[I'm leaving stan_gibson@zd.com on the distribution list, though this letter is not meant to be a "letter to the editor" for PC Week. I just disagree with some points Marshall Clow brings up, and feel Mr. Gibson ought to get a copy of this, as he cc:ed the Cypherpunks on his letter.] At 10:56 AM -0700 10/16/96, Marshall Clow wrote:
Mr Gibson --
I'm afraid that I must disagree with your editorial in the October 14th issue of PC Week titled "Encryption Law Change: Good News" <http://www.pcweek.com/opinion/1014/14edit.html>. This is not a good change, but rather another attempt by the government to get it's "key escrow" (now renamed 'key recovery') agenda added to commercial software products.
Let's start with the facts.
A) This is not a change in the law. There is no law regarding export of encryption software. Congress has never passed any such law. These are State Department regulations, and presidential decrees. These regulations, which have the force of law to you and me, were never debated or voted upon by our elected representatives. They can be changed tomorrow the same way. In fact, they can be changed and the public need not even be notified.
Actually, as Greg Broiles pointed out in an article (on the Cypherpunks list) several weeks ago, Congress deliberately chooses to delegate much regulatory authority to other agencies. There just is not enough time or expertise for them to pass specific laws covering the number and size of trashcans in the national parks, the type of equipment to be used on Navy ships, and so on. The State Department--and soon to be transferred to Commerce--has the regulatory authority to decide which exports are covered by the International Trafficking in Arms Regulations, the ITARs. These rules effectively have the full force of law, as many tens of thousands of laws not specifically passed by Congress have. (It is true that the ITARs may well end up being overturned by the courts, as the Bernstein and Junger cases proceed, but this could happen to laws passed by Congress, and does.) Also--and I am not an expert on this--some of the basis of the ITARs is closely related to the "Munitions Act," which was, I am almost certain, an actual Act of Congress, some decades back. Certainly Congress knows full well what the ITARs are about, and could change them if it thought the State Department or Commerce Department were overstepping their bounds. (As it may do, some day. Not this term, obviously. "Pro-Code" got tabled, so Congress effectively spoke.) (Understand that I am not arguing in favor of the ITARs, nor their application to crypto, just taking issue with Marshall's opening point that the ITARs are not real laws. I mostly believed they were real laws before, but Greg Broiles' analysis several weeks ago cinched it for me.) I don't have the time right now to respond to the rest of Marshall's letter, though I agree with his basic sentiments. --Tim May "The government announcement is disastrous," said Jim Bidzos,.."We warned IBM that the National Security Agency would try to twist their technology." [NYT, 1996-10-02] We got computers, we're tapping phone lines, I know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1,257,787-1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."