Heikki Toivonen wrote:
Several pages on mozilla (Google: site:mozilla.org or site:mozilla.com
Libya) show the crypto export restrictions blurb ("countries and
nationals of Libya yada yada").

These notices are actually not the same. Some list Taliban controlled
areas of Afghanistan, some list parts of Serbia, and so on.

Which is the accurate one?

Short answer: Probably none of them. Long answer: See below.

Who is maintaining those notices?

I'm not sure if anyone is actively maintaining the notices. Ultimately the Mozilla Foundation is responsible for maintaining them; I'll take an action item to help consolidate and correct these. (Consider the remainder of this message a first step to try to clarify the issue.)

Where *exactly* (URLs if possible) do/did you get the language and/or
information for these notices?

I don't believe that there's a single public "official" source for the exact language of the notice; I've looked on the website of the US Bureau of Industry and Security <http://www.bis.doc.gov>, the agency that administers US encryption export controls, and couldn't find anything like these notices.

I think the exact restrictions ultimately derive from a combination of sources, as described below. (Note that I am not a lawyer, and this is not legal advice.)


1. The applicable US export regulations for open source / free software source code containing encryption functionality (and the corresponding object code) are in section 740.13(e) of the US Export Administration Regulations:

  http://www.access.gpo.gov/bis/ear/pdf/740.pdf

See page number 30 (page 32 in the PDF). This is the section that authorizes US persons and organizations to export such open source encryption code without a US export license (using license exception TSU).

However this permission to export is not absolute. In particular 740.13(e)(2) states that

  "This paragraph (e) does not authorize: ...

  (ii) Any knowing export or reexport to a country listed in
  Country Group E:1 in Supplement No. 1 to part 740 of the EAR."


2. If we look in Part 740Spir, "Supplement No. 1 to Part 740, Country Groups":

  http://www.access.gpo.gov/bis/ear/pdf/740spir.pdf

we find that Country Group E:1 (on page 8) currently includes Cuba, Iran, North Korea, Libya, Sudan, and Syria.

In the past I believe that this list included other countries (or parts of countries), and that this is where the references to Afghanistan, Iraq, Serbia, etc., came from. However as far as I can tell those countries are no longer affected by US Export Administration Regulations relating to encryption. In particular, see the BIS "Regional Considerations" page:

http://www.bis.doc.gov/policiesandregulations/regionalconsiderations.htm

Following the links on that page, it appears that US export controls to Afghanistan were relaxed on January 24, 2002, to Iraq on July 30, 2004, and to Serbia on May 18, 2003. As of those dates or sometime thereafter those countries apparently were removed from Country Group E:1.


3. As noted on page 8 of Part 740Spir (the Country Group E:1 page), besides the country-based restrictions Part 744 of the EAR imposes additional restrictions on the permission to export granted by section 740.13(e):

    http://www.access.gpo.gov/bis/ear/pdf/744.pdf

In particular there are restrictions on export to Specially Designated Global Terrorists (SDGT) (see section 744.12), Specially Designated Terrorists (SDT) (section 744.13), and Foreign Terrorist Organizations (FTO) (see section 744.14). (The Country Group E:1 page also mentions a category named Specially Designated Narcotics Traffickers or SDNT, but this doesn't appear in the current version of part 744.)

For these groups Part 744 basically rescinds the ability to take advantage of License Exception TSU (or any other license exception for that matter); see in particular sections 744.12(b), 744.13(b), and 744.14(b).

The SDGT, SDT, and FTO groups are included on the so-called Specially Designated Nationals (SDN) list maintained by the US Department of the Treasury:

  http://www.treas.gov/offices/enforcement/ofac/sdn/

The SDN list also contains some other groups as well; it's not immediately clear to me whether or not all those other groups are prohibited groups as far as encryption export is concerned.


4. Part 744 also imposes restrictions on a more general "Entity List" of people and organizations, as specified in Part 744Spir, "Supplement No. 4 to Part 744, Entity List":

  http://www.access.gpo.gov/bis/ear/pdf/744spir.pdf

However the restrictions imposed on those on the Entity List are not necessarily absolute; in some cases export of all items subject to the EAR (including open source encryption software) is prohibited, in other cases the prohibition extends only to certain types of items, and not necessarily to encryption software.


