Do the U.S. export laws around AES-256 apply to applications hosted in the cloud?

Thomas Pornin
David Savage
  • Please add more contextual information to your question. Read the FAQ for guidance on how to ask questions - http://security.stackexchange.com/faq – Rory Alsop Jul 13 '11 at 21:04
  • ^ What they said. I could be wrong, but I thought export laws on publicly-available cryptography mechanisms were rescinded in the U.S. and most other countries? – Iszi Jul 14 '11 at 04:07
  • Isn't it still a problem exporting stuff to Iran, North Korea etc.? That said, the rest of the world can receive normal encryption. – Andrew Russell Jul 14 '11 at 07:34
  • For clarification, I am referring to US law. As an example, consider a web-based application hosted in the cloud. The server that is hosting/serving the application may be located in Asia, or Europe - but with the cloud, it could be up to the service provider to determine that. – David Savage Jul 14 '11 at 13:09
  • You may consider it off-topic for this particular question, but why are you considering AES-256 rather than AES-128 (which has no restrictions under US law, as I understand it, and has essentially the same resistance to attack, at least today)? – nealmcb Jul 14 '11 at 14:20
  • @nealmcb, I'm not aware of any differences in export restrictions between AES-128 vs AES-256. Do you know differently, and if so, do you have a pointer where I can learn more? – D.W. Jul 15 '11 at 06:09
  • @d.w. Well, I'm guilty of just repeating something I heard without having seen a proper reference. I recall that it was somewhere on this site, but I forget. But that points to the fact that the question also has no reference, and that seems like the place to start. What US laws affect export of AES? @rory, can you cite something? – nealmcb Jul 15 '11 at 13:35

2 Answers

To expand on Thomas's answer and my comment, in this particular case:

  • Exporting AES-256 encryption to certain customers is restricted by the US Government. For example, if you are selling to the government of China, you need an export license. But you can sell to a private entity in China.

    You cannot get a license to sell to certain embargoed countries and persons:

    These include Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taliban-controlled areas of Afghanistan.

  • Some countries, including China and Russia, require an import permit (or prohibit import) for encryption products.

Which doesn't give you a definitive answer where the cloud is ill-defined, so the solution will be to use a cloud provider who will agree under contract to limit the geographical distribution of your cloud. Many already do this - e.g. IronMountain allows you to choose the exact locations you want your data to be in, and cloud providers in the EU are supposed to keep customer data within the EU.

Paŭlo Ebermann
Rory Alsop
Laws of a given country apply wherever the country itself extends. It is a geographical context. It has been noted many times that space-based jurisdictions do not map well on a computerized, networked world, because it is often hard to know in which countries a given information transited between two systems (especially since "information" is not the same as "bunch of electrons whose wiggling in some copper cable somewhere is harnessed to transfer information"). The "cloud" just goes a bit further in that direction; it does not change things qualitatively, but quantitatively.

As an illustration of jurisdiction-related issues, consider the case of Sony against Geohot about the PS3 jailbreak, in particular this quote:

SCEA has sought to establish personal jurisdiction in California, because the US District Court there has a tendency to favor electronics companies in lawsuits thanks to some precedents set in prior landmark cases. The company maintains it has the grounds to file its suit in California, claiming that most of the people who downloaded the PS3 jailbreak can be traced to that particular state. That is to say that Hotz has the minimum contacts in California for Sony to bring its case before the state's District Court.

Sony went to much trouble to obtain log records from ISPs to try to establish that jurisdiction thing. (Two weeks later, Sony and Geohot settled out of court, so we will never know how this would have turned out legally speaking.)

Yet you can be sure that some laws apply. There are places where no law from any specific country applies (high sea, outer space above 80km from Earth surface, maybe Antarctica) but even if the systems running the "cloud" were located on, say, an offshore platform, yourself and your computer would still physically reside in a more "mainstream" country, whose laws certainly apply.

At that point it becomes complex, because every country has its own set of laws and regulations on cryptographic systems and/or cryptographic keys. See this site for an extensive survey of crypto laws. At a minimum, consider the laws of the country you are in, and those of the country where the cloud systems are located; if only because software you develop and upload to the cloud will go from the former to the latter.

Remember also that I am not entitled in any way to give legal advice. (I do not even really know whether such a disclaimer protects me or not.)

Thomas Pornin
  • I appreciate the response and understand the vagueness of international laws with respect to software. However, in this case I am pretty confident we can find a more concrete answer. – David Savage Jul 14 '11 at 13:19
  • @davids - I'm pretty sure you won't, as these sorts of things haven't been tested well in courts of law, and even those cases that have gone to court don't necessarily have any bearing in other countries. However, see my answer for a possible practical solution. – Rory Alsop Jul 14 '11 at 14:02