v2.6 for the rest of us
Jeff Barber wrote:
While creating a 2.6-like version from 2.3a seems a worthy goal, this supporting argument is flawed. The original PGP was written in the USA and, never having received the proper export approvals, must have been "illegally exported." Isn't Phil Zimmermann being "investigated" by a grand jury for this even now? So, it would seem to me that a bulletin board carrying any version of PGP holds illegally exported software (wrt US law). How does 2.3a differ from 2.6 in this respect?
Ok, you got me there! My supporting argument is indeed flawed. However, I would say that most people _regard_ v2.3a as a legal version outside the USA and so are willing to carry it on their systems; and at this time I believe nothing concrete to the contrary has been proved. Versions 2.5 and 2.6 however are obviously illegal exports, and I think that it is the fact that people think of one as legal and the other as illegal that makes the difference, and therefore we who are outside the USA need our own version to be brought up to date.

I have, at this time, been informed of two separate people working on a new version that is compatible with 2.6, based on 2.3a code. Maybe everyone working on (or who knows of people working on) such developments could post information regarding what exactly they are changing/upgrading/doing to 2.3a to make an 'international' v2.6.

What do others think of everyone 'putting their cards on the table' to enable other knowledgeable cypherpunks to help and suggest things?

Am I jumping the gun? Should we just let MIT's v2.6 reach an FTP site somewhere outside of the USA and let it slowly (and cautiously) get distributed to a small community of cypherpunks leaving the rest incompatible?

All of those inside the USA, *PLEASE* get involved with this. It _is_ important!

Thank you for listening.

Paul Strong, Fidonet: 2:254/438 (weekly mail check)
pauls@dcs.rhbnc.ac.uk, Finger for PGP v2.3a public key
However, I would say that most people _regard_ v2.3a as a legal version outside the USA and so are willing to carry it on their systems; ... Versions 2.5 and 2.6 however are obviously illegal exports,
If people feel this way, they are confused. Once the code escapes the U.S. it is legal to use, modulo local anti-privacy legislation. Someone exporting the code from the U.S. takes a legal risk; someone who uses already-exported code does not.
Am I jumping the gun? Should we just let MIT's v2.6 reach an FTP site somewhere outside of the USA and let it slowly (and cautiously) get distributed to a small community of cypherpunks [...]
Snarf it from ghost.dsi.unimi.it, as cautiously as you like. (Oh, actually, the ftp site has moved to goblin.something -- it will tell you when you try to log in.)

Eli
ebrandt@hmc.edu
Versions 2.5 and 2.6 however are obviously illegal exports, and I think that it is the fact that people think of one as legal and the other as illegal that makes the difference, and therefore we who are outside the USA need our own version to be brought up to date.

Legality is always relative to some jurisdiction. Let us stipulate for discussion that export of PGP 2.6 from the USA was in violation of the ITAR.

Is PGP 2.6 in Europe an "illegal export"? To wit, it is in the USA, but not in Europe, barring specific reciprocity agreements.

Under USA law, it violates the ITAR (by stipulation--now may be the time to reach for the dictionary). So, if the USA could manage to extradite a 2.6-user from Europe, that person could be tried under USA law, convicted, and jailed. Think not? One word: Noriega. Noriega was tried under USA law for activities which never took place in the USA. You think that sucks? Well, expect the tendrils of law to extend past the nominal geographic borders more often. If individuals can become locationally ambiguous, there's no reason to expect governments to remain locationally confined.

Now, is USA law a threat? Now is the time to estimate the cost of extradition, trial, incarceration, etc. relative to other law enforcement priorities. It's pretty unlikely, in the case of PGP-2.6. No need to lose sleep.

So, is it illegal in Europe? Well, not usually. What law of any European state has a 2.6-user broken? The ITAR is a USA law, not, say, a German one. There may be other statutes, as in France, which could restrict its use, but they're not the ITAR. So if I were living in England, using PGP 2.6, I'd have nothing to fear from local authorities as such. (Maybe from them acting as extradition officers, but you can figure out that difference easily.)

And I haven't even addressed detection yet.

Eric
Eric said:
So, if the USA could manage to extradite a 2.6-user from Europe, that person could be tried under USA law, convicted, and jailed.
Convicted of what? The ITAR provides civil and criminal penalties for exporting defense articles or technical information, for providing defense services, etc. AFAIK (anybody OCRed it?), it contains no clause that would cover the use of software or rocket launchers that have already been exported.

Eli
ebrandt@hmc.edu
The issue is whether mere use of USA-illegally exported crypto is itself illegal.

AFAIK (anybody OCRed it?), it contains no clause that would cover the use of software or rocket launchers that have already been exported.

The text of the ITAR is available at one or both of eff.org or cpsr.org.

I purposefully elided over this point in my first post in order to more clearly talk about jurisdiction. (This may not have been best.) I don't know if such use is illegal; for the purpose of discussion above, I assumed it was. It may be otherwise, however.

Suppose it's not explicitly illegal. Does that mean you can't get prosecuted for it, or convicted? Whatever the answer is, it's not "clearly no". Inside every prosecutor's office is a legal hacker trying to push the boundaries of criminal law, trying to make more things _illegal_. (Not exactly what you want to hear, I'm sure.)

What creative arguments might an aggressive prosecutor use? Conspiracy is a good one. The argument could be that there's so much publicity about PGP that any user must know that 2.6 was USA-illegally exported, and, therefore, was blindly conspiring with the original exporter. This is an apparently ludicrous argument, but could it fly? Ever heard of the twinkie defense?

Eric
participants (3)
- Eli Brandt
- hughes@ah.com
- Paul K. Strong