Dan Weinstein writes:
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
You are assuming that because the government has chosen not to prosecute MIT that they will not prosecute anyone else. This is a faulty assumption, laws are not invalidated if they are not enforced, only if they are repealed or overturned.
IANAL, but this seems implausible. If MIT has received assurances (written or oral) from the DoJ that indicate that their scheme is adequate, then another organization prosecuted while following an identical scheme can admit this as evidence. There isn't, to my knowledge, a specific law which defines the act of export over the 'net. The DoJ, in effect, determines the definition by their actions. Failure to prosecute MIT should lead a responsible judge to dismiss actions against a subsequent defendant that follows the same practice. I agree that things would be different in cases like traffic laws: the fact that millions of people exceed legal speed limits every day doesn't make speeding laws invalid, but this is a matter where there is no question whether the act broke the law. Where the line is drawn by the legislature, failure of the executive does not invalidate the law --- it merely tarnishes the reputation of the executive. Where the line is drawn by the executive, failure to prosecute moves the line, IMHO.