5. BIS maintains a "Lists to Check" page that provides some guidance on how to check whether you need an export license for a particular person or organization:

  http://www.bis.doc.gov/ComplianceAndEnforcement/ListsToCheck.htm

These lists include the ones typically mentioned in Mozilla notices relating to encryption code:

* Denied Persons List. This is a list of people and organizations who've participated in past export control violations.
* Entity List (discussed above).
* Specially Designated Nationals list (discussed above).

The page also mentions three other lists:

* Unverified List. There's no blanket prohibition for exports to people or organizations on this list, but they are deemed to be suspicious.
* Debarred List. This list is in reference to ITAR-controlled defense articles, and as such doesn't apply to encryption software, which was removed from ITAR controls several years ago.
* Nonproliferation Sanctions. This list appears to be in regard to activities relating to proliferation of weapons of mass destruction (WMD). It's not clear that it applies to export of encryption software.


Given the above, here are my preliminary thoughts on how the encryption export control notice should be updated and standardized:

First, I think the notice should be changed to read "This source code ... may not be *knowingly* exported or re-exported ...". Technically putting source code on an open web site or FTP site constitutes export under the EAR, so as it reads the notice implies that you can't put the software on the net at all. This is not in fact the case, for two reasons:

a) As noted above, the specific prohibition in 744.13(e)(2) is against "knowing export or reexport", not against export or reexport per se.

b) The concluding note to 744.13(e) specifically states that

  Posting encryption source code and corresponding object code on
  the Internet ... where it may be downloaded by anyone [does not
  establish] 'knowledge' of a prohibited export or reexport for
  purposes of this paragraph ...

(In other words, it's not "knowing export or reexport".)

Second, I think that the list of countries in the notice should be changed to list only those currently named in Part 744Spir as being part of Country Group E:1.

Finally, references to the Bureau of Export Administration and Security should be changed to refer to the Bureau of Industry and Security (its new name).

The proposed standard notice would then be as follows:

  This source code is subject to the U.S. Export Administration
  Regulations and other U.S. law, and may not be knowingly exported
  or re-exported to certain countries (currently Cuba, Iran, Libya,
  North Korea, Sudan and Syria) or to persons or entities prohibited
  from receiving U.S. exports (including Denied Parties, entities on
  the Bureau of Industry and Security Entity List, and Specially
  Designated Nationals).

This notice is still over-broad; for example, as noted above there are people and organizations on the Entity List to whom export of encryption software under license exception TSU is in fact permitted. However I don't think being a bit over-broad is a problem in this context.

Before anyone changes the current notices I think it would be a good idea to get legal signoff on any changes. I'll talk to the relevant people about doing this.

Also I wonder: is it ok for these notices to be somewhat hidden, in the
sense that most people will never see them when they go download NSS or
Mozilla because the notices are either on some developer page or a file
in ftp root directory or something?

No, the notices should be relatively prominent, especially notices directed at developers downloading source code, since they're the most likely persons to be exporting or reexporting the code.

Frank

P.S. One final comment, because there's been confusion in the past on this point: Occasionally people in Cuba, Iran, etc., complain about the notice discussed above, claiming that it prohibits them from downloading Mozilla code. This is not really the case, for a variety of reasons.

First, the notice is directed at people and organizations who are subject to the US Export Administration Regulations, which mainly means US citizens and resident aliens, US-based companies and other organizations, and so on.

Second, the notice is directed at people and organizations who are going to export or reexport the code, for example by putting the code on a web site (whether public or private), sending the code to other people or organizations via email (or IM, P2P, etc.), shipping CDs of the code, and so on. If you're not exporting or reexporting the code then by definition you're not doing anything controlled by the US Export Administration Regulations.

As noted above, the US government permits anyone subject to its laws and regulations to put open source encryption code on public web sites or FTP sites, in the full knowledge that anyone in the world can download it, including people in Cuba, Iran, etc.

--
Frank Hecker
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto