Re: FROM A FRIEND . . .
Updating Customers: Netscape will provide the fix for Export (40 bit) versions of Netscape Navigator later this week for downloading by customers on the Internet. Similarly, the Commerce Server patch for Export versions (40 bit) will be made available from our home page. Because downloading of 128 bit versions of the software is still not permitted by U.S. law, U.S. customers of Netscape Navigator, Netscape Navigator Personal Edition and Netscape Commerce Server using 128 bit versions can request the replacement from Netscape for delivery through the regular mail.
Funny, MIT and MPJ and others manage to enable the downloading of export-controlled software. Also, wasn't there some sort of promise by Netscape after we broke the 40-bit version to make the 128-bit version available to US users under the Beta/freeware system? What happened to that plan? DCF "This encryption thing is a lot harder than it looks."
In article <199509201648.MAA14624@panix.com>, frissell@panix.com (Duncan Frissell) writes:
Updating Customers: Netscape will provide the fix for Export (40 bit) versions of Netscape Navigator later this week for downloading by customers on the Internet. Similarly, the Commerce Server patch for Export versions (40 bit) will be made available from our home page. Because downloading of 128 bit versions of the software . >is still not permitted by U.S. law, U.S. customers of Netscape Navigator, Netscape Navigator Personal Edition and Netscape Commerce Server using 128 bit versions can request the replacement from Netscape for delivery through the regular mail.
Funny, MIT and MPJ and others manage to enable the downloading of export-controlled software. Also, wasn't there some sort of promise by Netscape after we broke the 40-bit version to make the 128-bit version available to US users under the Beta/freeware system? What happened to that plan?
We are also examining some sort of binary patch technology, so that folks with the US-only version can easily download and apply the patch. I think that the general opinion of engineers and management here at Netscape is that it would be A Really Good Thing to have our US-only 128+ bit version of Netscape Navigator available for download by US citizens and others who are not legally prohibited from using it. As a matter of fact, up until the RNG thing hit on sunday night, I had been making myself a major pain in the ass to netscape managers and executive, bugging them every day for at least the past several weeks, to get a decision about making the US version available for free download. I know that MIT, RSA, and others make crypto code available for download with various mechanism. I'm sure that these institutions did not make the decision lightly. This issue is now a very high priority for our lawyers, but it will take some time for them to reach a legal opinion about Netscape's legal exposure. The fact that MIT and RSA have done it does not mean that the government will not go after Netscape for similar behavior. We all know what a juicy target Netscape is these days... :-) We have submitted our proposal for download checking to the State Dept. I think that our process does more validation than what others have done. The State Dept. has so far refused to send us any kind of written approval of our proposed methods. I know that many of you think that this is futile, and I won't dispute that, but I think we do have to make the effort in order for our case to hold up later. We do share your frustration at being forced to use weak crypto. This has been a major pain for us, but I believe that we are committed to continuing to produce a version with strong crypto (as long as it remains legal - sigh). I for one will always fight to ensure that we have a version of our Navigator that supports "strong" crypto, and to make that version easily and widely available. The governments attempts to get companies to produce watered down versions for the US because it is easier will not succeed here as long as I have any say in the matter. Also, the company has taken a vocal public position against the current ITAR restrictions and any sort of mandatory or government controlled key escrow. We are working on it. Please try to be patient. It is just as hard for us as it is for you... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
In article <43qrhf$gd5@tera.mcom.com>, Jeff Weinstein <jsw@neon.netscape.com> wrote:
I think that the general opinion of engineers and management here at Netscape is that it would be A Really Good Thing to have our US-only 128+ bit version of Netscape Navigator available for download by US citizens and others who are not legally prohibited from using it.
Who _is_ legally prohibited from using it? I think there are some countries where the very use of crypto is illegal (could someone please list them?), but who else? There are some people that may be legally prohibited from _obtaining_ it from a US site (ITAR yadda), but even so, if JRFurriner downloads crypto from company C's site in the US, who's guilty of ITAR-violation? Company C for making it available, or JRF for initiating the action that caused the bits to be send out of the country? - Ian "my, I seem to be posting a lot tonight"
(ITAR yadda), but even so, if JRFurriner downloads crypto from company C's site in the US, who's guilty of ITAR-violation? Company C for making it available, or JRF for initiating the action that caused the bits to be send out of the country?
