Re: CJR returned to sender
At 5:13 AM 10/25/95, Raph Levien wrote:
I got the CJR back today, envelope unopened (although the corner was torn so you could see there were t-shirts inside). "Returned to sender", it said, "Refused___, Unclaimed___".
The address on the envelope reads:
ATTN: Samuel L. Capino - 15 day CJR Defense Trade Analyst U.S. Dept. of State Office of Defense Trade Controls PM/DTC SA-6 Room 200 1701 N. Fort Meyer Drive Arlington, CA 22209-3113
Did I do something wrong, or did the Dept. of State decide it didn't want to deal with this CJR?
Raph, I mean no offense, but if _any_ request is ever to be deemed "frivolous," surely submitting a CJR for t-shirts is such a request. I won't belabor the point that the t-shirt is _at best_ comparable to a book, which generally needs no CJR (*), and _at worst_ is an illegible, confusing "work of art." (I personally am miffed at the imprecision of the "This shirt has been declared to be a munition"--or whatever, as I don't have one handy to check--and the language of the sales advertisements.) So the little joke was returned unopened. Not surprising. No offense intended to all those who think a CJR for a t-shirt is a worthy cause, but I think it's a pointless diversion. (* Hal Abelson of MIT says there are possible export problems with the MIT Press book on PGP, and MIT dropped plans for a version in a special OCR font. So, I agree that _some_ books cross the line and look like pure software. However, I continue to maintain that a badly-printed barcode is just a joke, nothing more.) --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway."
Michael Froomkin wrote:
I agree strongly with Tim May that this (fun) little joke has gone far enough. I enjoyed it while it lasted, but the CJR was clearly frivolous, the T-Shirt was clearly not a munition, IMHO, and that's that. Write up the experience, post it on the web somewhere (I'll provide a space if you need it), and call it a day.
Should they also reject the same content (RSA-PERL) delivered in any of the following ways: Printed on paper Printed on paper in OCR font Printed on paper in barcode Printed on paper with magnetic ink (like checks) The lines being drawn here seem very arbitrary. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
software. However, I continue to maintain that a badly-printed barcode is just a joke, nothing more.)
Whether the t-shirt is a joke or not is irrelevant. If I shoot someone, as a joke, that doesn't mean I shouldn't go to jail for it. Unless the crypto export laws and the laws surrouding CJRs have a provision for 'jokes', then the return of Raph's properly formed CJR request seems to me rather, um, illegal? The law, in my opinion, is a joke. Does that mean I can ignore it? -- sameer Voice: 510-601-9777 Community ConneXion FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org (or login as "guest") sameer@c2.org
I agree strongly with Tim May that this (fun) little joke has gone far enough. I enjoyed it while it lasted, but the CJR was clearly frivolous, the T-Shirt was clearly not a munition, IMHO, and that's that. Write up the experience, post it on the web somewhere (I'll provide a space if you need it), and call it a day. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid.
Michael Froomkin writes: : I agree strongly with Tim May that this (fun) little joke has gone far : enough. I enjoyed it while it lasted, but the CJR was clearly frivolous, : the T-Shirt was clearly not a munition, IMHO, and that's that. Write up : the experience, post it on the web somewhere (I'll provide a space if you : need it), and call it a day. I am afraid that I have to disagree with this. The T-Shirt, or rather the cryptographic software that is disclosed by the wearing of the shirt, is just as much an item that falls within the ITAR's definition of an item on the United States Munitions List as any other cryptographic software. The only way that wearing the T-Shirt without a license from the censors in the Office of Defense Trade Controls would _not_ be a violation of the ITAR would be if either (i) the censors, in their totally arbitrary discretion issue a commodity jurisdiction determination that the T-Shirt is not an item on the United States Munitions List or (ii) the ITAR are determined to be unconstitutional. There is no exception in the ITAR for printed materials. The fact that in one case a book got a favorable commodity jurisdiction determination and a CDrom did not is not evidence to the contrary, it just shows how completely arbitrary the the ODTC's commodity jurisdiction determinations are. Nor is there an exception in the ITAR for T-Shirts. Of course the cryptographic software on the T-Shirt is constitutionally protected, so it is not, in the constitutional sense, a violation of any law to wear the shirt in the presence of a foreigner. But then it wouldn't be a violation--in the constitutional sense--for me to disclose that cryptographic program to the foreigner who wrote it in a communication over the internet. And I assure you that when I have discussed their encryption programs with foreign authors by e-mail I have always been very careful not to disclose their own programs to them. It may not have much to do with cryptography, but it has everything to do with the First Amendment to the United States Constitution, that speech in any form, even on the backs of T-Shirts, is protected. Remember there is a leading First Amendment case involving a T-Shirt inscribed with the immortal words: ``Fuck the Draft''. Even if requiring one to obtain a license, or a non-obstat, from the censors before communicating cryptographic software to foreign persons by publishing that software were not to be held unconstitutional per se, a licensing scheme that does provide any way to get a license for a T-Shirt or a book is clearly unconstitutional. The government cannot refuse to license speech simply because the medium on which the speech is affixed is frivolous. And the message communicated by the T-Shirt is clearly political, so arguably that message is _more_ protected by the First Amendment than the PGP program on a floppy disk. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
Michael Froomkin writes:
I agree strongly with Tim May that this (fun) little joke has gone far enough. I enjoyed it while it lasted, but the CJR was clearly frivolous, the T-Shirt was clearly not a munition, IMHO, and that's that. Write up the experience, post it on the web somewhere (I'll provide a space if you need it), and call it a day.
I was unaware, Mr. Froomkin, that the legal system of our country had the right to arbitrarily ignore its own rules and refuse to answer a question. The munitions T-Shirt was not, in my opinion, substantially more frivolous than Phil Karn's floppy, which was rejected. I do not believe that the state department has the right to reject such things by refusing to accept their mail, and I do not believe that they have the right to violate their own proceedures. If someone asks "is this captain midnight decoder ring exportable" they are legally obligated to answer, one way or the other, unless we live under a government of men, and not laws. Perry
On Wed, 25 Oct 1995, Perry E. Metzger wrote:
Michael Froomkin writes: {words to the effect of "enough already"}
I was unaware, Mr. Froomkin, that the legal system of our country had the right to arbitrarily ignore its own rules and refuse to answer a question. The munitions T-Shirt was not, in my opinion, substantially
Yes, it has an obligation to answer.
more frivolous than Phil Karn's floppy, which was rejected. I do not
We disagree.
believe that the state department has the right to reject such things by refusing to accept their mail, and I do not believe that they have
This assumes a conscious decision was made; I'm more inclined to think it's a screw up. In any case, sending it registered mail, or by courrier, would remove the doubt.
the right to violate their own proceedures. If someone asks "is this captain midnight decoder ring exportable" they are legally obligated to answer, one way or the other, unless we live under a government of men, and not laws.
Yes. I just hope the members of this list have more sense than to do frivolous things, although of course I defend their legal right to do so. Of course, one part of being wise is picking the right fights. This will be my last comment on this thread. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid.
Jeff Weinstein <jsw@netscape.com> writes:
Should they also reject the same content (RSA-PERL) delivered in any of the following ways:
Printed on paper Printed on paper in OCR font Printed on paper in barcode Printed on paper with magnetic ink (like checks)
The lines being drawn here seem very arbitrary.
But lines are always arbitrary. I posted about this a long time ago: it is assault to hit a man with a baseball bat, but presumably not to hit him with a feather. Should we then ask if it is assault to hit him with a straw hat, with a pillow, with a loaf of bread? The lines which will end up being drawn will also be quite arbitrary. The line between day and night is arbitrary but that does not mean that there is no difference between day and night. This whole exercise in line-drawing doesn't seem that productive to me. The appellate court has already ruled that restrictions on export of printed materials do not violate First Amendment rights. I wrote up one of these, the Posey case, in <URL:http://www.portal.com/~hfinney/cryp_export2.html>. In that instance the materials being exported were some manuals obtained from the US government itself via the Freedom of Information Act! The law in question was not actually the ITARs but rather another one which applied specifically to exports to South Africa, and which did not have the public domain exemption. The point though is that the court did not agree that the First Amendment was relevant since the restrictions were specifically on export and did not have any effect on domestic distribution of the information. Hal
Hal writes:
But lines are always arbitrary. [...] This whole exercise in line-drawing doesn't seem that productive to me.
The purpose of this exercise is to find out where the arbitrary line is, and to note that it is a silly and idiotic place to put the line, in the hopes of eliminating the line and the law with it. Perry
Hal wrote:
The appellate court has already ruled that restrictions on export of printed materials do not violate First Amendment rights. I wrote up one of these, the Posey case, in <URL:http://www.portal.com/~hfinney/cryp_export2.html>. In that instance the materials being exported were some manuals obtained from the US government itself via the Freedom of Information Act! The law in question was not actually the ITARs but rather another one which applied specifically to exports to South Africa, and which did not have the public domain exemption. The point though is that the court did not agree that the First Amendment was relevant since the restrictions were specifically on export and did not have any effect on domestic distribution of the information.
The ITARs are currently keeping us(Netscape) from distributing our US-only products to people within the United States. We have asked for clarification from the government about network distribution, such as how much verification of location and citizenship of the recipient we must do, and have yet to receive a response. That makes it more than just an export issue, at least for us. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Jeff Weinstein writes: : The ITARs are currently keeping us(Netscape) from distributing : our US-only products to people within the United States. We have : asked for clarification from the government about network distribution, : such as how much verification of location and citizenship of the : recipient we must do, and have yet to receive a response. That : makes it more than just an export issue, at least for us. : : --Jeff : : -- : Jeff Weinstein - Electronic Munitions Specialist : Netscape Communication Corporation : jsw@netscape.com - http://home.netscape.com/people/jsw : Any opinions expressed above are mine. Don't hold your breath. I just had a chat with the NSA person at the Office of Defense Trade Controls who is supposed to answer all questions about the export of cryptography and she took the position that whether posting materials on a server is an export ``is an interesting question.'' I specifically asked her if her office had come up with the rigamarole that some servers use to make sure you are a citizen and then give you an address that expires faster than I can type where one can get the cryptographic software. She denied that that rigamarole was invented or approved by her office; and said that it was an interesting question, not only for cryptography, whether a server on the internet was a ``point of export.'' She told me that as a law professor I would be interested in that question. (I think that the implication was that someone really in business would be terribly frustrated.) Of course, this is just my impression of a conversation that was not really directed to any specific issues. She did tell me thoughh that since cryptographic software does the same thing as cryptographic hardware, such software was treated as hardware. I asked where the regulations said that, and she never was able to give me a direct citation to anything in the regs. I am sorry to be the bearer of bad news. Ciao, Peter -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
And yet people like MIT get approval for the release of PGP this way. It is clear that 1) the government will (verbally?) clear the "PGP procedure" when pushed. 2) they need to be pushed. If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal. Publicizing this information would lay the groundwork for APA (or, given the way the ITAR is written, maybe no...) and 5th Amendment / due process challenges by other parties unable to get the straight answers they deserve. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid.
Michael Froomkin writes:
And yet people like MIT get approval for the release of PGP this way. [...]
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
I don't think they got any sort of approval from State or Commerce -- I think they just discussed it with their own lawyers. Perry
Perry E. Metzger wrote:
Michael Froomkin writes:
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
I don't think they got any sort of approval from State or Commerce -- I think they just discussed it with their own lawyers.
