1996-03-11 - A lengthy preliminary analysis of the Leahy bill.

Header Data

From: “Peter D. Junger” <junger@pdj2-ra.F-REMOTE.CWRU.Edu>
To: Cypherpunks <cypherpunks@toad.com>
Message Hash: c7ae6694c871fccb8021fc9cded8fdb47cec72def393288519c8aa52244eb0a6
Message ID: <m0twBMF-0004L1C@pdj2-ra.F-REMOTE.CWRU.Edu>
Reply To: N/A
UTC Datetime: 1996-03-11 21:13:15 UTC
Raw Date: Tue, 12 Mar 1996 05:13:15 +0800

Raw message

From: "Peter D. Junger" <junger@pdj2-ra.F-REMOTE.CWRU.Edu>
Date: Tue, 12 Mar 1996 05:13:15 +0800
To: Cypherpunks <cypherpunks@toad.com>
Subject: A lengthy preliminary analysis of the Leahy bill.
Message-ID: <m0twBMF-0004L1C@pdj2-ra.F-REMOTE.CWRU.Edu>
MIME-Version: 1.0
Content-Type: text/plain



This is a preliminary draft of my preliminary analysis of the Leahy
bill.  In it I am primarily concerned with the affect---if any---of
that bill on the constitutionally protected freedoms of speech and of
the press.

At times in this submission I may seem overly suspicious of some
agencies of the government.  That may be a consequence of this being
merely a preliminary draft; it is more likely, however, that it is the
result of years of studying the ITAR and the antics of the agents in
the Office of Defense Trade Controls and the NSA as they relate to the
licensing requirements for cryptographic software.

Permission is granted to post this submission to other mailing lists
and news groups, but only if it is posted in its entirety (except for
headers other than the ``To'', ``From'', and ``Subject'' lines).

     -------------------------------------------------

The Leahy Bill known as the Encrypted Communications Privacy Act is
certainly well intentioned and Senator Leahy and the other sponsors
(Senators Burns, Dole, Murray, and  Pressler) should be congratulated
for their efforts.  

Those whose major goal is to be able to export mass-marketed
cryptography have good reason to support this bill, even though it has
features---and ambiguities---that they may find undesireable, and even
though the bill may not actually make all mass marketed cryptographic
hardware and software freely exportable.  (There is even the danger
that it might even be interpreted (for reasons that I will explain
hereafter) as not making any change in the requirements for the export
of cryptographic software, whether mass marketed or not).

On the other hand, those like Daniel Bernstein and myself, who want to
publish information---including algorithms and source code---that is
subject to the licensing requirements of the International Traffic in
Arms Regulations (``ITAR'') that apply to cryptographic devices and
software---at least according to the National Security Agency's
representatives and that agency's puppets in the Office of Defense
Trade Controls---may find the bill more of a hindrance than a help in
their efforts to assert the constitutional right of freedom of speech
and of the press.

My concern is not that the bill will somehow lead to mandatory key
escrow.  My concern is that in relaxing the restrictions on the export
of software as a commodity it may actually give support to the efforts
of the censors to keep Daniel Bernstein from publishing his article
about his algorithm for converting a hash function into a
cryptographic program---I hope that is a fair enough description of
his article, an article that the censors have prevented me from ever
seeing---and those censor's efforts to keep me from publishing my
materials---which contain some cryptographic software---for my course
in computers and the law, and to keep foreign students from taking that
course.  

The major threat is that, for the first time, there would be
at least colorable Congressional authority for the requirement that
one obtain a license before publishing or otherwise disclosing
information.  And software is, after all, nothing but information.

Let me go through the bill and attempt to explain my concerns. (I hope
that the version of the bill that I am using is correct.)


   A BILL

   To affirm the rights of Americans to use and sell encryption products,
   to establish privacy standards for voluntary escrowed encryption
   systems, and for other purposes.

   Be it enacted by the Senate and House of Representatives of the United
   States of America in Congress assembled,

   SECTION 1. SHORT TITLE.

   This Act may be cited as the "Encrypted Communications Privacy Act of
   1996".

   SEC. 2. PURPOSE.

   It is the purpose of this Act-
   (1) to ensure that Americans are able to have the maximum possible
   choice in encryption methods to protect the security, confidentiality,
   and privacy of their lawful wire or electronic communications; and
   (2) to establish privacy standards for key holders who are voluntarily
   entrusted with the means to decrypt such communications, and
   procedures by which investigative or law enforcement officers may
   obtain assistance in decrypting such communications.


