Heikki Toivonen wrote:
> Several pages on mozilla (Google: site:mozilla.org or site:mozilla.com
> Libya) show the crypto export restrictions blurb ("countries and
> nationals of Libya yada yada").
> These notices are actually not the same. Some list Taliban controlled
> areas of Afghanistan, some list parts of Serbia, and so on.
> Which is the accurate one?

Short answer: Probably none of them. Long answer: See below.

> Who is maintaining those notices?

I'm not sure if anyone is actively maintaining the notices. Ultimately
the Mozilla Foundation is responsible for maintaining them; I'll take an
action item to help consolidate and correct these. (Consider the
remainder of this message a first step to try to clarify the issue.)

> Where *exactly* (URLs if possible) do/did you get the language and/or
> information for these notices?

I don't believe that there's a single public "official" source for the
exact language of the notice; I've looked on the website of the US
Bureau of Industry and Security <http://www.bis.doc.gov>, the agency
that administers US encryption export controls, and couldn't find
anything like these notices.
I think the exact restrictions ultimately derive from a combination of
sources, as described below. (Note that I am not a lawyer, and this is
not legal advice.)
1. The applicable US export regulations for open source / free software
source code containing encryption functionality (and the corresponding
object code) are in section 740.13(e) of the US Export Administration
Regulations:
http://www.access.gpo.gov/bis/ear/pdf/740.pdf
See page number 30 (page 32 in the PDF). This is the section that
authorizes US persons and organizations to export such open source
encryption code without a US export license (using license exception TSU).
However this permission to export is not absolute. In particular
740.13(e)(2) states that
"This paragraph (e) does not authorize: ...
(ii) Any knowing export or reexport to a country listed in
Country Group E:1 in Supplement No. 1 to part 740 of the EAR."
2. If we look in Part 740Spir, "Supplement No. 1 to Part 740, Country
Groups":
http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf
we find that Country Group E:1 (on page 8) currently includes Cuba,
Iran, North Korea, Libya, Sudan, and Syria.
In the past I believe that this list included other countries (or parts
of countries), and that this is where the references to Afghanistan,
Iraq, Serbia, etc., came from. However as far as I can tell those
countries are no longer affected by US Export Administration Regulations
relating to encryption. In particular, see the BIS "Regional
Considerations" page:
http://www.bis.doc.gov/policiesandregulations/regionalconsiderations.htm
Following the links on that page, it appears that US export controls to
Afghanistan were relaxed on January 24, 2002, to Iraq on July 30, 2004,
and to Serbia on May 18, 2003. As of those dates or sometime thereafter
those countries apparently were removed from Country Group E:1.
3. As noted on page 8 of Part 740Spir (the Country Group E:1 page),
besides the country-based restrictions Part 744 of the EAR imposes
additional restrictions on the permission to export granted by section
740.13(e):
http://www.access.gpo.gov/bis/ear/pdf/744.pdf
In particular there are restrictions on export to Specially Designated
Global Terrorists (SDGT) (see section 744.12), Specially Designated
Terrorists (SDT) (section 744.13), and Foreign Terrorist Organizations
(FTO) (see section 744.14). (The Country Group E:1 page also mentions a
category named Specially Designated Narcotics Traffickers or SDNT, but
this doesn't appear in the current version of part 744.)
For these groups Part 744 basically rescinds the ability to take
advantage of License Exception TSU (or any other license exception for
that matter); see in particular sections 744.12(b), 744.13(b), and
744.14(b).
The SDGT, SDT, and FTO groups are included on the so-called Specially
Designated Nationals (SDN) list maintained by the US Department of the
Treasury:
http://www.treas.gov/offices/enforcement/ofac/sdn/
The SDN list also contains some other groups as well; it's not
immediately clear to me whether or not all those other groups are
prohibited groups as far as encryption export is concerned.
4. Part 744 also imposes restrictions on a more general "Entity List" of
people and organizations, as specified in Part 744Spir, "Supplement No.
4 to Part 744, Entity List":
http://www.access.gpo.gov/bis/ear/pdf/744spir.pdf
However the restrictions imposed on those on the Entity List are not
necessarily absolute; in some cases export of all items subject to the
EAR (including open source encryption software) is prohibited, in other
cases the prohibition extends only to certain types of items, and not
necessarily to encryption software.
5. BIS maintains a "Lists to Check" page that provides some guidance on
how to check whether you need an export license for a particular person
or organization:
http://www.bis.doc.gov/ComplianceAndEnforcement/ListsToCheck.htm
These lists include the ones typically mentioned in Mozilla notices
relating to encryption code:
* Denied Persons List. This is a list of people and organizations who've
participated in past export control violations.
* Entity List (discussed above).
* Specially Designated Nationals list (discussed above).
The page also mentions three other lists:
* Unverified List. There's no blanket prohibition for exports to people
or organizations on this list, but they are deemed to be suspicious.
* Debarred List. This list is in reference to ITAR-controlled defense
articles, and as such doesn't apply to encryption software, which was
removed from ITAR controls several years ago.
* Nonproliferation Sanctions. This list appears to be in regard to
activities relating to proliferation of weapons of mass destruction
(WMD). It's not clear that it applies to export of encryption software.
Given the above, here are my preliminary thoughts on how the encryption
export control notice should be updated and standardized:
First, I think the notice should be changed to read "This source code
... may not be *knowingly* exported or re-exported ...". Technically
putting source code on an open web site or FTP site constitutes export
under the EAR, so as it reads the notice implies that you can't put the
software on the net at all. This is not in fact the case, for two reasons:
a) As noted above, the specific prohibition in 740.13(e)(2) is against
"knowing export or reexport", not against export or reexport per se.
b) The concluding note to 740.13(e) specifically states that
Posting encryption source code and corresponding object code on
the Internet ... where it may be downloaded by anyone [does not
establish] 'knowledge' of a prohibited export or reexport for
purposes of this paragraph ...
(In other words, it's not "knowing export or reexport".)
Second, I think that the list of countries in the notice should be
changed to list only those currently named in Part 744Spir as being part
of Country Group E:1.
Finally, references to the Bureau of Export Administration and Security
should be changed to refer to the Bureau of Industry and Security (its
new name).
The proposed standard notice would then be as follows:
This source code is subject to the U.S. Export Administration
Regulations and other U.S. law, and may not be knowingly exported
or re-exported to certain countries (currently Cuba, Iran, Libya,
North Korea, Sudan and Syria) or to persons or entities prohibited
from receiving U.S. exports (including Denied Parties, entities on
the Bureau of Industry and Security Entity List, and Specially
Designated Nationals).
This notice is still over-broad; for example, as noted above there are
people and organizations on the Entity List to whom export of encryption
software under license exception TSU is in fact permitted. However I
don't think being a bit over-broad is a problem in this context.
Before anyone changes the current notices I think it would be a good
idea to get legal signoff on any changes. I'll talk to the relevant
people about doing this.

