New crypto regulations
Concerning the new crypto regulations:

"Note to paragraphs (b)(2) and (b)(3) of this section: A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.3(b)(3))."

This is a big question for me. How does the fact that the same exact information, when stored on magnetic media, cause it to lose its freedom of press protection?

Has magnetic media never been tested in court for freedom of press applicability? What are the laws that outline the differences between magnetic media and printed media? Specifically, the one(s) that permit the non-protection of magnetic media?

Does this mean that if a journal published an article on some strong non-key escrow encryption algorithm that included source code, it could not later offer that same article on a CD-ROM collection? or provide that same source code online?
|> Concerning the new crypto regulations:
|> "Note to paragraphs (b)(2) and (b)(3) of this section: A printed
|> book or other printed material setting forth encryption source code
|> is not itself subject to the EAR (see Sec. 734.3(b)(2)). However,
|> notwithstanding Sec. 734.3(b)(2), encryption source code in
|> electronic form or media (e.g., computer diskette or CD ROM) remains
|> subject to the EAR (see Sec. 734.3(b)(3))."
|> This is a big question for me. How does the fact that the same exact
|> information, when stored on magnetic media, cause it to lose its
|> freedom of press protection?

All media, all forms of expression are protected by the first amendment. It's just that this protection is not absolute. If the government wants to curtail freedom of speech it has to demonstrate a compelling interest and further demonstrate that the means used are narrowly tailored to achieve that compelling interest in the least restrictive manner possible. Both have to be demonstrated to the courts' satisfaction, a task quite different from (and, methinks, easier than) demonstrating this to our own satisfaction.

These regulations explicitly say that you can transport printed information including source code out of the country. No prior approval of any sort is required. These regulations do not prohibit communication that requires source code to be effective.

The government's claim is that in the interests of national security, export of cryptography must be prevented. By limiting the policy's applicability to media which are in, or can easily be converted to, electronic form, the government has narrowly tailored this component of the policy to prevent cryptographic source code from appearing in foreign computers without preventing the communication of that source code.

Cheers,
Jason W. Solinsky
Gemini Thunder sez:
This is a big question for me. How does the fact that the same exact information, when stored on magnetic media, cause it to lose its freedom of press protection?
You must understand that the USG faces a VERY big hurdle in attempting to ban the book. Books have a history; one as old as the Founding Fathers, older than the country and the Constitution, of being protected. In fact, this extends to other printed material; i.e. newspapers. They tried and failed to get "prior restraint" in the Pentagon Papers case.

But in their quest to sandbag an already submerged dike, they hope they can draw a line at magnetic media. It's untested, IMHO likely to fail, but it's a hell of a lot better than trying to ban books. They'd get laughed out of court.

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
" Note to paragraphs (b)(2) and (b)(3) of this section: A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.3(b)(3))."
What this means is that the government is afraid that a ban on printed material would be considerably more difficult to uphold in court. It's far easier for them to argue that a floppy disk is a mechanism presenting a clear and present danger than it would be to argue the same for a book.

So why don't we take this debate where the Government least wants to fight it--the realm of printed matter. Someone should start a crypto export business that takes crypto source code, prints it, and mails it overseas where someone else scans the source code and delivers it in electronic form to a recipient.

We could take some important crypto source code (for example some of the IPv6 IPsec stuff being developed domestically), print it, export it (legally), scan it, and then distribute it overseas. If we repeat this process enough, it will first cause a lot of useful crypto software to be exported legally from the US.

Then, when the government wants to stop this, they will be forced to place a prior restraint on publication of printed technical pamphlets, which is exactly the restriction they don't want to be stuck defending.
We could take some important crypto source code (for example some of the IPv6 IPsec stuff being developed domestically), print it, export it (legally), scan it, and then distribute it overseas. If we repeat this process enough, it will first cause a lot of useful crypto software to be exported legally from the US.
PGP, Inc. is already exporting their source in this fashion.
Then, when the government wants to stop this, they will be forced to place a prior restraint on publication of printed technical pamphlets, which is exactly the restriction they don't want to be stuck defending.
Stewart Baker has been quoted as saying that banning "easily scanned printed texts" isn't far away. (Rebecca Vesely's Wired News article)

"National Security is the root password to the Constitution." -- I've forgotten who said this.

We are now just one step away from non-GAK crypto being illegal in the US.

--
Sameer Parekh Voice: 510-986-8770
President FAX: 510-986-8777
C2Net C2Net is having a party: http://www.c2.net/party/
http://www.c2.net/ sameer@c2.net
At 9:02 PM -0800 12/29/96, Huge Cajones Remailer wrote:
What this means is that the government is afraid that a ban on printed material would be considerably more difficult to uphold in court. It's far easier for them to argue that a floppy disk is a mechanism presenting a clear and present danger than it would be to argue the same for a book.
So why don't we take this debate where the Government least wants to fight it--the realm of printed matter. Someone should start a crypto export business that takes crypto source code, prints it, and mails it overseas where someone else scans the source code and delivers it in electronic form to a recipient.
Ah, but the clause which says:
(7) General Prohibition Seven--Support of Certain Activities by U.S. persons--(i) Support of Proliferation Activities (U.S. Person Proliferation Activity). If you are a U.S. Person as that term is defined in Sec. 744.6(c) of the EAR, you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR which prohibits the performance, without a license from BXA, of certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR.
would appear to make such a "conspiracy" itself a crime, regardless of First Amendment issues. This is why this new law is so pernicious: it declares a broad class of behaviors (contracting, support, financing, etc.) to be criminal acts.

And "prior restraint" isn't even really needed...all they have to do is to prosecute those who provide aid and comfort to the enemy, _after_ the publication, and the effect will be to suppress further such publications of code.

(Note of course that the government does not practice prior restraint as a means of stopping spies and traitors, generally. Nor are such acts of treason or espionage protected on First Amendment grounds....I see no reason to expect that publication of crypto code would be treated much differently, should this new crypto law be upheld.)

--Tim May

Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1398269 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
solman@MIT.EDU wrote:
The government's claim is that in the interests of national security, export of cryptography must be prevented. By limiting the policy's applicability to media which are in, or can easily be converted to, electronic form ...
Does anybody seriously believe that nobody writing these policies has an understanding of OCR software? An on-line form of code printed in a book is just a quick trip to a scanner away. They know that.

--
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Mike McNally -- Egregiously Pointy -- Tivoli Systems, "IBM" -- Austin
mailto:m5@tivoli.com mailto:m101@io.com http://www.io.com/~m101
^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
Gemini Thunder writes:

: How does the fact that the same exact
: information, when stored on magnetic media, cause it to lose its
: freedom of press protection?
:
: Has magnetic media never been tested in court for freedom of press
: applicability? What are the laws that outline the differences between
: magnetic media and printed media? Specifically, the one(s) that
: permit the non-protection of magnetic media?

With the exception of the Karn case, which says little that is clear on this exact subject, there is, in so far as I know, no law on the subject.

: Does this mean that if a journal published an article on some strong
: non-key escrow encryption algorithm that included source code, it
: could not later offer that same article on a CD-ROM collection? or
: provide that same source code online?

That is exactly what the new regulations seem to provide. An interesting question is what is the status of all those issues of Byte and Dr. Dobb's that do have cryptographic source code and that are currently available on the net. Or are there any such articles?

These issues directly affect my case seeking to strike down the ITAR restrictions, which will be amended shortly to also challenge these new regulations. One of the things that I want to do is publish a law review article that includes cryptographic software (in the form of source code). These new regulations will allow the printed version of the journal containing it to be published without the law review or myself having to get a license, but today almost all law review articles are mirrored on the internet in the Lexis and Westlaw databases and many also appear on their author's world wide web pages.

So I would be very interested if anyone could give me examples of computer journal articles that are already on the net and that contain source code of any sort, and especially those that contain cryptographic source code.

Thanks.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
EMAIL: junger@samsara.law.cwru.edu URL: http://samsara.law.cwru.edu
NOTE: junger@pdj2-ra.f-remote.cwru.edu will soon cease to exist
Huge Cajones Remailer wrote:
" Note to paragraphs (b)(2) and (b)(3) of this section: A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.3(b)(3))."
What this means is that the government is afraid that a ban on printed material would be considerably more difficult to uphold in court. It's far easier for them to argue that a floppy disk is a mechanism presenting a clear and present danger than it would be to argue the same for a book.
What about a fax? That has to make things more complicated, yes?
At 6:24 AM -0600 12/30/96, Mike McNally wrote:
solman@MIT.EDU wrote:
The government's claim is that in the interests of national security, export of cryptography must be prevented. By limiting the policy's applicability to media which are in, or can easily be converted to, electronic form ...
Does anybody seriously believe that nobody writing these policies has an understanding of OCR software? An on-line form of code printed in a book is just a quick trip to a scanner away. They know that.
And not only is OCR able these days to handle general fonts easily enough, but almost all printed code is in fixed-width fonts, i.e., non-proportional fonts. This makes OCR easy. (I'm no longer a heavy duty OCR inputter, but I used to get nearly 100% accuracy even on things like Times Roman proportional fonts...Courier and other fixed fonts were child's play.)

But there's an even bigger issue: human inputting of text is _cheap_, especially in various Third World nations which have a thriving industry doing this. (For example, various credit card companies ship their paper copies of credit transactions to warehouses of people in places like Barbados for manual keying in of data.)