I have no objections to the provisions of this section---except
possibly for the reference to procedures by which officers may obtain
assistance in decrypting communications.  But I am not happy that the
purpose does not include protecting the freedoms of speech and of the
press, and particularly the freedom to communicate information about
cryptography.


   SEC. 3. FINDINGS.

     The Congress finds that-
     (1) the digitization of information and the explosion in the growth
     of computing and electronic networking offers tremendous potential
     benefits to the way Americans live, work, and are entertained, but
     also raises new threats to the privacy of American citizens and the
     competitiveness of American businesses;

Notice that there is nothing here---at least not directly---about the
freedom to distribute and to obtain access to information and that,
therefore, there is no mention of the constitutional right to speak
and publish information about cryptography.

     (2) a secure, private, and trusted national and global information
     infrastructure is essential to promote economic growth, protect
     citizens' privacy, and meet the needs of American citizens and
     businesses.

Once again, there is nothing about the freedom to distribute and
obtain access to information.

     (3) the rights of Americans to the privacy and security of their
     communications and in conducting their personal and business affairs
     should be preserved and protected;

I like this one.

     (4) the authority and ability of investigative and law enforcement
     officers to access and decipher, in a timely manner and as provided
     by law, wire and electronic communications necessary to provide for
     public safety and national security should also be preserved;

This is presumably included as a political compromise.  Those whose
concerns are primarily with marketing software can probably live with
it.  Those who are concerned with privacy and liberty and human
decency should, on the other hand, find this finding terrifying.  (Of
course, one can argue that the findings are just window dressing
without any substantive significance; I assure you, however, that they
can be used to interpret the substantive provisions of the statute and
that ultimately the interpretation is more important than the words of
the statute itself.)

     (5) individuals will not entrust their sensitive personal, medical,
     financial, and other information to computers and computer networks
     unless the security and privacy of that information is assured;

I have no problem with this as a finding, though I am not sure that I
want to encourage people to entrust sensitive information to computers
and computer networks, no matter what assurances they may be given.

     (6) business will not entrust their proprietary and sensitive
     corporate information, including information about products,
     processes, customers, finances, and employees, to computers and
     computer networks unless the security and privacy of that
     information is assured;

No problem.

     (7) encryption technology can enhance the privacy, security,
     confidentiality, integrity, and authenticity of wire and electronic
     communications and stored electronic information;

That is correct.

     (8) encryption techniques, technology, programs, and products are
     widely available worldwide;

Yep.

     (9) Americans should be free lawfully to use whatever particular
     encryption techniques, technologies, programs, or products developed
     in the marketplace they desire in order to interact electronically
     worldwide in a secure, private, and confidential manner;

The clumsiness of the language worries me.  That word ``lawfully'' may
just mean that Congress finds that people should be free to do
whatever the law allows, but that there are no restrictions on what
the law may forbid.

More troublesome is the reference to programs ``developed in the
market place''.  That might be read as suggesting that there is no
freedom to use products that were not developed in the market place.
(The small number of programs that I have written have all been
developed in my head, and in my head's extension, my computer; none of
them had anything to do with the market place.  Are the programs
produced by the Free Software Foundation produced in the market place?)

     (10) American companies should be free to compete and to sell
     encryption technology, programs, and products;

I have no objection to this finding, but notice that it has nothing to
do with the free speech issues that are my concerns.  I want to be
able to give away the programs that I have written, and to give away
encryption technology, programs, and products that are subject to
copylefts or are otherwise available.  And I want to be able to
explain to my law students about how encryption programs work and why
they may be ethically required to use them for electronic
communications with their clients (and where to get them).

     (11) there is a need to develop a national encryption policy that
     advances the development of the national and global information
     infrastructure, and preserves Americans' right to privacy and the
     Nation's public safety and national security;

I don't really object to this, but I suspect that the best policy
would be no policy.  There are powers within the government who would
use the reference to ``the Nation's public safety and national
security'' as a basis for continuing to restrict the export or
publication or other disclosure of any secure cryptographic software
and algorithms.

