6 March 1998: Add messages
5 March 1998
From: Brian Gladman <gladman@seven77.demon.co.uk> To: UK Crypto List <ukcrypto@maillist.ox.ac.uk> Subject: EU Crypto Free Trade Area Date: Thu, 26 Feb 1998 15:55:55 -0000 Historically EU 'common market' provisions have not applied to cryptographic products and services because EU governments have argued that national security allowed them to override such treaty provisions. Now that cryptographic products and services are primarily commercial in nature it seems to me that the requirements of the European Treaty that governments should not constrain the free circulation of goods and services within the EU should apply to all cryptographic products and services intended for commercial use. I am not entirely sure how to arrange a situation in which the supremacy of these treaty provisions over UK export control laws could be demonstrated but I would be interested if any Lawyers on the list could expand on how this might be tested. I would also appreciate it if anyone who is interested in mounting a challenge along these lines could let me know by secure PGP email - my PGP 5.0 key is below: Brian Gladman -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPfreeware 5.5.3 for non-commercial use <http://www.pgp.com> mQGiBDOmxKYRBADUEQVRLAc65geIyoo5XikKJBl6eF/+4fLLVmhReAPYmg4GTcrH 1lxZMcPZ3pC6x/TmEvYb+RxDXIJZ9GkCELrwq+/C/rS7sa8gRUr7AeOe0XDXRG+r HWjVGtD2JgW+HSMxJJV71nRyBxrw3QNEhmnfI873rtdwIunVy3TM6rU23QCg/xFw fq3j+adxnW8Q2gceOGPvC7cD/A+SrmJaHp5m8bNmlEoEbg6QaiVHua7t2AsUispu IZZ2z1KrnKosPuEn6fs2BzBgLkfx3bWklonVGrPMOVTdrhh+6CsV+ZJHcKftIUOw +a70DCXhKSVtTGj91FkhaJLlXcLmGIYohYwQHr1b0AnKJVonEjq0Jhe+XcGlyIsn /v8jA/9FeRdBEG+ZEoropwfElqx6Ce+BOUB/rvtCkbBEKf8e/qBug8pJp1ZwvoTz 4zH2PzdCks07o6+Z21aZ7QoNYxvs0QD7coBpjgcTuxBKjR0tS29acBTgv0FJmq7I 11ZBB4AoJ56n1ie9Og7dOO+GQE55Fvss+wgU/iIFBbWd1W0jg7QrQnJpYW4gR2xh ZG1hbiA8Z2xhZG1hbkBzZXZlbjc3LmRlbW9uLmNvLnVrPokASwQQEQIACwUCM6bE pgQLAwECAAoJENhfW7D3Ci2Kt3kAoJZfxj38P04JyqaFXTKcgHwwDMzbAJ9Rx3ef RoJa8FsEtHaaRP1xG1yh5YkAlQMFEDOmxK2gykYpxscbDwEBacEEAJnqOSbDeOHH gBpcA6JkJ43jbwscAY6RjpydOTG6Nex9w0VpvmXL2CKJaLUQDqKdeJTQFuHijZkt ycXKFZcqKDeIOFEzQEum3PjZaIxFVOyDSiXIhfLHGIVlRguQkb8XVzNJOoP/GozT wGBqr5gjRPrurQPI9dnsJehre7C+jNEyiQA/AwUQM7qsB4anlG1u4tyVEQIgaQCg 4qu79yeBslywBCWunBpGtWqNxW8AnijCCrYDdCMC68qEU3rvbYLWX1ffiQA/AwUQ M8nzy0He6VBuwIoCEQLG6QCgoYeTNxRCRkr/DOvo8U9iDuAqmzEAnRdqB7CLH5jh dSVWFCFH1Oer9W75iQBGBBARAgAGBQI03FfbAAoJEJ8vtLWycX8+sXgAoLpaoFaQ 5sFa/w7wjKZhWJdC3A1zAKDK/vNWM16HkObaHbLqhGISqirB/IkAPwMFEDTOchlH DPPYeA84gxECv2EAn2Z4GX1PBvbpud+FL6jZWPtFTwAUAKC/Ap1BLk+Zw0fLsMEt weijY1JqJ7kCDQQzpsSmEAgA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDa AadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z 4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBY K+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WM uF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmW n6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwACAggAmEa3pJbQeSvu iFLI6mNl69pHzaW5mPjuz5bSMECl7jV1KgE4KpKWfRd0/jtIwKyN3vIh62DQYOZ+ Da06s1MgzM48LneHZuHBebAK46VqZF5SPmHzZIuU0sh0ihc4qD9rtxSBlcz7P011 egB3qEjRRq4jSLNgwLJUKDk7eB1Vzj1Mclmzo43XHEn8+T6hnKowxWgrLyIvjZ1y tv8wpoYqNOPjXvIhLEXc8CLhN5qjOBZXlo63gD1YbM71htXWthvxfQPSW895aFg2 sYmLMgYSAb11dQQVY2PEMXHEe4umd3W8OtM1w3YraWnB3pILeiRqBFuwwAVqOmSP +z1WF/q7jIkAPwMFGDOmxKbYX1uw9wotihECBDYAn0kjGOV/AcrnBfTJF81Veu5J pJGuAJ9QJsve5mew/zdxO3HPYbq0MpgD4w== =EM3T -----END PGP PUBLIC KEY BLOCK-----
Date: Sat, 28 Feb 1998 18:27:58 +0000 To: ukcrypto@maillist.ox.ac.uk From: Nicholas Bohm <nbohm@ernest.net> Subject: Re: EU Crypto Free Trade Area At 15:55 26/02/98 -0000, Brian Gladman wrote: >Historically EU 'common market' provisions have not applied to cryptographic >products and services because EU governments have argued that national >security allowed them to override such treaty provisions. > >Now that cryptographic products and services are primarily commercial in >nature it seems to me that the requirements of the European Treaty that >governments should not constrain the free circulation of goods and services >within the EU should apply to all cryptographic products and services >intended for commercial use. This certainly seems sound in principle, and consistent with the approach adopted by the EU on this subject so far. >I am not entirely sure how to arrange a situation in which the supremacy of >these treaty provisions over UK export control laws could be demonstrated >but I would be interested if any Lawyers on the list could expand on how >this might be tested. [snip] Several if not all roads lead to the Treaty of Rome. As the Spanish shipping boat cases ("Factortame") show, the UK courts will treat UK law which is inconsistent with EC law as inapplicable to the extent of the