From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Mon, 20 Sep 93 22:26:23 PDT
To: cypherpunks@toad.com
Subject: more musings
Message-ID: <9309210522.AA08729@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


Included:

- why PGP, not Moby Crypto, is (probably) the focus
- including more juicy rumors about the *overall* customs office investigation
- I open my mailbag and talk about Bidzos & the ITAR again
- points and questions about grand jury investigations in general

* * *

First, some (e.g. Steve Bellovin) have raised the point that Grady Ward
just days ago announced on the newsgroups that he was looking for
people to `drop ship' Moby Crypto to in apparent violation of the ITAR.
Now, this does sound very incriminating and subversive, but the fact is
that our legal system grinds with the utmost sluggishness, as one
lately rather vocal cypherpunk (to say the least) pointed out. I think
it is *highly* unlikely that these subpoenas were due directly to this
*particular* statement at all. The grand jury has probably been
convened weeks, or at least many days, ago. There has already probably
been some deliberations just to get a basic familiarity with the case
-- remember, these are regular citizens as jurors, right? surely, all
this cryptography and export business sounds pretty abstruse, bizarre,
and convoluted -- even to people who dwell on it daily!

Furthermore, other clues I've come across suggest that the customs'
office investigation or inquiry has been in progress for *many months*
if not even a *year*, and that this grand jury convening and subpoena
serving is simply the latest development. Not only that, but at least
one other highly prominent and reputable cryptographic company
*apparently* has been `visited' under the same general inquiry --
moreover, the agents were requesting information on *PGP*.

And get this: there was supposedly some confusion over PGP (private
software by PRZ) and the public company itself by the visiting agents!
This from a *top* source: ``When they came to see us, they already had
a lot of documents from the net, but I don't think they knew how to
make sense of them.''  Again, *all* this supports the conjecture that
*international distribution of PGP* is the primary target and Moby
Crypto, G. Ward mostly secondary, or perhaps even just a bystander.

We track this stuff every day, but we have to understand that to
government bureacrats and the average citizen, ``any sufficiently
advanced technology is indistinguishable from magic'' -- A. C. Clark --
and the details of the last few year's `cryptographic fault slips &
earthquakes' are very formidable, overwhelming, and sometimes
impenetrable even to experts. In fact, if the specifics of the E911
document were confusing to a jury, imagine them trying to grasp the
epic tale of PGP, RSA, PKP, NSA, ITAR, ad infinitum ad nauseam...

* * *

I've been getting a wide variety of hot and emotional reaction lately,
both public and private, directly or indirectly, by prominent heroes
and lowly villains, both electronic back-pats and flames. The last,
from someone I deeply respect:

>what's going on?
>
>It feels like you're inviting a flame war not much unlike our
>favorite-enemy David Sternlight.

Yikes. My stomach turns. This was apparently in reaction (the sole one
so far, a wretched return) to my report that Bidzos of PKP believed
that software was *specifically exempt* from the `public domain'
exception clauses of the ITAR, commenting on H. Finney's exceptional
and thoroughly researched (but of course not exhaustively authoritative
by admission) ITAR analysis posted herein. The point of my posting was:

I grudgingly accede that Bidzos is an *extremely knowledgeable expert*
of the *highest caliber* on the ITAR code, and others should recognize
this too. His company and its army of lawyers deals with it daily. They
have explored every nook and cranny. They live and die by it. (In fact,
I've urged him to share the company's extremely valuable knowledge and
experience in the area with EFF this week--perhaps there is something
already going on, I don't know.)

Hence, if software is `exempt' from `public domain' exceptions to the
restrictions on cryptographic export, according to Bidzos, that's quite
shocking. So far no one has responded. Is the claim groundless? Or is
there something in the ITAR that supports it? Cypherpunk extraordinaire
H. Finney has tracked this very closely in his posting, but did not
note any such exception.

(I'm still trying to track down Bidzos' posting that claimed that PGP
export was illegal under the ITAR, as well as possible archives for the
ITAR itself. I hope some cypherpunk hears the call.)

* * *

S. Steele of EFF & others have been kind enough to correct some of my
misunderstandings about grand jury investigations. Since nobody else
has previously volunteered any information, I will feel free to ignore
rude flames criticizing me for its ``obviousness'', which for some
unfathomable reason have increased tremendously lately. I'm unfazed
because I find this all a great educational opportunity.

First, I was grasping at straws (I knew it, but I just wanted to know
what could be done). Of course there's no such thing as a `overbroad
subpoena' (although some warrants are ruled that). The grand jury
investigation is simply a fact-finding mission to determine whether
indictments are necessary. This is a bit surprising -- In a grand jury
hearing, e.g. what PRZ and G. Ward face on Wednesday, the person
summoned is *not* entitled to an attorney. The hearings are broad in
their scope. She notes that `information that would be excluded from
evidence in a trial is perfectly proper to put before a grand jury.' I
still wonder what kind of legal tactics are available at this point in
investigations of this type to the subpoenaed.

I would like some more information on the following: how are jurors on
the grand jury selected? by the head Attorney of the State? what are
his requirements and constraints in selecting them? Is there any kind
of judge involved at this point? (That reminds me -- I wonder why
California of all places is the site of the grand jury. What is the
significance of that? it is not the location of either PGP or Grady
Ward.  Isn't PKP in California? just curious :)

Secondly, under what situations does the State Prosecutor have the
authority to convene a grand jury? can he convene them anytime there is
some suspicion? here is a situation where there can be a burden on the
`subjects' *prior* to even there being a court trial. Everyone has to
fly to California in this case -- not quite as simple as paying a
parking ticket (note: Grady Ward was subpoenaed to appear, but PRZ was
not so far, only the president of ViaCrypt, Leonard Mikus, although at
this point it seems *highly likely* PRZ will be subpoenaed). This is
one of those situations & compromises in our judicial system wherein
people have to sacrifice some rights just to exist in the system,
without even being accused (I certainly acknowledge that these
tradeoffs are crucial to law enforcement and a functional judicial
system, but its a delicate balance).

Also, I'm curious: what is known about previous Customs investigations
of this type? have there ever been grand juries convened before for
cryptographic inquiries? what were the circumstances and cases? is this
a typical thing for the Customs Office to be doing, or is this current
situation fundamentally novel? Somehow, I just can't picture the
Customs Office regularly going about and investigating and hassling
cryptography companies. From my point of view, the present situation
appears extremely unique, to say the least.