     (12) there is a need to clarify the legal rights and
     responsibilities of key holders who are voluntarily entrusted with
     the means to decrypt wire or electronic communications;

I am not sure that this would not best be left to private agreements
between the owners of the keys and their holders.  (But this is not in
the area of my concern.)

     (13) the Congress and the American people have recognized the need
     to balance the right to privacy and the protection of the public
     safety and national security;

This is most unfortunate.  In cases of extreem danger the courts may
allow the agents of the state to ignore the constitutional right of
privacy, but it is not a matter of ``balancing'' equally protected
interests.  The agents of the state always claim that they are acting
in order to protect public safety and national security, especially
when they are trying to destroy the safety of the constitution.  

     (14) the Congress has permitted lawful electronic surveillance by
     investigative or law enforcement officers only upon compliance with
     stringent statutory standards and procedures; and

I guess I don't object to this, except that I am not sure that it is
true.

     (15) there is a need to clarify the standards and procedures by
     which investigative or law enforcement officers obtain assistance
     from key holders who are voluntarily entrusted with the means to
     decrypt wire or electronic communications, including such
     communications in electronic storage.

This seems confused; what about encrypted data that is not a communication?

   SEC. 4. FREEDOM TO USE ENCRYPTION.

   (a) LAWFUL USE OF ENCRYPTION.-It shall be lawful for any person within
   any State of the United States, the District of Columbia, the
   Commonwealth of Puerto Rico, and any territory or possession of the
   United States, and by United States persons in a foreign country to
   use any encryption, regardless of encryption algorithm selected,
   encryption key length chosen, or implementation technique or medium
   used except as provided in this Act and the amendments made by this
   Act or in any other law.

This only says it is lawful to use encryption unless there is a law
forbidding it.  I hardly find that helpful.

   (b) GENERAL CONSTRUCTION.-Nothing in this Act or the amendments made
   by this Act shall be construed to-

     (1) require the use by any person of any form of encryption;

OK, but shouldn't it also cover requiring any person _not_ to use any
form of encryption?

     (2) limit or affect the ability of any person to use encryption
     without a key escrow function; or

OK, though the language is rather clumsy.

     (3) limit or affect the ability of any person who chooses to use
     encryption with a key escrow function not to use a key holder.

   SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.

   (a) IN GENERAL.-Part I of title 18, United States Code, is amended by
   inserting after chapter 121 the following new chapter:

   "CHAPTER 122-ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS

   "2801. Definitions.
   "2802. Prohibited acts by key holders.
   "2803. Reporting requirements.
   "2804. Unlawful use of encryption to obstruct justice.
   "2805. Freedom to sell encryption products.



These provisions are not my major concern at this time, but note that
``encryption'' by definition only applies to wire and electronic
communications.  It thus seems that these provisions have nothing to
do with data that is encrypted but that is not a communication.

Do you think that this was what was intended?


   "\S 2801. Definitions

     "As used in this chapter-
     "(1) the terms 'person', 'State', 'wire communication', 'electronic
     communication', 'investigative or law enforcement officer', 'judge
     of competent jurisdiction', and 'electronic storage' have the same
     meanings given such terms in section 2510 of this title;
     "(2) the term 'encryption' means the scrambling of wire or
     electronic communications using mathematical formulas or algorithms
     in order to preserve the confidentiality, integrity or authenticity
     and prevent unauthorized recipients from accessing or altering such
     communications;
     "(3) the term 'key holder' means a person located within the United
     States (which may, but is not required to, be a Federal agency) who
     is voluntarily entrusted by another independent person with the
     means to decrypt that person's wire or electronic communications for
     the purpose of subsequent decryption of such communications;
     "(4) the term 'decryption key' means the variable information used
     in a mathematical formula, code, or algorithm, or any component
     thereof, used to decrypt wire or electronic communications that have
     been encrypted; and
     "(5) the term 'decryption assistance' means providing access, to the
     extent possible, to the plain text of encrypted wire or electronic
     communications.