inconsistency. If an unlicensed exporter is prosecuted, he can argue the invalidity of UK law as a defence. The court can (and the House of Lords must, unless there is no doubt on the point) refer the issue to the Court of Justice of the EC for a view on the EC law. This isn't much fun for the exporter. It may be possible to seek judicial review of the validity of the UK law, although applications for judicial review normally have to be made within a short time of the doing of the thing to be reviewed. There might be some way of engineering an opportunity for a challenge of this kind. The EC Commission can demand that the UK change its laws where inconsistent with EC law, and can take the UK to the EC court to resolve any legal dispute. If the EC Court ruled against the UK, the UK must change its law; and the existence of such a judgment would ensure that exporters then being prosecuted would be acquitted. To get the Commission to take the point up, someone would need to complain to it. Best might be an exporter who really wanted to export within the EC. This isn't really my field, and it's a bit specialist, so this is a fairly rough guide; and there may be other ways of tackling it. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Date: Mon, 2 Mar 1998 16:32:06 -0500 From: Nigel Hickson <nigelhickson@compuserve.com> Subject: Re: EU Crypto Free Trade Area To: <ukcrypto@maillist.ox.ac.uk> Colleagues With respect to "export controls" the intra-EU controls fall under Export of Good Regulation which is a Community Instrument. This has an Annex (4 I think) with a list of those products which are excluded from "free" intra-eU trade. Crypto is one of the categories. The Commission have noted they intend to revisit the latter this year. Nigel Hickson
From: "Yaman Akdeniz" <lawya@lucs-01.novell.leeds.ac.uk> Organization: University of Leeds To: Nigel Hickson <nigelhickson@compuserve.com> Date: Tue, 3 Mar 1998 12:08:00 GMT0BST Subject: Re: EU Crypto Free Trade Area CC: ukcrypto@maillist.ox.ac.uk Dear Nigel, > With respect to "export controls" the intra-EU controls fall under > Export of Good Regulation which is a Community Instrument. This has > an Annex (4 I think) with a list of those products which are > excluded from "free" intra-eU trade. Crypto is one of the > categories. The Commission have noted they intend to revisit the > latter this year. The following is from a piece that I have written last year before the consultation paper was announced. The full reference for the paper is below. UK Export Controls The use of cryptographic software transmitted internationally may be restricted by export regulations in the UK as in the US. The Export of Goods (Control) Order 1994 as amended by The Dual-Use and Related Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271, 1995) apply to the exportation of cryptographic software from the UK. The definition of cryptographic software is included in the Schedule 2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations 1995 and the export of this kind of regulated information requires an export licence from the Department of Trade and Industry (section 9). Failure to comply with the licence conditions may result in a maximum of two years of imprisonment (Section 8). The DTI White Paper states that export controls will remain in place for encryption products and for digital encryption algorithms (White Paper 1996, para 15). The Government however states that it will take steps to simplify export controls within the European Union with respect to encryption products which are of use with licensed TTPs. Although this sounds like a good initiative, it only includes products which are of use with licensed TTPs. This means that other encryption tools which are not approved by the TTPs will still be subject to stricter export regulations. UK Government Policy on Encryption - 1997 Web Journal of Current Legal Issues 1 at http://www.ncl.ac.uk/~nlawwww/1997/issue1/akdeniz1.html Any comments ? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yaman Akdeniz <lawya@leeds.ac.uk> Cyber-Rights & Cyber-Liberties (UK) at: http://www.leeds.ac.uk/law/pgs/yaman/yaman.htm Read CR&CL (UK) Report, 'Who Watches the Watchmen' http://www.leeds.ac.uk/law/pgs/yaman/watchmen.