I sure hope some tells David Harris that his program is now export controlled. From my reading of his message, it seemed like he thinks he "beat the system" because he didn't include actual crypto code. Software that says "plug your own crypto here" is considered an anciliarry device according to the ITAR. Or, as I heard some NSA people call it, "the classic 'crypto with a hole'." Seems kinda silly that the hole is the crypto, but hey that anciliiary device clause, you just gotta love it. If Pegasus mail were written to support generic user-loadable content transforms, that would be different. But even then, you have to be careful how that's done. If just did some global search-and-replace and came up with "keyed compression" you wouldn't get past anyone. But if you had an opaque state block that the user modules could set/use/clear, and you passed that along with your in/out buffers, then you'd be safe. Of course, they'd know what is really going on, but are powerless to prevent it. /r$
On Nov 9, 7:52am, Rich Salz wrote:
Subject: Re: Pegasus Mail I sure hope some tells David Harris that his program is now export controlled. From my reading of his message, it seemed like he thinks he "beat the system" because he didn't include actual crypto code. Hm. David Harris lives in New Zealand.
This makes him a very good man to be writing mail software. Also makes Pegasus Mail our local software of choice. (We use it at school.) That it now has hooks for external encryption packages is very good news. richard -- Richard Martin Alias|Wavefront - Toronto Office [Co-op Software Developer, Games Team] rmartin@aw.sgi.com/g4frodo@cdf.toronto.edu http://www.io.org/~samwise Trinity College UofT ChemPhysCompSci 9T7+PEY=9T8 Shad Valley Waterloo 1992
I sure hope no one does. The ITARs seem to contain a 'scienter' requirement; that you must know (or have a reasonable idea) that you are breaking them for it to be criminal. If he thinks he's ok, he is until someone tells him otherwise. I am not a lawyer. That is not legal advice. Go consult a good ITAR attorney if you want to try that at home. :) Rich Salz wrote: | I sure hope some tells David Harris that his program is now export | controlled. From my reading of his message, it seemed like he thinks he | "beat the system" because he didn't include actual crypto code. -- "It is seldom that liberty of any kind is lost all at once." -Hume
Rich Salz <rsalz@osf.org> writes:
I sure hope some tells David Harris that his program is now export controlled. From my reading of his message, it seemed like he thinks he "beat the system" because he didn't include actual crypto code.
Even if he were in the US, I would hope that no one told him that. One of the elements of the offense of violating the arms export control act is that the violation be willful. The exporter has to violate a known legal duty not to export the item. One of the reasons for this is simply that the ITAR list is long and technical and average individuals cannot be expected to know all its details. This is mentioned in the Lizarraga case, at approximately 541 F2d 828: "Two features of 22 USC 1934 strongly indicate that Congress used the term 'willful' to require a showing of specific intent. First, the statute prohibits exportation of items listed by administrative regulation, not by the statute itself. Second, upon referring to the pertinent regulation, 22 CFR part 121, we find that the regulation contains an exhaustive list of items including amphibious vehicles, pressure-breathing suits, aerial cameras, 'privacy devices,' and concealment equipment (including paints). Unlike those substances which are known generally to be controlled by government regulation, such as heroin or like drugs, these items might be exported or imported innocently. Under such circumstances, it appears likely that Congress would have wanted to require a voluntary, intentional violation of a known legal duty not to export such items before predicating criminal liability." So in this case I think widespread publicity about the ITARs can be considered harmful. All those helpful people going around warning others that they are exporting software are actually removing a defense against charges of export. Hal
Hal writes: : One : of the elements of the offense of violating the arms export control act : is that the violation be willful. The exporter has to violate a known : legal duty not to export the item. One of the reasons for this is simply : that the ITAR list is long and technical and average individuals cannot be : expected to know all its details. This is mentioned in the Lizarraga : case, at approximately 541 F2d 828: . . . . : So in this case I think widespread publicity about the ITARs can be : considered harmful. All those helpful people going around warning others : that they are exporting software are actually removing a defense against : charges of export. This is a serious problem. On the other hand there are civil penalties for violating the ITAR that can be imposed without any showing of willfulness. So the non-willfull exporter is still at risk, even if he does not know it. And if people are not informed in general, then the boys from the Office of Defense Trade Controls and NSA, can selectively inform only those whom they wish to harass, which is perhaps the nastiest aspect of the ITAR. The only long term solution is to establish that the ITAR's provisions relating to cryptographic software are unconstitutional and void. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger@pdj2-ra.f-remote.cwru.edu junger@samsara.law.cwru.edu
participants (5)
-
Adam Shostack -
Hal -
Peter D. Junger -
Rich Salz -
Richard Martin