   "\S 2802. Prohibited acts by key holders

   "(a) UNAUTHORIZED RELEASE OF KEY.-Except as provided in subsection
   (b), any key holder who releases a decryption key or provides
   decryption assistance shall be subject to the criminal penalties
   provided in subsection (e) and to civil liability as provided in
   subsection (f).
   "(b) AUTHORIZED RELEASE OF KEY.-A key holder shall only release a
   decryption key in its possession or control or provide decryption
   assistance-
     "(1) with the lawful consent of the person whose key is being held
     or managed by the key holder;
     "(2) as may be necessarily incident to the holding or management of
     the key by the key holder; or
     "(3) to investigative or law enforcement officers authorized by law
     to intercept wire or electronic communications under chapter 119, to
     obtain access to stored wire and electronic communications and
     transactional records under chapter 121, or to conduct electronic
     surveillance, as defined in section 101 of the Foreign Intelligence
     Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with
     subsection (c) of this section.

Except for subdivision (3) this seems totally unnecessary.  Let the
parties agree to any arrangement they want.  (And anyone who is
seriously going to use an outside key holder is going to want to have
them bonded, and will look to the bonding company for protection.
(Bonding companies are mean.))

    "(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE; OR
   LAW ENFORCEMENT OFFICER.-

     "(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.-A key holder is
     authorized to release a decryption key or provide decryption
     assistance to an investigative or law enforcement officer authorized
     by law to conduct electronic surveillance under chapter 119, only
     if-
     "(A) the key holder is given- "(i) a court order signed by a judge
     of competent jurisdiction directing such release or assistance; or
     "(ii) a certification in writing by a person specified in section
     2518(7) or the Attorney General stating that- "(I) no warrant or
     court order is required by law;
     "(II) all requirements under section 2518(7) have been met; and
     "(III) the specified release or assistance is required;
     "(B) the order or certification under paragraph (A)-
     "(i) specifies the decryption key or decryption assistance which is
     being sought; and
     "(ii) identifies the termination date of the period for which
     release or assistance has been authorized; and"(C) in compliance
     with an order or certification under subparagraph (A), the key
     holder shall provide only such key release or decryption assistance
     as is necessary for access to communications covered by subparagraph
     (B). "(2) STORED WIRE AND ELECTRONIC COMMUNICATIONS.-(A) A key
     holder is authorized to release a decryption key or provide
     decryption assistance to an investigative or law enforcement officer
     authorized by law to obtain access to stored wire and electronic
     communications and transactional records under chapter 121, only if
     the key holder is directed to give such assistance pursuant to the
     same lawful process (court warrant, order, subpoena, or
     certification) used to obtain access to the stored wire and
     electronic communications and transactional records.
     "(B) The notification required under section 2703(b) shall, in the
     event that encrypted wire or electronic communications were obtained
     from electronic storage, include notice of the fact that a key to
     such communications was or was not released or decryption assistance
     was or was not provided by a key holder.
     "(C) In compliance with the lawful process under subparagraph (A),
     the key holder shall provide only such key release or decryption
     assistance as is necessary for access to the communications covered
     by such lawful process.

Note once again that this applies only to _communications_.

     "(3) USE OF KEY.-(A) An investigative or law enforcement officer to
     whom a key has been released under this subsection may use the key
     only in the manner and for the purpose and duration that is
     expressly provided for in the court order or other provision of law
     authorizing such release and use, not to exceed the duration of the
     electronic surveillance for which the key was released.
     "(B) On or before completion of the authorized release period, the
     investigative or law enforcement officer to whom a key has been
     released shall destroy and not retain the released key.
     "(C) The inventory required to be served pursuant to section
     2518(8)(d) on persons named in the order or the application under
     section 2518(7)(b), and such other parties to intercepted
     communications as the judge may determine, in the interest of
     justice, shall, in the event that encrypted wire or electronic
     communications were intercepted, include notice of the fact that
     during the period of the order or extensions thereof a key to, or
     decryption assistance for, any encrypted wire or electronic
     communications of the person or party intercepted was or was not
     provided by a key holder.

     "(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or
     agent thereof shall disclose the key release or provision of
     decryption assistance pursuant to subsection (b), except as may
     otherwise be required by legal process and then only after prior
     notification to the Attorney General or to the principal prosecuting
     attorney of a State or any political subdivision of a State, as may
     be appropriate.

   "(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.-A key holder,
   shall not disclose a record or other information (not including the
   key) pertaining to any person whose key is being held or managed by
   the key holder, except-

     "(1) with the lawful consent of the person whose key is being held
     or managed by the key holder; or
     "(2) to an investigative or law enforcement officer pursuant to a
     subpoena authorized under Federal or State law, court order, or
     lawful process.