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 05 Mar 1998 21:35:49 +0000 To: ukcrypto@maillist.ox.ac.uk From: Nicholas Bohm <nbohm@ernest.net> Subject: Re: EU Crypto Free Trade Area At 12:08 3/03/98 GMT0BST, Yaman Akdeniz wrote: [snip] >The use of cryptographic software transmitted internationally may be >restricted by export regulations in the UK as in the US. The Export of >Goods (Control) Order 1994 as amended by The Dual-Use and Related >Goods (Export Control) Regulations 1995 (Customs and Excise, No. 271, >1995) apply to the exportation of cryptographic software from the UK. >The definition of cryptographic software is included in the Schedule >2, 5D2 of the Dual-Use and Related Goods (Export Control) Regulations >1995 and the export of this kind of regulated information requires an >export licence from the Department of Trade and Industry (section 9). >Failure to comply with the licence conditions may result in a maximum >of two years of imprisonment (Section 8). Thanks for these useful references. The 1995 Regulations are made not under the powers granted by general UK export control legislation, but under powers granted by the European Communities Act, and are made to implement an EC Decision (94/942/CFSP) and an EC Regulation (3381/94), both in the EC Official Journal No L367 of 31 December 1994. Assuming that the 1995 Regulations are validly made in conformity with the EC instruments, I would expect this to preclude any challenge to the UK rules on the grounds of their contravening EC law. The assumption is not necessarily valid: the UK has been accused in the past of gold-plating EC rules in the course of purporting to implement them, and might have gone too far. I prefer to leave the investigation of that possibility to an expert. The reference to cryptographic software in the 1995 Regulations (which is in fact in Schedule 1, not 2) is in Section D of Category 5, and is governed by the following note at the beginning of the Schedule, which seems to open up a useful loophole: *** quotation from Regulations *** GENERAL SOFTWARE NOTE (This note overrides any control within section D of Categories 0 to 9.) Categories 0 to 9 of this list do not control software which is either: a. Generally available to the public by being: 1. Sold from stock at retail selling points, without restriction, by means of: a. Over-the-counter transactions; b. Mail order transactions; c. Telephone order transactions; and 2. Designed for installation by the user without further substantial support by the supplier; or b. In the public domain. *** quotation ends *** "In the public domain" is defined in the Regulations as meaning "technology or software which has been made available without restrictions on its further dissemination (copyright restrictions do not remove technology or software from being "in the public domain")." This seems to open a fairly wide road, given the amount of public domain crypto software to be found nowadays. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
Date: Fri, 06 Mar 1998 08:34:24 +0000 To: ukcrypto@maillist.ox.ac.uk From: Nicholas Bohm <nbohm@ernest.net> Subject: Re: EU Crypto Free Trade Area A further point I intended to make on the 1995 Export Control Regulations is that they control the export of GOODS. This is reflected in the note I quoted, with its references to sales from stock at retail outlets. Software can of course take the form of goods (as music can take the form of records), but it does not necessarily do so (as a concert performance is not a sale of goods). Diskettes and CDs containing software are no doubt controlled, but the Regulations do not appear to affect software downloaded from a website or attached to an email. Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 870285 (+44 1279 870285) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
To: ukcrypto@maillist.ox.ac.uk Subject: Re: EU Crypto Free Trade Area Date: Fri, 06 Mar 1998 10:05:22 +0000 From: Stefek Zaba <sjmz@hplb.hpl.hp.com> Nicholas Bohm writes: > A further point I intended to make on the 1995 Export Control Regulations > is that they control the export of GOODS. This is reflected in the note I > quoted, with its references to sales from stock at retail outlets. > > Software can of course take the form of goods (as music can take the form > of records), but it does not necessarily do so (as a concert performance is > not a sale of goods). Diskettes and CDs containing software are no doubt > controlled, but the Regulations do not appear to affect software downloaded > from a website or attached to an email. Indeed - the topic of whether the Export Control Regulations cover "intangibles" has come up before on this list. I believe that "intangibles" would include software-as-bit-on-the-wire, but also other "things" which could be traded - insurance contracts, futures, ... The legal opinion I heard expressed from a real lawyer is that bits-on-the-wire are indeed not covered under a strict reading of the export regs: but that The Relevant Authorities have let it be known informally that companies trading in otherwise export-restricted goods which seek to evade export licensing would be considered to be deliberately flouting the