Bidzos on PGP and ITAR verbatim
Bidzos' comments on PGP related to ITAR, from sci.crypt a while ago (not sure of date). Essential argument: it was illegally exported, and ITAR prohibits re-entry of things illegally exported; therefore it is illegally imported. Relevant section, Software export: Section 123.2 of the ITAR reads:
"123.2 Imports.
No defense article may be imported into the United States unless (a) it was previously exported temporarily under a license issued by the Office of Munitions Control; or (b) it constitutes a temporary import/intransit shipment licensed under Section 123.3; or (c) its import is authorized by the Department of the Treasury (see 27 CFR parts 47, 178, and 179)."
There is a section on `illegal export of unclassified technical data to foreign nationals' (paraphrase) and Bidzos claims it applies to PGP export. But he appears to me to be using a bit of sleight of hand to conflate this category with *cryptographic software* mentioned elsewhere (sections also quoted by H. Finney). I'll let others pick it apart for the loopholes.

===cut=here===

Date: Mon, 20 Sep 93 19:31:08 PDT
Message-Id: <9309210231.AA16113@RSA.COM>
To: ld231782@longs.lance.colostate.edu
In-Reply-To: "L. Detweiler"'s message of Mon, 20 Sep 93 19:57:35 -0600 <9309210157.AA04992@longs.lance.colostate.edu>
Subject: PGP & ITAR

Here's the ITAR part. (This was posted in 1992, so I don't know, since pgp has changed since then I understand, how it would apply.) Also, the ITAR has changed recently, and I haven't studied the changes to see how they would affect these comments.

Risks of using pgp

One should be careful about assuming that the documentation in electronically distributed software is accurate, especially where law is concerned. There are a few things the documentation for a program called "pgp" does not tell you about patent and export law that you should be aware of. Further, there are a number of claims and offered interpretations of patent and export law that are simply false. pgp seems to be an attempt to mislead netters into joining an illegal activity that violates patent and export law, letting them believe that they run no serious risk in doing so.

EXPORT LAW

pgp leads users to believe that it has circumvented export controls "...since it is not illegal to import..." You are led to believe that since you didn't import it, it's legal to use it. The "no import restrictions" claim has been made so many times, many people probably believe it. One would be well advised not to accept this legal opinion. While stated as if it were a well-known fact, the claim that "there are no import restrictions" is simply false.
Section 123.2 of the ITAR (International Traffic in Arms Regulations) reads:

"123.2 Imports. No defense article may be imported into the United States unless (a) it was previously exported temporarily under a license issued by the Office of Munitions Control; or (b) it constitutes a temporary import/intransit shipment licensed under Section 123.3; or (c) its import is authorized by the Department of the Treasury (see 27 CFR parts 47, 178, and 179)."

Was pgp illegally exported? Was pgp illegally imported? Of course. It didn't export or import itself. pgp 1 was illegally exported from the U.S., and pgp 2, based on pgp 1, is illegally imported into the U.S.

Is a license required? According to the ITAR, it is. 125.2 Exports of unclassified technical data. Paragraph (c) reads:

"(c) Disclosures. Unless otherwise expressly exempted in this subchapter, a license is required for the oral, visual, or documentary disclosure of technical data to foreign nationals in connection with visits by U.S. persons to foreign countries, visits by foreign persons to the United States, or otherwise. A license is required regardless of the manner in which the technical data is transmitted (e.g., in person, by telephone, correspondence, electronic means, telex, etc.)."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

What is "export?" Section 120.10, "Export," begins: "'Export' means, for purposes of this subchapter: ...(c) Sending or taking technical data outside of the United States in any manner except that by mere travel outside of the United States by a person whose technical knowledge includes technical data; or..."

Crypto software is controlled by the ITAR. See Part 121, the Munitions List, which includes Category XIII, of which paragraph (b) reads, in part, "...privacy devices, cryptographic devices and software (encoding and decoding), and components specifically designed or modified therefore,..."
A further definition in 121.8, paragraph (f) reads: "Software includes but is not limited to the system functional design, logic flow, algorithms, application programs, ..."

pgp encourages you to post it on computer bulletin boards. Anybody who considers following this advice is taking quite a risk. When you make a defense item available on a BBS, you have exported it. pgp's obvious attempts to downplay any risk of violating export law won't help you a bit if you're ever charged under the ITAR. Penalties under the ITARs are quite serious. The ITARs were clearly designed to put teeth into laws that make exporting munitions illegal. It's unfortunate that cryptography is on the munitions list. But it is. pgp is software tainted by serious ITAR violations.

------- End of Forwarded Message
"L. Detweiler" <uunet!longs.lance.colostate.edu!ld231782> writes:
There is a section on `illegal export of unclassified technical data to foreign nationals' (paraphrase) and Bidzos claims it applies to PGP export. But he appears to me to be using a bit of sleight of hand to conflate this category with *cryptographic software* mentioned elsewhere (sections also quoted by H. Finney).
If Bidzos is using the term "technical data" as it's defined in $120.21 of the ITAR, I think it's debatable. Can we come up with data to support that IDEA and RSA are "commonly taught .. in academia"? The public (and published) nature of both IDEA and RSA seems to place them far away from the general thrust of the "technical data" definition, which seems oriented towards preventing disclosure of data/information that's not available to the general public. Def'n follows:

$120.21 Technical data. Technical data means, for purposes of this subchapter: (a) Classified information relating to defense articles and defense services; (b) Information covered by an invention secrecy order; (c) Information, in any form, which is directly related to the design, engineering, development, production, processing, manufacture, use, operation, overhaul, repair, maintenance, modification, or reconstruction of defense articles. This includes, for example, information in the form of blueprints, drawings, photographs, plans, instructions, computer software, and documentation. This also includes information which advances the state of the art of articles on the U.S. Munitions List. *This definition does not include information concerning general scientific, mathematical, or engineering principles commonly taught in academia.* It also does not include basic marketing information or general system descriptions of defense articles. [emphasis added, of course]

I'm working my way through the ITAR and am going to leave the majority of Bidzos' message alone until I feel like I have a stronger grasp on the legal issues here. He did, however, say two things which look pretty shaky to me:
When you make a defense item available on a BBS, you have exported it.
The definitions of export that I've seen have concerned transferring information or physical things, or providing services to, persons, corporations, or nations which are not U.S. citizens. They have not addressed placing these things where "foreign persons" might conceivably get them. Under Bidzos' interpretation, making RSAREF available via FTP sounds like export to me. My interpretation is based on ITAR; other relevant statutes may define it more broadly, but those definitions aren't relevant when talking about violations of the ITAR.
pgp is software tainted by serious ITAR violations.
I interpret this to mean, assuming that Bidzos is right on all points, that: (1) all copies (and their descendants?) of PGP 1.0 which have been taken outside of the U.S. are "tainted" and cannot be re-imported legally; and (2) all copies (and their descendants?) of PGP 2.x which were written outside of the U.S. are "tainted" once they enter the U.S.; U.S. citizens will need to re-write (sigh) PGP 2.x inside the U.S., using the published algorithms for IDEA and RSA. I can't see any basis for saying that "PGP", a standard for interoperable crypto software, is tainted - only particular implementations of that standard are, depending on who wrote them and what country the author is from, where the copy is located, and where it's been before. Surely Bidzos won't claim that RSA licensees in the U.S. are somehow "tainted" by the illegal export of other copies of RSA, hmm?

-- 
Greg Broiles greg@goldenbear.com Baked, not fried.
If Bidzos is using the term "technical data" as it's defined in $120.21 of the ITAR, I think it's debatable. Can we come up with data to support that IDEA and RSA are "commonly taught .. in academia"?

The RSA public key algorithm is taught at MIT in the math course 18.063, which is required for an undergraduate computer science degree.

That's one data point...

- Bill
It was taught in one of my digital design classes as an example of why (and how) we need modular arithmetic circuitry, and how it is made. If it is taught in such a non-related class what does that say to the commonness of it?
Similarly, it was taught in an advanced discrete math course at the Univ. of Massachusetts as an application of the Chinese-remainder bignum system we'd been working with.

Eli ebrandt@jarthur.claremont.edu
If Bidzos is using the term "technical data" as it's defined in $120.21 of the ITAR, I think it's debatable. Can we come up with data to support that IDEA and RSA are "commonly taught .. in academia"?
the U.S. Munitions List. This definition does not include information concerning general scientific, mathematical, or engineering principles commonly taught in academia. It also does not include basic
Well, I learned about the RSA algorithms in 18.063 (Introduction to Algebraic Systems), which is a required mathematics course at MIT for an undergraduate CS degree. It is normally taken by sophomores and juniors. MIT isn't exactly a "common" school, but it's certainly academia. Unfortunately, there is no textbook for this course. Public Key Cryptosystems are also discussed in the textbook (Introduction to Algorithms, Cormen/Leiserson/Rivest, MIT Press) for 6.046 (Introduction to Algorithms), but are not discussed extensively in the class. As I know foreign nationals who have graduated, they must have taken these courses.

Marc
Marc Horowitz says:
If Bidzos is using the term "technical data" as it's defined in $120.21 of the ITAR, I think it's debatable. Can we come up with data to support that IDEA and RSA are "commonly taught .. in academia"?
Well, I learned about the RSA algorithms in 18.063 (Introduction to Algebraic Systems), which is a required mathematics course at MIT for an undergraduate CS degree.
I learned about lots of this stuff in an advanced course in cryptography taught by Zvi Galil and some of his students and colleagues (like Stu Haber and Joan Feigenbaum) at Columbia. I suspect that there is an academic discipline here (lots of PhDs specializing in cryptography) and papers and academic journals and conferences make it fairly clear that this data is common in academia.

Perry
FTP site for complete ITAR is: ripem.msu.edu:/pub/crypt/docs/itar-july-93.txt. sci.crypt archives are there also. Thanks to M. Riordan for this valuable service. I also understand that D. Bernstein may have helped in getting the ITAR on specifically. Both are sci.crypt FAQ contributors & maintainers.

* * *

greg@ideath.goldenbear.com (Greg Broiles) quotes an *extremely* interesting section of the ITAR, perhaps the *critical section* for this issue at hand. But he seemed to skip right over a critical piece. The thread, as it stands: we have seen the ITAR sections that bar disclosure (export) of `technical data' to `foreign nationals' and sections that state that anything illegally exported cannot be legally imported, and now we find technical data defined as:

$120.21 Technical data. Technical data means, for purposes of this subchapter: (a) Classified information relating to defense articles and defense services; (b) Information covered by an invention secrecy order; (c) Information, in any form, which is directly related to the design, engineering, development, production, processing, manufacture, use, operation, overhaul, repair, maintenance, modification, or reconstruction of defense articles. (1) This includes, for example, information in the form of blueprints, drawings, photographs, plans, instructions, computer software, and documentation. This also includes information which advances the state of the art of articles on the U.S. Munitions List. (2) This definition does not include information concerning general scientific, mathematical, or engineering principles commonly taught in academia. It also does not include basic marketing information or general system descriptions of defense articles.

*wow* -- we find that (1) `computer software and documentation' `related to [verb1,verb2,verb3 ad infinitum] of defense articles' is *banned*.
but in the same paragraph, (2) `general scientific or commonly taught mathematical or engineering principles' are *not* banned. Surely, (1) is the clause that Bidzos would claim applies -- restricting the export of technical data in the form of software.

The $64K Question: Is PGP `computer software related to defense' or `technical documentation encompassing general scientific & engineering principles'? So, likely, that paragraph will be the focus of attention, and perhaps the fulcrum of the case, for both the prosecution and defense, of a hypothetical trial.

Another point to make: the naive prejudices of those who crafted this list are apparent as being from the agency-which-will-remain-anonymous-but-has-the-initials-NSA. They seem to think that `defense articles' and `general scientific, mathematical, and engineering principles' are mutually exclusive. Hee, hee. They might as well just have a law that bans `everything we don't approve of' with no loss of ambiguity.

