Netscape download requirements
Jeff Weinstein wrote:
We received written permission from the State Department for our download verification mechanism.
What exactly is the reason for Netscape asking for the name, address, e-mail address, and telephone number of anyone who wishes to download the US-browser? If I remember correctly MIT in distributing PGP only asks that you affirmatively assent to obeying export laws (and the terms of the rsa license). I have not heard at any point that the MIT system does not meet the legal requirements of ITAR. Is there perhaps some other reason Netscape wishes to have this information? --Julian Burke
Julian Burke wrote:
Jeff Weinstein wrote:
We received written permission from the State Department for our download verification mechanism.
What exactly is the reason for Netscape asking for the name, address, e-mail address, and telephone number of anyone who wishes to download the US-browser? If I remember correctly MIT in distributing PGP only asks that you affirmatively assent to obeying export laws (and the terms of the rsa license).
I have not heard at any point that the MIT system does not meet the legal requirements of ITAR. Is there perhaps some other reason Netscape wishes to have this information?
The Department of State tells us that permission was granted to MIT and others under the "old policy". The "new policy" has not been completed, which led to long delays in our getting approval. Our current approval is temporary, pending release of the "new policy". In order to get this permission we agreed to ask for and archive this information, in case law enforcement required it for some related investigation. The following statement is at the bottom of the page, near the submit button: ALL SUBMISSIONS ARE LOGGED Misrepresentation or omission of facts is covered under ITAR 127.2(a) and (b)(13). These data will only be released to satisfy lawful requests by government agencies, should such requests be made. That last sentance means that we won't be selling the list to telemarketers, or making it publicly available. If you are not comfortable providing this information, then you may either run the export version, or purchase the retail navigator package, which also includes the US only version when sold in the US. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Jeff Weinstein writes:
If you are not comfortable providing this information, then you may either run the export version, or purchase the retail navigator package, which also includes the US only version when sold in the US.
But you can't buy the Linux or other similar versions, so this is not an option for many of us. .pm
Perry E. Metzger wrote:
Jeff Weinstein writes:
If you are not comfortable providing this information, then you may either run the export version, or purchase the retail navigator package, which also includes the US only version when sold in the US.
But you can't buy the Linux or other similar versions, so this is not an option for many of us.
You can buy a supported version of Navigator for Linux from Caldera. I've been told that we have given them a US binary, but I'm not sure if they are shipping it yet. You should contact them to find out when it will be available. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Why is the 128-bit version available only in the United States? It can't be due to ITAR since export of crypto to Canada is ok. Does it have something to due with RSA only being patented in the United States so that's the only place RSADSI wants it used? I noticed that Netscape's SSL implementation is available only to developers in the U.S. as well. -- Leonard Janke (janke@unixg.ubc.ca) NEW pgp key id 0x6BF11645 (0xF4118611 eaten by /dev/fd0 :( )
janke@unixg.ubc.ca wrote:
Why is the 128-bit version available only in the United States? It can't be due to ITAR since export of crypto to Canada is ok. Does it have something to due with RSA only being patented in the United States so that's the only place RSADSI wants it used? I noticed that Netscape's SSL implementation is available only to developers in the U.S. as well.
Because we have not yet been able to obtain the address verification databases that we need for Canada. There is someone working on tracking this down right now. When we get the proper database we will add access to canada. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Because we have not yet been able to obtain the address verification databases that we need for Canada. There is someone working on tracking this down right now. When we get the proper database we will add access to canada.
