> From: Russell Nelson <[EMAIL PROTECTED]>
> Date: Fri, 24 Sep 1999 16:22:51 -0400 (EDT)
> Dick St.Peters writes:
> > Remember that traceroute I sent you showing packets from me to a site
> > near here going by way of Europe? I was telling a friend about that
> > this morning, and he asked an interesting question.
> >
> > Suppose someone on my network sent someone at the site a cryptographic
> > program - a US citizen in the US sending it to another US citizen in
> > the US, but the packet route is via Europe. Is that illegal?
> >
> > If so, who is guilty? My user with no knowledge of the route?
> > Sprint, who sent the packets abroad with no knowledge of what they
> > contained? EUNet, who BGP-announced the route to Sprint in Europe?
The NSA, for pressuring Sprint and EUNet to route packets this way so
they can legally intercept them. :-)
Seriously, my first reaction was that no crime had been committed, but
upon re-examining the export regulations I'm not so sure. Perhaps the
fact that the packets are explicitly destined for the US is considered
"adequate precaution" against unauthorized transfer. Here is the
relevant section [734.2(b)(9)] of the EAR:
(9) Export of encryption source code and
object code software.
(i) For purposes of the EAR, the export of encryption source
code and object code software means:
(A) An actual shipment, transfer, or transmission out of
the United States (see also paragraph (b)(9)(ii) of this
section); or
(B) A transfer of such software in the United States to
an embassy or affiliate of a foreign country.
(ii) The export of encryption source code and object code
software controlled for EI reasons under ECCN 5D002 on the
Commerce Control List (see Supplement No. 1 to part 774 of
the EAR) includes downloading, or causing the downloading of,
such software to locations (including electronic bulletin
boards, Internet file transfer protocol, and World Wide Web
sites) outside the U.S. (except Canada), or making such
software available for transfer outside the United States
(except Canada), over wire, cable, radio, electromagnetic,
photo optical, photoelectric or other comparable
communications facilities accessible to persons outside the
United States (except Canada), including transfers from
electronic bulletin boards, Internet file transfer protocol
and World Wide Web sites, unless the person making the
software available takes precautions adequate to prevent
unauthorized transfer of such code outside the United States
or Canada. Such precautions shall include ensuring that the
facility from which the software is available controls the
access to and transfers of such software through such
measures as:
(A) The access control system, either through automated
means or human intervention, checks the address of every
system requesting or receiving a transfer and verifies
that such systems are located within the United States or
Canada;
(B) The access control system provides every requesting
or receiving party with notice that the transfer includes
or would include cryptographic software subject to export
controls under the Export Administration Regulations, and
that anyone receiving such a transfer cannot export the
software without a license; and
(C) Every party requesting or receiving a transfer of
such software must acknowledge affirmatively that he or
she understands that the cryptographic software is
subject to export controls under the Export
Administration Regulations and that anyone receiving the
transfer cannot export the software without a license.
BXA will consider acknowledgments in electronic form
provided that they are adequate to assure legal
undertakings similar to written acknowledgments.