At 04:42 PM 10/30/96 -0800, Martin Minow wrote:

At the Bernstein case oral arguments last September, I distinctly remember the government lawyer stating that the United States does not restrict "financial cryptography." Perhaps he should have qualified his argument somewhat.

This statement bothered me, as I cannot understand how an encryption algorithm can "know" that it is encrypting a financial transaction, rather than some non-financial document that would be export-restricted.

According to the "United States Munitions List", 22 CFR 121.1, Category XIII, "Auxiliary Military Equipment": "Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefor" are included in the munitions list; but not if they are "[s]pecially designed, developed or modified for use in machines for banking or money transactions, and restricted to use only in such transactions. Machines for banking or money transactions include automatic teller machines, self-service statement printers, point of sale terminals or equipment for the encryption of interbanking transactions." (22 CFR 121.1, Category XIII (b)(1)(ii)), or if they are "[l]imited to access control, such as automatic teller machines, self-service statement printers or point of sale terminals, which protects password or personal identification numbers (PIN) or similar data to prevent unauthorized access to facilities but does not allow for encryption of files or text, except as directly related to the password of PIN protection." (22 CFR 121.1, Category XIII (b)(1)(v)). As I read this, people exporting ATM's and other commercial financial equipment don't need to fuss over the ITARs; and probably not people selling Bank-O-Matic software; the question is not whether or not the software involved could be used for financial applications, or if it can tell that it is (and turn on or off strong crypto), but whether or not the system in question was "specially designed, developed, or modified" for financial applications (or access control), and limited (by some means) to only those uses; and this is a question that humans can (and must) answer at the time of export. (Also, I don't think that *documents* are ever export controlled; just the applications/systems that read and write them. Nobody tell the State Dept about John von Neumann and the interchangeability of code and data, ok? :) I understood Mr. Coppolino's remarks to be referring to the above; but if his statement was as broad as you remember, he perhaps went a bit too far. (Or maybe he was thinking of something else.) I don't remember the context of his comments. Does anyone know if a transcript of the hearing is available? It's my understanding that many court reporters are now making transcriptions available on disk, facilitating easy transition to the Web. As always, my comments are provided not as legal advice (or even as an authoritative understanding/interpretation of the ITARs/AECA) but as a contribution towards a general discussion. I still don't have an especially current source for the text of the ITARs at home; the above is from the EFF's copy of the 1993 changes. Someday I'll remember to pop across the bay and pick up a copy at the US Gov bookstore, but it hasn't happened yet. (Looks like the paperback 22 CFR volume is around $30, from info I found on the Web, if anyone else is interested. It'd make a good thing to set hot things on when they come off of the stove. :) -- Greg Broiles | "We pretend to be their friends, gbroiles@netbox.com | but they fuck with our heads." http://www.io.com/~gbroiles | |