Response to Alan Davidson
I posted this article to the newsgroups alt.cypherpunks, talk.politics.crypto, comp.org.eff.talk, and copied this list on it from my newsreader, but the article hasn't shown up here on the list. Sometimes the newsreader/spooler/whatever runs into snags, so here it is, manually sent:
At 1:56 PM -0800 5/1/97, Alan Davidson wrote to the Cypherpunks list:
SAFE would legalize the export (to all but a few countries such as Iran, N. Korea, and Cuba) of non-escrow encryption *of unlimited strength* that is designed for the mass market or is in the public domain, i.e.:
"(i) that is generally available, as is, and is designed for installation by the purchaser; or
"(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form;" (See also Footnote below)
But of course this is not the complete quote. Here is the material above, plus the surrounding context (and what I think are some "gotchas"):
[[My comments are in brackets like this.]]
"(2) ITEMS NOT REQUIRING LICENSES. -- No validated license may be required, except pursuant to the Trading With the Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of--
[[And what limitations on export does the International Emergency Economic Powers Act impose? This is a murky and complicated area of the law, and our own Professor Froomkin, in his excellent "It Came from Planet Clipper" review of Clipper, noted:
"The only authorities noted in Executive Order 12,924 are the President's inherent constitutional authority and the International Emergency Economic Powers Act (IEEPA).{224} Assuming that the President does not have inherent constitutional authority to block exports in peacetime, the authority for this action is IEEPA, which by its own terms applies to "any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States ... if the President declares a national emergency with respect to such threat."{225} While Executive Order 12,924 refers to the danger of "unrestricted access of foreign parties to U.S. goods, technology and technical data," it seems that the real "unusual and extraordinary" threat consists of Congress's failure to renew the EAA. Indeed, the President's most recent renewal of the state of emergency admits that the state of emergency must be extended "[b]ecause the Export Administration Act has not been renewed by the Congress."{226}"
[[I take this quote to mean that the EEPA grants the Pres. authority to limit exports. Thus, the "except pursuant to" provision could with the stroke of a pen impose export limits on unbreakable crypto, even if the later provisions, which I'll get to in a moment, are not the clauses invoked to limit exports.]]
"(A) any software, including software with encryption capabilities --
"(i) that is generally available, as is, and is designed for installation by the purchaser; or
"(ii) that is in the public domain for which copyright or other protection is not available under title 17, United States Code, or that is available to the public because it is generally accessible to the interested public in any form; or
"(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A).
[[The section above does seem to say that, unless EEPA is invoked, crypto software is exportable. However, the next section states the following:]]
"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be --
"(A) diverted to a military end-use or an end-use supporting international terrorism;
[[So, if it is determined that PGP is being used by the Iraqi regime--as some sources tell me is the case today!--does this not encompass "diverted to a military end-use"? If it is obvious that Irish members of the IRA or Sinn Fein are buying copies of "Mil-Grade PGP" at the Egghead in Boston and shipping them back to Dublin on cargo pallets, will this satisfy the "supporting international terrorism" clause? If the "substantial evidence that such software will be" part means that such exports are blocked only if the exporter makes it clear that he will be exporting to the Iraqi High Command, which he would be foolish to do, then this is an Alice in Wonderland law. I surmise that the intended interpretation is to block software with substantially military uses, even if not the primary uses. I could be wrong, but the confluence of the EEPA and the "diverted to a military" and "supporting international terrorism" bits lead me to interpret the bill as saying military-grade PGP will be limited for export even to countries which are not on the "hot list" of Trading with the Enemy nations.]]
"(B) modified for military or terrorist end-use; or
[[And what does this mean? If I widely advocate and encourage use of PGP 3.0 as a tool for liberation of oppressed peoples under the bootheel of the American fascist regime, and show how PGP 3.0 is a tool for blowing up fascists and their lackeys, and there is even evidence that terrorist groups are indeed adopting PGP 3.0 in droves, is this clause then triggered? (Or must I actually purchase a software export license from PGP, Inc., alter the code to read "Pretty Good Terrorist Tool," stamp my boxes "Meant for International Terrorist Use," apply for an export license, and only then will the clause be triggered?) Ha. The clear, to me, interpretation of this language is that the SecDef and other such persons will notify the Pres., or Commerce, etc., that some particular program or product is easily capable of being used against putative American interests, as has long been the case with so many other export-limited products. (And the limits are not, Alan's implications to the contrary, limited to the "Hot List" of terrorist nations. The COCOM agreements, the CCL, and now the Wassenaar agreements, clearly are a very broad list of products. Hell, the Japanese are now citing the Wassenaar as the reason the RSA chip will not be given an export license! The real reason, looking deeper, is because David Aaron, Stuart Baker, and the other folks in the NSA orbit almost certainly asked them in very strong terms not to make the RSA chip available for products.)]]