Have you considered selling this export verification system? -- Sameer Parekh Voice: 510-986-8770 Community ConneXion, Inc. FAX: 510-986-8777 The Internet Privacy Provider http://www.c2.net/ sameer@c2.net
First off, I applaud Netscape for making the US version available for download. All of my comments here should be taken as questioning the why's, not suggesting that the implementation is so onerous Netscape shouldn't have done it. Although, you might want to add a link to a page decrying the kafka-esque experience; perhaps Matt's 'My life as an arms smuggler?' My question is, under what lawful authority would you release the data? The ITARs don't seem to contain anything special, so would you hand out lists on a subpeona? Individual names on a subpeona? Lists on a warrant? Incidentally, they seem to be doing a credit check sort of verification; I gave a decade old address, and it worked fine. I feel free to do this because I'm legally entitled to download strong crypto software, and see no need to hand out my unlisted phone number in doing so. Adam Jeff Weinstein wrote: | The Department of State tells us that permission was granted to | MIT and others under the "old policy". The "new policy" has not | been completed, which led to long delays in our getting approval. | Our current approval is temporary, pending release of the "new | policy". In order to get this permission we agreed to ask for and | archive this information, in case law enforcement required it for | some related investigation. The following statement is at the | bottom of the page, near the submit button: | | ALL SUBMISSIONS ARE LOGGED | Misrepresentation or omission of facts is covered under | ITAR 127.2(a) and (b)(13). | These data will only be released to satisfy lawful requests by | government agencies, should such requests be made. | | That last sentance means that we won't be selling the list to | telemarketers, or making it publicly available. | | If you are not comfortable providing this information, then you | may either run the export version, or purchase the retail navigator | package, which also includes the US only version when sold in the US. | | --Jeff | | -- | Jeff Weinstein - Electronic Munitions Specialist | Netscape Communication Corporation | jsw@netscape.com - http://home.netscape.com/people/jsw | Any opinions expressed above are mine. | -- "It is seldom that liberty of any kind is lost all at once." -Hume
Adam Shostack wrote:
First off, I applaud Netscape for making the US version available for download. All of my comments here should be taken as questioning the why's, not suggesting that the implementation is so onerous Netscape shouldn't have done it. Although, you might want to add a link to a page decrying the kafka-esque experience; perhaps Matt's 'My life as an arms smuggler?'
My question is, under what lawful authority would you release the data? The ITARs don't seem to contain anything special, so would you hand out lists on a subpeona? Individual names on a subpeona? Lists on a warrant?
This is from our US download FAQ at http://home.netscape.com/eng/US-Current/faq.html The information users provide when applying to download the 128-bit encryption software is used ONLY to verify eligibility. The U.S. government requires Netscape to maintain a log of software downloads should they deem it necessary under court order, to use this information in their investigations of illegal use or misrepresentation of information. If law enforcement got a court order to get the entire list, we would fight it in court as being over broad.
Incidentally, they seem to be doing a credit check sort of verification; I gave a decade old address, and it worked fine. I feel free to do this because I'm legally entitled to download strong crypto software, and see no need to hand out my unlisted phone number in doing so.
We are not doing any type of credit check. We are doing some address verification using local databases, so these queries don't go into anyones tracking database. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
At 4:26 PM -0400 7/16/96, Jeff Weinstein wrote:
We are not doing any type of credit check. We are doing some address verification using local databases, so these queries don't go into anyones tracking database.
Ah. <Lucky-mode> So they can find you later when they outlaw crypto? </Lucky-mode> ;-) No offense to our dear cypherpunk friends at Netscape, who are certainly just following orders. But, frankly, I don't feel like sending a sperm sample to Netscape, this time... When this goes across the old speed-bump, will someone post the URL here? Carefully, of course... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "'Bart Bucks' are not legal tender." -- Punishment, 100 times on a chalkboard, for Bart Simpson The e$ Home Page: http://www.vmeng.com/rah/
-----BEGIN PGP SIGNED MESSAGE----- On Tue, 16 Jul 1996, Adam Shostack wrote:
First off, I applaud Netscape for making the US version available for download. All of my comments here should be taken as questioning the why's, not suggesting that the implementation is so onerous Netscape shouldn't have done it. Although, you might want to add a link to a page decrying the kafka-esque experience; perhaps Matt's 'My life as an arms smuggler?'
It's there, but it's subtle (they must be polite, you know). Read the download FAQ closely, especially the #bigbrother anchor. - -rich -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMe0bE5NcNyVVy0jxAQFvPAIAiVyWQcu4O/cvYL5ws7FCTfHVVF9HTGYx jbSTQ+e3tSk10CrJQ8pqlGsissDjEhz135vKGy1cMlbqtv+/S8MHQw== =GWA5 -----END PGP SIGNATURE-----
Horse's mouth here, or mostly. First, the Weinsteins are right on the money in almost everything they say, so I won't repeat them. Second, I don't get to read this group much, so an apology for post-n-dash. Jeff and Tom W keep me informed, however, so here're some thoughts.
Well one 'ITAR gangsta' can alwas upload the linux version to a 'liberated ftp site'.
Great. Convince the government to withdraw our permission and never to give it again while the current laws stand. Please don't do this.
so why not do a 'whois netscape.com' and enter the Netscape Communications Corps. data ? Afterall whois to know ....
