephard
Re: "how the heck is an open source developer in the US to know if the crypto
code he's written can be legally exported?"

tptacek: "My understanding of this announcement is that it simply makes
official what was already near-universal in practice: it's safe to export any
non-classified crypto code. "

~~~
tptacek
'jcr is from OpenBSD, a project that did go way, way out of its way to stay
away from US export regulations. I can understand why they'd be picky about
this. I'm just saying, if you're not from OpenBSD, this is largely a solved
problem.

------
technomancy
Federal Law: catching up to a decade ago, yet again.