Adam Shostack wrote:
First off, I applaud Netscape for making the US version available for download. All of my comments here should be taken as questioning the why's, not suggesting that the implementation is so onerous Netscape shouldn't have done it. Although, you might want to add a link to a page decrying the kafka-esque experience; perhaps Matt's 'My life as an arms smuggler?'
My question is, under what lawful authority would you release the data? The ITARs don't seem to contain anything special, so would you hand out lists on a subpeona? Individual names on a subpeona? Lists on a warrant?
This is from our US download FAQ at http://home.netscape.com/eng/US-Current/faq.html The information users provide when applying to download the 128-bit encryption software is used ONLY to verify eligibility. The U.S. government requires Netscape to maintain a log of software downloads should they deem it necessary under court order, to use this information in their investigations of illegal use or misrepresentation of information. If law enforcement got a court order to get the entire list, we would fight it in court as being over broad.
Incidentally, they seem to be doing a credit check sort of verification; I gave a decade old address, and it worked fine. I feel free to do this because I'm legally entitled to download strong crypto software, and see no need to hand out my unlisted phone number in doing so.
We are not doing any type of credit check. We are doing some address verification using local databases, so these queries don't go into anyones tracking database. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.