SAFE's export control relief is not unlimited. The bill does not allow export to Iran, Iraq, Cuba, or N. Korea (that's what the "Trading With The Enemy" provision is about); Congress is not likely to pass a law saying you can export strong crypto to Saddam Hussein. Relief is also limited for
And what of the EEPA provisions? Will the Wassenaar list simply cease to exist? My recollection, refreshed by skimming the Froomkin article a few minutes ago, is that the EEPA, semi-perpetually in effect, is the reason products are already on the list of controlled exports. As Froomkin writes, "Given, however, that IEEPA provides the current authority for the continuance of the EAA regime, and that the Clinton Administration proposes to move DES, however temporarily, off the USML and onto the CCL, a creation of the EAA,{229}..."
On to another topic:
Contrary to reports, the SAFE bill does not say: "Use a cipher, go to prison." It does say: "Use cryptography TO COMMIT A CRIME, go to prison":
This is being disingenuous. I stated very clearly, in two places very prominently, that the chilling effect of the criminalization section is analogous to the "use a gun, go to prison" language (and billboards) used in the War on Crime. I'd've thought that analogies are a basic skill, not to mention a necessary skill for doing well on the Verbal section of the SATs. To wit: "Use a gun, go to prison" is to "Use a gun when committing a crime, go to prison" as "Use a cipher, go to prison" is to "Use a cipher when committing a crime, go to prison."
The point is that such criminalization of crypto will have a chilling effect. In fact, why not support another modification of the First Amendment? (The crypto modification being one involving speech.) Let's extend it to religion: "Religious beliefs are not allowed, but the holding of certain religious beliefs when a crime is committed may in itself be criminal." So, if someone bombs an abortion clinic, surely a crime by our laws, and is found to be a Roman Catholic, this could add 5 years to their sentence. This is what the criminalization of crypto is comparable to. Or in the precise language of the SAFE bill:
2805. Unlawful use of religious beliefs in furtherance of a criminal act
"Any person who willfully uses religious beliefs in furtherance of the commission of a criminal offense for which the person may be prosecuted in a court of competent jurisdiction... [may be imprisoned or fined]"
CDT opposes both these provisions because they are unnecessary and could chill the use of encryption (especially by self-confessed felons like Tim May!). But they are not as sweeping as some on this list have said.
Not as sweeping? Where is this "not as sweeping" spelled out? The SAFE text is itself very short, so I don't see where this comes from. Is it from the infamous "assurances" which are so often given verbally, but never in ironclad written form attached as part of the bill? Is it an "understanding" that this criminalization clause will actually not be applied except to certain classes of criminals? (Who are they, by the way, that _would_ have the law applied to them?)
I take laws to mean what they say. Al Capone was gotten on income tax evasion. If the law says using crypto in connection with a crime can result in a 5-year sentence for a first offense, etc., I take the law to mean just that. If that's _not_ what was intended, then change the language!!!!
Meanwhile, the criminalization of crypto use in connection with any of the ever-increasing array of prosecutable offenses is reason enough to reject SAFE. That PGP, Inc. or Netscape has an easier time exporting browsers to foreigners is no reason to sacrifice basic liberties.
Passage of the SAFE Bill would put strong security tools in the hands of many more people. That's why CDT supports SAFE, and why we think people who care about privacy and security online should support it too.
Strong crypto, with no criminal penalties attached, is about to become widely available in the U.S. with the incorporation of S/MIME into Netscape's and Microsoft's products. Netscape has already said, and I presume MS has or will too, that they will if necessary have multiple versions of their products, with a "policy statement" enforcement mechanism for foreigners.
So, what does SAFE buy us? There are no crypto laws in the U.S., and crypto is available, and will soon be built into tens of millions of browsers. Looks like we're getting what we need. Why give up basic liberties so that Netscape can ship just one version? A bad deal, I say.
"Use a cipher, go to prison."
--Tim May
--
There's something wrong when I'm a felon under an increasing number of laws.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."