Bidzos comments on PGP related to ITAR, from sci.crypt a while ago (not sure of date). Essential argument: it was illegally exported, and ITAR prohibits re entry of things illegally exported, therefore it is illegally imported. Relevant section, Software export: Section 123.2 of the ITAR reads:
"123.2 Imports.
No defense article may be imported into the United States unless (a) it was previously exported temporarily under a license issued by the Office of Munitions Control; or (b) it constitutes a temporary import/intransit shipment licensed under Section 123.3; or (c) its import is authorized by the Department of the Treasury (see 27 CFR parts 47, 178, and 179)."
There is a section on `illegal export of unclassified technical data to foreign nationals' (paraphrase) and Bidzos claims it applies to PGP export. But he appears to me to be using a bit of sleight of hand to conflate this category with *cryptographic software* mentioned elsewhere (sections also as quoted also by H. Finney). I'll let others pick it apart for the loopholes. ===cut=here=== Date: Mon, 20 Sep 93 19:31:08 PDT Message-Id: <9309210231.AA16113@RSA.COM> To: ld231782@longs.lance.colostate.edu In-Reply-To: "L. Detweiler"'s message of Mon, 20 Sep 93 19:57:35 -0600 <9309210157.AA04992@longs.lance.colostate.edu> Subject: PGP & ITAR Here's the ITAR part. (This was posted in 1992, so I don't know, since pgp has changed since then I understand, how it would apply.) Also, the ITAR has changed recently, and I haven't studied the changes to see how they would affect these comments. Risks of using pgp One should be careful about assuming that the documentation in electronically distributed software is accurate, especially where law is concerned. There are a few things the documentation for a program called "pgp" does not tell you about patent and export law that you should be aware of. Further, there are a number of claims and offered interpretations of patent and export law that are simply false. pgp seems to be an attempt to mislead netters into joining an illegal activity that violates patent and export law, letting them believe that they run no serious risk in doing so. EXPORT LAW pgp leads users to believe that it has circumvented export controls "...since it is not illegal to import..." You are led to believe that since you didn't import it, it's legal to use it. The "no import restrictions" claim has been made so many times, many people probably believe it. One would be well advised not to accept this legal opinion. While stated as if it were a well-known fact, the claim that "there are no import restrictions" is simply false. Section 123.2 of the ITAR (International Traffic in Arms Regulations) reads: "123.2 Imports. No defense article may be imported into the United States unless (a) it was previously exported temporarily under a license issued by the Office of Munitions Control; or (b) it constitutes a temporary import/intransit shipment licensed under Section 123.3; or (c) its import is authorized by the Department of the Treasury (see 27 CFR parts 47, 178, and 179)." Was pgp illegally exported? Was pgp illegally imported? Of course. It didn't export or import itself. pgp 1 was illegally exported from the U.S., and pgp 2, based on pgp 1, is illegally imported into the U.S. Is a license required? According to the ITAR, it is. 125.2 Exports of unclassified technical data. Paragraph (c) reads: "(c) Disclosures. Unless otherwise expressly exempted in this subchapter, a license is required for the oral, visual, or documentary disclosure of technical data to foreign nationals in connection with visits by U.S. persons to foreign countries, visits by foreign persons to the United States, or otherwise. A license is required regardless of the manner in which the technical data is transmitted (e.g., in person, by telephone, correspondence, electronic means, telex, etc.)." ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ What is "export?" Section 120.10, "Export," begins: "'Export' means, for purposes of this subchapter: ...(c) Sending or taking technical data outside of the United States in any manner except that by mere travel outside of the United States by a person whose technical knowledge includes technical data; or..." Crypto software is controlled by the ITAR. See Part 121, the Munitions List, includes Category XIII, of which paragraph (b) reads, in part, "...privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed or modified therefore,..." A further definition in 121.8, paragraph (f) reads: "Software includes but is not limited to the system functional design, logic flow, algorithms, application programs, ..." pgp encourages you to post it on computer bulletin boards. Anybody who considers following this advice is taking quite a risk. When you make a defense item available on a BBS, you have exported it. pgp's obvious attempts to downplay any risk of violating export law won't help you a bit if you're ever charged under the ITAR. Penalties under the ITARs are quite serious. The ITARs were clearly designed to put teeth into laws that make exporting munitions illegal. It's unfortunate that cryptography is on the munitions list. But it is. pgp is software tainted by serious ITAR violations. ------- End of Forwarded Message