   An investigative or law enforcement officer receiving a record or
   information under paragraph (2) is not required to provide notice to
   the person to whom the record or information pertains. Any disclosure
   in violation of this subsection shall render the person committing the
   violation liable for the civil damages provided for in subsection (f).


   "(e) CRIMINAL PENALTIES.-The punishment for an offense under
   subsection (a) of this section is-

     "(1) if the offense is committed for a tortious, malicious, or
     illegal purpose, or for purposes of direct or indirect commercial
     advantage or private commercial gain- "(A) a fine under this title
     or imprisonment for not more than 1 year, or both, in the case of a
     first offense under this subparagraph; or
     "(B) a fine under this title or imprisonment for not more than 2
     years, or both, for any second or subsequent offense; and"(2) in any
     other case where the offense is committed recklessly or
     intentionally, a fine of not more than $5,000 or imprisonment for
     not more than 6 months, or both.

   "(f) CIVIL DAMAGES.-

     "(1) IN GENERAL.-Any person aggrieved by any act of a person in
     violation of subsections (a) or (d) may in a civil action recover
     from such person appropriate relief.
     "(2) RELIEF.-In an action under this subsection, appropriate relief
     includes- "(A) such preliminary and other equitable or declaratory
     relief as may be appropriate;
     "(B) damages under paragraph (3) and punitive damages in appropriate
     cases; and
     "(C) a reasonable attorney's fee and other litigation costs
     reasonably incurred."(3) COMPUTATION OF DAMAGES.-The court may
     assess as damages whichever is the greater of-
     "(A) the sum of the actual damages suffered by the plaintiff and any
     profits made by the violator as a result of the violation; or
     "(B) statutory damages in the amount of $5,000."(4) LIMITATION.-A
     civil action under this subsection shall not be commenced later than
     2 years after the date upon which the plaintiff first knew or should
     have known of the violation.

   "(g) DEFENSE.-It shall be a complete defense against any civil or
   criminal action brought under this chapter that the defendant acted in
   good faith reliance upon a court warrant or order, grand jury or trial
   subpoena, or statutory authorization.

   "\S 2803. Reporting requirements

   "(a) IN GENERAL.-In reporting to the Administrative Office of the
   United States Courts as required under section 2519(2) of this title,
   the Attorney General, an Assistant Attorney General specially
   designated by the Attorney General, the principal prosecuting attorney
   of a State, or the principal prosecuting attorney of any political sub
   division of a State, shall report on the number of orders and
   extensions served on key holders to obtain access to decryption keys
   or decryption assistance.
   "(b) REQUIREMENTS.-The Director of the Administrative Office of the
   United States Courts shall include as part of the report transmitted
   to the Congress under section 2519(3) of this title, the number of
   orders and extensions served on key holders to obtain access to
   decryption keys or decryption assistance and the offenses for which
   the orders were obtained.

   "\S 2804. Unlawful use of encryption to obstruct justice

   "Whoever willfully endeavors by means of encryption to obstruct,
   impede, or prevent the communication of information in furtherance to
   a felony which may be prosecuted in a court of the United States, to
   an investigative or law enforcement officer shall-

     "(1) in the case of a first conviction, be sentenced to imprisonment
     for not more than 5 years, fined under this title, or both; or
     "(2) in the case of a second or subsequent conviction, be sentenced
     to imprisonment for not more than 10 years, fined under this title,
     or both.

This provision is completely incoherent.  There is no telling how the
government will interpret it, but at a guess they will use it to make
people reveal their keys:  ``if you don't tell us your key, we are
going to charge you with impeding the communication to me of
information about the felony I am investigating.''

   "§ 2805. Freedom to sell encryption products

   "(a) IN GENERAL.-It shall be lawful for any person within any State of
   the United States, the District of Columbia, the Commonwealth of
   Puerto Rico, and any territory or possession of the United States, to
   sell in interstate commerce any encryption, regardless of encryption
   algorithm selected, encryption key length chosen, or implementation
   technique or medium used.

This sounds nice, but remember that ``encryption'' is defined as:
``the scrambling of wire or electronic communications using
mathematical formulas or algorithms in order to preserve the
confidentiality, integrity or authenticity and prevent unauthorized
recipients from accessing or altering such communications''. So what
does it mean to sell ``any encryption''?

