Path: utzoo!utgpu!water!watmath!clyde!rutgers!gatech!bloom-beacon!
husc6!bbn!uwmcsd1!ig!agate!ucbvax!DECWRL.DEC.COM!kent
From: ke...@DECWRL.DEC.COM
Newsgroups: comp.society.futures
Subject: Re: distribution of sensitive software like DES
Message-ID: <8802162241.AA16997@armagnac.DEC.COM>
Date: 16 Feb 88 22:41:07 GMT
References: <8801281211.AA13780@decwrl.dec.com>
Sender: dae...@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 284

This is a memo prepared by Digital's lawyers in response to John
Gilmore's note of last October. Please note that I am only passing this
along, without comment -- I know little if anything about the law, and
am not in the least interested in engaging in debate about this issue,
nor am I willing to pass such debate back to the lawyers piecemeal. 

chris

--------Begin Forwarded Message
From: ehrgood@wnpv01.enet (TOM EHRGOOD, WNP, DTN 427-5698)
To: @cryptomemo.dis, ehrgood
Subject: Crypto Export Controls - Answer To Gilmore


    _____________________________
    |   |   |   |   |   |   |   |
    | d | i | g | i | t | a | l |    I n t e r o f f i c e  M e m o
    |___|___|___|___|___|___|___|


TO:  "TO" Distribution               DATE:  16 February 1988  
                                     FROM:  Tom Ehrgood
CC:  "CC" Distribution               DEPT:  Corporate Law
                                     TEL:   (202) 383-5698
                                     LOC:   WNP

SUBJECT: Controls Over The Export Of Cryptographic Software



This memo answers points made in an October 27, 1987, memo by John
Gilmore, which we received on January 28th.  Gilmore's memo, which I am
separately forwarding, argues that the posting of cryptographic software
to certain widely available bulletin boards places that software in the
"public domain," with the consequence that export licenses are not
required for the exports of that software.  Gilmore's analysis has been
given wide distribution on various networks. 

Gilmore is mistaken in his analysis and in his conclusion.  Given the
high national security sensitivity of cryptography, generally, and DES
encryption, specifically, it is important to set the record straight.

The fundamental points that Gilmore gets wrong are:

  o  Exports of cryptographic software are governed by the State
     Department's International Traffic in Arms Regulations ("ITAR"),
     not by the Commerce Department's Export Administration
     Regulations ("EAR").  Exports would be governed by Commerce's
     EAR only if State waived jurisdiction.
     
  o  Although State Department regulations contain a "public domain"
     exemption for technical data, cryptographic software does
     not qualify as "technical data," and thus the "public domain" 
     exemption does not apply.

A legal analysis follows.




                              DISCUSSION


I.  State Department Control Over Cryptographic Software
    ----------------------------------------------------
  
    A.  Cryptographic software is a "defense article" 
        ---------------------------------------------

Section 38 of the Arms Export Control Act authorizes the President to
control the export and import of "defense articles" and "defense
services."  This statutory authority -- which includes the authority to
"designate those items which shall be considered as defense articles
and defense services" -- was delegated to the Department of
State, which in turn has implemented the statutory authority through
promulgation of the International Traffic in Arms Regulations ("ITAR"),
22 C.F.R. Subch. M.  

The term "defense article" is defined in section 120.7 of ITAR to mean 
"any item designated in section 121.1," which contains the United States 
Munitions List.  

Category XIII of the Munitions List provides in paragraph (b) as 
follows:

    Speech scramblers, privacy devices, CRYPTOGRAPHIC DEVICES AND 
    SOFTWARE (ENCODING AND DECODING), and components specifically
    designed or modified therefor, ancillary equipment, and protective
    apparatus specifically designed or modified for such devices, 
    components, and equipment.  (Emphasis added.)

Since "cryptographic . . . software" is thus included on the United 
States Munitions List, it is a "defense article" subject to the State 
Department's ITAR controls over exports of such articles.

At certain low thresholds, it may not be clear whether software
containing certain encryption functionality in a technical sense
constitutes "cryptographic software" within the meaning of Category
XIII(b), above.  Section 120.5 of ITAR establishes a procedure under
which "[t]he Office of Munitions Control will provide, upon written
request, a determination on whether a particular article is included on
the United States Munitions List."  Questionable cases may be resolved 
by following this procedure.

Assuming that encryption software does constitute "cryptographic 
software" within the meaning of Category XIII(b), State Department 
export licenses are required, REGARDLESS OF WHETHER THE ENCRYPTION IS 
BASED ON THE DES ALGORITHM.  The relevance of DES vs. non-DES lies in 
the ease with which licenses can be obtained, not in whether licenses
are required. 

