On May 23, 2006, at 11:58 AM, [EMAIL PROTECTED] wrote:
Thanks, Gary, for you very thorough review!
I am not a lawyer, either, not even a native English speaker, so I
have
not attempted to decipher the huge amount of information you link
to. I
rely on the judgment of my colleagues, who went through this
export/import control hell, several times. They said, the
classification for the encrypting drives was granted to Seagate,
because the ciphertext is only accessible with very expensive
equipment. I don't know, what classifications we could have got
otherwise.
Hmm interesting...
This means that an encrypting tape drive is a no-no.... Hmmm. DECRU
and Neoscale have been exporting these devices... Can you guys help
here with some clarifications?
One more point: these laws change. A few years ago, when I worked for
Panasonic, we had even problems to get export permissions for DVD
players. This is one of the reasons of the 40-bit key and very weak
crypto. Because of the terrorist threats, the direction is not towards
relaxing the regulations, so for us the only safe way is to assume the
most restrictive rules, that is, we have to work as if the export was
only allowed, when the ciphertext was not easily accessible.
Laszlo
-------- Original Message --------
Subject: Re: Export/Import control
From: Gary Calder <[EMAIL PROTECTED]>
Date: Tue, May 23, 2006 2:16 pm
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
The 'mass market' exclusion is covered under the Cryptography note
3 of
document http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf to
which I
previously referred (publicly available).
-----------------------------------------------
Note 3: Cryptography Note: ECCNs 5A002
and 5D002 do not control items that meet all of
the following:
a. Generally available to the public by being
sold, without restriction, from stock at retail
selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be
easily changed by the user;
c. Designed for installation by the user
without further substantial support by the
supplier; and
d. When necessary, details of the items are
accessible and will be provided, upon request, to
the appropriate authority in the exporter's country
in order to ascertain compliance with conditions
described in paragraphs (a) through (c) of this
note.
N.B. to Cryptography Note: Mass market
encryption commodities and software eligible for
the Cryptography Note are subject to the
notification or review requirements described in
§742.15(b)(1) and (b)(2) of the EAR, unless
specifically excluded from these requirements by
§742.15(b)(3) of the EAR. Mass market
commodities and software employing a key length
greater than 64 bits for the symmetric algorithm
must be reviewed in accordance with the
requirements of §742.15(b)(2) of the EAR in
order to be released from the “EI” and “NS”
controls of ECCN 5A002 or 5D002. All other
mass market commodities and software eligible
for the Cryptography Note are controlled under
ECCN 5A992 or 5D992 (without review) and may
be exported or reexported to most destinations
without a license, following notification, in
accordance with the requirements of
§742.15(b)(1) of the EAR.
--------------------------------------------------
So mass market products meeting the requirements stated are not
controlled by 5A002
However, the 'NB' further says: mass market products with symmetric
encryption > 64 bits must be reviewed to be released from EI and
NS of
5A002. So I would have expected the Seagate drives to have at
least been
reviewed under this clause.
Now there are products specifically not covered by 5A002 but
covered by
5A992 which are personal smart cards, radio and pay TV receivers,
cordless and mobile phones, equipment for banking and money
transactions
(an encrypting hard drive is none of these) and
(c) Equipment where the cryptographic
capability is not user-accessible and
which is specially designed and limited to
allow any of the following:
(1) Execution of copy-protected
“software”;
(2) Access to any of the following:
(a) Copy-protected contents
stored on read-only media;
or
(b) Information stored in
encrypted form on media
(e.g., in connection with the
protection of intellectual
property rights) where the
media is offered for sale in
identical sets to the public;
or
(3) Copying control of copyright
protected audio/video data.
(covering software and CDROMs DVDs etc I assume)
I'm not a lawyer, but I'm puzzled as to how a general purpose
encrypting
hard drive gets included under 5A992....that means it does not fall
under 5A0022 but its not one of the things listed above either.
Unless
its a read only hard drive for copy protected contents?
regards,
Gary Calder
Oxford Semiconductor
