From: Marshall Clow <mclow@owl.csusm.edu>
Date: Wed, 16 Oct 1996 21:40:22 -0700 (PDT)
To: jim bell <stan_gibson@zd.com
Subject: Re: Your editorial in the 10/14 PCWeek
In-Reply-To: <199610170312.UAA03693@mail.pacifier.com>
Message-ID: <v03007806ae8b5d3d10dd@[207.67.246.99]>
MIME-Version: 1.0
Content-Type: text/plain


At 03:37 PM 10/16/96 -0800, Timothy C. May wrote:
>I wrote:
>>A) This is not a change in the law. There is no law regarding export of
>>encryption software.
>>Congress has never passed any such law. These are State Department
>>regulations and presidential decrees. These regulations, which have the
>>force of law to you and me, were never debated or voted upon by our
>>elected representatives. They can be changed tomorrow the same way. In
>>fact, they can be changed and the public need not even be notified.
>
>Actually, as Greg Broiles pointed out in an article (on the Cypherpunks
>list) several weeks ago, Congress deliberately chooses to delegate much
>regulatory authority to other agencies. There just is not enough time or
>expertise for them to pass specific laws covering the number and size of
>trashcans in the national parks, the type of equipment to be used on Navy
>ships, and so on. The State Department--and soon to be transferred to
>Commerce--has the regulatory authority to decide which exports are covered
>by the International Trafficking in Arms Regulations, the ITARs. These
>rules effectively have the full force of law, as many tens of thousands of
>laws not specifically passed by Congress have.
>
I never argued that these regulations did not have the force of law.
In fact, I conceded that they did.

Nevertheless, they are not laws.
They were neither debated nor voted upon by our elected representatives.
They can be changed at a moment's notice by the State Department, which takes its' orders from the President. The announcement that prompted Mr. Gibson's editorial did not come from the State Department, who putatively has authority over the ITAR.  Instead, the announcement was made from the office of the Vice President, and begins "President Clinton and I" and speaks throughout of "The Administration's initiative".

_That_ was the distinction that I was making.

FWIW, I was unable to find the announcement on the White House's web server, but it is availiable at <http://www.epic.org/crypto/key_escrow/clipper4_statement.html>


Here is another example (taken from the Clipper debate):

In a paper about privacy and the original Clipper proposal (in 1994) A. Michael Froomkin of the University of Miami School of Law pointed out that since the entire key-escrow infastructure was created by presidential decree, and the proposed key holders were part of the executive branch, the provisions for release of the keys could be changed at a moment's notice by another presidential decree, which need not ever be made public. [ Yo, key escrow dude! Email your key database to wiretappers@fbi.gov, and don't tell anyone! ]

See <http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/partIC.html#ToC29> for the following quote, and <http://www-swiss.ai.mit.edu/6095/articles/froomkin-metaphor/text.html> for the entire paper. (It's very long; but suprisingly readable, given that the author is a law professor ;-)

>The security precautions introduced by NIST in late 1994 are complex. To the nonspecialist they
>appear sufficient to prevent security breaches at the time the keys are "burned in" and to prevent
>surreptitious copying or theft of the key list from the escrow agents. But no amount of technical
>ingenuity will suffice to protect the key fragments from a change in the legal rules governing the
>escrow agents. Thus, even if the technical procedures are sound, the President could direct the
>Attorney General to change her rules regarding the escrow procedures. Because these rules were
>issued without notice or comment, affect no private rights, and (like all procedural rules) can
>therefore be amended or rescinded at any time without public notice, there is no legal obstacle to
>a secret amendment or supplement to the existing rules permitting or requiring that the keys be
>released to whomever, or according to whatever, the President directs. Because the President's
>order would be lawful, none of the security precautions outlined by NIST would protect the
>users of the EES system from disclosure of the key segments by the escrow agents. 

I

 -- Marshall

Marshall Clow     Aladdin Systems   <mailto:mclow@mailhost2.csusm.edu>

"The Singapore government isn't interested in controlling information, but wants a gradual phase-in of services to protect ourselves. It's not to control, but to protect the citizens of Singapore. In our society, you can state your views, but they have to be correct."
- Ernie Hai, coordinator of the Singapore Government Internet