Cyphernomicon Top
Cyphernomicon 10.10

Legal Issues:
Export of Crypto, ITAR, and Similar Laws


  10.10.1. "What are the laws and regulations about export of crypto,
            and where can I find more information?"
           - "The short answer is that the Department of State, Office
              of Defense Trade Controls (DOS/DTC) and the National
              Security Administration (NSA) won't allow unrestricted
              export (like is being done with WinCrypt) for any
              encryption program that the NSA can't crack with less than
              a certain amount (that they are loathe to reveal) of
              effort.  For the long answer, see
              ftp://ftp.csn.net/cryptusa.txt.gz and/or call DOS/DTC at
              703-875-7041." [Michael Paul Johnson,  sci.crypt, 1994-07-
              08]
  10.10.2. "Is it illegal to send encrypted stuff out of the U.S.?"
           - This has come up several times, with folks claiming they've
              heard this.
           - In times of war, real war, sending encrypted messages may
              indeed be suspect, perhaps even illegal.
           - But the U.S. currently has no such laws, and many of us
              send lots of encrypted stuff outside the U.S. To remailers,
              to friends, etc.
           - Encrypted files are often tough to distinguish from
              ordinary compressed files (high entropy), so law
              enforcement would have a hard time.
           - However, other countries may have different laws.
  10.10.3. "What's the situation about export of crypto?"
           + There's been much debate about this, with the case of Phil
              Zimmermann possibly being an important test case, should
              charges be filed.
             - as of 1994-09, the Grand Jury in San Jose has not said
                anything (it's been about 7-9 months since they started
                on this issue)
           - Dan Bernstein has argued that ITAR covers nearly all
              aspects of exporting crypto material, including codes,
              documentation, and even "knowledge." (Controversially, it
              may be in violation of ITAR for knowledgeable crypto people
              to even leave the country with the intention of developing
              crypto tools overseas.)
           - The various distributions of PGP that have occurred via
              anonymous ftp sources don't imply that ITAR is not being
              enforced, or won't be in the future.
  10.10.4. Why and How Crypto is Not the Same as Armaments
           - the gun comparison has advantages and disadvantages
           - "right to keep and bear arms"
           - but then this opens the door wide to restrictions,
              regulations, comparisons of crypto to nuclear weapons, etc.
           -
           + "Crypto is not capable of killing people directly.  Crypto
              consists
             - entirely of information (speech, if you must) that cannot
                be
             - interdicted.  Crypto has civilian use.
             - -
             - <Robert Krawitz <rlk@think.com>, 4-11-94, sci.crypt>
  10.10.5. "What's ITAR and what does it cover?"
           + ITAR, the International Trafficking in Arms Regulations, is
              the defining set of rules for export of munitions--and
              crypto is treated as munitions.
             - regulations for interpreting export laws
           + NSA may have doubts that ITAR would hold up in court
             - Some might argue that this contravenes the Constitution,
                and hence would fail in court. Again, there have been few
                if any solid tests of ITAR in court, and some indications
                that NSA lawyers are reluctant to see it tested, fearing
                it would not pass muster.
             - doubts about legality (Carl Nicolai saw papers, since
                confirmed in a FOIA)
             - Brooks statement
             - Cantwell Bill
             - not fully tested in court
           + reports of NSA worries that it wouldn't hold up in court if
              ever challenged
             - Carl Nicolai, later FOIA results, conversations with Phil
           + Legal Actions Surrounding ITAR
             - The ITAR laws may be used to fight hackers and
                Cypherpunks...the outcome of the Zimmermann indictment
                will be an important sign.
           + What ITAR covers
             - "ITAR 121.8(f): ``Software includes but is not limited to
                the system functional design, logic flow, algorithms,
                application programs, operating systems and support
                software for design, implementation, test, operation,
                diagnosis and repair.'' [quoted by Dan Bernstein,
                talk.politics.crypto, 1994-07-14]
           - joke by Bidzos about registering as an international arms
              dealer
           + ITAR and code (can code be published on the Net?)
             - "Why does ITAR matter?"
             - Phil Karn is involved with this, as are several others
                here
             + Dan Bernstein has some strongly held views, based on his
                long history of fighting the ITAR
               - "Let's assume that the algorithm is capable of
                  maintaining secrecy of information, and that it is not
                  restricted to decryption, banking, analog scrambling,
                  special smart cards, user authentication, data
                  authentication, data compression, or virus protection.
                  
