On 2021-09-26 21:20, Rich Freeman wrote:
Back in the PGP ITAR days I believe somebody went through some loopholes to publish the software outside the US,
Yes, PGP 2.6 source code got published as an OCR-friendly book (https://dl.acm.org/doi/book/10.5555/207390) which was then legally taken from the US abroad.
and it is probably debatable whether that was legal under US law,
I am no expert on US law but from what I have read (in many different sources, with me having begun using PGP in either late 1996 or early 1997 i.e. when it was still very much subject to US export restrictions) about this case, both the publishing of the source-code book and it having subsequently been taken out of the country has been legal - the former due to publishing the first amendment and the second due to the scope of ITAR as far as crypto software was concerned.
but presumably the people who did it didn't care, and enforcement was unlikely at all, and especially unlikely if you didn't have plans to visit the US after bragging about distributing it.
I don't know if Ståle Schumacher (the person who scanned the book and subsequently published "international" versions of PGP 2 in Norway) ever visited the US afterwards. On the other hand the source-code book itself, the purpose of which was rather clear given it even contained notes on how to OCR it, was written by a US person (Phil Zimmermann himself) and published by a US company (MIT Press) - so I am not quite convinced they either thought they would be our of reach of US law (indeed, wasn't PRZ still being persecuted by US Customs at the time?), or didn't care.
Not that any of this changes the point you have tried to make regarding due diligence, mind you.
-- Marecki
