New crypto regs outlaw financing non-US development

As you know, the President has transferred most crypto from State to Commerce. We were all waiting in anticipation for the text of new regulations to take effect on 12/30/96. Not because we thought that the new regs will be more favorable to industry and the individual (we know better), but so we could assess the damage. I will try to give a brief look at some interesting provisions in the new regs. I assume the reader is familiar with the carrot and stick (export of single DES and key escrow) provision of the new regs. IANAL.
This post refers to the text of the regulations available at http://jya.com/bxa123096.txt and http://jya.com/itar123096.txt
The above URLs mirror [Federal Register: December 30, 1996 (Volume 61, Number 251)], also available via http://www.access.gpo.gov/su_docs/aces/aces140.html
First the good news: the export controls mentioned in the draft of the regs on any kind of data security software, regardless if it uses crypto or not did not carry into the final version.
Now to the rest of the news.
Requests for one-time review of recoverable products which allow government officials to obtain, under proper legal authority and without the cooperation or knowledge of the user, the plaintext of the encrypted data and communications will also receive favorable consideration.
The GAK provisions require that the keys are made available without knowledge of the user. This disqualifies some of the suggested key recovery schemes alerting the user to the fact that keys are being requested.
A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.3(b)(3)). The administration continues to review whether and to what extent scannable encryption source or object code in printed form should be subject to the EAR and reserves the option to impose export controls on such software for national security and foreign policy reasons.
Printed source can still be exported. Source printed in special OCR fonts will eventually be banned.
Finally, to the big one:
Sec. 736.2 General prohibitions and determination of applicability.
* * * * * (7) General Prohibition Seven--Support of Certain Activities by U.S. persons--(i) Support of Proliferation Activities (U.S. Person Proliferation Activity). If you are a U.S. Person as that term is defined in Sec. 744.6(c) of the EAR, you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR which prohibits the performance, without a license from BXA, of certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR. There are no License Exceptions to this General Prohibition Seven in part 740 of the EAR unless specifically authorized in that part.
IMHO, this closes the door on the foreign contracting loophole used by C2 and others. It is now illegal for US persons to finance or contract out overseas crypto development, since doing so will obviously assist in proliferation. While not unexpected (I offered a bet on Cypherpunks that this would happen. Nobody took the bet.), this provision sets a dangerous precedent. The technical assistance prohibitions of the past have been transformed into general prohibitions against "financing, contracting, service, support, transportation, freight forwarding, or employment".
Again, IANAL.
-- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred
Make your mark in the history of mathematics. Use the spare cycles of your PC/PPC/UNIX box to help find a new prime. http://www.mersenne.org/prime.htm

At 10:57 PM -0800 12/28/96, Lucky Green wrote:
IMHO, this closes the door on the foreign contracting loophole used by C2 and others. It is now illegal for US persons to finance or contract out overseas crypto development, since doing so will obviously assist in proliferation. While not unexpected (I offered a bet on Cypherpunks that this would happen. Nobody took the bet.), this provision sets a dangerous precedent. The technical assistance prohibitions of the past have been transformed into general prohibitions against "financing, contracting, service, support, transportation, freight forwarding, or employment".
Again, IANAL.
Nor am I, but I have a "prediction" to make in the spirit of Lucky's types of predictions of doom.
I predict that we will see within two years a law making it illegal to "structure communications" with the intent to avoid traceability, accountability, etc. This would be along the lines of the laws making it illegal to "structure" financial transactions with the (apparent) intent to avoid or evade certain laws about reporting of income, reporting of transactions, etc.
As I was wading through the 500 accumulated Cypherpunks messages upon my return, and after I discarded hundreds of spam and loop messages, and all of the Vulisgrams--and about 50 others my filter kicked into the trash--I was struck by the discussion by our former Federal prosecutor, Brian Davis, about a "structuring" case he personally handled--the gambling lawyer ("IANAL--not") who arranged to receive his winnings as three separate $9000 checks. He paid all of his taxes, perhaps because he was alerted to the investigation, but he nevertheless paid them. And yet, as Brian notes, he forfeited the $27,000 in income. (Brian has noted that the guy voluntarily agreed to this outcome, to avoid a court battle. The effect is that he lost his income for the crime of structuring transactions, not for evading taxes.)
How long before the U.S. Code declares "attempting to obscure or hide the origin of a communication" to be a felony? That would rule out ordinary mail without return addresses, but I think there are ample signs we're already moving toward this situation (packages that could be bombs putatively require ID, talk of the Postal Service handling the citizen-unit authentication/signature system, etc.). While this would not stop all uses of remailers, sendmail-type hacks a la Port 25 obfuscation, and so on, it would give the Feds a powerful tool in the suppression of remailer networks.
"The operator of Anonymizer.com failed to file adequate "Reports of Suspicious Communications" with the Internet Regulatory Commission. He has agreed to settle the case by forfeiting his machines, his office furniture, and $225,000 in alleged profits from past uses of his remailer service."
The various lawyers on this list may point out flaws in my prediction. Please do! And there are still workarounds to such laws. But I think the use of such regulations to "get" those the government wants "got" is a time-honored strategy in our modern state.
As Whit Diffie notes, the War on Drugs certainly did not stop drug use, but it most assuredly caused _corporations_ to be pressed into service as de facto drug policy enforcers. (How, you ask? The threat of forfeiture of corporation-owned properties if drugs were ever found on them. And the loss of government business if urine samples were not taken regularly. "Just say no" posters up in the company cafeterias.)
Similar restrictions on cryptography--including the "suspicious communications" reporting item discussed here--will have a similar effect: casual or "underground" users will of course not be directly affected, but corporate or institutional users will find their institutions are acting as the cops. The large corporations will dare not use "rogue" crypto, for fear of being hit with tax evasion or SEC or FTC charges (think about it--that undecodable communication using remailer networks could have been about price-fixing, or collusion). And companies offering anonymizing services, like the old business model of Community Connexion (C2), will likely be hit with the "structuring" rules.
This will force strong, unescrowed crypto to the margins, to the underground. Exactly the desired intent, of course.
You heard it here.
--Tim May
Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

This fascist move by the U.S. government is a huge threat to our liberty. It may be time to simply give up on communicating with these assholes and give them the treatment they have earned.
At 10:57 PM -0800 12/28/96, Lucky Green wrote:
Finally, to the big one:
And this is a very big one indeed. Not only does it probably put organizations like C2 out of business, at least in terms of supporting the development of things like the South African and British Web products, but it also may mean the *Cypherpunks list itself*, and some of its members, are ipso facto in violation of this "giving comfort to the enemy" (to paraphrase) language!
Sec. 736.2 General prohibitions and determination of applicability.
* * * * * (7) General Prohibition Seven--Support of Certain Activities by U.S. persons--(i) Support of Proliferation Activities (U.S. Person Proliferation Activity). If you are a U.S. Person as that term is defined in Sec. 744.6(c) of the EAR, you may not engage in any activities prohibited by Sec. 744.6 (a) or (b) of the EAR which prohibits the performance, without a license from BXA, of certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR. There are no License Exceptions to this General Prohibition Seven in part 740 of the EAR unless specifically authorized in that part.
This may mean, subject to the usual legal system review (a scapegoat is targeted, a court case is filed, several years of Zimmermann limbo follow, etc.), that members of this list may be construed to be engaging in "certain financing, contracting, service, support, transportation, freight forwarding, or employment that you know will assist in certain proliferation activities described further in part 744 of the EAR."
Certainly "support" and "service" of these products. Is giving a user advice on "Stronghold" now to be a felony? How about PGP, which certainly has not received export approval? And so on.
This very list advocates violation of the ITARs in various ways (I speak of "the list" as a person in the sense of the consensus of the list...there may not be unanimity, but the consensus of the vocal members of the list is obvious).
It may be time for us to go underground. It may be time to take much, much, much, much more extreme steps. This fascism is unacceptable.
--Tim May
Just say "No" to "Big Brother Inside"
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

"Timothy C. May" <tcmay@got.net> writes:
This fascist move by the U.S. government is a huge threat to our liberty. It may be time to simply give up on communicating with these assholes and give them the treatment they have earned.
I said it recently on another forum: U.S. today reminds me not of Nazi Germany (which would have existed for hundreds of years if it hadn't foolishly attacked more neighbors than it could fight at the same time), but of the former Soviet Union under late Brezhnev, Chernenko, and Andropov. Nothing needs to be done; just wait for it to collapse and try not to get hit by the falling debris. :-)
---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps

At 5:15 PM -0800 12/29/96, Timothy C. May wrote:
This very list advocates violation of the ITARs in various ways (I speak of "the list" as a person in the sense of the consensus of the list...there may not be unanimity, but the consensus of the vocal members of the list is obvious).
Gee, I always thought that people on this list only advocated changing the ITAR thru legal means. The fact that strong crypto is widely available outside the USA is merely supporting evidence for this view. :-)
It's nice to see some signal back instead of just the noise sent during the Christmas attack on the list. Thanks to all of you who provided the signal.
-------------------------------------------------------------------------
Bill Frantz       | Client in California, POP3 | Periwinkle -- Consulting
(408)356-8506     | in Pittsburgh, Packets in  | 16345 Englewood Ave.
frantz@netcom.com | Pakistan. - me             | Los Gatos, CA 95032, USA

-----BEGIN PGP SIGNED MESSAGE-----
In article <3.0.32.19961228225731.006b3080@netcom13.netcom.com>, Lucky Green <shamrock@netcom.com> wrote:
First the good news: the export controls mentioned in the draft of the regs on any kind of data security software, regardless if it uses crypto or not did not carry into the final version.
But it _specifically_ restricts virus-checkers (and, also, it would seem, backup programs, but that could be stretching it):
ECCN 5D002.c.3:
# ``Software'' designed or modified to protect against malicious
# computer damage, e.g., viruses
- Ian "_not_ a U.S. Person"
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMsl//0ZRiTErSPb1AQH3UgP/a9usiLoJbIpn1XNzSvqDftGPxeuoHO00
WRlaYxm4xIsADedp8xheTQB+cl0gjb10HLwBJ5FUGdbzZkGTEbsW9RQe7OX2t4vB
/6t75K+N6le7A/uJN0oNkmNz+5v5JaaDcsmjOHADzHsGEUFkN3JhRa7YUz83PVOk
zAAyHoSECNs=
=aLLo
-----END PGP SIGNATURE-----