> Also I wonder: is it ok for these notices to be somewhat hidden, in the
> sense that most people will never see them when they go download NSS or
> Mozilla because the notices are either on some developer page or a file
> in ftp root directory or something?

No, the notices should be relatively prominent, especially notices
directed at developers downloading source code, since they're the most
likely persons to be exporting or reexporting the code.
Frank
P.S. One final comment, because there's been confusion in the past on
this point: Occasionally people in Cuba, Iran, etc., complain about the
notice discussed above, claiming that it prohibits them from downloading
Mozilla code. This is not really the case, for a variety of reasons.
First, the notice is directed at people and organizations who are
subject to the US Export Administration Regulations, which mainly means
US citizens and resident aliens, US-based companies and other
organizations, and so on.
Second, the notice is directed at people and organizations who are going
to export or reexport the code, for example by putting the code on a web
site (whether public or private), sending the code to other people or
organizations via email (or IM, P2P, etc.), shipping CDs of the code,
and so on. If you're not exporting or reexporting the code then by
definition you're not doing anything controlled by the US Export
Administration Regulations.
As noted above, the US government permits anyone subject to its laws and
regulations to put open source encryption code on public web sites or
FTP sites, in the full knowledge that anyone in the world can download
it, including people in Cuba, Iran, etc.
--
Frank Hecker