overly restrictive reading of the EAR
Posted Oct 23, 2003 2:23 UTC (Thu) by roelofs
Parent article: Bernstein wins, sort of
Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.
That's incorrect. Open Source software (including associated binaries) is explicitly exempt from that rule under License Exception TSU, as noted in the 6 June 2002 clarification of section 740.13(e) of the EAR (see Federal Register, vol. 67, no. 109, p. 38857, middle of page):
c. Clarification of when a notification is required. i. Encryption source code that would be considered publicly available, and corresponding object code. This rule simplifies U.S. export treatment of encryption source code that would be considered publicly available, by allowing all such source code (and corresponding object code) to be exported and reexported under License Exception TSU once notification (or a copy of the source code) is provided to BIS, regardless of whether a fee or royalty is charged for the commercial production or sale of products developed using this software. Refer to § 740.13(e).
This exception is used by both Debian and Info-ZIP (although I seem to have forgotten to upload the updated notice to the latter site...I'll fix that soon). Note that other portions of the EAR provide the proper contact addresses and so forth. The relevant copy of the Register is available in PDF form from some US government site, but I've forgotten which one (LoC? BIS? check Google for "License Exception TSU" and/or "Federal Register").
to post comments)