Subject: Re: New encryption regulations
From: Frank Hecker <>
Date: Thu, 13 Jan 2000 17:50:49 -0500

"D.V. Henkel-Wallace" wrote:
> What's an export?  Posting a URL without a mechanism to "check" for
> foreign access is (presumably) export.

This was true in the old regulations across the board, and is true in
the new regulations for almost everything as well, but it does not
appear to be true in the new regulations for open source software. See
the new language in 734.2(b)(9)(ii), which is the paragraph that
essentially says that putting encryption software up on the Internet
without access controls constitutes "export"; note in particular the
phrase "except for source code eligible for export under 740.13(e)".
740.13(e) is the section referring to publicly available encryption
source code "not subject to an express agreement for the payment of a
licensing fee...".

So this is sort of weird. I read 734.2(b)(9) in its new form as saying
that putting open source encryption source code on an unrestricted FTP
site is not "export" in the context of the EAR. But this seems at odds
with 740.13(e)(1), which implies that doing this is in fact export,
albeit a permitted export.

> Hence, as I read this: anyone
> planning to post gratis crypto source code needs to notify the
> government -- and every time you update the file.

Well, 740.13(e)(1) does require notifying the government initially "by
the time of export", but I personally don't read it (or anything else in
740.13(e)) as requiring notification every time you update the file. I
can't find any language in the EAR (old or new) that specifically
addresses this issue; did you?  (However note that for binaries exported
under the ENC license exception, 770.2(n), "Interpretation 14", says
that upgraded versions do not require further review as long as the
relevant encryption functionality has not been modified or enhanced.)

Frank Hecker            work:        home: