From msuinfo!uwm.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!nagle Mon May 24 13:11:20 1993
Newsgroups: alt.security.pgp,sci.crypt
Path: msuinfo!uwm.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!nagle
From: nagle@netcom.com (John Nagle)
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID:
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
References: <1993Apr27.204235.21266@olias.linet.org> <34620@toad.com>
Date: Wed, 19 May 1993 16:19:01 GMT
Lines: 51
Xref: msuinfo alt.security.pgp:3074 sci.crypt:16588

wcs@cbnewsh.cb.att.com (Bill Stewart 1-908-949-0705) writes:
>In article <34620@toad.com> gnu@toad.com (John Gilmore) writes:
> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) wrote:
> > It does not appear to be illegal to import crypto software,
> > though the rules are messy and obfuscatory enough that some people
> > contend otherwise, and a US-written IDEA implementation would reduce
> > the risk of harassment, though the fact that the NSA would not like a
> > court ruling supporting legal imports also reduces that risk.
> I have consistently challenged every person who comes to me with this
> rumor or "import controls" to substantiate it. [.....]
> NOBODY HAS!
> They all slink off. Some promise to look it up, but never do. Others
> just admit that they don't really know but they heard it from somebody.
>I'm in the third category here; I've looked through the excerpts I
>have of the law, and my county library's copy of the U.S.Code
>has not been up to date even to 1985 levels on the Privacy Act laws,
>so I haven't bothered checking there.

There is such legislation. It's in the Arms Control Act. I have
looked this up. Look in the index to the USC under Arms Control.

Basically, there are two complete independent systems of export and
import controls. The general export control system is administered by
the Commerce Department, and, while a pain, can be dealt with.

There's a separate system for "arms control", administered by State and
Defense. This controls the import and export of items listed on the
"Munitions List". The Munitions List (which is a real list, published
in the Code of Federal Regulations) lists all the items for which "arms
control" applies. Items like "battleships" and "rifles" appear.
Unfortunately, so does "cryptographic equipment", because, when the
Munitions List was created decades ago, civilian cryptography barely
existed. Cryptographic equipment is the only "dual use" technology
covered under arms control, and NSA has lobbied strongly to keep it
that way.

Importing or exporting "arms" is complicated. Among other things, you
have to register as an "arms dealer" (Jim Bidzos of RSA had to do
this). Then, for each transaction, you have to open a "munitions case"
with the State Department.

The general assumption with regular export controls is that you can
export unless there's some explicit prohibition on doing what you want
to do. The general assumption on arms controls is that you can't export
or import unless State and Defense like what you're doing.

Operationally, arms controls are administered by the Director for
Munitions, Office of the Deputy Undersecretary for Trade Security
Policy, Office of Policy, DOD. For information, contact their "Outreach
unit", 703-697-7480.

Exactly what current restrictions are I don't know. But that's where
you find out.

John Nagle

From msuinfo!agate!ucbvax!silverton.berkeley.edu!djb Mon May 24 13:14:35 1993
Path: msuinfo!agate!ucbvax!silverton.berkeley.edu!djb
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Newsgroups: alt.security.pgp,sci.crypt
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID: <13557.May2409.37.4593@silverton.berkeley.edu>
Date: 24 May 93 09:37:45 GMT
References: <1993May23.201819.7697@convex.com>
Organization: IR
Lines: 41
Xref: msuinfo alt.security.pgp:3120 sci.crypt:16651

(This discussion belongs in talk.politics.crypto, a group for ``the
relation between government and cryptography.'' As you can see, this
group doesn't exist---yet. I do not want to handle the RFD and CFV for
this. Loose ball; somebody pick it up, please. Thanks.)

In article <1993May23.201819.7697@convex.com> hamrick@convex.com (Ed Hamrick) writes:
> It's important to be quite clear that export and import controls on
> publically-available / public-domain software do not exist.

Let me preface my comments with the disclaimer that I am currently
unable to speak in public about a number of issues highly relevant to
this discussion. What I say below is necessarily incomplete.

The ITAR does say that information in the ``public domain'' is not
subject to any ITAR control. The ITAR defines ``public domain'' in a
certain specific way. The ITAR definition of ``public domain'' does not
cover a document which I have just created, even if I waive all copying
rights to that document, and even if I intend to hand-deliver a copy of
the document to every mailbox in the known universe. It covers only
certain types of ``published'' information. The ITAR does not define the
word ``published.''

Let me repeat that: The ITAR does _not_ define the word ``published.''

As this is an absolutely critical point, let me repeat it once more:

******** The ITAR does _not_ define the word ``published.'' ********

> The
> following extract from "Defense Trade Regulations" from Federal Record,
> March 26, 1992 (formerly International Traffic in Arms Regulations, or ITAR):

At my last check with the NSA and the State Department, ITAR was still
current. The quotes which Ed gives, although not substantially
misleading, are simply not correct, and it is easy to draw certain
incorrect conclusions from his article.

Sorry to be so vague.

---Dan

From msuinfo!agate!howland.reston.ans.net!darwin.sura.net!convex!hamrick Mon May 24 13:15:15 1993
Newsgroups: alt.security.pgp,sci.crypt
Path: msuinfo!agate!howland.reston.ans.net!darwin.sura.net!convex!hamrick
From: hamrick@convex.com (Ed Hamrick)
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID: <1993May24.131526.27164@convex.com>
Sender: usenet@convex.com (news access account)
Nntp-Posting-Host: convex1.convex.com
Organization: CONVEX Computer Corporation, Richardson, Tx., USA
References: <1993May23.201819.7697@convex.com> <13557.May2409.37.4593@silverton.berkeley.edu>
Date: Mon, 24 May 1993 13:15:26 GMT
X-Disclaimer: This message was written by a user at CONVEX Computer Corp. The opinions expressed are those of the user and not necessarily those of CONVEX.
Lines: 91
Xref: msuinfo alt.security.pgp:3123 sci.crypt:16653

In article <13557.May2409.37.4593@silverton.berkeley.edu> djb@silverton.berkeley.edu (D. J. Bernstein) writes:
>In article <1993May23.201819.7697@convex.com>
>hamrick@convex.com (Ed Hamrick) writes:
>> It's important to be quite clear that export and import controls on
>> publically-available / public-domain software do not exist.
>
>Let me preface my comments with the disclaimer that I am currently
>unable to speak in public about a number of issues highly relevant to
>this discussion. What I say below is necessarily incomplete.

I must respectfully disagree with your interpretation of the
regulations. If you'd like a copy of the actual text of the Defense
Trade Regulations (ITAR doesn't exist any more), I'd be happy to e-mail
them to you.

>The ITAR does say that information in the ``public domain'' is not
>subject to any ITAR control. The ITAR defines ``public domain'' in a
>certain specific way. The ITAR definition of ``public domain'' does not
>cover a document which I have just created, even if I waive all copying
>rights to that document, and even if I intend to hand-deliver a copy of
>the document to every mailbox in the known universe. It covers only
>certain types of ``published'' information. The ITAR does not define the
>word ``published.''
>
>Let me repeat that: The ITAR does _not_ define the word ``published.''
>
>As this is an absolutely critical point, let me repeat it once more:
>
>******** The ITAR does _not_ define the word ``published.'' ********

Here is the definition from the Defense Trade Regulations:

DTR> Sec. 120.19 *Public* domain.
DTR>
DTR> *Public* domain means information which is published and which is
DTR> generally accessible or available to the *public*:
DTR>
DTR> (1) Through sales at newsstands and bookstores;
DTR>
DTR> (2) Through subscriptions which are available without restriction to
DTR> any individual who desires to obtain or purchase the published information;
DTR>
DTR> (3) Through second class mailing privileges granted by the U.S.
DTR> Government;
DTR> (4) At libraries open to the *public* or from which the *public* can
DTR> obtain documents;
DTR>
DTR> (5) Through patents available at any patent office;
DTR>
DTR> (6) Through unlimited distribution at a conference, meeting, seminar,
DTR> trade show or exhibition, generally accessible to the *public*, in the
DTR> United States;
DTR>
DTR> (7) Through *public* release (i.e., unlimited distribution) in any form
DTR> (e.g., not necessarily in published form) after approval by the cognizant
DTR> U.S. government department or agency (see also Sec. 125.4(b)(13)).

It seems pretty clear that DES code that is available via anonymous ftp
meets these criteria. You may choose to quibble about whether making
something available via anonymous ftp constitutes publishing, but
consider what percentage of jurors would laugh at anybody asserting that
information available via anonymous ftp doesn't meet the intent of
120.19. I myself would tend to focus on subparagraph (5) referring to
libraries open to the public or from which the public can obtain
documents.

Asserting that the ITAR doesn't define the word "published" is as
meaningless as asserting that the ITAR doesn't define the word
"exhibition", or "trade show", or "libraries", etc. This kind of
quibbling is completely meaningless - are you saying that you need to
print out the DES source code and put it in a University library before
it can be distributed via anonymous ftp? If so, this is a triviality.
Anybody can open up a "library" to the public (item (4) above). Most
people would claim that anonymous ftp constitutes an electronic public
library.

>> The
>> following extract from "Defense Trade Regulations" from Federal Record,
>> March 26, 1992 (formerly International Traffic in Arms Regulations, or ITAR):
>
>At my last check with the NSA and the State Department, ITAR was still
>current. The quotes which Ed gives, although not substantially
>misleading, are simply not correct, and it is easy to draw certain
>incorrect conclusions from his article.
>
>Sorry to be so vague.

U. S. government rules are always written. Please refer to specific
rules published in the Federal Record, or specific legal cases. Are you
saying that the "Defense Trade Regulations" have not superseded the
ITAR, as clearly noted in the Federal Record?

Regards,
Ed Hamrick