Encryption Export Control

Comments

  • Megan
    Megan
    1Password Alumni

    Hi @RichardPayne‌

    This sounds like a question for our security guru! So, I've asked @jpgoldberg‌ to pop in here. :)

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    This is a really tricky issue. It has no direct impact on AgileBits' products because even if we were subject to US export restrictions, 1Password and Knox fall into a far less restricted category than embedded systems. Quite simply, 1Password and Knox can be exported to anywhere that the operating systems they run on can be exported to. Because we (largely) use the cryptographic libraries of the operating systems, we don't face any meaningful export restrictions under current law.

    But this has to be seen as a trial balloon for re-introducing some of the export restrictions that were used to control cryptographic tools back in the 1990s. So if, for example, it is unlawful to export certain technology to Syria, then can that technology be posted on the web? That is, even narrow export restrictions can be used to restrict, in practice, the availably of encryption tools for everyone. So although there is no immediate impact, it is the re-introduction of various controls that I am more generally worried about.

  • RichardPayne
    RichardPayne
    Community Member

    Because we (largely) use the cryptographic libraries of the operating systems, we don't face any meaningful export restrictions under current law.

    Doesn't that only apply to the Mac and iOS? I thought the Windows app uses third party libraries. I have no what you use on Android.

    So if, for example, it is unlawful to export certain technology to Syria, then can that technology be posted on the web?

    Surely they can only enforce such law against direct downloads from your servers? If you put a block on Syrian clients then surely you have discharged your legal liability. If a Syrian client obtains your software from a third party then it can't be held against you.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I don't have the details of this at hand (I'm traveling on not everything is in the cloud), but the Chilkat crypto library used on Windows falls into a very unrestrictive category. Products that use the library are even less restricted. Again, I don't have the details, but even if 1Password for Windows were subject to US export regulations, it falls into the least restrictive categories.

    There are a number of different, and independent, grounds that lead us to believe that 1Password is basically exempt from categories that could otherwise be considered. For example, 1Password is used primarily to encrypt passwords/keys. Likewise, it is a "widely available consumer product", and of course much of its development takes place outside of the US.

    Laws and regulations can change. Export controls have almost no practical effect on what is available to "them", but they do make it harder to have strong crypto available to everyone.

This discussion has been closed.