From: jya@pipeline.com
To: cypherpunks@toad.com
Message Hash: 51fd3263b84a40bcdce1c3c5666abb53143806568ed859eb2395493c07ddb23b
Message ID: <199605021908.PAA29631@pipe1.nyc.pipeline.com>
Reply To: N/A
UTC Datetime: 1996-05-03 04:32:36 UTC
Raw Date: Fri, 3 May 1996 12:32:36 +0800
From: jya@pipeline.com
Date: Fri, 3 May 1996 12:32:36 +0800
To: cypherpunks@toad.com
Subject: EET on PGP API Quash
Message-ID: <199605021908.PAA29631@pipe1.nyc.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain
[Thanks to BC]
Electronic Engineering Times, April 29, 1996, page 4
State Dept. Tries To Quash API's for PGP cryptography
By Loring Wirbel
Washington -- The Justice Department may have halted
attempts to bring criminal charges against Phil Zimmermann,
author of the Pretty Good Privacy (PGP) public-key
cryptography algorithms, but the State Department is taking
an increasingly hard line on PGP. Where once the State had
restricted itself to warning developers against exporting
source code with PGP file-encryption routines, it is now
arguing that application programming interfaces (API)
allowing PGP program insertion should be subject to control
under arms-trading statutes.
Warning letters sent out in the last few weeks reflect the
bizarre status of cryptography algorithms in the
government's Export Control Act. Under the International
Traffic in Arms Regulations (ITAR) promulgated under the
act, the government can restrict any encryption programs
the National Security Agency (NSA) is uncomfortable with.
The new moves represent the first time State has tried to
extend ITAR to software that only provides hooks for
encryption packages, however.
"There is some room to maneuver and make strong arguments
that the rules on crypto APIs have some serious
ambiquities," said Kenneth Bass, an attorney specializing
in export control with the Washington law firm of Venable
Attorneys at Law. Bass said several companies have received
warning letters from State, but most do not want to do
battle with the Federal government.
Meanwhile, wildly differing rulings in the U.S. District
Courts on the West and East coasts send mixed messages
about software embedding crypto algorithms. In refusing to
dismiss developer Daniel Bernstein's suit against the State
Department, Judge Marilyn Hall Patel of San Francisco ruled
in early April that source code can be protected free
speech.
"The particular language one chooses does not change the
nature of the language for First Amendment purposes," Patel
said. "This court can find no meaningful difference between
computer languages ... and German or French; ... whether
source code or object code is also functional is
immaterial." Bernstein seeks to establish that his
zero-delay private-key program, Snuffle, is not subject to
ITAR.
Opposite Rationale
But on March 22, Judge Charles Richey of Washington
dismissed Philip Karn's suit against State using almost
exactly the opposite rationale. Karn, an employee of
Qualcomm Inc. (San Diego), challenged a ruling that the
floppy disks accompanying some editions of Bruce Schneier's
book, *Applied Cryptography*, could be barred from export.
Judge Richey said the government was free to view
implemented source code as a munition that could be banned,
and said Defense Department decisions regarding materials
covered under export control were precluded from judicial
review. Karn appealed to the U.S. Circuit Court of Appeals
on April 19. "The stage is being set for some very basic
issues on souce code and free speech to be decided," said
attorney Bass.
So far the API issue has not spurred any suits. Network
Telesystems Inc. (Santa Clara, Calif.) a TCP/IP stack
specialist and the one company that has admitted receiving
a warning from State, said that a PGP API is not central
enough to its business to warrant making its preservation
a federal case.
Company president John Davidson said Network Telesystems
elected to make its new e-mail package, Confidante, "PGP
ready" by including a PGP API instead of licensing the
code. Davidson said the warning must have been the result
of government officials seeing the press release on the
package, which has not yet shipped, or a short article in
a national magazine.
"We thought it was a misunderstanding at first, since we
had no resident PGP code," Davidson said. "It didn't seem
possible that the government could really be talking about
an interface."
One computer-security expert said off the record that "NSA
has told State to watch out for any APIs outside NSA's own
effort to define a crypto API." NSA is embracing the API
work of companies like RSA Data Security Inc., the source
said, "but Zimmermann's PGP work has always been a
freelance effort, so a compromise is not seen as
necessary."
-----
Return to May 1996
Return to “jya@pipeline.com”
1996-05-03 (Fri, 3 May 1996 12:32:36 +0800) - EET on PGP API Quash - jya@pipeline.com