    B.  The State Department's "public domain" exemption does not
        apply to exports of "defense articles."
        ---------------------------------------------------------

Part 123 of ITAR contains rules governing export licenses for the export 
of "defense articles."  The basic rule is stated in Section 123.1(a) as
follows:

    Any person who intends to export a defense article must obtain a
    license from the Office of Munitions Control prior to the export 
    unless the export qualifies for an exemption under the provisions 
    of this Subchapter.

Part 123 sets forth a number of exemptions in sections 123.16 through
123.22.  None of these exemptions covers the posting of cryptographic
software on a bulletin board. 

Section 126.5 exempts from the licensing requirement any exports of
unclassified defense articles or unclassified technical data to Canada
for end-use in Canada or return to the United States.  This exemption 
would be potentially applicable only if the ONLY exports that might take 
place as a result of the bulletin board posting were exports to Canada.  
(See section 120.10, which defines "export" to include "[s]ending or
taking defense articles outside the United States in any manner.")  In
any event, care would have to be taken to ensure that applicable
documentation requirements are met to invoke properly the exemption. 

Part 125 of ITAR contains rules governing exports of technical data.  
Section 125.1(a) provides:

    The export controls of this part apply to the export of technical
    data . . . . Information which is in the "public domain" (see 
    section 120.18) is not subject to the controls of this chapter.

Section 120.18 defines "public domain" as follows:

      "Public domain" means information which is published AND WHICH 
    IS GENERALLY ACCESSIBLE TO THE PUBLIC:
      (a) Through sales at newsstands and bookstores;
      (b) Through subscriptions which are available without restriction
    to any individual who desires to obtain or purchase the published
    information; 
      (c) Through second class mailing privileges granted by the U.S.
    Government; or,
      (d) At libraries open to the public.

(Emphasis added.)  This definition is a much more restrictive one than 
the analogous Commerce GTDA regulation analyzed by Gilmore:  a bulletin 
board posting of information would not fall within ITAR's public domain 
unless that posting qualified under paragraphs (a)-(d) of section 
120.18.  A posting would not appear to so qualify.  (This memo does not
take any position on whether bulletin board posting would place
Commerce-controlled technical data into Commerce's public domain;
specific information about the technical data and the bulletin board
would be necessary.) 

Regardless of how the ITAR "public domain" applies to bulletin board
postings in general, the posting of cryptographic software cannot fall
within the "public domain" provision, because, per section 125.1(a) 
above, the "public domain" provision applies to "technical data."
Cryptographic software -- a "defense article" (see Section I.A above) --
does not constitute "technical data" under ITAR.  More on that below.

The term "technical data" is defined in section 120.21 as follows:

      "Technical data" means for purposes of this subchapter:
      (a) Classified information relating to defense articles and
    defense services;
      (b) Information covered by an invention secrecy order;
      (c) Information which is directly related to the design,
    engineering, development, production, processing, manufacture,
    use, operation, overhaul, repair, maintenance, modification, or
    reconstruction of defense articles.  This includes, for example,
    information in the form of blueprints, drawings, photographs,
    plans, instructions, computer software and documentation.  This
    also includes information which advances the state of the art of
    articles on the U.S. Munitions List.  This does not include 
    information concerning general scientific, mathematical or 
    engineering principles.

"Technical data" per this definition thus consists either of 
information "relating to defense articles" (par. (a)) or information 
directly related to the doing of things to "defense articles" (par. (c)).
[Paragraph (c) is not relevant here.]  Since cryptographic software is
itself a "defense article," it cannot simultaneously qualify as
"technical data."  Moreover, different ITAR Parts govern exports of
"defense articles" (Part 123) and exports of "technical data" (Part
125). 

Of course, not all encryption materials (DES or otherwise) necessarily
take the form of "cryptographic software" controlled under Category
XIII(b) of the Munitions List.  Non-Category XIII(b) materials will
qualify as "technical data" within the meaning of section 120.21 and
will thus be eligible for "public domain" treatment if the specific ITAR
conditions apply. 


II.  Commerce Department Controls Over Cryptographic Software
     -------------------------------------------------------- 

Section 370.10 of Commerce's Export Administration Regulations states the
general rule that Commerce does not control exports of State
Department-controlled items.  Specifically, subsection (a) provides: 

    (a) U.S. Munitions List.  Regulations administered by the Office of
    Munitions Control, U.S. Department of State, Washington, D.C. 20520,
    govern the export of defense articles and defense services on the U.S.
    Munitions List. 

