From: Greg Broiles <gbroiles@netbox.com>
Date: Wed, 5 Mar 1997 06:38:27 -0800 (PST)
To: tcmay@got.net (Tim May)
Subject: Re: The Pro-CODE Bill could make things worse!
In-Reply-To: <199703030817.AAA24224@you.got.net>
Message-ID: <3.0.1.32.19970305064441.00d70e08@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain


At 12:36 AM 3/3/97 -0800, Tim May wrote:
>(These items may not be banned for general export, given the language about
>an "identfied individual or organization," but think of the new mischief
>this will cause. For example, if remailers are used to evade taxes by some
>individuals connecting to some sites, then exporters (like Eric Hughes,
>Lance Cottrell, whomever is writing remailers these days) may have to jump
>through large numbers of hoops to ensure that some specific site does not
>get the software...this will effectively make export of remailers
>impossible to legally do...as I read the language of the Bill.)

I don't think that Pro-CODE can be used to control the dissemination of
remailers. The bit of Pro-CODE at issue here (section 5(c)(3)(B) "The
Secretary shall prohibit the export or reexport of particular computer
software and hardware *described in this subsection* to an identified
individual or organization . . if the Secretary determines that there is
substantial evidence that such software and computer hardware will be . .
(iv) intentionally used to evade enforcement of US law or taxation by the
US or by any State or local government." (emphasis added)

I read "described in this subsection" to refer to Section 5(c), and the
best description I can find in 5(c) of computer hardware and software is
"computer hardware, computer software, and technology with encryption
capabilities, except computer hardware, computer software, and technology
that is specifically designed or modified for military use, including
command, control, and intelligence applications", in section 5(c)(1).

So I don't think that this creates a new ability to control the
dissemination of non-crypto hardware or software. (The Mixmaster remailer
software, which does include crypto, would still be controlled.) 

The prohibitions on export to named individuals and organizations will be
effectively useless with respect to those parties getting strong crypto -
the only utility I can see in such a clause is to be used as a club against
domestic sympathizers/allies of unpopular groups/people abroad. It also
seems likely to lead to yet another round of worrying about whether the
format of a particular distribution site on the Internet is sufficiently
configured - if ProCODE passes, instead of asking "Are you a US citizen?",
distribution sites will ask "Are you on the list of forbidden people?" Same
difference. 

>And the other language--about how companies have to advise the government
>about what they are doing, and the "review board"--are possibly ominous.

Indeed. The "Findings/Purpose" text (Section 2), includes the following:

"(16) The Federal Government has legitimate law enforcement and national
security objectives which necessitate the disclosure to the Federal
Government of general information that is neither proprietary nor
confidential by experts in information security industries, including
cryptographers, engineers, and others designated in the design and
development of information security products. *By relaxing export controls
on encryption products and programs, this Act creates an obligation on the
part of representatives of companies involved in the export of information
security products to share information about these products to designated
representatives of the Federal Government.*" (emphasis added)

and Section 5(c)(4)(A) reads:

"Exports. The publisher or manufacturer of computer software or hardware
with encryption capabilities shall disclose (for reporting purposes only)
within 30 days after export to the Secretary such information regarding a
program's or product's encryption capabilities as would be required for an
individual license to export that program or product." 

The former has no real force, as "findings" aren't enforceable, but are
intended for use by courts who are interpreting or construing a statute.
But I don't see a technical reason why the latter wouldn't be enforceable.
(Modulo the First Amendment, of course.) 

Another feature of Pro-CODE that I haven't seen discussed is that it
restricts the *private* dissemination of code - e.g., a US programmer may
make his/her code globally available (if it is "generally available, as is,
and designed for installation by the user or purchaser", section
5(c)(2)(a)(i)), but a US programmer may not (assuming the current
regulations, or similar regs, are in force) share code privately (say,
pre-release) with foreign programmers. My hunch is that the drafters didn't
intend this consequence, but I think it's a logical conclusion given that
(a) Pro-CODE doesn't define "export", (b) current regulations define
"export" as, roughly, providing software to non-US persons, and (c)
Pro-CODE only allows "generally available, as is, and designed for
installation by the user" software to be exported. So it still won't be
legal for a US person to work collaboratively with a foreigner on
development (even if the development took place in a public forum, like
sci.crypt, the intermediate drafts probably wouldn't be "designed for
installation by the user"), nor for a US person to write crypto for
internal corporate use, or to share crypto code with friends overseas
without making a public release.  


--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | 
http://www.io.com/~gbroiles | Export jobs, not crypto.
                            |