                  "The algorithm is then in USML Category XIII(b)(1).
                  
                  "It is thus a defense article. ITAR 120.6. " [Dan
                  Bernstein, posting code to sci.crypt,
                  talk.politics.crypto, 1994-08-22]
               - "Sending a defense article out of the United States in
                  any manner (except as knowledge in your head) is
                  export. ITAR 120.17(1).
                  
                  "So posting the algorithm constitutes export. There are
                  other forms of export, but I won't go into them here.
                  
                  "The algorithm itself, without any source code, is
                  software."  [Dan Bernstein, posting code to sci.crypt,
                  talk.politics.crypto, 1994-08-22]
             - "The statute is the Arms Export Control Act; the
                regulations are the
                International Traffic in Arms Regulations. For precise
                references, see
                my ``International Traffic in Arms Regulations: A
                Publisher's Guide.''"  [Dan Bernstein, posting code to
                sci.crypt, talk.politics.crypto, 1994-08-22]
             + "Posting code is fine.  We do it all the time; we have
                the right to do it; no one seems to be trying to stop us
                from doing it." [Bryan G. Olson, posting code to
                sci.crypt, talk.politics.crypto, 1994-08-20]
               - Bernstein agrees that few busts have occurred, but
                  warns: "Thousands of people have distributed crypto in
                  violation of ITAR; only two, to my knowledge, have been
                  convicted. On the other hand, the guv'mint is rapidly
                  catching up with reality, and the Phil Zimmermann case
                  may be the start of a serious crackdown." [Dan
                  Bernstein, posting code to sci.crypt,
                  talk.politics.crypto, 1994-08-22]
             - The common view that academic freedom means one is OK is
                probably not true.
             + Hal Finney neatly summarized the debate between Bernstein
                and Olsen:
               - "1) No one has ever been prosecuted for posting code on
                  sci.crypt. The Zimmermann case, if anything ever comes
                  of it, was not about posting code on Usenet, AFAIK.
                  
                  "2) No relevant government official has publically
                  expressed an opinion on whether posting code on
                  sci.crypt would be legal.  The conversations Dan
                  Bernstein posted dealt with his requests for permission
                  to export his algorithm, not to post code on sci.crypt.
                  
                  "3) We don't know whether anyone will ever be
                  prosecuted for posting code on sci.crypt, and we don't
                  know what the outcome of any such prosecution would
                  be." [Hal Finney, talk.politics.crypto, 1994-008-30]
  10.10.6. "Can ITAR and other export laws be bypassed or skirted by
            doing development offshore and then _importing_ strong crypto
            into the U.S.?"
           - IBM is reportedly doing just this: developing strong crypto
              products for OS/2 at its overseas labs, thus skirting the
              export laws (which have weakened the keys to some of their
              network security products to the 40 bits that are allowed).
           + Some problems:
             - can't send docs and knowhow to offshore facilities (some
                obvious enforcement problems, but this is how the law
                reads)
             - may not even be able to transfer knowledgeable people to
                offshore facilities, if the chief intent is to then have
                them develop crypto products offshore (some deep
                Constitutional issues, I would think...some shades of how
                the U.S.S.R. justified denying departure visas for
                "needed" workers)
           - As with so many cases invovling crypto, there are no
              defining legal cases that I am aware of.


Next Page: 10.11 Regulatory Arbitrage
Previous Page: 10.9 Legality of Digital Banks and Digital Cash?

By Tim May, see README

HTML by Jonathan Rochkind