   "(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.-

     "(1) GENERAL RULE.-Notwithstanding any other law, subject to
     paragraphs (2), (3), and (4), the Secretary of Commerce shall have
     exclusive authority to control exports of all computer hardware,
     software, and technology for information security (including
     encryption), except computer hardware, software, and technology that
     is specifically designed or modified for military use, including
     command, control, and intelligence applications.

OK, here is where the problems that concern me arise.

This provision sounds quite nice, but it covers up several big
problems.

In the first place, the delegation to the Secretary of Commerce sounds
like a good idea, because, at the present time the people in the
Commerce department who enforce export controls are very nice and
helpful, and operate reasonably under reasonable regulations, while
the puppets who front for the NSA (or are actually agents of the NSA)
in the Office of Defense Trade Controls are not very nice, are
exceptionally unhelpful, and specialize in unreasonable---and down
right irrational---interpretations of unreasonable regulations.  But
if the jurisdiction is handed over to Commerce, I predict that the the
puppet masters will turn their attention to Commerce, and shortly
thereafter---if only because of Presidential pressure---Commerce will
have its own incoherent regulations and its own unpleasent people and
it won't be as easy to export software as one might hope.  

Note that the transfer is to Commerce but there is nothing that
expressly specifies what law is to be applied by Commerce.  Thus in
theory at least there is nothing to stop Commerce from enforcing the
same old provisions of the ITAR

>From the point of view of one who is concerned with first amendment
rights rather than selling cryptographic software as a commodity, the
really unfortunate part is that this provision authorizes export
contols on ``software''.  Now the Leahy bill does not define software,
but there is a definition of lying around in the International Traffic
in Arms Regulations (``ITAR'') that I fear Commerce might adopt---it
may even be the language that the draftsmen of the Leahy bill had in
mind.  And this definition of ``software'' includes a great deal of
material that cannot constitutionally be controlled.  Here is that
definition from the ITAR \S 121,8(f): ``Software includes but is not
limited to the system functional design, logic flow, algorithms,
application programs, operating systems and support software for
design, implementation, test, operation, diagnosis and repair.''

Note that what is covered here is nothing but information, and that
that information includes algorithms, _i.e._ recipes.  If the
government can constitutionally ``control'' the ``export'' of
cryptographic algorithms by requiring a license before one can publish
them or otherwise disclose them to a foreign person, then they can
require a license before one publishes Julia Child's recipe for a
_bombe surprise_ or a recipe for winning a Presidential election
without actually committing any felonies.

Even if that definition is adopted, the fact remains that software is
still nothing but information, and that it is the communication of
information that is protectected by the first amendment to the United
States constitution.  (If you aren't convinced that software is
protected by the first amendment, notice that software is
copyrightable as a ``literary work''.)  Note that the paradigmatic
violation of the first amendment is a scheme under which the
government requires publishers to obtain a license before publishing.

Part of what I fear is that, were the Leahy bill to be passed in its
present form is that the President, in conformance with that bill,
would simply transfer the licensing and rule making powers with
respect to cryptographic devices and software to the Department of
Commerce, but would still leave them controlled by the ITAR and the
Arms Export Control Act just as they are now, including all of the
cryptic and unconstitional interpretations of ITAR that up to now have
been imposed upon the Office of Defense Trade Controls by the National
Security Agency.  There is nothing in the Leahy bill that forbids that
sort of shell game.  The trouble is that there is nothing in the bill
that specifies the law under which Commerce is to ``control''
cryptographic devices and software.

The real problem, however, is simply that the Leahy bill appears to
authorize control (including licensing) of cryptographic software and
thus to authorize the imposition of licensing requirements for the
constitutionally protected communication of information.  At the
present time, on the other hand, although the Arms Export Control Act
does, quite constitutionally, require licensing of physical devices,
the provisions in the ITAR requiring licenses for the communication of
information are not authorized by any act of congress.  (The point is
of practical importance because the courts may be willing to strike
down the ITAR's licensing requirements on software on the grounds that
they are _ultra vires_ simply to avoid having to decide the
constitutional issues.)

Thus the major problem with the Leahy bill, from the point of view of
those concerned with the freedoms of speech and of the press, is that
it conflates hardware, which can be regulated constitutionally, with
software, which is text that cannot be constitutionally regulated, and
certainly cannot be subjected to a licensing scheme.  (The agents of
the NSA in the Office of Defense Trade Controls try to confuse this
distinction, claiming that cryptographic software is hardware, not
information that is in the public domain under the provisions of the
ITAR.)