Thus, Gilmore's statement that the State Department's concerns about 
exports of crypt commands are "enforced" by Commerce is wrong.

What has complicated the picture and confused Gilmore is that Commerce's
Commodity Control List -- Commerce's counterpart to the United States
Munitions List -- contains a category 1527A covering "cryptographic
equipment . . . and software controlling or performing the function of
such cryptographic equipment."   Gilmore identified this regulatory control 
provision, but he misinterpreted it.  

Gilmore found the note in category 1527A, which states that 

    Exporters requesting a validated license from the Department of 
    Commerce must provide a statement from the Department of State,
    Office of Munitions Control, verifying that the equipment 
    intended for export is under the licensing jurisdiction of the
    Department of Commerce.

Gilmore mistakenly says, however, that "we are not requesting a
validated license, we are using the general license, so this requirement
does not apply . . . ."  Gilmore missed the 1527A heading: "Validated
License Required:  Country Groups QSTVWYZ."  These designated country 
groups comprise every country in the world except Canada.  Consequently, 
a validated license issued by Commerce is required in order to make any 
export of 1527A-controlled cryptographic software.  And because a
validated license is required, exporters seeking such a license must,
per the note quoted above, submit a State Department statement
"verifying" that Commerce has jurisdiction over that cryptographic
software.  Such a statement would generally take the form of an ITAR
section 120.5 commodity jurisdiction determination. 

In sum, unless the State Department has issued a statement verifying
Commerce jurisdiction over the cryptographic software that Gilmore has
in mind, Commerce's controls do not apply.  And without such a
statement, Gilmore's analysis of section 379.3 of EAR (General License
GTDA) is completely irrelevant. 


III.  Conclusions
      -----------

Gilmore's conclusion that the posting of cryptographic software to a 
bulletin board places it in the public domain and thus exempts it from 
export licensing controls is flat-out wrong.  U.S. law is clear:  in 
order to export "cryptographic software" within the meaning of 
Category XIII(b) of the United States Munitions List to any country 
other than Canada, a State Department export license is required.
If there is any reason to believe or suspect that a non-U.S. or 
non-Canadian national will gain access to that bulletin board, an export 
to a third country should be assumed and a license is required.

If there is any question whether specific encryption software 
constitutes "cryptographic software" within the meaning of 
Category XIII(b), clarification can be obtained under procedures 
established pursuant to section 120.5 of ITAR.

A determination from State under 120.5 that it does not have 
jurisdiction is the prerequisite to bringing the control question into 
Commerce's export regulations.  

IT IS IMPERATIVE THAT NO DIGITAL EMPLOYEE ACT IN RELIANCE ON GILMORE'S
ANALYSIS OR HIS CONCLUSIONS. 

--------End Forwarded Message

Path: utzoo!mnetor!uunet!unisoft!hoptoad!gnu
From: gnu@hoptoad.uucp (John Gilmore)
Newsgroups: sci.crypt
Subject: Re: distribution of sensitive software like DES
Message-ID: <4106@hoptoad.uucp>
Date: 22 Feb 88 06:07:50 GMT
References: <8801281211.AA13780@decwrl.dec.com> <2275@geac.UUCP>
Organization: Nebula Consultants in San Francisco
Lines: 27

I'm glad to see that a lawyer has finally looked over the analysis of
PD cryptographic software export controls that I did a while ago.  I
still think we have a free country but will go look up the regulations
they quote, to make sure.  It may be that before we post something, we
have to put it in a magazine or newsletter, or offer it on floppies to
anyone who sends in $5 -- no big deal.  I would prefer to have a court
rule that posting something to 8000 machines, many of which are
public-access, and including it in a software library accessible to
anyone, is making it "freely available to the public".  But for that to
happen, somebody will have to take somebody to court, and so far there
are no volunteers.

The point is that information which is freely available to anyone in
the US can be exported.  If any Tom, Dick, or Harry in the states can
get it, there should be no grounds to hassle somebody over exporting
it.

Realize that the lawyer who came up with this opinion is paid by DEC to
keep DEC out of trouble.  The safest thing to do, in the short term,
is to turn and run from any kind of trouble.  I just think that the long
term trouble caused by only the government having privacy is worth
facing the short term trouble.

I'll have more to say later.
-- 
{pyramid,ptsfa,amdahl,sun,ihnp4}!hoptoad!gnu			  g...@toad.com
		"Watch me change my world..." -- Liquid Theatre