From: “L. Detweiler” <ld231782@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Message Hash: 93f454f5c7bf154db120a665db2cef4acb14a96a2e2c9bc3c55aa0007b55631e
Message ID: <9309210531.AA09003@longs.lance.colostate.edu>
Reply To: N/A
UTC Datetime: 1993-09-21 05:36:23 UTC
Raw Date: Mon, 20 Sep 93 22:36:23 PDT
From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Mon, 20 Sep 93 22:36:23 PDT
To: cypherpunks@toad.com
Subject: Bidzos on PGP and ITAR verbatim
Message-ID: <9309210531.AA09003@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain
Bidzos comments on PGP related to ITAR, from sci.crypt a while ago (not
sure of date). Essential argument: it was illegally exported, and ITAR
prohibits re entry of things illegally exported, therefore it is
illegally imported. Relevant section, Software export: Section 123.2 of
the ITAR reads:
>"123.2 Imports.
>
>No defense article may be imported into the United States unless (a)
>it was previously exported temporarily under a license issued by the
>Office of Munitions Control; or (b) it constitutes a temporary
>import/intransit shipment licensed under Section 123.3; or (c) its
>import is authorized by the Department of the Treasury (see 27 CFR
>parts 47, 178, and 179)."
There is a section on `illegal export of unclassified technical data to
foreign nationals' (paraphrase) and Bidzos claims it applies to PGP
export. But he appears to me to be using a bit of sleight of hand to
conflate this category with *cryptographic software* mentioned
elsewhere (sections also as quoted also by H. Finney).
I'll let others pick it apart for the loopholes.
===cut=here===
Date: Mon, 20 Sep 93 19:31:08 PDT
Message-Id: <9309210231.AA16113@RSA.COM>
To: ld231782@longs.lance.colostate.edu
In-Reply-To: "L. Detweiler"'s message of Mon, 20 Sep 93 19:57:35 -0600
<9309210157.AA04992@longs.lance.colostate.edu>
Subject: PGP & ITAR
Here's the ITAR part. (This was posted in 1992, so I don't know, since
pgp has changed since then I understand, how it would apply.) Also,
the ITAR has changed recently, and I haven't studied the changes to
see how they would affect these comments.
Risks of using pgp
One should be careful about assuming that the documentation in
electronically distributed software is accurate, especially where
law is concerned. There are a few things the documentation for
a program called "pgp" does not tell you about patent and export
law that you should be aware of. Further, there are a number of
claims and offered interpretations of patent and export law that
are simply false.
pgp seems to be an attempt to mislead netters into joining an
illegal activity that violates patent and export law, letting them
believe that they run no serious risk in doing so.
EXPORT LAW
pgp leads users to believe that it has circumvented export controls
"...since it is not illegal to import..." You are led to believe that
since you didn't import it, it's legal to use it. The "no import
restrictions" claim has been made so many times, many people probably
believe it.
One would be well advised not to accept this legal opinion. While
stated as if it were a well-known fact, the claim that "there are no
import restrictions" is simply false. Section 123.2 of the ITAR
(International Traffic in Arms Regulations) reads:
"123.2 Imports.
No defense article may be imported into the United States unless (a)
it was previously exported temporarily under a license issued by the
Office of Munitions Control; or (b) it constitutes a temporary
import/intransit shipment licensed under Section 123.3; or (c) its
import is authorized by the Department of the Treasury (see 27 CFR
parts 47, 178, and 179)."
Was pgp illegally exported? Was pgp illegally imported? Of course.
It didn't export or import itself. pgp 1 was illegally exported from
the U.S., and pgp 2, based on pgp 1, is illegally imported into the
U.S. Is a license required? According to the ITAR, it is.
125.2 Exports of unclassified technical data. Paragraph (c) reads:
"(c) Disclosures. Unless otherwise expressly exempted in this
subchapter, a license is required for the oral, visual, or documentary
disclosure of technical data to foreign nationals in connection with
visits by U.S. persons to foreign countries, visits by foreign persons
to the United States, or otherwise. A license is required regardless
of the manner in which the technical data is transmitted (e.g., in
person, by telephone, correspondence, electronic means, telex, etc.)."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What is "export?" Section 120.10, "Export," begins:
"'Export' means, for purposes of this subchapter: ...(c) Sending or
taking technical data outside of the United States in any manner
except that by mere travel outside of the United States by a person
whose technical knowledge includes technical data; or..."
Crypto software is controlled by the ITAR. See Part 121, the Munitions
List, includes Category XIII, of which paragraph (b) reads, in part,
"...privacy devices, cryptographic devices and software (encoding and
decoding), and components specifically designed or modified
therefore,..."
A further definition in 121.8, paragraph (f) reads: "Software
includes but is not limited to the system functional design,
logic flow, algorithms, application programs, ..."
pgp encourages you to post it on computer bulletin boards. Anybody
who considers following this advice is taking quite a risk. When you
make a defense item available on a BBS, you have exported it.
pgp's obvious attempts to downplay any risk of violating export law
won't help you a bit if you're ever charged under the ITAR.
Penalties under the ITARs are quite serious. The ITARs were clearly
designed to put teeth into laws that make exporting munitions illegal.
It's unfortunate that cryptography is on the munitions list. But it
is. pgp is software tainted by serious ITAR violations.
------- End of Forwarded Message
Return to September 1993
Return to “Timothy Newsham <newsham@wiliki.eng.hawaii.edu>”