INQUIRY: Export Classification Controls

INQUIRY: Export Classification Controls

[Hahn, Michelle]

Dear Cygwin,

My name is Michelle Hahn and I am a Tax Consultant I in the export controls practice at Deloitte. We are conducting an internal risk assessment of our client's third party software, which includes Cygwin. We would like to know if you have assigned an export control classification to Cygwin. If so, can you please share the ECCN with us. Export control classification numbers (sometimes called ECCNs) are specific alpha numeric codes that indicate whether the product or software needs an authorization to be exported. Some examples of export classification numbers for software could be 5A002, 5D002, or 5A992. If not, can you please answer the following questions related to the application and its capabilities:

1
What is the commercial purpose of the application?
2
Is one of the primary functions of the application communications/networking e.g. chatting or instant messaging using text, images and video?
3
Has the software been designed for use with any machinery? i.e. Operation of a device such as exploration equipment? If yes, please provide details
4
How can the software be purchased e.g. through a website or as part of a service provision?
5
Which devices is the software typically downloaded to? i.e. phone, tablet, asset shared computer?
6
Does the software (including any of the sub applications) contain, use or call encryption (information security) functionality?

Please in your answer provide details of the sub applications with such functionality.
7
How does the software utilize cryptography? (commercially, what is it used for - i.e.. sending and receiving information, etc.)
8
Is the encryption functionality of the software limited to performing any of the following:
1.a "Authentication"
1.b "Digital Signature"
1.c "Data integrity"
1.d "Non-repudiation"
1.e Digital rights management including the execution of copy-protected software 1.f Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or,
1.g Key management in support of any function described above
9
Can users access or change cryptographic functionality in the software?
10
Is the software designed or modified to perform cryptanalytic functions?

Thank you,

Michelle Hahn
She/Her/Hers
Tax Consultant I | Global Trade Advisory
Deloitte Tax LLP
30 Rockefeller Plz Fl 41, New York, NY 10112
Tel/Direct: +1 212 436 3673 | Fax: +1 866 834 8710
mhahn@deloitte.com<mailto:mhahn@deloitte.com> | www.deloitte.com<http://www.deloitte.com/>


*****Any tax advice included in this communication may not contain a full description of all relevant facts or a complete analysis of all relevant tax issues or authorities. This communication is solely for the intended recipient's benefit and may not be relied upon by any other person or entity. *****

This message (including any attachments)contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.

Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

v.T.1

Re: INQUIRY: Export Classification Controls

[Brian Inglis]

Hi Michelle,

Cygwin is a global, all-volunteer, open source project, offering free (in many
senses) packages of software from other global, often volunteer, open source
projects, which will run together and allow users to "Get that /Linux/ feeling -
on Windows".

The only answers you will likely get, will have to be from reading the
information on this web site and others, or by engaging open source software
consultants and consulting IP lawyers to do so, and answer your questions.
There may be some such folks working at Deloitte.

Anything any one says about the project are only our/their personal opinions,
and may bear no relation to the actuality, reality, or the truth.

Pointers below:
> Problem reports:      https://cygwin.com/problems.html
> FAQ:                  https://cygwin.com/faq/
> Documentation:        https://cygwin.com/docs.html
> Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

	https://cygwin.com/licensing.html

"Does Cygwin™ have an ECCN number?
No. Cygwin source and binary are made publicly available and free of charge to
download so Cygwin is provided under TSU/TSPA exemption. As a result, Cygwin
does not require an ECCN number."

Please note that the licensing terms require you to bundle, or make available
online, the exact copies of any Cygwin packages source code, that you distribute
in a binary form elsewhere. From the same web page:

"What are the licensing terms?
Most of the tools are covered by the GNU GPL, some are public domain, and others
have a X11 style license. To cover the GNU GPL requirements, the basic rule is
if you give out any binaries, you must also make the source available. For the
full details, be sure to read the text of the GNU General Public License (GPL).

	https://cygwin.com/COPYING

The Cygwin™ API library found in the winsup subdirectory of the source code is
covered by the GNU Lesser General Public License (LGPL) version 3 or later. For
details of the requirements of LGPLv3, please read the GNU Lesser General Public
License (LGPL).

	https://cygwin.com/COPYING.LIB

For more information on the GPL see the GPL FAQ.

	https://gnu.org/licenses/gpl-faq.html"

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]


On 2020-10-28 16:16, Hahn, Michelle via Cygwin wrote:
> Dear Cygwin,
> 
> My name is Michelle Hahn and I am a Tax Consultant I in the export controls practice at Deloitte. We are conducting an internal risk assessment of our client's third party software, which includes Cygwin. We would like to know if you have assigned an export control classification to Cygwin. If so, can you please share the ECCN with us. Export control classification numbers (sometimes called ECCNs) are specific alpha numeric codes that indicate whether the product or software needs an authorization to be exported. Some examples of export classification numbers for software could be 5A002, 5D002, or 5A992. If not, can you please answer the following questions related to the application and its capabilities:
> 
> 1
> What is the commercial purpose of the application?
> 2
> Is one of the primary functions of the application communications/networking e.g. chatting or instant messaging using text, images and video?
> 3
> Has the software been designed for use with any machinery? i.e. Operation of a device such as exploration equipment? If yes, please provide details
> 4
> How can the software be purchased e.g. through a website or as part of a service provision?
> 5
> Which devices is the software typically downloaded to? i.e. phone, tablet, asset shared computer?
> 6
> Does the software (including any of the sub applications) contain, use or call encryption (information security) functionality?
> 
> Please in your answer provide details of the sub applications with such functionality.
> 7
> How does the software utilize cryptography? (commercially, what is it used for - i.e.. sending and receiving information, etc.)
> 8
> Is the encryption functionality of the software limited to performing any of the following:
> 1.a "Authentication"
> 1.b "Digital Signature"
> 1.c "Data integrity"
> 1.d "Non-repudiation"
> 1.e Digital rights management including the execution of copy-protected software 1.f Encryption or decryption in support of entertainment, mass commercial broadcasts or medical records management; or,
> 1.g Key management in support of any function described above
> 9
> Can users access or change cryptographic functionality in the software?
> 10
> Is the software designed or modified to perform cryptanalytic functions?