This is a question that has never been answered by a court. Personally I think that the Congress can't constitutionally set up a scheme that restricts US citizens from communicating with each other to transfer software. Even if it makes it harder to catch foreigners who break the law. Prior restraints on US citizens' communications can only be done if they are "incidental" to a greater government purpose. When their purpose is to restrain the act of communication itself, they lose. It's even clear that they can't prevent US citizens from communicating with foreigners, so the entire crypto software export regime may be unconstitutional. The more research we do on the First Amendment law, the more it looks this way to me. If some hardy soul wants to set up a nice clean situation, like Phil Karn did for the paper-vs-magnetic-media distinction, I'm sure we can find some more pro-bono (zero cost) lawyers who'll take the case for the fun and notoriety. You don't have to break the law to get into court; Phil didn't, for example. You make a situation where the law restricts you, then sue to have the restriction declared invalid. And if you have ever been in court, it's a lot more fun being the Plaintiff than being the Defendant. Doing this will take significant time on your part. Even if the lawyers do 95% of the work, you have to talk with them, review what they write, explain the details in gory detail, and believe in what they're doing for you. And sometimes do things in a way that they are sure is right, even though you yourself aren't sure. And stick with the case even though it would drag on for years through several courts. So it's not something to do lightly. But it's worth it. And it's a lot safer and easier to enforce your civil rights now, than to try to live through the civil war that would follow the slide into authoritarian government. I'd do this case myself, except that I think we should have few single points of failure. If we spread the work around, it's more likely to happen. And your civil rights are safer, because you yourself have learned how to defend them. John
...
This is a question that has never been answered by a court.
Personally I think that the Congress can't constitutionally set up a scheme that restricts US citizens from communicating with each other ...
If some hardy soul wants to set up a nice clean situation, like Phil Karn did for the paper-vs-magnetic-media distinction, I'm sure we can find some more pro-bono (zero cost) lawyers who'll take the case for the fun and notoriety. You don't have to break the law to get into court; Phil didn't, for example. You make a situation where the law restricts you, then sue to have the restriction declared invalid. And if you have ever been in court, it's a lot more fun being the Plaintiff than being the Defendant.
Doing this will take significant time on your part. Even if the lawyers do 95% of the work, you have to talk with them, review what they write, explain the details in gory detail, and believe in what they're doing for you. And sometimes do things in a way that they are sure is right, even though you yourself aren't sure. And stick with the case even though it would drag on for years through several courts. So it's not something to do lightly. But it's worth it. And it's a lot safer and easier to enforce your civil rights now, than to try to live through the civil war that would follow the slide into authoritarian government.
I'd do this case myself, except that I think we should have few single points of failure. If we spread the work around, it's more likely to happen. And your civil rights are safer, because you yourself have learned how to defend them.
John
I recently moved to the DC area (N VA) and might be amenable to a relatively harmless scenario like this. (Not that I have much time, but I'm flexible.) sdw -- Stephen D. Williams 25Feb1965 VW,OH (FBI ID) sdw@lig.net http://www.lig.net/sdw Consultant, Vienna,VA Mar95- 703-918-1491W 43392 Wayside Cir.,Ashburn, VA 22011 OO/Unix/Comm/NN ICBM/GPS: 39 02 37N, 77 29 16W home, 38 54 04N, 77 15 56W Pres.:Concinnous Consulting,Inc.;SDW Systems;Local Internet Gateway Co.;28May95
Ian Goldberg writes: : In article <43qrhf$gd5@tera.mcom.com>, : Jeff Weinstein <jsw@neon.netscape.com> wrote: : > I think that the general opinion of engineers and management here at : >Netscape is that it would be A Really Good Thing to have our US-only : >128+ bit version of Netscape Navigator available for download by US : >citizens and others who are not legally prohibited from using it. : : Who _is_ legally prohibited from using it? I think there are some countries : where the very use of crypto is illegal (could someone please list them?), : but who else? : : There are some people that may be legally prohibited from _obtaining_ it : from a US site (ITAR yadda), but even so, if JRFurriner downloads : crypto from company C's site in the US, who's guilty of ITAR-violation? : Company C for making it available, or JRF for initiating the action : that caused the bits to be send out of the country? : : - Ian "my, I seem to be posting a lot tonight" Probably both have violated the ITAR, but neither will be actually prosecuted. On the other hand, Company C will be threatened and harassed until it stops making the software available. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
In article <43qvn4$mm@calum.csclub.uwaterloo.ca>, iagoldbe@calum.csclub.uwaterloo.ca (Ian Goldberg) writes:
In article <43qrhf$gd5@tera.mcom.com>, Jeff Weinstein <jsw@neon.netscape.com> wrote:
I think that the general opinion of engineers and management here at Netscape is that it would be A Really Good Thing to have our US-only 128+ bit version of Netscape Navigator available for download by US citizens and others who are not legally prohibited from using it.