The only satisfactory bill, from the point of view of those of us who
are concerned with freedom of speech and of the press would be a bill
that says that export licensing controls do not apply, and recognizes
that export controls cannot be applied constitutionally, to the
publication or other disclosure or communication of software.

Another problem is that the Leahy bill expressly does not apply to
``computer hardware, software, and technology that is _specifically
designed or modified for military use_, including command, control,
and intelligence applications''.  

This may sound harmless, but the emphasized language is almost exactly
the language that is used in the ITAR to define what can be included
on the United States Munition List in the ITAR.  The major
prerequisite for the designation of an article or service on the
United States Munitions List, according to ITAR \S 120.3, is that it
is: ``specifically designed, developed, configured, adapted, or
modified for a military application''.  

This strongly suggests that, if the Leahy bill were adopted, the NSA
and the Office of Defense Trade Controls would simply take the
position that cryptographic devices and software still are
specifically designed for military use and thus remain on the
Munitions List and under the control of the Office of Defense Trade
Controls in the State Department.  This would seem to inconsistent
with the intent of the Leah bill, but that is hardly going to bother
the rather spooky people in the Office of Defense Trade Controls since
the law expressly provides that the courts may not review the
designation of an item on the United States Munitions List.  (Even
before that provision forbidding judicial review was adopted, one
federal district court held that the defendant in a criminal
case---whose alleged crime was exporting cable or satellite TV
descrambler boxes---could not challenge the inclusion of descramblers
on the Munitions List, because their inclusion was an unreviewable
``political'' determination.)

Thus I predict that the passage of the Leahy amendment would have no
affect whatsoever on the licensing requirements that are presently
applied by the Office of Defense Trade Controls to cryptographic
devices and software.  The people who enforce those requirements are
not now governed by law or logic; the Leahy bill is not likely to
change that, not when it contains such a gaping loophole.

But let us look at the particular provisions of the Leahy bill that
will supposedly ease the burden on both cryptographic hardware and
software: 

     "(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be
     required, except pursuant to the Trading With The Enemy Act or the
     International Emergency Economic Powers Act (but only to the extent
     that the authority of such Act is not exercised to extend controls
     imposed under this Act), for the export or reexport of- 

``Validated license'' is a term that is not used in the Arms Export
Control Act and the ITAR, so to the extent that that act and those
regulations remain applicable to cryptographic devices and
software---and, as has been pointed out, nothing in the Leahy bill
purports to change that---, this provision will have no affect
whatsoever.

On the other hand, the term ``validated license'' is used in the
regulations of the Bureau of Export Administration of the Department
of Commerce.  Thus 15 Code of Federal Regulations \S 770.2 defines
``Validated license'' as: ``A document issued by or under the
authority of the Bureau of Export Administration, authorizing
export.''  So perhaps this provision of the Leahy bill does give some
protection, but only if the powers of the Commerce Department to
regulate software are deligated to Commerce's Bureau of Export
Administration and even then only if this definition is not amended.


It would, moreover, have been preferable if the bill had provided that
cryptographic hardware and software are entitled to a ``general
license'', which is defined in 15 CFR \S 770.2 as follows: ``A license
established by the U.S. Department of Commerce for which no
application is required and for which no document is granted or
issued. It is available for use by all persons, except those listed in
and prohibited by the provisions of Supplement No. 1 to part 788, and
permits export within the provisions thereof as prescribed in the
Export Administration Regulations. These general licenses are not
applicable to exports under the licensing jurisdiction of agencies
other than the Department of Commerce.''  (But note the last
provision.)

     "(A) any software, including software with encryption
     capabilities, that is-
     "(i) generally available, as is, and designed for installation by
     the purchaser; or
     "(ii) in the public domain or publicly available because it is
     generally accessible to the interested public in any form; or
     "(B) any computing device solely because it incorporates or employs in 
     any form software (including software with encryption capabilities)
     exempted from any requirement for a validated license under
     subparagraph (A). 

