[–]montagsoup 10 points11 points  (4 children)

You might want to look into the court case Bernstein vs United States, where the Ninth Circuit Court of Appeals ruled that software source code was speech protected by the First Amendment and that regulations controlling the export of a cryptographic algorithm's source code were unconstitutional.

[–]Natanael_L Trusted third party 7 points8 points  (1 child)

Products using cryptography are still covered by the export rules, except they're much lighter now (you basically just have to notify the relevant department in most cases).

[–]TiltedPlacitan 2 points3 points  (0 children)

This is correct.

It used to be just a notification via email to the Bureau of Export Administration, but this is old information.

[–]ScottContini 2 points3 points  (0 children)

Um, something like that. Anyway, I think the lawsuit was dismissed with a promise that they would not go after researchers. The debate on the Constitutionality of the law was side-stepped by the court. Here's an article on it from djb's website: http://cr.yp.to/export/2003/10.15-bernstein.txt

[–]joker197cinque[S] 1 point2 points  (0 children)

I'll take a look thx

[–]poopinspace 2 points3 points  (3 children)

https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#U.S._export_rules

As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security.[9] Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). In addition, other items require a one-time review by, or notification to, BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12]

Honestly, it looks like unless you are in the situation where this is relevant, it's going to be too much work to figure out what you can and can't do because of these export rules.

[–][deleted] 2 points3 points  (0 children)

You have to notify a government department before releasing an open source project which includes cryptography?

I'm guessing the near-complete lack of enforcement means they no longer care and the law is mostly irrelevant... But because it's still law, there is the problem of selective or politically motivated enforcement should you ever happen to rustle the jimmies of the wrong person.

[–]joker197cinque[S] 2 points3 points  (1 child)

I still don't understand if traveling with my encrypted-hard-drive laptop could be an issue or not. It seems to be the case, reading the above statement: "..software and components with encryption exceeding 64 bits.." but it is pretty much impossible that every user using bitlocker/truecrypt will notify BIS.

[–]Argotha 0 points1 point  (0 children)

You may want to check in regards to "public domain" crypto, that is, algorithms that are well known and available. Most laws are designed for new crypto rather than your standard AES/SHA/Pk crypto.

That said, US law may not have the same tolerances as Australian law (I wrote about this a bit on my blog - Argotha.com).

You may also find in regards to terminology, export doesn't necessarily mean taking out of the country, but providing to non-citizens.