spirit of the regulations. For companies which make their living this way, such flouting could be made uncomfortable in a variety of practical ways - government purchasing power, words in shell-like ears of prime contractors who might otherwise buy bits of crypto software from such grubby little scofflaws, etc. The pragmatic position therefore might be that if you rely on the "intangibles" provision *alone*, you should be prepared to be an interesting test case. Probably of more practical significance is the "mass market" exemption which Nicholas and Yaman have already pointed out: the export regs are worded to catch high-end special-installation-assistance-required (e.g. setting up a centralised key management facility) crypto capability such as an army's command-and-control system might use, while leaving the "password protection" of WordPerfect/MSWord/PKZip etc. uncaught. Given those two ends of the spectrum, it would seem a bizarrely unreasonable interpretation to consider (to take an example not exactly at random) a full-strength SSLified Web server (hi Ben :-) as "mass-market" rather than "hi-end custom installation by supplier". Of course in the particular case of Stronghold, the exemptions stack up particularly strongly: 1) it's software downloaded over the Net, hence intangible; 2) it's mass-market in the sense of the General Software Note; 3) it's public-domain - the source for Apache (and SSLeay) is explicitly and deliberately in the public domain; FTP archive sites of public-domain software seem to me to be in a similarly firmly expempt position in the UK. Obviously enough I'm not a lawyer, and this is not legal advice - it's an opinion from a techie with a dangerously little amount of apparent knowledge! General opinions from the legally qualified are more useful: neither flavour of opinion-expressed-on-the-net is a substitute for paid-for specific legal advice in your particular circumstances. Cheers, Stefek
Date: Fri, 6 Mar 1998 15:26:56 GMT From: Adam Back <aba@dcs.ex.ac.uk> To: ukcrypto@maillist.ox.ac.uk Subject: Re: EU Crypto Free Trade Area Stefek Zaba <sjmz@hplb.hpl.hp.com> writes: > Indeed - the topic of whether the Export Control Regulations cover > "intangibles" has come up before on this list. I believe that "intangibles" > would include software-as-bit-on-the-wire, I have a couple of documents on the web under: http://www.dcs.ex.ac.uk/~aba/ukexport/ and a supplement sheet apparently confirming Stefek's suggestion: > The Relevant Authorities have let it be known informally that > companies trading in otherwise export-restricted goods which seek to > evade export licensing would be considered to be deliberately > flouting the spirit of the regulations. in DTI's (?) own words, see: http://www.dcs.ex.ac.uk/~aba/dti-let.txt Also there is a less interesting DTI document "ECO Notice STU/1": http://www.dcs.ex.ac.uk/~aba/eco-stu1.txt > For companies which make their living this way, such flouting could > be made uncomfortable in a variety of practical ways - government > purchasing power, words in shell-like ears of prime contractors who > might otherwise buy bits of crypto software from such grubby little > scofflaws, etc. The pragmatic position therefore might be that if > you rely on the "intangibles" provision *alone*, you should be > prepared to be an interesting test case. I would be interested to hear of any cases where the DTI/CESG have turned down a tangible an export permission request. Any other DTI export documentation would be interesting also. If you talk to CESG about the topic of tangible exports they start to talk about requiring the crypto to be hard to modify (kind of hard to arrange if you are shipping source on the CD), and they are in general quite hard to pin down on their criteria for an exportable software system. I have a suspicion that the simplest thing to do may be to not talk to them (DTI and CESG) in the first place, unless you really are thinking of shipping something which you consider falls under the export licensing regulations (eg nuclear related, military related, or shipping to embargoed country). Talking to them when you are comfortably sure that your CD with software should be exempt under any reasonable interpretation of the regs just invites them to add stipulations which do not exist in the regs. I have been exporting T-shirts with an RSA implementation (the code in my sig) printed on them: http://www.dcs.ex.ac.uk/~aba/uk-shirt.html I have not asked permission of the DTI to do so. I think I exported a few to Russia if I remember rightly, as well as a number of other countries. A t-shirt is surely a tangible item. Any one in Baghdad want to order one? Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`