This provision at first glance looks pretty good, but it arguably
offers no protection to people like Daniel Bernstein and myself who
want to publish new (even if, as is ture in my case, also trivial)
software with encryption capabilities.  The ITAR also has a public
domain exemption, but the censors in the Office of Defense Trade
Controls take the position that one would violate the ITAR by the act
of putting matter in the public domain or making it generally
available.  (The Office of Defense Trade Controls also takes the
position that cryptographic software is not information that can fall
within the public domain exception in the ITAR.)

Note that though no validated license can be required for such
software and related hardware under the Leahy bill, there is nothing
that says that such software and hardware is entitled to a general
license.  One may thus find oneself in the situation---that happened
for example to Daniel Bernstein under the ITAR---that one has written
software that cannot be exported without a license, but for which no
possible license is available.

     "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The
     Secretary of Commerce shall authorize the export or reexport of
     software with encryption capabilities for nonmilitary end-uses in
     any country to which exports of software of similar capability are
     permitted for use by financial institutions not controlled in fact
     by United States persons, unless there is substantial evidence that
     such software will be- 
     "(A) diverted to a military end-use or an end-use supporting 
     international terrorism;
     "(B) modified for military or terrorist end-use; or
     "(C) reexported without requisite United States authorization.

Here we see what appears to be authority for the Secretary of Commerce
to regulate the export of software, a provision that probably violates
the first amendment of the United States constitution, unless the
definition of ``export or rexport of software'' is limited in a manner
that would make the regulation quite ineffective.  The Leahy bill,
however, makes no effort to define what is an ``export'' of software.
One thus has reason to fear that the Secretary of Commerce will simply
adopt the definitions which have been used to restrain the publication
or other disclosure of cryptographic software under the ITAR.  


     "(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall 
     authorize the export or reexport of computer hardware with encryption
     capabilities if the Secretary determines that a product offering
     comparable security is commercially available from a foreign
     supplier without effective restrictions outside the United States.

This applies only to hardware, and so is not subject to attack on
first amendment grounds.  I am willing to bet, however, that if this
provision is passed, the National Security Agency would be delegated
the job of determing whether products of comparable security are
available outside the United States and that very few products would
be found by the NSA to be comparable (and that it would take years to
get a determination of any sort).

     "(5) DEFINITIONS.-As used in this subsection- 
     "(A) the term 'generally available' means, in the case of
     software (including software with encryption capabilities),
     software that is widely offered for sale, license, or transfer
     including, but not limited to, over-the-counter retail sales,
     mail order transactions, phone order transactions, electronic
     distribution, or sale on approval;

Notice that this gives no protection to those who do not widely offer
their software for sale, license, or transfer---persons like Daniel
Bernstein and almost all academic cryptographers, for example.  Those
who are interested in mass marketing cryptographic software may be
happy with this provision, but it is no consolation to those of us who
are not mass marketers.  (Note that mass marketed software may be
entitled to less constitutional protection, as commercial speech, than
is the software that academics like Dan Bernstein or myself may desire
to publish as part of our research or educational activities.)

     "(B) the term 'as is' means, in the case of software (including
     software with encryption capabilities), a software program that is
     not designed, developed, or tailored by the software company for
     specific purchasers, except that such purchasers may supply certain
     installation parameters needed by the software program to function
     properly with the purchaser's system and may customize the software
     program by choosing among options contained in the software program;
     "(C) the term 'is designed for installation by the purchaser' means,
     in the case of software (including software with encryption
     capabilities)- 
     "(i) the software company intends for the purchaser
     (including any licensee or transferee), who may not be the actual
     program user, to install the software program on a computing device
     and has supplied the necessary instructions to do so, except that
     the company may also provide telephone help-line services for
     software installation, electronic transmission, or basic operations;
     and
     "(ii) that the software program is designed for installation by the
     purchaser without further substantial support by the supplier;

Note that those of us who are not a ``software company'' that sells
software to a ``purchaser'' are apparently excluded from the benefits
of this definition.

     "(D) the term 'computing device' means a device which
     incorporates one or more microprocessor-based central processing
     units that can accept, store, process, or provide output of data; and
     "(E) the term 'computer hardware', when used in conjunction with
     information security, includes, but is not limited to, computer
     systems, equipment, application-specific assemblies, modules, and
     integrated circuits.".


I do not have any comments on the remaining portions of the bill, and
so I have deleted them from this already too lengthy submission.

I look forward to your reactions and corrections.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet:  junger@pdj2-ra.f-remote.cwru.edu    junger@samsara.law.cwru.edu






Thread