Included: - why PGP, not Moby Crypto, is (probably) the focus - including more juicy rumors about the *overall* customs office investigation - I open my mailbag and talk about Bidzos & the ITAR again - points and questions about grand jury investigations in general * * * First, some (e.g. Steve Bellovin) have raised the point that Grady Ward just days ago announced on the newsgroups that he was looking for people to `drop ship' Moby Crypto to in apparent violation of the ITAR. Now, this does sound very incriminating and subversive, but the fact is that our legal system grinds with the utmost sluggishness, as one lately rather vocal cypherpunk (to say the least) pointed out. I think it is *highly* unlikely that these subpoenas were due directly to this *particular* statement at all. The grand jury has probably been convened weeks, or at least many days, ago. There has already probably been some deliberations just to get a basic familiarity with the case -- remember, these are regular citizens as jurors, right? surely, all this cryptography and export business sounds pretty abstruse, bizarre, and convoluted -- even to people who dwell on it daily! Furthermore, other clues I've come across suggest that the customs' office investigation or inquiry has been in progress for *many months* if not even a *year*, and that this grand jury convening and subpoena serving is simply the latest development. Not only that, but at least one other highly prominent and reputable cryptographic company *apparently* has been `visited' under the same general inquiry -- moreover, the agents were requesting information on *PGP*. And get this: there was supposedly some confusion over PGP (private software by PRZ) and the public company itself by the visiting agents! This from a *top* source: ``When they came to see us, they already had a lot of documents from the net, but I don't think they knew how to make sense of them.'' Again, *all* this supports the conjecture that *international distribution of PGP* is the primary target and Moby Crypto, G. Ward mostly secondary, or perhaps even just a bystander. We track this stuff every day, but we have to understand that to government bureacrats and the average citizen, ``any sufficiently advanced technology is indistinguishable from magic'' -- A. C. Clark -- and the details of the last few year's `cryptographic fault slips & earthquakes' are very formidable, overwhelming, and sometimes impenetrable even to experts. In fact, if the specifics of the E911 document were confusing to a jury, imagine them trying to grasp the epic tale of PGP, RSA, PKP, NSA, ITAR, ad infinitum ad nauseam... * * * I've been getting a wide variety of hot and emotional reaction lately, both public and private, directly or indirectly, by prominent heroes and lowly villains, both electronic back-pats and flames. The last, from someone I deeply respect:

what's going on?

It feels like you're inviting a flame war not much unlike our favorite-enemy David Sternlight.

Yikes. My stomach turns. This was apparently in reaction (the sole one so far, a wretched return) to my report that Bidzos of PKP believed that software was *specifically exempt* from the `public domain' exception clauses of the ITAR, commenting on H. Finney's exceptional and thoroughly researched (but of course not exhaustively authoritative by admission) ITAR analysis posted herein. The point of my posting was: I grudgingly accede that Bidzos is an *extremely knowledgeable expert* of the *highest caliber* on the ITAR code, and others should recognize this too. His company and its army of lawyers deals with it daily. They have explored every nook and cranny. They live and die by it. (In fact, I've urged him to share the company's extremely valuable knowledge and experience in the area with EFF this week--perhaps there is something already going on, I don't know.) Hence, if software is `exempt' from `public domain' exceptions to the restrictions on cryptographic export, according to Bidzos, that's quite shocking. So far no one has responded. Is the claim groundless? Or is there something in the ITAR that supports it? Cypherpunk extraordinaire H. Finney has tracked this very closely in his posting, but did not note any such exception. (I'm still trying to track down Bidzos' posting that claimed that PGP export was illegal under the ITAR, as well as possible archives for the ITAR itself. I hope some cypherpunk hears the call.) * * * S. Steele of EFF & others have been kind enough to correct some of my misunderstandings about grand jury investigations. Since nobody else has previously volunteered any information, I will feel free to ignore rude flames criticizing me for its ``obviousness'', which for some unfathomable reason have increased tremendously lately. I'm unfazed because I find this all a great educational opportunity. First, I was grasping at straws (I knew it, but I just wanted to know what could be done). Of course there's no such thing as a `overbroad subpoena' (although some warrants are ruled that). The grand jury investigation is simply a fact-finding mission to determine whether indictments are necessary. This is a bit surprising -- In a grand jury hearing, e.g. what PRZ and G. Ward face on Wednesday, the person summoned is *not* entitled to an attorney. The hearings are broad in their scope. She notes that `information that would be excluded from evidence in a trial is perfectly proper to put before a grand jury.' I still wonder what kind of legal tactics are available at this point in investigations of this type to the subpoenaed. I would like some more information on the following: how are jurors on the grand jury selected? by the head Attorney of the State? what are his requirements and constraints in selecting them? Is there any kind of judge involved at this point? (That reminds me -- I wonder why California of all places is the site of the grand jury. What is the significance of that? it is not the location of either PGP or Grady Ward. Isn't PKP in California? just curious :) Secondly, under what situations does the State Prosecutor have the authority to convene a grand jury? can he convene them anytime there is some suspicion? here is a situation where there can be a burden on the `subjects' *prior* to even there being a court trial. Everyone has to fly to California in this case -- not quite as simple as paying a parking ticket (note: Grady Ward was subpoenaed to appear, but PRZ was not so far, only the president of ViaCrypt, Leonard Mikus, although at this point it seems *highly likely* PRZ will be subpoenaed). This is one of those situations & compromises in our judicial system wherein people have to sacrifice some rights just to exist in the system, without even being accused (I certainly acknowledge that these tradeoffs are crucial to law enforcement and a functional judicial system, but its a delicate balance). Also, I'm curious: what is known about previous Customs investigations of this type? have there ever been grand juries convened before for cryptographic inquiries? what were the circumstances and cases? is this a typical thing for the Customs Office to be doing, or is this current situation fundamentally novel? Somehow, I just can't picture the Customs Office regularly going about and investigating and hassling cryptography companies. From my point of view, the present situation appears extremely unique, to say the least.