Programmers' concerns about export restrictions from the United States

Question

Which aspects do I need to consider when designing and publishing software that must meet the US export restrictions for cryptographic software?

Wikipedia says that there are various categories which you can assign to cryptographic software. And the export destination (e.g. China, Russia) does play a major role as well. But I didn't really understand those restrictions and their effect on my work.

Can anybody explain that to me?

I'm asking because if you try to publish your application (e.g. on Apple's App Store or Android's Market) you have to assure that your application meets the US export restrictions. And there are lots of applications who offer secure information storage, e.g. for passwords.

Have they all notified the government and asked for a review? Of course, you cannot know if they did. But do they need to do this?

Answer 1

If your code is open source, the restrictions are very light-weight: you cannot export your code to countries or entities that have been restricted and you must notify the government of the location where they can download source and object files. You must make some effort to prevent the code from being downloaded by Cuba, Iran, Libya, North Korea, Syria, and Sudan. You must ask all your users to not export to these nations.

You will be expected to prepare lists of all "packages" and "files" that contain the encryption primitives. (I recall that we were allowed to skip hashing primitives that were used only for authentication or integrity controls.)

If your code is not open source, you must file for exceptions on your own code. I expect you'll need to prepare similar lists of source / object files and which algorithms are implemented for what mechanisms. I further expect it'll require review before the license is granted.

While I believe all my information is correct as of 30 December 2011, I am not a lawyer and cannot provide you with legal advice. These are simply pointers to currently-available US government resources.

Answer 2

Are you writing your own cryptographic routines or merely calling a 3rd party routine?

The reason I ask is because if for example on Windows you are using one of the Microsoft provided routines then you are not the one publishing or distributing the controlled software, in which case your software would not be under any restriction.

Answer 3

If this is just a question for interest's sake, then the other answers are great. If it pertains to something you are actually doing?

GO SEE A Lawyer. NOW.

Are you still waiting? Then I'll expand.

Go see a lawyer. Now. Don't wait, don't think. If you don't have one already, find one. Ask them to put you in touch with someone who handles business law as a job. Check his credentials, and if they look right, sit down with that person and offer them money for advice. Feel free to negotiate on terms.

If you don't trust me, and I'll admit I'm being very definite without much experience in this area, read this article, written in May 2010, by someone who's been successfully running a family business since '93.

If you are trying to run an Indie game business, you are, first and foremost, running a business. All local, state, and federal laws apply. You need a business license. Or licenses. Every business should have a lawyer and an accountant. I personally have done without having a dedicated lawyer on tap (an unwise course), but every business should have a skilled accountant.

What this means is that someone whose business comprises two people selling games where lizards in armour beat up goblins is aware he's taking a risk by not having access to his own personal lawyer at all times.

Are you a business? Don't know. If you're selling something, you could well be. Guess who would know? A Lawyer.

You don't have to pay for a very expensive lawyer for a long time, but at the very least you need to have someone available by appointment who you can run things by before doing stuff that may be legally dangerous, and who can explain to you what may be legally dangerous.

Because here's the thing. If you do it up front, then many things apply.

1. You're less likely to screw up and attract the attention of the govt.
2. You're more aware when you have screwed up, and what to do about it, including an existing contact you can call to help you.
3. If you do screw up and attract the attention of the govt, you can explain that you tried to do everything right, and have the notes from the lawyer to prove it.

If you don't? Well, I recently discovered that if you are aware that you're not competent to handle something, and you don't seek advice, that legally means you deliberately chose to screw up. In money, that's fraud. In export sanctions, I think it's on the same scale as treason.

Regarding internet research: This blog post was written in Jan 17 2011. And the first thing it says in there? That this stuff changed recently. So it could change again. It could already have changed. Which means that if someone blindly follows this 3 years from now, they could end up having to spend some serious time explaining to besuited men that they're not a traitor, they're just daft enough to think that blog posts are legal documents.

Do me a favour for my own peace of mind. Go see a lawyer.

Answer 4

A slightly different answer, but why write the encryption code in the USA? Even if you write the rest of the product in the USA, it makes a lot of sense to do the encryption parts elsewhere. You can still sell your product in the USA, but you import into the USA, rather than export from the USA.

As an aside, in the early PGP days, the export rules were sidestepped by printing a book containing the source code, and exporting the book.