G.B. again:
The definitions of export that I've seen have concerned transferring information or physical things, or providing services to, persons, corporations, or nations which are not U.S. citizens. They have not addressed placing these things where "foreign persons" might conceivably get them.
Another *very* critical aspect of the case, noted also by H. Finney and others. I have a theory about this (surprise! :) Bidzos indicated how the ITAR is very recent. It appears to be being updated all the time. This is a bit scary how easy it is for `the powers that be' (the most verminous expression, hence my use) to slip in modifications to the ITAR. I wonder how much these various paragraphs have changed between versions of the ITAR -- I suspect that if we looked at it in a linear historical progression, we would find an increasing desperation in the writing, representing the futile attempt to encompass all the data leaking all over cyberspace, like trying to hold onto a handful of greased vibrating marbles, or chain down electrons. This is another `conspicuous omission' that suggests the likelihood that it is `in the works' to get in clauses that *specifically address* the concept of `broadcast' of information similar to an FTP site, perhaps even underway at this moment in the labyrinthine catacombs of our government.

* * *

My sincere thanks to everyone who has contributed to the ITAR analysis associated with the case dispassionately. We shouldn't delude ourselves in thinking all this is happening in anything other than a mailing list vacuum, and the EFF/PRZ lawyers (`the Professionals') surely have entirely different perspectives on the matter, but for me at least I find it extraordinarily educational and intellectually stimulating -- in a sort of depraved way. On the other hand, reading between the lines of our comments, the ITAR itself is probably close to the most totalitarian document our country has yet produced. It is sort of like `constitutional antimatter'. Look at how pliant this enterprise-constricting law is to burdensome and insidious modifications, in total defiance of open and public legislative procedure! The people that are *experts* on it can't keep up with all the shadowy knob-twiddling.
In restricting *technical data* to `foreign nationals' (the latter phrase a rather atrocious coinage in itself) we seem to find the same institutionalized paranoia against the spread of simple *information* that was associated with copier machines in the cold-war-era Soviet Union. The irony is that to a totalitarian state, that paranoia is not comical -- it is entirely justified and critical to its self preservation.
"L. Detweiler" <uunet!longs.lance.colostate.edu!ld231782> writes:
*wow* -- we find that (1) `computer software and documentation' `related to [verb1,verb2,verb3 ad infinitum] of defense articles' is *banned*. but in the same paragraph, (2) `general scientific or commonly taught mathematical or engineering principles' are *not* banned. Surely, (1) is the clause that Bidzos would claim applies -- restricting the export of technical data in the form of software.
ITAR seems to contemplate (at least) two different classes of things relevant here: "defense articles" and "technical data". While RSA and IDEA implementations may well escape being technical data by way of the academic exemption, they are pretty clearly defense articles.

$121.1 General. The United States Munitions List.

(a) The following articles, services, and related technical data are designated as defense articles and defense services pursuant to sections 38 and 47(7) of the Arms Export Control Act (22 USC 2778 and 2794(7)). Changes in designations will be published in the Federal Register. [. . .]
(c) [. . .]

Category XIII - Auxiliary Military Equipment

(b) Information Security Systems and equipment, cryptographic devices, software, and components, specifically designed or modified therefore, including:
(1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment of software as follows: (long list of narrow applications of crypto deleted, none seem relevant.)
(2) [Crypto systems making use of spread spectrum tech.]
(3) Cryptanalytic systems, equipment, assemblies, modules, integrated circuits, components, or software.
(4) [Systems for multiuser security of B2 or better, or certification software]
(5) Ancillary equipment specifically designed or modified for paragraphs (b) (1), (2), (3), (4), or (5) of this category; [. . .]

[end of quoted ITAR text]

Sorry if the subdivisions/deleted text there is confusing - will snarf the full ITAR text tomorrow, perhaps it'll be more nicely formatted.

-- 
Greg Broiles greg@goldenbear.com Baked, not fried.
Participants (7): Eli Brandt, greg@ideath.goldenbear.com, L. Detweiler, Marc Horowitz, Perry E. Metzger, sommerfeld@orchard.medford.ma.us, Timothy Newsham