Anonymous wrote:
Tim you may use this as entry data:
There are ways to spoof this but without serious IP spoofing and SSL hacking you'll leave a trail which could be followed if someone wanted to. I have no idea what the probabilities of an investigation are, but looking at the data we log, every lie we've received would be trivially tracked down if a motivated government agency came along. There isn't much about your connections that we don't log. If you all hack us, one of three things will happen: (1) someone will make us stop doing this (2) someone will slow it down more by forcing me to check more -or- (3) they'll let us stay up so they can (try to) come get you I'd bet on the first. Why screw with this? We worked hard to make this possible and you want to ruin it. Sheesh. "I hate the government so I'll blow up a federal building and then the FBI will get more money and attention and power and, um, that'll show 'em, er, ah....." sameer wrote:
Have you considered selling this export verification system?
No. I don't have redistribution rights to all of it. If someone were really interested, I'd talk to them, but the government would probably need to be told before any tech transfer took place, I'd bet. Also, our govt permission is pretty specialized; I don't think anyone can just go use it unless they are willing to brave those untested waters I keep getting reminded about.
Have you heard any reports of anyone successfully downloading it period? Netscape always times out in the middle of a download. I think the server is so overloaded that it's actually impossible to download the software.
Yeah, we're getting clobbered. We're working on it. Lots of people are making it, though. The site management guys know about the problem and are scurrying, anyway.
I sure wish there were an ftp site overseas somewhere, then I could actually get the damned thing.
If you get NoCookie: please check your system clock. I'm hoping that's most people's problems (those who don't have cookies disabled or r/o). For those of you who think some of our info requests go too far: well, my position to the US was: I want to do a download. I'll do what it takes. Given all the ITAR vagueness and total lack of case law, I think both sides did very well. While I don't agree with the usefulness of the laws in place, I think the guys in ODTC had their public service hats on very firmly the day they said OK to us. It would have been quite easy for them to maintain the old line but they wanted, in their way, to do the public a service. This is something I would like more of in Washington. This is the wrong place to wage battle. Rather than attack some odd piece of enforcement, participate in the debate over the regulations themselves. Strides are being made. This is a good time for your voice to be heard. If you don't like this mechanism, don't use it. It's your choice. -- Tom Paquin Netscape Communications Corp about:paquin
Tom Paquin writes: : sameer wrote: : > : > Have you considered selling this export verification system? : : No. I don't have redistribution rights to all of it. If : someone were really interested, I'd talk to them, but the : government would probably need to be told before any tech transfer : took place, I'd bet. : : Also, our govt permission is pretty specialized; I don't think : anyone can just go use it unless they are willing to brave those : untested waters I keep getting reminded about. Would it be possible to get a copy of the terms of the written permission that I gather Netscape has received from the government? Or is this another area where the government insists on obscurity? (I do want to thank Netscape--and especially Tom Weinstein who tried to give me a lot of assistance--for making the downloading possible. On the other hand, I certainly don't think that we owe any thanks to the government agencies that made all this rigamarole necessary.) -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
Peter D. Junger wrote:
Would it be possible to get a copy of the terms of the written permission that I gather Netscape has received from the government? Or is this another area where the government insists on obscurity?
I don't know. Some people here are asking to release that. If I recall, the letter only says something like "using the mechanism defined in our meeting of M/D/Y." I could be wrong. Everyone in the room took copious notes, so this is not an "opportunity" if you're inclined to think that way. -- Tom Paquin Netscape Communications Corp about:paquin
"Julian Burke" writes: : : Jeff Weinstein wrote: : : > We received written permission from the State Department for our : >download verification mechanism. : : What exactly is the reason for Netscape asking for the name, address, : e-mail address, and telephone number of anyone who wishes to download : the US-browser? If I remember correctly MIT in distributing PGP only : asks that you affirmatively assent to obeying export laws (and the : terms of the rsa license). : : I have not heard at any point that the MIT system does not meet the : legal requirements of ITAR. Is there perhaps some other reason : Netscape wishes to have this information? When I asked the agent of the NSA who is seconded to the Office of Defense Trade Controls to answer questions about the application of the ITAR to the cryptographic software what the authority for the MIT system was, she denied that the MIT system had been approved (or disapproved) by the Office of Defense Trade Controls, although I gather that the people at MIT may have spoken informally with someone. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
participants (10)
-
Adam Shostack -
janke@unixg.ubc.ca -
Jeff Weinstein -
Julian Burke -
Perry E. Metzger -
Peter D. Junger -
Rich Graves -
Robert Hettinga -
sameer -
Tom Paquin