For just the amount of money we've spent (in our consulting fees) on discussing just this issue of OCRing, the entire content of the MIT PGP source code book AND Schneier's AC could have been manually inputted by Barbadans or Botswanas, or probably even by Europeans.

Of course, there are vastly easier and cheaper routes, such as just sending the stuff directly, but this makes the point that there is no difference between text and machine readable text.

--Tim May

Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1398269 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
|> Does anybody seriously believe that nobody writing these policies has
|> an understanding of OCR software? An on-line form of code printed
|> in a book is just a quick trip to a scanner away. They know that.

It has been stated, if not here then elsewhere, that the government intends to update the recently released policy by also prohibiting the printing of source code in special OCR fonts. If true, this would corroborate my assertion as to the reason for the government's explicit exemption of printed media.

JWS
On Mon, 30 Dec 1996, Timothy C. May wrote:
Of course, there are vastly easier and cheaper routes, such as just sending the stuff directly, but this makes the point that there is no difference between text and machine readable text.
Someone else mentioned it, but consider...sending faxes of the printed text. Or scanning in a document to fax format and attaching the fax document to an outgoing e-mail. How would putting up a fax document for FTP be considered? (Much less PDF and/or Postscript)

The line is so shaky, it's non-existent. The whole thing is so absurd and the intent so clear.

Lucky has predicted that a pro-GAK bill will be introduced into Congress within the New Year. Considering the language in this latest executive order, anyone have any insights into how this bill might be worded and the provisions it might contain?

The biggest question: will GAK be mandated for import as well as export? (What are the current regs on import of munitions, anyway?)

_______________________________________________________________
Omegaman mailto:omega@bigeasy.com
PGP Key fingerprint = 6D 31 C3 00 77 8C D1 C2 59 0A 01 E3 AF 81 94 63
Send e-mail with "get key" in the "Subject:" field to get a copy of my public key
_______________________________________________________________
gt@kdn0.attnet.or.jp (Gemini Thunder) wrote:
Has magnetic media never been tested in court for freedom of press applicability? What are the laws that outline the differences between magnetic media and printed media? Specifically, the one(s) that permit the non-protection of magnetic media?
I have been thinking on this. The government obviously does not want strong crypto in the hands of the public. I see no reason why they will stop at the current legislation.
From the present point I can see 2 alternatives:
(1) The ban on crypto source is extended to printed media.
(2) The ban on crypto source in magnetic media is tested in court and struck down as a violation of freedom of press/speech.

I still have enough faith to believe that (1) is unlikely. What are the odds on (2)? (I can't imagine it being upheld) What are other alternatives? (I am of the opinion that the "non-OCR-able" font scheme is unlikely.)

Also, what qualifies as "encryption" here? Basic implementation of an algorithm? Full-blown programs? Hash functions? Steganography (with/without additional encryption)? Data after a CTRL-Z? (Sorry, couldn't help it)
Gemini Thunder wrote:
gt@kdn0.attnet.or.jp (Gemini Thunder) wrote:
Has magnetic media never been tested in court for freedom of press applicability? What are the laws that outline the differences between magnetic media and printed media? Specifically, the one(s) that permit the non-protection of magnetic media?
[snippo]
Also, what qualifies as "encryption" here? Basic implementation of an algorithm? Full-blown programs? Hash functions? Steganography (with/without additional encryption)? Data after a CTRL-Z? (Sorry, couldn't help it)
Actually, on MS-DOS computers (UNIX too?), the data following end-of-file is real enough, even when the file header *doesn't* recognize it. Paste a few of these together, and presto-stego, there you are.
In article <199612301517.KAA01543@pdj2-ra.F-REMOTE.CWRU.Edu>,
Peter D. Junger
: Does this mean that if a journal published an article on some strong
: non-key escrow encryption algorithm that included source code, it
: could not later offer that same article on a CD-ROM collection? or
: provide that same source code online?
That is exactly what the new regulations seem to provide. An interesting question is what is the status of all those issues of Byte and Dr. Dobb's that do have cryptographic source code and that are currently available on the net. Or are there any such articles?
Here's one. Ian Goldberg and I wrote a Dr. Dobb's Journal article on Netscape's insecure random number generation. It contained a few short snippets of code that described how Netscape's PRNG seeding process worked. I believe that they may fall under the category of 'cryptographic source code'.

And...guess what... DDJ in fact published the article online at http://www.ddj.com/ddj/1996/1996.01/wagner.htm

Here's a citation: Ian Goldberg and David Wagner. "Randomness and the Netscape Browser". Dr. Dobb's Journal, January 1996.
participants (11)
- Dale Thorn
- David Lesher / hated by RBOC's in 5 states
- daw@cs.berkeley.edu
- gt@kdn0.attnet.or.jp
- Mike McNally
- nobody@huge.cajones.com
- Omegaman
- Peter D. Junger
- sameer
- solman@MIT.EDU
- Timothy C. May