I just got off the phone with one of the customer service people at NAI, who informed me that "Encrypted e-mails from certain countries aren't accepted in the US" and that accepting encrypted email from one of the "black list" (i.e., North Korea, Libya, Iran, Iraq, China, etc.) is illegal under US law. When queried about the issue of *accepting* encrypted e-mail from a "black-list" country, the customer rep stated that this is what he was told by higher-ups in the company. Never mind the issue of web-based email, mail originating from the dot-com, dot-edu, dot-net or dot-org TLDs, spoofed headers or open relays. It was impossible to resist quoting Tim May on the transparency of national borders, and to point out that so far, anyway, there was no ubiquitous filter at the borders. The rep backpedaled and stated that "some" ISPs, specifically AOL, were choosing not to accept such email. Anyone have any idea if any ISPs are refusing to accept encrypted email from "black-listed" countries? Or is this just a matter of NAI cluelessness?
none of the rep's claims are true. note that AOL-Hong Kong would be in violation if this were true. the rep is probably confusing laws regarding export of encryption/munitions. also note that it's nearly impossible to detect encrypted email anyway as the methods (obfuscation, steg., etc.) available outnumber detection techniques available to isps. phillip
-----Original Message----- From: owner-cypherpunks@Algebra.COM [mailto:owner-cypherpunks@Algebra.COM]On Behalf Of codehead@ix.netcom.com Sent: Monday, July 16, 2001 5:29 PM To: cypherpunks@lne.com Subject: What NAI is telling people
I just got off the phone with one of the customer service people at NAI, who informed me that "Encrypted e-mails from certain countries aren't accepted in the US" and that accepting encrypted email from one of the "black list" (i.e., North Korea, Libya, Iran, Iraq, China, etc.) is illegal under US law.
When queried about the issue of *accepting* encrypted e-mail from a "black-list" country, the customer rep stated that this is what he was told by higher-ups in the company.
Never mind the issue of web-based email, mail originating from the dot-com, dot-edu, dot-net or dot-org TLDs, spoofed headers or open relays. It was impossible to resist quoting Tim May on the transparency of national borders, and to point out that so far, anyway, there was no ubiquitous filter at the borders. The rep backpedaled and stated that "some" ISPs, specifically AOL, were choosing not to accept such email.
Anyone have any idea if any ISPs are refusing to accept encrypted email from "black-listed" countries?
Or is this just a matter of NAI cluelessness?
Phillip Zakas wrote:
none of the rep's claims are true. note that AOL-Hong Kong would be in violation if this were true. the rep is probably confusing laws regarding export of encryption/munitions. also note that it's nearly impossible to detect encrypted email anyway as the methods (obfuscation, steg., etc.) available outnumber detection techniques available to isps.
You may be right, but it would be most informative to learn if the major ISPs, telcomms, routers and so forth have been assigned a covert task to sift for encryption using tools supplied by TLAs. NSA, for one, has the ability to spot encrypted communications -- most if not all of them. Recall that crypto data is the singular type of data that NSA is permitted under law to acquire and retain indefinitely for future study no matter the source, even if the sources are otherwise proscribed communications of US persons. This is set forth in USSID18, the NSA guideline for electronic interception: http://cryptome.org/nsa-ussid18.htm As security wizards have long noted, if you use encrypted communications anywhere in the world you will be intercepted, stored and studied. That the global ISPs may be lending a hand with this should be no surprise, for that would be continuing the long history of commercial communications companies providing covert help to those who regulate them -- despite promises to customers of confidentiality (and the banks as well). The legal departments of ISPs are the principal means by which covert cooperation is arranged, oft-times without written orders, again as in the history of communications and banking. To be sure, your lovers may not know of your betrayals but your masters always will -- that's why the intelligence oversight committees were set up in the 1970s, to assure that your privacy is forever violable, as with banking oversight of your booty.
