From the point of view of one who is concerned with first amendment rights rather than selling cryptographic software as a commodity, the really unfortunate part is that this provision authorizes export contols on ``software''. Now the Leahy bill does not define software, but there is a definition of lying around in the International Traffic in Arms Regulations (``ITAR'') that I fear Commerce might adopt---it may even be the language that the draftsmen of the Leahy bill had in mind. And this definition of ``software'' includes a great deal of material that cannot constitutionally be controlled. Here is that definition from the ITAR \S 121,8(f): ``Software includes but is not

This is a preliminary draft of my preliminary analysis of the Leahy bill. In it I am primarily concerned with the affect---if any---of that bill on the constitutionally protected freedoms of speech and of the press. At times in this submission I may seem overly suspicious of some agencies of the government. That may be a consequence of this being merely a preliminary draft; it is more likely, however, that it is the result of years of studying the ITAR and the antics of the agents in the Office of Defense Trade Controls and the NSA as they relate to the licensing requirements for cryptographic software. Permission is granted to post this submission to other mailing lists and news groups, but only if it is posted in its entirety (except for headers other than the ``To'', ``From'', and ``Subject'' lines). ------------------------------------------------- The Leahy Bill known as the Encrypted Communications Privacy Act is certainly well intentioned and Senator Leahy and the other sponsors (Senators Burns, Dole, Murray, and Pressler) should be congratulated for their efforts. Those whose major goal is to be able to export mass-marketed cryptography have good reason to support this bill, even though it has features---and ambiguities---that they may find undesireable, and even though the bill may not actually make all mass marketed cryptographic hardware and software freely exportable. (There is even the danger that it might even be interpreted (for reasons that I will explain hereafter) as not making any change in the requirements for the export of cryptographic software, whether mass marketed or not). On the other hand, those like Daniel Bernstein and myself, who want to publish information---including algorithms and source code---that is subject to the licensing requirements of the International Traffic in Arms Regulations (``ITAR'') that apply to cryptographic devices and software---at least according to the National Security Agency's representatives and that agency's puppets in the Office of Defense Trade Controls---may find the bill more of a hindrance than a help in their efforts to assert the constitutional right of freedom of speech and of the press. My concern is not that the bill will somehow lead to mandatory key escrow. My concern is that in relaxing the restrictions on the export of software as a commodity it may actually give support to the efforts of the censors to keep Daniel Bernstein from publishing his article about his algorithm for converting a hash function into a cryptographic program---I hope that is a fair enough description of his article, an article that the censors have prevented me from ever seeing---and those censor's efforts to keep me from publishing my materials---which contain some cryptographic software---for my course in computers and the law, and to keep foreign students from taking that course. The major threat is that, for the first time, there would be at least colorable Congressional authority for the requirement that one obtain a license before publishing or otherwise disclosing information. And software is, after all, nothing but information. Let me go through the bill and attempt to explain my concerns. (I hope that the version of the bill that I am using is correct.) A BILL To affirm the rights of Americans to use and sell encryption products, to establish privacy standards for voluntary escrowed encryption systems, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the "Encrypted Communications Privacy Act of 1996". SEC. 2. PURPOSE. It is the purpose of this Act- (1) to ensure that Americans are able to have the maximum possible choice in encryption methods to protect the security, confidentiality, and privacy of their lawful wire or electronic communications; and (2) to establish privacy standards for key holders who are voluntarily entrusted with the means to decrypt such communications, and procedures by which investigative or law enforcement officers may obtain assistance in decrypting such communications. I have no objections to the provisions of this section---except possibly for the reference to procedures by which officers may obtain assistance in decrypting communications. But I am not happy that the purpose does not include protecting the freedoms of speech and of the press, and particularly the freedom to communicate information about cryptography. SEC. 3. FINDINGS. The Congress finds that- (1) the digitization of information and the explosion in the growth of computing and electronic networking offers tremendous potential benefits to the way Americans live, work, and are entertained, but also raises new threats to the privacy of American citizens and the competitiveness of American businesses; Notice that there is nothing here---at least not directly---about the freedom to distribute and to obtain access to information and that, therefore, there is no mention of the constitutional right to speak and publish information about cryptography. (2) a secure, private, and trusted national and global information infrastructure is essential to promote economic growth, protect citizens' privacy, and meet the needs of American citizens and businesses. Once again, there is nothing about the freedom to distribute and obtain access to information. (3) the rights of Americans to the privacy and security of their communications and in conducting their personal and business affairs should be preserved and protected; I like this one. (4) the authority and ability of investigative and law enforcement officers to access and decipher, in a timely manner and as provided by law, wire and electronic communications necessary to provide for public safety and national security should also be preserved; This is presumably included as a political compromise. Those whose concerns are primarily with marketing software can probably live with it. Those who are concerned with privacy and liberty and human decency should, on the other hand, find this finding terrifying. (Of course, one can argue that the findings are just window dressing without any substantive significance; I assure you, however, that they can be used to interpret the substantive provisions of the statute and that ultimately the interpretation is more important than the words of the statute itself.) (5) individuals will not entrust their sensitive personal, medical, financial, and other information to computers and computer networks unless the security and privacy of that information is assured; I have no problem with this as a finding, though I am not sure that I want to encourage people to entrust sensitive information to computers and computer networks, no matter what assurances they may be given. (6) business will not entrust their proprietary and sensitive corporate information, including information about products, processes, customers, finances, and employees, to computers and computer networks unless the security and privacy of that information is assured; No problem. (7) encryption technology can enhance the privacy, security, confidentiality, integrity, and authenticity of wire and electronic communications and stored electronic information; That is correct. (8) encryption techniques, technology, programs, and products are widely available worldwide; Yep. (9) Americans should be free lawfully to use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure, private, and confidential manner; The clumsiness of the language worries me. That word ``lawfully'' may just mean that Congress finds that people should be free to do whatever the law allows, but that there are no restrictions on what the law may forbid. More troublesome is the reference to programs ``developed in the market place''. That might be read as suggesting that there is no freedom to use products that were not developed in the market place. (The small number of programs that I have written have all been developed in my head, and in my head's extension, my computer; none of them had anything to do with the market place. Are the programs produced by the Free Software Foundation produced in the market place?) (10) American companies should be free to compete and to sell encryption technology, programs, and products; I have no objection to this finding, but notice that it has nothing to do with the free speech issues that are my concerns. I want to be able to give away the programs that I have written, and to give away encryption technology, programs, and products that are subject to copylefts or are otherwise available. And I want to be able to explain to my law students about how encryption programs work and why they may be ethically required to use them for electronic communications with their clients (and where to get them). (11) there is a need to develop a national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security; I don't really object to this, but I suspect that the best policy would be no policy. There are powers within the government who would use the reference to ``the Nation's public safety and national security'' as a basis for continuing to restrict the export or publication or other disclosure of any secure cryptographic software and algorithms. (12) there is a need to clarify the legal rights and responsibilities of key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications; I am not sure that this would not best be left to private agreements between the owners of the keys and their holders. (But this is not in the area of my concern.) (13) the Congress and the American people have recognized the need to balance the right to privacy and the protection of the public safety and national security; This is most unfortunate. In cases of extreem danger the courts may allow the agents of the state to ignore the constitutional right of privacy, but it is not a matter of ``balancing'' equally protected interests. The agents of the state always claim that they are acting in order to protect public safety and national security, especially when they are trying to destroy the safety of the constitution. (14) the Congress has permitted lawful electronic surveillance by investigative or law enforcement officers only upon compliance with stringent statutory standards and procedures; and I guess I don't object to this, except that I am not sure that it is true. (15) there is a need to clarify the standards and procedures by which investigative or law enforcement officers obtain assistance from key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications, including such communications in electronic storage. This seems confused; what about encrypted data that is not a communication? SEC. 4. FREEDOM TO USE ENCRYPTION. (a) LAWFUL USE OF ENCRYPTION.-It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, and by United States persons in a foreign country to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used except as provided in this Act and the amendments made by this Act or in any other law. This only says it is lawful to use encryption unless there is a law forbidding it. I hardly find that helpful. (b) GENERAL CONSTRUCTION.-Nothing in this Act or the amendments made by this Act shall be construed to- (1) require the use by any person of any form of encryption; OK, but shouldn't it also cover requiring any person _not_ to use any form of encryption? (2) limit or affect the ability of any person to use encryption without a key escrow function; or OK, though the language is rather clumsy. (3) limit or affect the ability of any person who chooses to use encryption with a key escrow function not to use a key holder. SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS. (a) IN GENERAL.-Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter: "CHAPTER 122-ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS "2801. Definitions. "2802. Prohibited acts by key holders. "2803. Reporting requirements. "2804. Unlawful use of encryption to obstruct justice. "2805. Freedom to sell encryption products. These provisions are not my major concern at this time, but note that ``encryption'' by definition only applies to wire and electronic communications. It thus seems that these provisions have nothing to do with data that is encrypted but that is not a communication. Do you think that this was what was intended? "\S 2801. Definitions "As used in this chapter- "(1) the terms 'person', 'State', 'wire communication', 'electronic communication', 'investigative or law enforcement officer', 'judge of competent jurisdiction', and 'electronic storage' have the same meanings given such terms in section 2510 of this title; "(2) the term 'encryption' means the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications; "(3) the term 'key holder' means a person located within the United States (which may, but is not required to, be a Federal agency) who is voluntarily entrusted by another independent person with the means to decrypt that person's wire or electronic communications for the purpose of subsequent decryption of such communications; "(4) the term 'decryption key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic communications that have been encrypted; and "(5) the term 'decryption assistance' means providing access, to the extent possible, to the plain text of encrypted wire or electronic communications. "\S 2802. Prohibited acts by key holders "(a) UNAUTHORIZED RELEASE OF KEY.-Except as provided in subsection (b), any key holder who releases a decryption key or provides decryption assistance shall be subject to the criminal penalties provided in subsection (e) and to civil liability as provided in subsection (f). "(b) AUTHORIZED RELEASE OF KEY.-A key holder shall only release a decryption key in its possession or control or provide decryption assistance- "(1) with the lawful consent of the person whose key is being held or managed by the key holder; "(2) as may be necessarily incident to the holding or management of the key by the key holder; or "(3) to investigative or law enforcement officers authorized by law to intercept wire or electronic communications under chapter 119, to obtain access to stored wire and electronic communications and transactional records under chapter 121, or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with subsection (c) of this section. Except for subdivision (3) this seems totally unnecessary. Let the parties agree to any arrangement they want. (And anyone who is seriously going to use an outside key holder is going to want to have them bonded, and will look to the bonding company for protection. (Bonding companies are mean.)) "(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE; OR LAW ENFORCEMENT OFFICER.- "(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.-A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to conduct electronic surveillance under chapter 119, only if- "(A) the key holder is given- "(i) a court order signed by a judge of competent jurisdiction directing such release or assistance; or "(ii) a certification in writing by a person specified in section 2518(7) or the Attorney General stating that- "(I) no warrant or court order is required by law; "(II) all requirements under section 2518(7) have been met; and "(III) the specified release or assistance is required; "(B) the order or certification under paragraph (A)- "(i) specifies the decryption key or decryption assistance which is being sought; and "(ii) identifies the termination date of the period for which release or assistance has been authorized; and"(C) in compliance with an order or certification under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to communications covered by subparagraph (B). "(2) STORED WIRE AND ELECTRONIC COMMUNICATIONS.-(A) A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to obtain access to stored wire and electronic communications and transactional records under chapter 121, only if the key holder is directed to give such assistance pursuant to the same lawful process (court warrant, order, subpoena, or certification) used to obtain access to the stored wire and electronic communications and transactional records. "(B) The notification required under section 2703(b) shall, in the event that encrypted wire or electronic communications were obtained from electronic storage, include notice of the fact that a key to such communications was or was not released or decryption assistance was or was not provided by a key holder. "(C) In compliance with the lawful process under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to the communications covered by such lawful process. Note once again that this applies only to _communications_. "(3) USE OF KEY.-(A) An investigative or law enforcement officer to whom a key has been released under this subsection may use the key only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use, not to exceed the duration of the electronic surveillance for which the key was released. "(B) On or before completion of the authorized release period, the investigative or law enforcement officer to whom a key has been released shall destroy and not retain the released key. "(C) The inventory required to be served pursuant to section 2518(8)(d) on persons named in the order or the application under section 2518(7)(b), and such other parties to intercepted communications as the judge may determine, in the interest of justice, shall, in the event that encrypted wire or electronic communications were intercepted, include notice of the fact that during the period of the order or extensions thereof a key to, or decryption assistance for, any encrypted wire or electronic communications of the person or party intercepted was or was not provided by a key holder. "(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or agent thereof shall disclose the key release or provision of decryption assistance pursuant to subsection (b), except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate. "(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.-A key holder, shall not disclose a record or other information (not including the key) pertaining to any person whose key is being held or managed by the key holder, except- "(1) with the lawful consent of the person whose key is being held or managed by the key holder; or "(2) to an investigative or law enforcement officer pursuant to a subpoena authorized under Federal or State law, court order, or lawful process. An investigative or law enforcement officer receiving a record or information under paragraph (2) is not required to provide notice to the person to whom the record or information pertains. Any disclosure in violation of this subsection shall render the person committing the violation liable for the civil damages provided for in subsection (f). "(e) CRIMINAL PENALTIES.-The punishment for an offense under subsection (a) of this section is- "(1) if the offense is committed for a tortious, malicious, or illegal purpose, or for purposes of direct or indirect commercial advantage or private commercial gain- "(A) a fine under this title or imprisonment for not more than 1 year, or both, in the case of a first offense under this subparagraph; or "(B) a fine under this title or imprisonment for not more than 2 years, or both, for any second or subsequent offense; and"(2) in any other case where the offense is committed recklessly or intentionally, a fine of not more than $5,000 or imprisonment for not more than 6 months, or both. "(f) CIVIL DAMAGES.- "(1) IN GENERAL.-Any person aggrieved by any act of a person in violation of subsections (a) or (d) may in a civil action recover from such person appropriate relief. "(2) RELIEF.-In an action under this subsection, appropriate relief includes- "(A) such preliminary and other equitable or declaratory relief as may be appropriate; "(B) damages under paragraph (3) and punitive damages in appropriate cases; and "(C) a reasonable attorney's fee and other litigation costs reasonably incurred."(3) COMPUTATION OF DAMAGES.-The court may assess as damages whichever is the greater of- "(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or "(B) statutory damages in the amount of $5,000."(4) LIMITATION.-A civil action under this subsection shall not be commenced later than 2 years after the date upon which the plaintiff first knew or should have known of the violation. "(g) DEFENSE.-It shall be a complete defense against any civil or criminal action brought under this chapter that the defendant acted in good faith reliance upon a court warrant or order, grand jury or trial subpoena, or statutory authorization. "\S 2803. Reporting requirements "(a) IN GENERAL.-In reporting to the Administrative Office of the United States Courts as required under section 2519(2) of this title, the Attorney General, an Assistant Attorney General specially designated by the Attorney General, the principal prosecuting attorney of a State, or the principal prosecuting attorney of any political sub division of a State, shall report on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance. "(b) REQUIREMENTS.-The Director of the Administrative Office of the United States Courts shall include as part of the report transmitted to the Congress under section 2519(3) of this title, the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance and the offenses for which the orders were obtained. "\S 2804. Unlawful use of encryption to obstruct justice "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall- "(1) in the case of a first conviction, be sentenced to imprisonment for not more than 5 years, fined under this title, or both; or "(2) in the case of a second or subsequent conviction, be sentenced to imprisonment for not more than 10 years, fined under this title, or both. This provision is completely incoherent. There is no telling how the government will interpret it, but at a guess they will use it to make people reveal their keys: ``if you don't tell us your key, we are going to charge you with impeding the communication to me of information about the felony I am investigating.'' "§ 2805. Freedom to sell encryption products "(a) IN GENERAL.-It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to sell in interstate commerce any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. This sounds nice, but remember that ``encryption'' is defined as: ``the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications''. So what does it mean to sell ``any encryption''? "(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.- "(1) GENERAL RULE.-Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications. OK, here is where the problems that concern me arise. This provision sounds quite nice, but it covers up several big problems. In the first place, the delegation to the Secretary of Commerce sounds like a good idea, because, at the present time the people in the Commerce department who enforce export controls are very nice and helpful, and operate reasonably under reasonable regulations, while the puppets who front for the NSA (or are actually agents of the NSA) in the Office of Defense Trade Controls are not very nice, are exceptionally unhelpful, and specialize in unreasonable---and down right irrational---interpretations of unreasonable regulations. But if the jurisdiction is handed over to Commerce, I predict that the the puppet masters will turn their attention to Commerce, and shortly thereafter---if only because of Presidential pressure---Commerce will have its own incoherent regulations and its own unpleasent people and it won't be as easy to export software as one might hope. Note that the transfer is to Commerce but there is nothing that expressly specifies what law is to be applied by Commerce. Thus in theory at least there is nothing to stop Commerce from enforcing the same old provisions of the ITAR limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test, operation, diagnosis and repair.'' Note that what is covered here is nothing but information, and that that information includes algorithms, _i.e._ recipes. If the government can constitutionally ``control'' the ``export'' of cryptographic algorithms by requiring a license before one can publish them or otherwise disclose them to a foreign person, then they can require a license before one publishes Julia Child's recipe for a _bombe surprise_ or a recipe for winning a Presidential election without actually committing any felonies. Even if that definition is adopted, the fact remains that software is still nothing but information, and that it is the communication of information that is protectected by the first amendment to the United States constitution. (If you aren't convinced that software is protected by the first amendment, notice that software is copyrightable as a ``literary work''.) Note that the paradigmatic violation of the first amendment is a scheme under which the government requires publishers to obtain a license before publishing. Part of what I fear is that, were the Leahy bill to be passed in its present form is that the President, in conformance with that bill, would simply transfer the licensing and rule making powers with respect to cryptographic devices and software to the Department of Commerce, but would still leave them controlled by the ITAR and the Arms Export Control Act just as they are now, including all of the cryptic and unconstitional interpretations of ITAR that up to now have been imposed upon the Office of Defense Trade Controls by the National Security Agency. There is nothing in the Leahy bill that forbids that sort of shell game. The trouble is that there is nothing in the bill that specifies the law under which Commerce is to ``control'' cryptographic devices and software. The real problem, however, is simply that the Leahy bill appears to authorize control (including licensing) of cryptographic software and thus to authorize the imposition of licensing requirements for the constitutionally protected communication of information. At the present time, on the other hand, although the Arms Export Control Act does, quite constitutionally, require licensing of physical devices, the provisions in the ITAR requiring licenses for the communication of information are not authorized by any act of congress. (The point is of practical importance because the courts may be willing to strike down the ITAR's licensing requirements on software on the grounds that they are _ultra vires_ simply to avoid having to decide the constitutional issues.) Thus the major problem with the Leahy bill, from the point of view of those concerned with the freedoms of speech and of the press, is that it conflates hardware, which can be regulated constitutionally, with software, which is text that cannot be constitutionally regulated, and certainly cannot be subjected to a licensing scheme. (The agents of the NSA in the Office of Defense Trade Controls try to confuse this distinction, claiming that cryptographic software is hardware, not information that is in the public domain under the provisions of the ITAR.) The only satisfactory bill, from the point of view of those of us who are concerned with freedom of speech and of the press would be a bill that says that export licensing controls do not apply, and recognizes that export controls cannot be applied constitutionally, to the publication or other disclosure or communication of software. Another problem is that the Leahy bill expressly does not apply to ``computer hardware, software, and technology that is _specifically designed or modified for military use_, including command, control, and intelligence applications''. This may sound harmless, but the emphasized language is almost exactly the language that is used in the ITAR to define what can be included on the United States Munition List in the ITAR. The major prerequisite for the designation of an article or service on the United States Munitions List, according to ITAR \S 120.3, is that it is: ``specifically designed, developed, configured, adapted, or modified for a military application''. This strongly suggests that, if the Leahy bill were adopted, the NSA and the Office of Defense Trade Controls would simply take the position that cryptographic devices and software still are specifically designed for military use and thus remain on the Munitions List and under the control of the Office of Defense Trade Controls in the State Department. This would seem to inconsistent with the intent of the Leah bill, but that is hardly going to bother the rather spooky people in the Office of Defense Trade Controls since the law expressly provides that the courts may not review the designation of an item on the United States Munitions List. (Even before that provision forbidding judicial review was adopted, one federal district court held that the defendant in a criminal case---whose alleged crime was exporting cable or satellite TV descrambler boxes---could not challenge the inclusion of descramblers on the Munitions List, because their inclusion was an unreviewable ``political'' determination.) Thus I predict that the passage of the Leahy amendment would have no affect whatsoever on the licensing requirements that are presently applied by the Office of Defense Trade Controls to cryptographic devices and software. The people who enforce those requirements are not now governed by law or logic; the Leahy bill is not likely to change that, not when it contains such a gaping loophole. But let us look at the particular provisions of the Leahy bill that will supposedly ease the burden on both cryptographic hardware and software: "(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of- ``Validated license'' is a term that is not used in the Arms Export Control Act and the ITAR, so to the extent that that act and those regulations remain applicable to cryptographic devices and software---and, as has been pointed out, nothing in the Leahy bill purports to change that---, this provision will have no affect whatsoever. On the other hand, the term ``validated license'' is used in the regulations of the Bureau of Export Administration of the Department of Commerce. Thus 15 Code of Federal Regulations \S 770.2 defines ``Validated license'' as: ``A document issued by or under the authority of the Bureau of Export Administration, authorizing export.'' So perhaps this provision of the Leahy bill does give some protection, but only if the powers of the Commerce Department to regulate software are deligated to Commerce's Bureau of Export Administration and even then only if this definition is not amended. It would, moreover, have been preferable if the bill had provided that cryptographic hardware and software are entitled to a ``general license'', which is defined in 15 CFR \S 770.2 as follows: ``A license established by the U.S. Department of Commerce for which no application is required and for which no document is granted or issued. It is available for use by all persons, except those listed in and prohibited by the provisions of Supplement No. 1 to part 788, and permits export within the provisions thereof as prescribed in the Export Administration Regulations. These general licenses are not applicable to exports under the licensing jurisdiction of agencies other than the Department of Commerce.'' (But note the last provision.) "(A) any software, including software with encryption capabilities, that is- "(i) generally available, as is, and designed for installation by the purchaser; or "(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or "(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). This provision at first glance looks pretty good, but it arguably offers no protection to people like Daniel Bernstein and myself who want to publish new (even if, as is ture in my case, also trivial) software with encryption capabilities. The ITAR also has a public domain exemption, but the censors in the Office of Defense Trade Controls take the position that one would violate the ITAR by the act of putting matter in the public domain or making it generally available. (The Office of Defense Trade Controls also takes the position that cryptographic software is not information that can fall within the public domain exception in the ITAR.) Note that though no validated license can be required for such software and related hardware under the Leahy bill, there is nothing that says that such software and hardware is entitled to a general license. One may thus find oneself in the situation---that happened for example to Daniel Bernstein under the ITAR---that one has written software that cannot be exported without a license, but for which no possible license is available. "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be- "(A) diverted to a military end-use or an end-use supporting international terrorism; "(B) modified for military or terrorist end-use; or "(C) reexported without requisite United States authorization. Here we see what appears to be authority for the Secretary of Commerce to regulate the export of software, a provision that probably violates the first amendment of the United States constitution, unless the definition of ``export or rexport of software'' is limited in a manner that would make the regulation quite ineffective. The Leahy bill, however, makes no effort to define what is an ``export'' of software. One thus has reason to fear that the Secretary of Commerce will simply adopt the definitions which have been used to restrain the publication or other disclosure of cryptographic software under the ITAR. "(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States. This applies only to hardware, and so is not subject to attack on first amendment grounds. I am willing to bet, however, that if this provision is passed, the National Security Agency would be delegated the job of determing whether products of comparable security are available outside the United States and that very few products would be found by the NSA to be comparable (and that it would take years to get a determination of any sort). "(5) DEFINITIONS.-As used in this subsection- "(A) the term 'generally available' means, in the case of software (including software with encryption capabilities), software that is widely offered for sale, license, or transfer including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; Notice that this gives no protection to those who do not widely offer their software for sale, license, or transfer---persons like Daniel Bernstein and almost all academic cryptographers, for example. Those who are interested in mass marketing cryptographic software may be happy with this provision, but it is no consolation to those of us who are not mass marketers. (Note that mass marketed software may be entitled to less constitutional protection, as commercial speech, than is the software that academics like Dan Bernstein or myself may desire to publish as part of our research or educational activities.) "(B) the term 'as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software company for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program; "(C) the term 'is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities)- "(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the company may also provide telephone help-line services for software installation, electronic transmission, or basic operations; and "(ii) that the software program is designed for installation by the purchaser without further substantial support by the supplier; Note that those of us who are not a ``software company'' that sells software to a ``purchaser'' are apparently excluded from the benefits of this definition. "(D) the term 'computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and "(E) the term 'computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits.". I do not have any comments on the remaining portions of the bill, and so I have deleted them from this already too lengthy submission. I look forward to your reactions and corrections. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu