Subject: Re: distribution of sensitive software like DES
Date: 16 Feb 88 22:41:07 GMT
Organization: The Internet
This is a memo prepared by Digital's lawyers in response to John
Gilmore's note of last October. Please note that I am only passing this
along, without comment -- I know little if anything about the law, and
am not in the least interested in engaging in debate about this issue,
nor am I willing to pass such debate back to the lawyers piecemeal.
--------Begin Forwarded Message
From: email@example.com (TOM EHRGOOD, WNP, DTN 427-5698)
To: @cryptomemo.dis, ehrgood
Subject: Crypto Export Controls - Answer To Gilmore
digital Interoffice Memo
TO: "TO" Distribution
CC: "CC" Distribution
DATE: 16 February 1988
FROM: Tom Ehrgood
DEPT: Corporate Law
TEL: (202) 383-5698
SUBJECT: Controls Over The Export Of Cryptographic Software
This memo answers points made in an October 27, 1987, memo by John
Gilmore, which we received on January 28th. Gilmore's memo, which I am
separately forwarding, argues that the posting of cryptographic software
to certain widely available bulletin boards places that software in the
"public domain," with the consequence that export licenses are not
required for the exports of that software. Gilmore's analysis has been
given wide distribution on various networks.
Gilmore is mistaken in his analysis and in his conclusion. Given the
high national security sensitivity of cryptography, generally, and DES
encryption, specifically, it is important to set the record straight.
The fundamental points that Gilmore gets wrong are:
o Exports of cryptographic software are governed by the State
Department's International Traffic in Arms Regulations ("ITAR"),
not by the Commerce Department's Export Administration
Regulations ("EAR"). Exports would be governed by Commerce's
EAR only if State waived jurisdiction.
o Although State Department regulations contain a "public domain"
exemption for technical data, cryptographic software does
not qualify as "technical data," and thus the "public domain"
exemption does not apply.
A legal analysis follows.
I. State Department Control Over Cryptographic Software
A. Cryptographic software is a "defense article"
Section 38 of the Arms Export Control Act authorizes the President to
control the export and import of "defense articles" and "defense
services." This statutory authority -- which includes the authority to
"designate those items which shall be considered as defense articles
and defense services" -- was delegated to the Department of
State, which in turn has implemented the statutory authority through
promulgation of the International Traffic in Arms Regulations ("ITAR"),
22 C.F.R. Subch. M.
The term "defense article" is defined in section 120.7 of ITAR to mean
"any item designated in section 121.1," which contains the United States
Category XIII of the Munitions List provides in paragraph (b) as
Speech scramblers, privacy devices, CRYPTOGRAPHIC DEVICES AND
SOFTWARE (ENCODING AND DECODING), and components specifically
designed or modified therefore, ancillary equipment, and protective
apparatus specifically designed or modified for such devices,
components, and equipment. (Emphasis added.)
Since "cryptographic . . . software" is thus included on the United
States Munitions List, it is a "defense article" subject to the State
Department's ITAR controls over exports of such articles.
At certain low thresholds, it may not be clear whether software
containing certain encryption functionality in a technical sense
constitutes "cryptographic software" within the meaning of Category
XIII(b), above. Section 120.5 of ITAR establishes a procedure under
which "[t]he Office of Munitions Control will provide, upon written
request, a determination on whether a particular article is included on
the United States Munitions List." Questionable cases may be resolved
by following this procedure.
Assuming that encryption software does constitute "cryptographic
software" within the meaning of Category XIII(b), State Department
export licenses are required, REGARDLESS OF WHETHER THE ENCRYPTION IS
BASED ON THE DES ALGORITHM. The relevance of DES vs. non-DES lies in
the ease with which licenses can be obtained, not in whether licenses
B. The State Department's "public domain" exemption does not
apply to exports of "defense articles."
Part 123 of ITAR contains rules governing export licenses for the export
of "defense articles." The basic rule is stated in Section 123.1(a) as
Any person who intends to export a defense article must obtain a
license from the Office of Munitions Control prior to the export
unless the export qualifies for an exemption under the provisions
of this Subchapter.
Part 123 sets forth a number of exemptions in sections 123.16 through
123.22. None of these exemptions covers the posting of cryptographic
software on a bulletin board.
Section 126.5 exempts from the licensing requirement any exports of
unclassified defense articles or unclassified technical data to Canada
for end-use in Canada or return to the United States. This exemption
would be potentially applicable only if the ONLY exports that might take
place as a result of the bulletin board posting were exports to Canada.
(See section 120.10, which defines "export" to include "[s]ending or
taking defense articles outside the United States in any manner.") In
any event, care would have to be taken to ensure that applicable
documentation requirements are met to invoke properly the exemption.
Part 125 of ITAR contains rules governing exports of technical data.
Section 125.1(a) provides:
The export controls of this part apply to the export of technical
data . . . . Information which is in the "public domain" (see
section 120.18) is not subject to the controls of this chapter.
Section 120.18 defines "public domain" as follows:
"Public domain" means information which is published AND WHICH
IS GENERALLY ACCESSIBLE TO THE PUBLIC:
(a) Through sales at newsstands and bookstores;
(b) Through subscriptions which are available without restriction
to any individual who desires to obtain or purchase the published
(c) Through second class mailing privileges granted by the U.S.
(d) At libraries open to the public.
(Emphasis added.) This definition is a much more restrictive one than
the analogous Commerce GTDA regulation analyzed by Gilmore: a bulletin
board posting of information would not fall within ITAR's public domain
unless that posting qualified under paragraphs (a)-(d) of section
120.18. A posting would not appear to so qualify. (This memo does not
take any position on whether bulletin board posting would place
Commerce-controlled technical data into Commerce's public domain;
specific information about the technical data and the bulletin board
would be necessary.)
Regardless of how the ITAR "public domain" applies to bulletin board
postings in general, the posting of cryptographic software cannot fall
within the "public domain" provision, because, per section 125.1(a)
above, the "public domain" provision applies to "technical data."
Cryptographic software -- a "defense article" (see Section I.A above) --
does not constitute "technical data" under ITAR. More on that below.
The term "technical data" is defined in section 120.21 as follows:
"Technical data" means for purposes of this subchapter:
(a) Classified information relating to defense articles and
(b) Information covered by an invention secrecy order;
(c) Information which is directly related to the design,
engineering, development, production, processing, manufacture,
use, operation, overhaul, repair, maintenance, modification, or
reconstruction of defense articles. This includes, for example,
information in the form of blueprints, drawings, photographs,
plans, instructions, computer software and documentation. This
also includes information which advances the state of the art of
articles on the U.S. Munitions List. This does not include
information concerning general scientific, mathematical or
"Technical data" per this definition thus consists either of
information "relating to defense articles" (par. (a)) or information
directly related to the doing of things to "defense articles" (par. (c)).
[Paragraph (c) is not relevant here.] Since cryptographic software is
itself a "defense article," it cannot simultaneously qualify as
"technical data." Moreover, different ITAR Parts govern exports of
"defense articles" (Part 123) and exports of "technical data" (Part
Of course, not all encryption materials (DES or otherwise) necessarily
take the form of "cryptographic software" controlled under Category
XIII(b) of the Munitions List. Non-Category XIII(b) materials will
qualify as "technical data" within the meaning of section 120.21 and
will thus be eligible for "public domain" treatment if the specific ITAR
II. Commerce Department Controls Over Cryptographic Software
Section 370.10 of Commerce's Export Administration Regulations states the
general rule that Commerce does not control exports of State
Department-controlled items. Specifically, subsection (a) provides:
(a) U.S. Munitions List. Regulations administered by the Office of
Munitions Control, U.S. Department of State, Washington, D.C. 20520,
govern the export of defense articles and defense services on the U.S.
