At 12:36 AM 3/3/97 -0800, Tim May wrote:

(These items may not be banned for general export, given the language about an "identfied individual or organization," but think of the new mischief this will cause. For example, if remailers are used to evade taxes by some individuals connecting to some sites, then exporters (like Eric Hughes, Lance Cottrell, whomever is writing remailers these days) may have to jump through large numbers of hoops to ensure that some specific site does not get the software...this will effectively make export of remailers impossible to legally do...as I read the language of the Bill.)

I don't think that Pro-CODE can be used to control the dissemination of remailers. The bit of Pro-CODE at issue here (section 5(c)(3)(B) "The Secretary shall prohibit the export or reexport of particular computer software and hardware *described in this subsection* to an identified individual or organization . . if the Secretary determines that there is substantial evidence that such software and computer hardware will be . . (iv) intentionally used to evade enforcement of US law or taxation by the US or by any State or local government." (emphasis added) I read "described in this subsection" to refer to Section 5(c), and the best description I can find in 5(c) of computer hardware and software is "computer hardware, computer software, and technology with encryption capabilities, except computer hardware, computer software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications", in section 5(c)(1). So I don't think that this creates a new ability to control the dissemination of non-crypto hardware or software. (The Mixmaster remailer software, which does include crypto, would still be controlled.) The prohibitions on export to named individuals and organizations will be effectively useless with respect to those parties getting strong crypto - the only utility I can see in such a clause is to be used as a club against domestic sympathizers/allies of unpopular groups/people abroad. It also seems likely to lead to yet another round of worrying about whether the format of a particular distribution site on the Internet is sufficiently configured - if ProCODE passes, instead of asking "Are you a US citizen?", distribution sites will ask "Are you on the list of forbidden people?" Same difference.

And the other language--about how companies have to advise the government about what they are doing, and the "review board"--are possibly ominous.

Indeed. The "Findings/Purpose" text (Section 2), includes the following: "(16) The Federal Government has legitimate law enforcement and national security objectives which necessitate the disclosure to the Federal Government of general information that is neither proprietary nor confidential by experts in information security industries, including cryptographers, engineers, and others designated in the design and development of information security products. *By relaxing export controls on encryption products and programs, this Act creates an obligation on the part of representatives of companies involved in the export of information security products to share information about these products to designated representatives of the Federal Government.*" (emphasis added) and Section 5(c)(4)(A) reads: "Exports. The publisher or manufacturer of computer software or hardware with encryption capabilities shall disclose (for reporting purposes only) within 30 days after export to the Secretary such information regarding a program's or product's encryption capabilities as would be required for an individual license to export that program or product." The former has no real force, as "findings" aren't enforceable, but are intended for use by courts who are interpreting or construing a statute. But I don't see a technical reason why the latter wouldn't be enforceable. (Modulo the First Amendment, of course.) Another feature of Pro-CODE that I haven't seen discussed is that it restricts the *private* dissemination of code - e.g., a US programmer may make his/her code globally available (if it is "generally available, as is, and designed for installation by the user or purchaser", section 5(c)(2)(a)(i)), but a US programmer may not (assuming the current regulations, or similar regs, are in force) share code privately (say, pre-release) with foreign programmers. My hunch is that the drafters didn't intend this consequence, but I think it's a logical conclusion given that (a) Pro-CODE doesn't define "export", (b) current regulations define "export" as, roughly, providing software to non-US persons, and (c) Pro-CODE only allows "generally available, as is, and designed for installation by the user" software to be exported. So it still won't be legal for a US person to work collaboratively with a foreigner on development (even if the development took place in a public forum, like sci.crypt, the intermediate drafts probably wouldn't be "designed for installation by the user"), nor for a US person to write crypto for internal corporate use, or to share crypto code with friends overseas without making a public release. -- Greg Broiles | US crypto export control policy in a nutshell: gbroiles@netbox.com | http://www.io.com/~gbroiles | Export jobs, not crypto. |