"L. Detweiler" <uunet!longs.lance.colostate.edu!ld231782> writes:
There is a section on `illegal export of unclassified technical data to foreign nationals' (paraphrase) and Bidzos claims it applies to PGP export. But he appears to me to be using a bit of sleight of hand to conflate this category with *cryptographic software* mentioned elsewhere (sections as also quoted by H. Finney).
If Bidzos is using the term "technical data" as it's defined in $120.21 of the ITAR, I think it's debatable. Can we come up with data to support that IDEA and RSA are "commonly taught .. in academia"? The public (and published) nature of both IDEA and RSA seems to place them far away from the general thrust of the "technical data" definition, which seems oriented towards preventing disclosure of data/information that's not available to the general public. Def'n follows:

$120.21 Technical data.

Technical data means, for purposes of this subchapter:

(a) Classified information relating to defense articles and defense services;

(b) Information covered by an invention secrecy order;

(c) Information, in any form, which is directly related to the design, engineering, development, production, processing, manufacture, use, operation, overhaul, repair, maintenance, modification, or reconstruction of defense articles. This includes, for example, information in the form of blueprints, drawings, photographs, plans, instructions, computer software, and documentation. This also includes information which advances the state of the art of articles on the U.S. Munitions List. This definition does not include information concerning general scientific, mathematical, or engineering principles commonly taught in academia. It also does not include basic marketing information or general system descriptions of defense articles.

[emphasis added, of course]

I'm working my way through the ITAR and am going to leave the majority of Bidzos' message alone until I feel like I have a stronger grasp on the legal issues here. He did, however, say two things which look pretty shaky to me:
When you make a defense item available on a BBS, you have exported it.
The definitions of export that I've seen have concerned transferring information or physical things, or providing services to, persons, corporations, or nations which are not U.S. citizens. They have not addressed placing these things where "foreign persons" might conceivably get them. Under Bidzos' interpretation, making RSAREF available via FTP sounds like export to me. My interpretation is based on ITAR; other relevant statutes may define it more broadly, but those definitions aren't relevant when talking about violations of the ITAR.
pgp is software tainted by serious ITAR violations.
I interpret this to mean, assuming that Bidzos is right on all points, that:

(1) all copies (and their descendants?) of PGP 1.0 which have been taken outside of the U.S. are "tainted" and cannot be re-imported legally; and

(2) all copies (and their descendants?) of PGP 2.x which were written outside of the U.S. are "tainted" once they enter the U.S.; U.S. citizens will need to re-write (sigh) PGP 2.x inside the U.S., using the published algorithms for IDEA and RSA.

I can't see any basis for saying that "PGP", a standard for interoperable crypto software, is tainted - only particular implementations of that standard are, depending on who wrote them and what country the author is from, where the copy is located, and where it's been before. Surely Bidzos won't claim that RSA licensees in the U.S. are somehow "tainted" by the illegal export of other copies of RSA, hmm?

--
Greg Broiles greg@goldenbear.com Baked, not fried.