Thus, Gilmore's statement that the State Department's concerns about
exports of crypt commands are "enforced" by Commerce is wrong.
What has complicated the picture and confused Gilmore is that Commerce's
Commodity Control List -- Commerce's counterpart to the United States
Munitions List -- contains a category 1527A covering "cryptographic
equipment . . . and software controlling or performing the function of
such cryptographic equipment." Gilmore identified this regulatory control
provision, but he misinterpreted it.
Gilmore found the note in category 1527A, which states that
Exporters requesting a validated license from the Department of
Commerce must provide a statement from the Department of State,
Office of Munitions Control, verifying that the equipment
intended for export is under the licensing jurisdiction of the
Department of Commerce.
Gilmore mistakenly says, however, that "we are not requesting a
validated license, we are using the general license, so this requirement
does not apply . . . ." Gilmore missed the 1527A heading: "Validated
License Required: Country Groups QSTVWYZ." These designated country
groups comprise every country in the world except Canada. Consequently,
a validated license issued by Commerce is required in order to make any
export of 1527A-controlled cryptographic software. And because a
validated license is required, exporters seeking such a license must,
per the note quoted above, submit a State Department statement
"verifying" that Commerce has jurisdiction over that cryptographic
software. Such a statement would generally take the form of an ITAR
section 120.5 commodity jurisdiction determination.
In sum, unless the State Department has issued a statement verifying
Commerce jurisdiction over the cryptographic software that Gilmore has
in mind, Commerce's controls do not apply. And without such a
statement, Gilmore's analysis of section 379.3 of EAR (General License
GTDA) is completely irrelevant.
Gilmore's conclusion that the posting of cryptographic software to a
bulletin board places it in the public domain and thus exempts it from
export licensing controls is flat-out wrong. U.S. law is clear: in
order to export "cryptographic software" within the meaning of
Category XIII(b) of the United States Munitions List to any country
other than Canada, a State Department export license is required.
If there is any reason to believe or suspect that a non-U.S. or
non-Canadian national will gain access to that bulletin board, an export
to a third country should be assumed and a license is required.
If there is any question whether specific encryption software
constitutes "cryptographic software" within the meaning of
Category XIII(b), clarification can be obtained under procedures
established pursuant to section 120.5 of ITAR.
A determination from State under 120.5 that it does not have
jurisdiction is the prerequisite to bringing the control question into
Commerce's export regulations.
IT IS IMPERATIVE THAT NO DIGITAL EMPLOYEE ACT IN RELIANCE ON GILMORE'S
ANALYSIS OR HIS CONCLUSIONS.
--------End Forwarded Message
From: firstname.lastname@example.org (John Gilmore)
Subject: Re: distribution of sensitive software like DES
Date: 22 Feb 88 06:07:50 GMT
References: <8801281211.AA13780@decwrl.dec.com> <2275@geac.UUCP>
Organization: Nebula Consultants in San Francisco
I'm glad to see that a lawyer has finally looked over the analysis of
PD cryptographic software export controls that I did a while ago. I
still think we have a free country but will go look up the regulations
they quote, to make sure. It may be that before we post something, we
have to put it in a magazine or newsletter, or offer it on floppies to
anyone who sends in $5 -- no big deal. I would prefer to have a court
rule that posting something to 8000 machines, many of which are
public-access, and including it in a software library accessible to
anyone, is making it "freely available to the public". But for that to
happen, somebody will have to take somebody to court, and so far there
are no volunteers.
The point is that information which is freely available to anyone in
the US can be exported. If any Tom, Dick, or Harry in the states can
get it, there should be no grounds to hassle somebody over exporting
Realize that the lawyer who came up with this opinion is paid by DEC to
keep DEC out of trouble. The safest thing to do, in the short term,
is to turn and run from any kind of trouble. I just think that the long
term trouble caused by only the government having privacy is worth
facing the short term trouble.
I'll have more to say later.
"Watch me change my world..." -- Liquid Theatre