Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id HAA07419;
 Mon, 22 May 1995 07:33:31 -0700
Received: from newton.ncsa.uiuc.edu by taz.hyperreal.com (8.6.10/8.6.5) with
 SMTP id HAA07396; Mon, 22 May 1995 07:33:27 -0700
Received: from void.ncsa.uiuc.edu by newton.ncsa.uiuc.edu with SMTP id AA26838
  (5.65a/IDA-1.4.2 for new-httpd@hyperreal.com); Mon, 22 May 95 09:33:08 -0500
Received: by void.ncsa.uiuc.edu (4.1/NCSA-4.1)
	id AA00368; Mon, 22 May 95 09:29:22 CDT
Message-Id: <9505221429.AA00368@void.ncsa.uiuc.edu>
From: efrank@ncsa.uiuc.edu (Elizabeth Frank)
Date: Mon, 22 May 1995 09:29:22 -0500
In-Reply-To: drtr@ast.cam.ac.uk (David Robinson)
       'Re: export restrictions & mirroring Apache at NCSA' (May 21,  4:08pm)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: new-httpd@hyperreal.com
Subject: Re: export restrictions & mirroring Apache at NCSA
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On May 21,  4:08pm, David Robinson wrote:
} Subject: Re: export restrictions & mirroring Apache at NCSA
 > 
 > Beth wrote:
 > > > Hmmm, is it okay for David to continue to allow access to Apache
 > > > (with hooks) from the UK ?... can we say that hyperreal is mirroring
 > > > his site so that it comes under "import" regulations instead of
 > > > export ?  :-)
 > >
 > >No.  In fact, if David allows export of the software (with hooks) from
 > >the UK, he is violating UK export restrictions and the UK equivalent
 > >of the NSA could come knocking on his door.  The treaty is an international
 > >agreement and in theory Europe has agreed to control export from their
 > >countries.
 > 
 > I'd be interested in any evidence you have to support this assertion that it
 > would be illegal to export apache from the UK. There is no reason for the
 > interpretation or enactment of the treaty as legislation to be identical
 > in the UK as the US. Also, we don't have an equivalent of the NSA; the
 > enforcing agency would probably be H.M. Customs & Excise (or maybe
 > Cambridgeshire County Constabulary [local police]). Though I suppose
 > investigation of 'arms smuggling' might fall under the remit of MI5.

All I have to go by is what the NSA people told me.  They said Europe,
Israel and other places I don't remember all signed the treaty so in theory
we would have the same problems exporting from any European country.  (The
question arose out of a discussion of some colaborative work we're doing
with Gratz University in Germany.)  I have no idea if all of Europe or
just most of Europe signed, and Finland came up as a location where we
theoretically could distribute the software from.  The NSA scotched that
fairly rapidly, and pointed out that unless it was INDEPENDANTLY developed
there NCSA would still be responsible and it would be considered an illegal
export of encryption technology.

As an aside, my husband works in the security area and he mentioned that
they have to traverse this nightmare for their code.  There are documents
which are perfectly legal to export on paper but are illegal to export
as code.  In one case, a typed copy of the code can leave the country, but
put the same code on the ftp server and they are in violation.  When they
were looking for ftp sites for certain encryption routines, they found
easily accessable copies in Germany, Australia, and Africa.

 > 
 > So I would have no qualms about exporting apache, given that it does not
 > contain any encryption. There are plenty of other items of software
 > which _do_ contain encryption that are on ftp servers around the country.
 > 
 > > Further more the state department considers colaborative
 > >research, making detailed implementation information, or specifications
 > >available to be the same as exporting it.  On top which, our laws are
 > >written in such a way that importing cryptography is legal, but once
 > >inside the country we can not export it even if we got it outside the
 > >US to start with.
 > 
 > Which means that where the software is exported from is a moot point.
 > As far as the US members of the Apache group are concerned, merely
 > collaborating on Apache is enough to break the law.

I get the impresssion the discussion of ideas is a grey area they aren't
going to get into.  If you start saying, change routines x, y & z, then
they consider it collaboration and the code was not independantly developed.
Whether you will get into trouble if one person makes the changes in the US,
and someone else makes the changes on each of the other continents, I don't
know.  You'll have to ask the NSA.

	-Beth Frank
	efrank@ncsa.uiuc.edu

 >  David.
 > 
}-- End of excerpt from David Robinson