Re: SAFE Bill is a Disaster--"Use a cipher, go to prison"
Tim - It's too bad we may not see eye-to-eye on this one. For what it's worth, CDT shares your concerns about the criminal provision in the SAFE bill. We believe that as currently written, the provision is overly broad and could create a chilling effect on the everyday use of encryption, and unnecessary because it duplicates existing obstruction of justice law. We have expressed these concerns both publicly (in a letter to the committee signed by EPIC, ACLU, EFF, VTW, CDT, and over 20 other organizations - see http://www.privacy.org/ipc/safe_letter.html) and privately in conversations with the committee staff. We hope to work with the authors of SAFE to address these concerns, but, as you know, we are not running this show and have to work with what the Congress gives us. However, despite our concerns about the criminal provisions, we believe strongly that the SAFE bill, and the bills in the Senate sponsored by Burns and Leahy, are vitally important and should be passed. As you know, the debate over encryption policy reform has been going on for more than 4 years. Despite all of our efforts to promote the use of encryption, crypto is still not widely used by the public. The Clinton administration has not backed off from their commitment to a global key-escrow/key-recovery system with guaranteed law enforcement access to private keys. And despite the brilliant work of EFF on the various legal challenges to the export restrictions, we feel this issue will only be fully resolved through legislation. The status quo, in our view, is not good enough. Because of the export controls and the lack of a coherent US encryption policy, Internet users do not have access to the privacy protecting encryption products they need. Congress needs to stand up to the Administration and say, with a strong voice, "your policy is a failure - we need a different solution". That's what SAFE, Pro-CODE, and ECPA II do. 
Best, Jonah ** THE FIGHT FOR FREE SPEECH ONLINE IS IN THE HANDS OF THE SUPREME COURT ** Find out the latest news and information about the case, visit <http://www.ciec.org> -- <ciec-info@cdt.org> -- Jonah Seiger, Communications Director (v) +1.202.637.9800 Center for Democracy and Technology pager +1.202.859.2151 <jseiger@cdt.org> PGP Key via finger http://www.cdt.org http://www.cdt.org/homes/jseiger
At 8:52 AM -0800 5/1/97, sameer wrote:
The status quo, in our view, is not good enough. Because of the export controls and the lack of a coherent US encryption policy, Internet users do not have access to the privacy protecting encryption products they need.
Yes they do. There is a growing international crypto development industry. The export controls have hampered access to the products they need, but it has not eliminated said access. SAFE is one step closer towards making *import* of cryptography illegal. It's a good thing Anguilla looks like a relatively reasonable place to live, with people like you "on our side".
In response to my post last night denouncing the SAFE Bill, some sources have informed me (by phone and e-mail) that the whole SAFE thing is of course not being driven by democratic or liberty motives. Rather, it's a move by certain factions of industry to ensure that _some_ of their crypto and Net commerce products can be more freely exported while also ensuring that certain of their foreign competitors cannot enter the U.S. market (hence the re-export clauses). At the risk of using certain cliches, this is a bit like Farben and Krupp getting special legislation making it easier for them to export certain of their products while the law cracks down on both imports of their competitors' products and on civil liberties in general. That CDT and other organizations with "democracy" in their names would shill for such a callow move to aid certain exports while suppressing basic freedoms is regrettable. I can't wait for those "Use a cipher, go to prison" billboards. I predict that the uproar over this "use a cipher, go to prison" bill will eventually equal the uproar over the EFF-supported Digital Telephony (CALEA) Act of 1994. CDT and other organizations leading the charge will never again be able to say their concerns are about civil liberties. Oh, and Sameer, those products you re-export, like Stronghold, may soon be banned by SAFE. It may not even be legal, even according to current law, for you to operate out of Anguilla. (Why, then, does the Administration oppose SAFE? And is this a reason for folks like us to support SAFE? The Administration wants even more draconian restrictions on basic freedoms, and SAFE does not go far enough in restricting freedoms. 
Besides, with no effective lobbying group for the "libertarian" side of the issue, the Administration knows it can safely (no pun intended) argue against SAFE...worst case, for them, it passes, and all the clauses about law enforcement needs and national security needs keep things at least as bad as they are today, and probably worse. Best case, for them, SAFE is defeated and the way is clear for them to introduce the "Safe Streets and Children's Protection Act of 1997.") --Tim May There's something wrong when I'm a felon under an increasing number of laws. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
On May 1, 11:40am, Tim May wrote:
I'm no expert in these areas, but doesn't this constitute "providing hooks" for strong crypto? The EARs say that a "hook" for inserting crypto modules once a product is exported are essentially as bad as providing the crypto before the product is exported.
If the EAR says that, I would like to have a reference to the section, please, so I can look it up at jya.com. I am not saying it is not there, just that I haven't seen it, and I would like to see what the exact language is. -- Anil Das
Oh, and Sameer, those products you re-export, like Stronghold, may soon be banned by SAFE. It may not even be legal, even according to current law, for you to operate out of Anguilla.
We don't re-export anything. All development happens outside the US, and all sales to customers outside the US happen from outside the US. As far as operating from Anguilla -- it would require renouncing my US citizenship, yes. -- Sameer Parekh Voice: 510-986-8770 President FAX: 510-986-8777 C2Net http://www.c2.net/ sameer@c2.net
At 2:27 pm -0400 on 5/1/97, sameer wrote:
As far as operating from Anguilla -- it would require renouncing my US citizenship, yes.
Hoo, boy... Make sure you get (buy?) citizenship somewhere else first, okay, Sameer? :-). Seriously, it would be indeed a drag to have a whole bunch of cypherpunks-without-a-country out there, no matter what we all say about the evils of nation-states... Anyone out there have suggestions about a domicile of choice? Vince's old "perpetual tourist" thing comes to mind, but I'm not convinced that's really practical. I heard someone talking about Belize at FC97. The Seychelles have come up around here, more than once, for those with $10million to throw around... However, I tend to agree with Tim about this whole regulatory arbitrage stuff. Nothing keeps the law honest like good software. :-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/
At 10:27 AM -0800 5/1/97, sameer wrote:
Oh, and Sameer, those products you re-export, like Stronghold, may soon be banned by SAFE. It may not even be legal, even according to current law, for you to operate out of Anguilla.
We don't re-export anything. All development happens outside the US, and all sales to customers outside the US happen from outside the US. As far as operating from Anguilla -- it would require renouncing my US citizenship, yes.
I'm no expert in these areas, but doesn't this constitute "providing hooks" for strong crypto? The EARs say that a "hook" for inserting crypto modules once a product is exported are essentially as bad as providing the crypto before the product is exported. Also, my understanding is that U.S. companies cannot send experts or programmers to non-U.S. sites with the intention of thereby violating U.S. export laws. (I once asked Jim Bidzos why he did not simply move his key developers beyond the borders, and this is the answer he gave, repeated by others at later times on the CP and other lists. So far as I know, this has never been tested in court. Such a test would be comparable to Bernstein, Junger, Karns, etc. in significance.) --Tim There's something wrong when I'm a felon under an increasing number of laws. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
In <v03007801af8ea0d7d7df@[207.167.93.63]>, on 05/01/97 at 01:40 PM, Tim May <tcmay@got.net> said:
At 10:27 AM -0800 5/1/97, sameer wrote:
Oh, and Sameer, those products you re-export, like Stronghold, may soon be banned by SAFE. It may not even be legal, even according to current law, for you to operate out of Anguilla.
We don't re-export anything. All development happens outside the US, and all sales to customers outside the US happen from outside the US. As far as operating from Anguilla -- it would require renouncing my US citizenship, yes.
I'm no expert in these areas, but doesn't this constitute "providing hooks" for strong crypto? The EARs say that a "hook" for inserting crypto modules once a product is exported are essentially as bad as providing the crypto before the product is exported.
Also, my understanding is that U.S. companies cannot send experts or programmers to non-U.S. sites with the intention of thereby violating U.S. export laws. (I once asked Jim Bidzos why he did not simply move his key developers beyond the borders, and this is the answer he gave, repeated by others at later times on the CP and other lists. So far as I know, this has never been tested in court. Such a test would be comparable to Bernstein, Junger, Karns, etc. in significance.)
It is my understanding that not only is the above true but the financing of the development of crypto off-shore is also made illegal by the new restrictions. So if C2Net were to hire an independent foreign co. to develop their international version it would be in violation of the current regs even if no code was exported. - -- - ----------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. Finger whgiii@amaranth.com for PGP Key and other info - ----------------------------------------------------------- Tag-O-Matic: I don't do Windows, but OS/2 does.
It is my understanding that not only is the above true but the financing of the development of crypto off-shore is also made illegal by the new restrictions. So if C2Net were to hire an independent foreign co. to develop their international version it would be in violation of the current regs even if no code was exported.
That is an incorrect understanding of the law. -- Sameer Parekh Voice: 510-986-8770 President FAX: 510-986-8777 C2Net http://www.c2.net/ sameer@c2.net
In <199705011947.MAA17020@gabber.c2.net>, on 05/01/97 at 01:47 PM, sameer <sameer@c2.net> said:
It is my understanding that not only is the above true but the financing of the development of crypto off-shore is also made illegal by the new restrictions. So if C2Net were to hire an independent foreign co. to develop their international version it would be in violation of the current regs even if no code was exported.
That is an incorrect understanding of the law.
Below is the paragraph of the EAR that I am referring to: PART 736--[AMENDED] 19. Section 736.2 is amended by revising paragraph (b)(7) to read as follows: Sec. 736.2 General prohibitions and determination of applicability. * * * * * (7) General Prohibition Seven--Support of Certain Activities by U.S. persons--(i) Support of Proliferation Activities (U.S. Person Proliferation Activity). If you are a U.S. Person as that term is defined in Sec. 744.6(c) of the EAR, you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR which prohibits the performance, without a license from BXA, of certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR. There are no License Exceptions to this General Prohibition Seven in part 740 of the EAR unless specifically authorized in that part. (ii) You may not, without a license from BXA, provide certain technical assistance to foreign persons with respect to encryption items, as described in Sec. 744.9 of the EAR. * * * * * It clearly states that such activity is Illegal. I would recommend that your lawyers take a second read of the EAR. I personally don't care if you are in violation of the EAR or not but you should be aware of where you stand in regard to this regulation so there are no "surprises" later on. - -- - ----------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. Finger whgiii@amaranth.com for PGP Key and other info - ----------------------------------------------------------- Tag-O-Matic: I went window shopping...and bought OS/2!
described further in part 744 of the EAR. There are no License Exceptions
Read part 744 before you try to be a net.lawyer. -- Sameer Parekh Voice: 510-986-8770 President FAX: 510-986-8777 C2Net http://www.c2.net/ sameer@c2.net
The crucial part here is "you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR". If you read 744.6 EAR you will find that the provisions cited below only apply to nukes and missiles, not crypto. Why the quote you are citing even made it into 736 EAR is beyond me. I asked Commerce and they couldn't give me an answer either. I would assume it was either for FUD or perhaps more likely wishful thinking leading to a screw up. Regardless, the financing, etc. provisions *do not apply to crypto*. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred
On Thu, 1 May 1997, William H. Geiger III wrote:
In <199705011947.MAA17020@gabber.c2.net>, on 05/01/97 at 01:47 PM, sameer <sameer@c2.net> said:
It is my understanding that not only is the above true but the financing of the development of crypto off-shore is also made illegal by the new restrictions. So if C2Net were to hire an independent foreign co. to develop their international version it would be in violation of the current regs even if no code was exported.
That is an incorrect understanding of the law.
Below is the paragraph of the EAR that I am referring to:
PART 736--[AMENDED]
19. Section 736.2 is amended by revising paragraph (b)(7) to read as follows:
Sec. 736.2 General prohibitions and determination of applicability.
* * * * * (7) General Prohibition Seven--Support of Certain Activities by U.S. persons--(i) Support of Proliferation Activities (U.S. Person Proliferation Activity). If you are a U.S. Person as that term is defined in Sec. 744.6(c) of the EAR, you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR which prohibits the performance, without a license from BXA, of certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR. There are no License Exceptions to this General Prohibition Seven in part 740 of the EAR unless specifically authorized in that part. (ii) You may not, without a license from BXA, provide certain technical assistance to foreign persons with respect to encryption items, as described in Sec. 744.9 of the EAR. * * * * *
It clearly states that such activity is Illegal. I would recommend that your lawyers take a second read of the EAR.
I personally don't care if you are in violation of the EAR or not but you should be aware of where you stand in regard to this regulation so there are no "surprises" later on.
- -- - ----------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail.
Finger whgiii@amaranth.com for PGP Key and other info - -----------------------------------------------------------
Tag-O-Matic: I went window shopping...and bought OS/2!
At 11:43 AM -0800 5/1/97, William H. Geiger III wrote:
It is my understanding that not only is the above true but the financing of the development of crypto off-shore is also made illegal by the new restrictions. So if C2Net were to hire an independent foreign co. to develop their international version it would be in violation of the current regs even if no code was exported.
Yes, that's what the language said when the ITARs got switched over to EARs and Commerce took over. I have no idea how Sameer's C2Net finances the offshore development of Stronghold development, etc., but it's possible the Administration could decide to make an example of them. The gist of the laws is that "loopholes" are being closed down one by one. --Tim May There's something wrong when I'm a felon under an increasing number of laws. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
In <v03020900af8e49aa795c@[207.226.3.4]>, on 05/01/97 at 08:09 AM, Jonah Seiger <jseiger@cdt.org> said:
Tim -
It's too bad we may not see eye-to-eye on this one.
For what it's worth, CDT shares your concerns about the criminal provision in the SAFE bill. We believe that as currently written, the provision is overly broad and could create a chilling effect on the everyday use of encryption, and unnecessary because it duplicates existing obstruction of justice law.
We have expressed these concerns both publicly (in a letter to the committee signed by EPIC, ACLU, EFF, VTW, CDT, and over 20 other organizations - see http://www.privacy.org/ipc/safe_letter.html) and privately in conversations with the committee staff. We hope to work with the authors of SAFE to address these concerns, but, as you know, we are not running this show and have to work with what the Congress gives us.
However, despite our concerns about the criminal provisions, we believe strongly that the SAFE bill, and the bills in the Senate sponsored by Burns and Leahy, are vitally important and should be passed.
As you know, the debate over encryption policy reform has been going on for more than 4 years. Despite all of our efforts to promote the use of encryption, crypto is still not widely used by the public.
The Clinton administration has not backed off from their commitment to a global key-escrow/key-recovery system with guaranteed law enforcement access to private keys. And despite the brilliant work of EFF on the various legal challenges to the export restrictions, we feel this issue will only be fully resolved through legislation.
The status quo, in our view, is not good enough. Because of the export controls and the lack of a coherent US encryption policy, Internet users do not have access to the privacy protecting encryption products they need.
Congress needs to stand up to the Administration and say, with a strong voice, "your policy is a failure - we need a different solution". That's what SAFE, Pro-CODE, and ECPA II do.
No that is not what they do. :( In addition to *RESTRICTING* the use of *DOMESTIC* crypto it provides a rather scary precedent: An Amendment to the Constitution of the United States is only valid if Congress says it is and only if the Rights provided by those Amendments are exercised by The People in a manner that meets Congress's approval. If Congress really wants to do something then let them pass a resolution that the export restrictions of crypto in the EAR is unconstitutional and therefore null & void. Anything less or more is unneeded, unwanted, and unconstitutional. - -- - ----------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. Finger whgiii@amaranth.com for PGP Key and other info - ----------------------------------------------------------- Tag-O-Matic: I went window shopping...and bought OS/2!
The status quo, in our view, is not good enough. Because of the export controls and the lack of a coherent US encryption policy, Internet users do not have access to the privacy protecting encryption products they need.
Yes they do. There is a growing international crypto development industry. The export controls have hampered access to the products they need, but it has not eliminated said access. SAFE is one step closer towards making *import* of cryptography illegal. It's a good thing Anguilla looks like a relatively reasonable place to live, with people like you "on our side". -- Sameer Parekh Voice: 510-986-8770 President FAX: 510-986-8777 C2Net http://www.c2.net/ sameer@c2.net
participants (7)
- das@razor.engr.sgi.com
- Jonah Seiger
- Lucky Green
- Robert Hettinga
- sameer
- Tim May
- William H. Geiger III