Who _is_ legally prohibited from using it? I think there are some countries where the very use of crypto is illegal (could someone please list them?), but who else?
There are some people that may be legally prohibited from _obtaining_ it from a US site (ITAR yadda), but even so, if JRFurriner downloads crypto from company C's site in the US, who's guilty of ITAR-violation? Company C for making it available, or JRF for initiating the action that caused the bits to be send out of the country?
Poor choice of words on my part. My understanding is that we can not export our US-only product, except to canada - for the use of canadian citizens. I also believe that it is illegal for anyone except US citizens, permanent residents of the US (green card holders) and Canadian citizens to use it, even within the US. I'm not a lawyer, and I've not read all of ITAR myself, so I could be totally wrong... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
On 21 Sep 1995, Jeff Weinstein wrote:
Poor choice of words on my part. My understanding is that we can not export our US-only product, except to canada - for the use of canadian citizens. I also believe that it is illegal for anyone except US citizens, permanent residents of the US (green card holders) and Canadian citizens to use it, even within the US. I'm not a lawyer, and I've not read all of ITAR myself, so I could be totally wrong...
--Jeff
And from what the folks at the Export Controls division of the Department of External Affairs in Ottawa told me, Canadians can't export export-controlled American software, including pgp and other freeware, without a license. OTOH we can export non-US=origin software license-free (well freeware for sure, anyway, I didn't get the whole thing quite right). Of course there are a few countries for which you would need a license, and some UN embargoed countries to which you can't make any exports (both sets are dictatorships or warzones, so not much net access anyway and the crypto laws would make France's look cpunk). They're also waiting to see what happens to Phil Z. to decide whether or not ftp's are exports. All the same, if anyone wants an easy and economical way to get around ITAR, have someone do your cypto software development just north of the border (Vancouver's just north of Seattle and close enough to Silicon Valley, with excellent net-access) or at least just publish it here first. Phil could have saved himself an immense amount of trouble with a short car ride. You Americans on the list could too. Wanna nag your bosses some more Jeff? You'd be doing everyone a favor and get your wish. You can get "A guide to Canada's export controls" from: Foreign Affairs and international trade Canada. Export controls division 125 Sussex Drive, C-4 P.O. Box 481, Station A Ottawa, Ontario K1N 9K6 Fax: (613) 996-9933 Tel: (613) 996-2387 Remember to also ask for the "general software note" For the West Coasters on the list there's also an address closer to home (they have addresses in all the major Canadians cities, if anyone wants visit them personally, send me a msg and I'll mail you nearest address) International Trade Centre Scotia Tower 900-650 West Georgia Street P.O. Box 11610 Vancouver, British Columbia V6B 5H8 Fax: (604) 666-8330 Tel: (604) 666-0434
[plug plug plug] If you're impatient, much of the relevant text of the the "Canada's Export Controls" booklet is available at http://www.io.org/~samwise/crypto/ frodo =) -- Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992
Jeff Weinstein writes: : Poor choice of words on my part. My understanding is that we can not : export our US-only product, except to canada - for the use of canadian : citizens. I also believe that it is illegal for anyone except US citizens, : permanent residents of the US (green card holders) and Canadian citizens : to use it, even within the US. I'm not a lawyer, and I've not read : all of ITAR myself, so I could be totally wrong... There is nothing in U.S. law that prohibits anyone from using a cryptographic product, much to the frustration of the NSA, FBI, etc. That is why they try to forbid speaking about it by pretending that communication of information is exporting something. There is a law that forbids exporting munitions without a license and that is the basis for the ITAR regulations. The funny thing is that a law forbidding the use of cryptography just might be constitutional--though I, for one, am convinced that it would not be--while forbidding communication of information about cryptography without a license is a blatant violation of the First Amendment of the United States constitution. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
participants (8)
-
Duncan Frissell -
iagoldbe@csclub.uwaterloo.ca -
John Gilmore -
jsw@neon.netscape.com -
Peter D. Junger -
Richard Martin -
s675570@aix2.uottawa.ca -
sdw@lig.net