Last July *hobbit* (hobbit@avian.org) presented to this list a description of "The FTP Bounce Attack" and stated that it's trivial to hack past a defense like this (well, it didn't seem trivial to me, but I'm not a unix wizard). Obviously, there is no real need for such attacks with PGP and 'everything' else available at non-US sites, and I guess it would leave traces? But it would be interesting to know if anybody have successfully tried it at MIT or some other export-restricted FTP site. Mats
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
I can explain (and have explained in this forum) the technical aspect of how the MIT PGP site works. I was not involved in the law aspect of the debate, so I cannot answer legal questions. There is a two-tiered protection scheme. The first scheme is that you need to know the secret directory where PGP resides. This directory changes location every 30 minutes, so any attacker has a 30 minute window in which a name will be valid. Not 30 minutes from the time they receive it, 30 minutes from the time the directory last changed names. The second scheme involves using reverse DNS lookups and comparing the DNS hostname to a list of know US-valid hostnames/domains. An attacker needs to be able to circumvent both schemes at once in order to get to PGP. I can go into more detail if people want, or I can take this offline if people prefer. -derek
On Fri, 27 Oct 1995 10:05:10 -0400 (EDT), you wrote:
And yet people like MIT get approval for the release of PGP this way.
It is clear that 1) the government will (verbally?) clear the "PGP procedure" when pushed.
Yes, I believe that they have only ever given verbal agreement to this sort of thing, which is worth the air it is written on.
2) they need to be pushed.
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
You are assuming that because the government has chosen not to prosecute MIT that they will not prosecute anyone else. This is a faulty assumption, laws are not invalidated if they are not enforced, only if they are repealed or overturned.
Publicizing this information would lay the groundwork for APA (or, given the way the ITAR is written, maybe no...) and 5th Amendment / due process challenges by other parties unable to get the straight answers they deserve.
Their are certainly issues that need to be discussed here, and before any such discussion can take place we need a determination from the government as to what sort of verification is adiquite. Dan Weinstein djw@pdcorp.com http://www.earthlink.net/~danjw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche
Dan Weinstein writes:
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
You are assuming that because the government has chosen not to prosecute MIT that they will not prosecute anyone else. This is a faulty assumption, laws are not invalidated if they are not enforced, only if they are repealed or overturned.
IANAL, but this seems implausible. If MIT has received assurances (written or oral) from the DoJ that indicate that their scheme is adequate, then another organization prosecuted while following an identical scheme can admit this as evidence. There isn't, to my knowledge, a specific law which defines the act of export over the 'net. The DoJ, in effect, determines the definition by their actions. Failure to prosecute MIT should lead a responsible judge to dismiss actions against a subsequent defendant that follows the same practice. I agree that things would be different in cases like traffic laws: the fact that millions of people exceed legal speed limits every day doesn't make speeding laws invalid, but this is a matter where there is no question whether the act broke the law. Where the line is drawn by the legislature, failure of the executive does not invalidate the law --- it merely tarnishes the reputation of the executive. Where the line is drawn by the executive, failure to prosecute moves the line, IMHO.
Scott Brickner <sjb@universe.digex.net> writes:
Dan Weinstein writes: [unknown writes:]
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
You are assuming that because the government has chosen not to prosecute MIT that they will not prosecute anyone else. This is a faulty assumption, laws are not invalidated if they are not enforced, only if they are repealed or overturned.
IANAL, but this seems implausible. If MIT has received assurances (written or oral) from the DoJ that indicate that their scheme is adequate, then another organization prosecuted while following an identical scheme can admit this as evidence.
There isn't, to my knowledge, a specific law which defines the act of export over the 'net. The DoJ, in effect, determines the definition by their actions. Failure to prosecute MIT should lead a responsible judge to dismiss actions against a subsequent defendant that follows the same practice.