Companies with products or applications relevant to defense are wary of email from certain sovereigns. This is because they don't want clueless reps giving away bacon in an email pretext attack. The government has been harping on it lately. Maybe the rep got a talkie and is confused ...or something. I'm just guessing. What is the answer? ~Aimee
On Mon, Jul 16, 2001 at 06:41:22PM -0500, Aimee Farr wrote:
Companies with products or applications relevant to defense are wary of email from certain sovereigns. This is because they don't want clueless reps giving away bacon in an email pretext attack. The government has been harping on it lately. Maybe the rep got a talkie and is confused ...or something.
I'm just guessing.
What is the answer?
~Aimee
It's a mis-interpretation of the US export laws. It's common for people to think that they limit sending (or receiving in this case) encrypted data in addition to encryption devices and info. Eric
On Mon, 16 Jul 2001 16:46:20 -0700, Eric Murray
On Mon, Jul 16, 2001 at 06:41:22PM -0500, Aimee Farr wrote:
Companies with products or applications relevant to defense are wary of email from certain sovereigns. This is because they don't want clueless reps giving away bacon in an email pretext attack. The government has been harping on it lately. Maybe the rep got a talkie and is confused ...or something.
I'm just guessing.
What is the answer?
~Aimee
It's a mis-interpretation of the US export laws. It's common for people to think that they limit sending (or receiving in this case) encrypted data in addition to encryption devices and info.
That's exactly what I insisted to the NAI rep. I suggested that he talk to their corporate attorneys, pointing out that there was nothing in the EARs that prevented reception of such encrypted email by anyone in the US; that the EARs specifically prohibited *export* of encrypting *software*--not encrypted messages--to the black-listed countries. He, however, kept falling back on the Nuremburg defense ("I'm just following orders."). No indication that he would make any attempt to ask in spite of several suggestions. (Employment must still be pretty good in Silicon Valley, I suppose, if such people can hold a job.) It's very disheartening to see what NAI is doing/has done to PGP. It's especially disgusting in light of the pride that Phil Zimmerman and PGP, Inc., once took in enabling communications for human-rights activists in such "black-listed" countries. Now such activists, according to the NAI rep, can no longer be heard in the US if they communicate by encrypted email--which, of course, may be the only means by which they can communicate safely. Back to the original question: It's obvious that NAI is operating under the belief that some ISPs are complying with some unspoken BXA idea/wannabe-law and blocking encrypted messages from "no-no" originating domains. Is this really the case, or is NAI also full of it on this one?
On Mon, 16 Jul 2001 codehead@ix.netcom.com wrote:
Back to the original question: It's obvious that NAI is operating under the belief that some ISPs are complying with some unspoken BXA idea/wannabe-law and blocking encrypted messages from "no-no" originating domains. Is this really the case, or is NAI also full of it on this one?
Well, the easy way to find out would be to spoof the headers of an encrypted email so it appears to originate from one of those countries, send it to a tentacle or an anonymous account, and see if it falls into a black hole somewhere. Bear
At 02:29 PM 07/16/2001 -0700, codehead@ix.netcom.com wrote:
Anyone have any idea if any ISPs are refusing to accept encrypted email from "black-listed" countries?
Or is this just a matter of NAI cluelessness?
The usual principle of "Never attribute to malice what can adequately be explained by stupidity" applies here, though with governments having ample supplies of both commodities, you can't always be sure. NAI's US organizations can't sell directly to anyone in countries on the Yanqui Enemies List, be they freedom fighters, government thugs, or just everyday businessfolks, but even Official Enemies can still download freeware off the PGPi non-US-owned sites.
Of course there is no law or regulation that prohibits individuals from accepting encrypted email from the blacklist countries (or an ISP from forwarding it). Though perhaps government pressure or simple misunderstanding can explain the situation you encountered. I'd be interested in any verifiable info on this. -Declan On Mon, Jul 16, 2001 at 02:29:16PM -0700, codehead@ix.netcom.com wrote:
I just got off the phone with one of the customer service people at NAI, who informed me that "Encrypted e-mails from certain countries aren't accepted in the US" and that accepting encrypted email from one of the "black list" (i.e., North Korea, Libya, Iran, Iraq, China, etc.) is illegal under US law.
When queried about the issue of *accepting* encrypted e-mail from a "black-list" country, the customer rep stated that this is what he was told by higher-ups in the company.
