10.10.1. "What are the laws and regulations about export of crypto,
and where can I find more information?"
- "The short answer is that the Department of State, Office
of Defense Trade Controls (DOS/DTC) and the National
Security Administration (NSA) won't allow unrestricted
export (like is being done with WinCrypt) for any
encryption program that the NSA can't crack with less than
a certain amount (that they are loath to reveal) of
effort. For the long answer, see
ftp://ftp.csn.net/cryptusa.txt.gz and/or call DOS/DTC at
703-875-7041." [Michael Paul Johnson, sci.crypt,
1994-07-08]
10.10.2. "Is it illegal to send encrypted stuff out of the U.S.?"
- This has come up several times, with folks claiming they've
heard this.
- In times of war, real war, sending encrypted messages may
indeed be suspect, perhaps even illegal.
- But the U.S. currently has no such laws, and many of us
send lots of encrypted stuff outside the U.S. To remailers,
to friends, etc.
- Encrypted files are often tough to distinguish from
ordinary compressed files (high entropy), so law
enforcement would have a hard time.
- However, other countries may have different laws.
10.10.3. "What's the situation about export of crypto?"
+ There's been much debate about this, with the case of Phil
Zimmermann possibly being an important test case, should
charges be filed.
- as of 1994-09, the Grand Jury in San Jose has not said
anything (it's been about 7-9 months since they started
on this issue)
- Dan Bernstein has argued that ITAR covers nearly all
aspects of exporting crypto material, including codes,
documentation, and even "knowledge." (Controversially, it
may be in violation of ITAR for knowledgeable crypto people
to even leave the country with the intention of developing
crypto tools overseas.)
- The various distributions of PGP that have occurred via
anonymous ftp sources don't imply that ITAR is not being
enforced, or won't be in the future.
10.10.4. Why and How Crypto is Not the Same as Armaments
- the gun comparison has advantages and disadvantages
- "right to keep and bear arms"
- but then this opens the door wide to restrictions,
regulations, comparisons of crypto to nuclear weapons, etc.
- "Crypto is not capable of killing people directly. Crypto
consists entirely of information (speech, if you must) that
cannot be interdicted. Crypto has civilian use." [Robert
Krawitz <rlk@think.com>, 4-11-94, sci.crypt]
10.10.5. "What's ITAR and what does it cover?"
+ ITAR, the International Traffic in Arms Regulations, is
the defining set of rules for export of munitions--and
crypto is treated as munitions.
- regulations for interpreting export laws
+ NSA may have doubts that ITAR would hold up in court
- Some might argue that this contravenes the Constitution,
and hence would fail in court. Again, there have been few
if any solid tests of ITAR in court, and some indications
that NSA lawyers are reluctant to see it tested, fearing
it would not pass muster.
- doubts about legality (Carl Nicolai saw papers, since
confirmed in a FOIA)
- Brooks statement
- Cantwell Bill
- not fully tested in court
+ reports of NSA worries that it wouldn't hold up in court if
ever challenged
- Carl Nicolai, later FOIA results, conversations with Phil
+ Legal Actions Surrounding ITAR
- The ITAR laws may be used to fight hackers and
Cypherpunks...the outcome of the Zimmermann indictment
will be an important sign.
+ What ITAR covers
- "ITAR 121.8(f): ``Software includes but is not limited to
the system functional design, logic flow, algorithms,
application programs, operating systems and support
software for design, implementation, test, operation,
diagnosis and repair.''" [quoted by Dan Bernstein,
talk.politics.crypto, 1994-07-14]
- joke by Bidzos about registering as an international arms
dealer
+ ITAR and code (can code be published on the Net?)
- "Why does ITAR matter?"
- Phil Karn is involved with this, as are several others
here
+ Dan Bernstein has some strongly held views, based on his
long history of fighting the ITAR
- "Let's assume that the algorithm is capable of
maintaining secrecy of information, and that it is not
restricted to decryption, banking, analog scrambling,
special smart cards, user authentication, data
authentication, data compression, or virus protection.
"The algorithm is then in USML Category XIII(b)(1).
"It is thus a defense article. ITAR 120.6." [Dan
Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- "Sending a defense article out of the United States in
any manner (except as knowledge in your head) is
export. ITAR 120.17(1).
"So posting the algorithm constitutes export. There are
other forms of export, but I won't go into them here.
"The algorithm itself, without any source code, is
software." [Dan Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- "The statute is the Arms Export Control Act; the
regulations are the International Traffic in Arms
Regulations. For precise references, see my
``International Traffic in Arms Regulations: A Publisher's
Guide.''" [Dan Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
+ "Posting code is fine. We do it all the time; we have
the right to do it; no one seems to be trying to stop us
from doing it." [Bryan G. Olson, posting code to
sci.crypt, talk.politics.crypto, 1994-08-20]
- Bernstein agrees that few busts have occurred, but
warns: "Thousands of people have distributed crypto in
violation of ITAR; only two, to my knowledge, have been
convicted. On the other hand, the guv'mint is rapidly
catching up with reality, and the Phil Zimmermann case
may be the start of a serious crackdown." [Dan
Bernstein, posting code to sci.crypt,
talk.politics.crypto, 1994-08-22]
- The common view that academic freedom means one is OK is
probably not true.
+ Hal Finney neatly summarized the debate between Bernstein
and Olson:
- "1) No one has ever been prosecuted for posting code on
sci.crypt. The Zimmermann case, if anything ever comes
of it, was not about posting code on Usenet, AFAIK.
"2) No relevant government official has publicly
expressed an opinion on whether posting code on
sci.crypt would be legal. The conversations Dan
Bernstein posted dealt with his requests for permission
to export his algorithm, not to post code on sci.crypt.
"3) We don't know whether anyone will ever be
prosecuted for posting code on sci.crypt, and we don't
know what the outcome of any such prosecution would
be." [Hal Finney, talk.politics.crypto, 1994-08-30]
10.10.6. "Can ITAR and other export laws be bypassed or skirted by
doing development offshore and then _importing_ strong crypto
into the U.S.?"
- IBM is reportedly doing just this: developing strong crypto
products for OS/2 at its overseas labs, thus skirting the
export laws (which have weakened the keys to some of their
network security products to the 40 bits that are allowed).
+ Some problems:
- can't send docs and knowhow to offshore facilities (some
obvious enforcement problems, but this is how the law
reads)
- may not even be able to transfer knowledgeable people to
offshore facilities, if the chief intent is to then have
them develop crypto products offshore (some deep
Constitutional issues, I would think...some shades of how
the U.S.S.R. justified denying departure visas for
"needed" workers)
- As with so many cases involving crypto, there are no
defining legal cases that I am aware of.
By Tim May, see README
HTML by Jonathan Rochkind