1996-11-08 - Free software could not threaten purpose of ITAR …

Header Data

From: Ernest Hua <hua@chromatic.com>
To: cypherpunks@toad.com
Message Hash: 034d81c89bb90f6f6c9b8e71904a5545f9918bf2ad955f05734020ca7a97fde8
Message ID: <199611082301.PAA09398@ohio.chromatic.com>
Reply To: N/A
UTC Datetime: 1996-11-08 23:02:38 UTC
Raw Date: Fri, 8 Nov 1996 15:02:38 -0800 (PST)

Raw message

From: Ernest Hua <hua@chromatic.com>
Date: Fri, 8 Nov 1996 15:02:38 -0800 (PST)
To: cypherpunks@toad.com
Subject: Free software could not threaten purpose of ITAR ...
Message-ID: <199611082301.PAA09398@ohio.chromatic.com>
MIME-Version: 1.0
Content-Type: text/plain



It never ceases to amaze me how inconsistent the anti-crypto
people are on this issue ...

I just took a look at VADM McConnell's answers during a Senate
hearing on May 3, 1994 ...

    http://csrc.nist.gov/keyrecovery/ees_q-a.txt

Questions from Senator Murray:

    Q: In my office in the Hart building this February, I downloaded
    from the Internet an Austrian program that uses DES encryption.
    This was on a laptop computer, using a modem over a phone line.
    The Software Publishers' Association says there are at least 120
    DES or comparable programs world wide.  However, U.S. export
    control laws prohibit American exporters from selling comparable
    DES programs abroad.

    With at least 20 million people hooked up to the Internet, how do
    U.S. export controls actually prevent criminals, terrorists, or
    whoever from obtaining DES encryption software?

    A: Serious users of encryption do not entrust their security to
    software distributed via networks or bulletin boards.  There is
    simply too much risk that viruses, Trojan Horses, programming
    errors, and other security flaws may exist in such software which
    could not be detected by the user.  Serious users of encryption,
    those who depend on encryption to protect valuable data and cannot
    afford to take such chances, instead turn to other sources in
    which they can have greater confidence.  Such serious users
    include not only entities which may threaten U.S. national
    security interests, but also businesses and other major consumers
    of encryption products.  Encryption software distribution via
    Internet, bulletin board, or modem does not undermine the
    effectiveness of encryption export controls.

Why is it, then, that we don't just allow non-commercial software to
be exported?

1.  I don't believe for a moment that "serious users" of cryptography
    cannot entrust their security to "software distributed via
    networks or bulletin boards".  Those are precisely the mediums
    through which PGP became popular.

2.  Phil Z was being harassed precisely because PGP is most definitely
    a serious threat in the trend toward undermining ITAR.

3.  Phil K's export request was rejected, and MIT was harassed over
    the PGP source book, precisely because source code is source code.
    It does not matter if it came on a disk or through a network or
    through a bulletin board or in a book.

The point is that the NSA DOES view this as a serious threat, so they
are fighting this tooth and nail.

Ern




