Steve, I'll be happy to help draft an RFC along these lines--I think one is
probably needed and long overdue. I should be able to arrange for some
expert review and counsel from the Bureau of Export Controls.
It has been my impression for some time that the academic community
in particular was aware of the export restrictions on cryptography, but
were generally not aware of the COCOM and other restrictions. Recently,
with the relaxation of tensions with the former Soviet Union, the concern
about exports to them has decreased but the concern for proliferation to
third world countries such as Iran, Iraq, Syria, etc., of missile and nuclear
technology, and chemical and biological warfare agents has been increasing.
Most recently, the Russians have been invited to participate in a
"Cooperation Forum," with membership open to the republics of the former
Soviet Union, the Baltic republics, Poland, Hungary, and the Czech and Slovak
Republic(s?). On the other hand, I wouldn't be at all surprized if Yugoslavia
and its
various factions didn't end up going back on the restricted list.
Although the COCOM export controls have been the most visible and
well-orchestrated
set of controls over the last 40 years, some of the other groups (notably the
so-called
Australia group (missile technology, I think), the Nuclear Suppliers Group, and
another
group whose name I have forgotten that deals with CBR supplies) also pose a
potential threat to the scientific and academic community. The way that some of
the
legislation was written, anyone who sells ANYTHING to certain proscribed
countries or
organizations can be liable for stiff penalties. Theoretically, if AT&T allows
an international
call to be connected to one of these prohibited entities they could be in
violation.
I'm not suggesting that we try to include all of this information in an RFC--
it would be too
much work. But the situation bears watching. My suggestion to those who may be
involved
in international sales would be to know your customer and your distributors
well, and to
contact someone at Commerce if you suspect anything fishy. After the Iraq war,
companies
who had exported supplies in violation of good common sense were essentially
tried in the
court of world public opinion, and those penalties were harsher than any of the
legal ones.
Finally, to answer Dan Geer's question, "export" in this context means
"disclosure," and
includes the physical transferal of hardware, the physical or electronic
transmission of
software, and the physical, electronic, OR VERBAL transmission of proscribed
technical data
to someone who is not a U.S. citizen or permanent-resident alien with a "Green
Card."
Technically this means that if you have a foreign student working on a project
that involves
export-controlled technical data, and that student only has a student visa
rather than permanent
residency, you may be in violation of the export laws if you just have a verbal
discussion
regarding aspects of cryptography that have not already been "published."
(Prosecution
may not be terribly likely, but there is always the risk of selective
prosecution for quasi-
political reasons.)
Whether you sell it or give it away makes no difference-- it isn't a question
of "commerce"
as such, just disclosure in any form.
I don't mean to suggest that I am willingly acquising to all of these
controls---I think that the
proliferation of encryption in international standards will eventually force a
relaxation of
these laws and regulations. But on the other hand, if you look at what is
going on in the
world with drugs, terrorism, and the rampant nationalism that seems to be
breaking out
everywhere, I have to concede that some controls may be necessary to keep the
genie in the
bottle as long as possible.
With the NIST standard for digital signatures being reviewed, the FBI trying to
get the
telephone companies to provide a remote wiretapping ability, etc., this
promises to be an
interesting year. Get to know your Congressman, and particular your
Congressional
candidates, and let them know of your concerns in this area.
Bob