Never mind the issue of web-based email, mail originating from the dot-com, dot-edu, dot-net or dot-org TLDs, spoofed headers or open relays. It was impossible to resist quoting Tim May on the transparency of national borders, and to point out that so far, anyway, there was no ubiquitous filter at the borders. The rep backpedaled and stated that "some" ISPs, specifically AOL, were choosing not to accept such email.
Anyone have any idea if any ISPs are refusing to accept encrypted email from "black-listed" countries?
Or is this just a matter of NAI cluelessness?
Well, you can try calling the NAI number at 972-308-9960, and see what kind of story you get. I'm still trying to get an upgrade, which is what I called about in the first place. I've been having trouble dealing with one of their resellers, so had to go back to the source. This matter came up when the rep told me that I had to answer "yes" to the three export questions, and I asked "Do you really think that such software can be kept out of the hands of those black-listed countires?" He told me that it could because even if the people in those countries got the software, that it would be useless to them because nobody in the US could receive encrypted messages from those countries. Why, I asked. There's nothing in the EARs to prohibit reception of encrypted messages. There's no big filter at the borders checking for messages. After all, (quoting Tim May) national borders aren't even speed bumps on the information superhighway. He conceded that while there was no big filter at the border, ISPs wouldn't accept such email. Which ISPs, I asked. He mentioned AOL. Any others? He didn't know. I asked under what law they were required to filter such incoming messages. He didn't know, but replied this is what the customer support people had been told by NAI management. I suggested (more than once) that he ask the NAI legal department if this was indeed the case. Might be also worthwhile to call AOL corporate. This could evolve into a very interesting PR incident for them if they are indeed blocking such messages, when it's pointed out that PGP usage is essential to the work of human rights, relief, charitable, and even religious organizations in those countries. On the other hand, what's one more nasty PR incident to AOL? --CH
Of course there is no law or regulation that prohibits individuals from accepting encrypted email from the blacklist countries (or an ISP from forwarding it).
Though perhaps government pressure or simple misunderstanding can explain the situation you encountered. I'd be interested in any verifiable info on this.
-Declan
On Mon, Jul 16, 2001 at 02:29:16PM -0700, codehead@ix.netcom.com wrote:
I just got off the phone with one of the customer service people at NAI, who informed me that "Encrypted e-mails from certain countries aren't accepted in the US" and that accepting encrypted email from one of the "black list" (i.e., North Korea, Libya, Iran, Iraq, China, etc.) is illegal under US law.
When queried about the issue of *accepting* encrypted e-mail from a "black-list" country, the customer rep stated that this is what he was told by higher-ups in the company.
Never mind the issue of web-based email, mail originating from the dot-com, dot-edu, dot-net or dot-org TLDs, spoofed headers or open relays. It was impossible to resist quoting Tim May on the transparency of national borders, and to point out that so far, anyway, there was no ubiquitous filter at the borders. The rep backpedaled and stated that "some" ISPs, specifically AOL, were choosing not to accept such email.
Anyone have any idea if any ISPs are refusing to accept encrypted email from "black-listed" countries?
Or is this just a matter of NAI cluelessness?
At 09:06 PM 7/16/01 -0400, Declan McCullagh wrote:
Of course there is no law or regulation that prohibits individuals from accepting encrypted email from the blacklist countries (or an ISP from forwarding it).
Though perhaps government pressure or simple misunderstanding can explain the situation you encountered. I'd be interested in any verifiable info on this.
-Declan
I did encounter a law firm in Bermuda who's server was set to block "binaries" that bounced PGP messages because they are "binary." It was allegedly concerned about bandwidth, viruses, and inappropriate content.. Not the same thing of course. DCF ---- You may argue that the government can guarantee the success of the vital institutions that it subsidies. But you cannot argue that government can guarantee their failure. Government has no mechanism for guaranteeing the failure of powerful politically-connected institutions. But these institutions *must* fail if
participants (9)
-
Aimee Farr -
Bill Stewart -
codehead@ix.netcom.com -
Declan McCullagh -
Duncan Frissell -
Eric Murray -
John Young -
Phillip H. Zakas -
Ray Dillinger