- From: Ned Freed <NED@innosoft.com>
- Date: Mon, 01 Jan 1996 22:54:50 -0800 (PST)
- To: ams@terisa.com
- Cc: Dan Stromberg - OAC-DCS <strombrg@hydra.acs.UCI.EDU>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-security@ns2.rutgers.edu
> What I *do* know is how *I* behave, given my perhaps buggy understanding of
> export regulations. Roughly speaking, if my software doesn't do encryption,
> I export it without consideration of (the cryptography portion of) ITAR. If
> I had code that did, say, digest authentication and nothing else, I
> wouldn't hesitate to ship it overseas -- or put it on a public FTP server.

And in doing so you may well be OK. As far as I know there have been no prosecutions for violations of ITAR caused by shipping auth-only products overseas. You could, after all, claim that you understood from your reading of ITAR that they are exempt -- it's not an unreasonable reading of the prose at all. And even if you do get in trouble the fact that others have gotten a license may well mean that this will be all you have to do as well, so modulo the hassle factor (which can be considerable -- ask Phil Zimmermann!) you may still be OK.

The other factor here, however, is in what capacity you are acting. It's one thing for you, acting as an individual, to do something you could have gotten a license for without actually getting the license. You may get fined some amount, but you're unlikely to go to jail over something like this. It's quite another if you're acting in some official capacity for a corporation. You may have a fiduciary responsibility not to expose the corporation to undue risk, which means you may be open to a stockholder or even customer lawsuit if you don't play by the rules.

Ned
Received on Monday, 1 January 1996 23:09:30 UTC