It is also worth noting that the ITAR violation is worded somewhat differently from some laws, requiring "willful" violation, a "specific intent" to break the law. In this situation, good faith efforts to apply with what the law appears to be would seem to me to be a strong defense. See <URL:http://www.portal.com/~hfinney/cryp_export1.html> for a writeup I did on this a couple of years ago. An excerpt, from U.S. v Lizarraga-Lizarraga (541 F2d 826): "Accordingly, we hold that in order for a defendant to be found guilty of exporting under 22 U.S.C. 1934, the government must prove that the defendant voluntarily and intentionally violated a known legal duty not to export the proscribed articles, and the jury should be so instructed." I am not a lawyer, however. It would be interesting to hear what our legal exports think of this argument. Hal
Scott Brickner <sjb@universe.digex.net> writes:
Dan Weinstein writes: [unknown writes:]
If anyone from MIT is reading this, it would be a real public service to put on a web site (a) what the system used for the release of PGP is exactly and (b) what assurances (oral, written, names & dates) was received from State/Commerce that this was legal.
You are assuming that because the government has chosen not to prosecute MIT that they will not prosecute anyone else. This is a faulty assumption, laws are not invalidated if they are not enforced, only if they are repealed or overturned.
From what I have been told the NSA have never squeaked about the PGP server. No correspondence whatsoever. But then again MIT has some pretty meaty lawyers and never gives in to nuisance suits (they recently paid $2 million to fight one). Besides I doubt the head of the CIA would be too happy with the NSA if they went of beating up MIT. NCSA got pretty well beaten up however.
I think that at the moment they are far to wound up trying to hope the Zimmerman case goes away that they want to start another. Its simply a bunch of beureacrats looking to keep their jobs after the war. Each time someone in congress yelps more money for "defence" you get more of those people. They now have to justify their pay packet. Before too long someone will clue in on a way to save 150 million a year. Actually they have done already but it takes a while for things to happen. What do you expect? The US constitution is not designed to create an efficient government, its meant to stop them getting much done. Phill
On Tue, 24 Oct 1995, Timothy C. May wrote:
I won't belabor the point that the t-shirt is _at best_ comparable to a book, which generally needs no CJR (*), and _at worst_ is an illegible, confusing "work of art." (I personally am miffed at the imprecision of the "This shirt has been declared to be a munition"--or whatever, as I don't have one handy to check--and the language of the sales advertisements.) <snip>
No offense intended to all those who think a CJR for a t-shirt is a worthy cause, but I think it's a pointless diversion.
<snip> I've found that the real value of my shirt is the fact that it's a valuable cypherpunk detector device for strangers who have come up to me and said,"Wow! Is that the shirt I've heard so much about.. are you really a cypherpunk... hey there nice perl... " etc. etc. etc. I've been approached about it at a Taco Bell, at the movies, and at a favorite coffee house of mine (several times, in fact). One night I wore it to a dance club here in Baltimore, and no less than 6 people, all of whom I had never met before, approached me about it and wanted to talk about cypherpunk issues. None of them were on the list. Furthermore, it's an excellent conversation starter among friends and acquaintences who don't know anything about crypto or ITAR. It's an easy segue into a topic that really needs to be talked about, IMHO (and probably in your humble opinion, too). To me, the price of the shirt is well worth the interesting discussions I've had with people I'd never talk to about crypto or at all otherwise. kelli@zeus.towson.edu http://zeus.towson.edu/~kelli/ Diverse Sexual Orientation Coll.Towson State University DSOC@zeus.towson.edu "There's a word for people who have solved the riddle of the opposite sex: gay." -Pateric J.
participants (13)
-
Derek Atkins -
djw@pdcorp.com -
Hal -
hallam@w3.org -
Jeff Weinstein -
K. M. Ellis -
Mats Bergstrom -
Michael Froomkin -
Perry E. Metzger -
Peter D. Junger -
sameer -
Scott Brickner -
tcmay@got.net