From: jim bell <jimbell@pacifier.com>
To: Greg Broiles <cryptography@c2.net
Message Hash: baf74bf81acdad9b333fa8e0eacd0d43dacbe7cd853695319892b81a1574ba1b
Message ID: <199612260525.VAA20766@mail.pacifier.com>
Reply To: N/A
UTC Datetime: 1996-12-26 05:25:24 UTC
Raw Date: Wed, 25 Dec 1996 21:25:24 -0800 (PST)
From: jim bell <jimbell@pacifier.com>
Date: Wed, 25 Dec 1996 21:25:24 -0800 (PST)
To: Greg Broiles <cryptography@c2.net
Subject: Re: Reflections on the Bernstein ruling
Message-ID: <199612260525.VAA20766@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain
At 11:57 PM 12/20/96 -0800, Greg Broiles wrote:
>
>(Please keep in mind that I'm not a lawyer yet, and that my comments are
>intended only as the reflections of an amateur and are intended as
>discussion fodder, not legal advice.)
>
>Folks seem to be very excited about Judge Patel's ruling in the Bernstein
>case - and with good reason. It was, for example, a first-page
>above-the-fold item in both of the Bay Area's legal newspapers today.
>Unfortunately, most of the media reports have done a poor job of
>interpreting the ruling, and it's easy to draw bad conclusions from erratic
>news reports about the case. The decision is available online
><http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/961206.decision>
>thanks to the folks at EFF. I thought list members might appreciate a
>summary of the decision and its potential effects.
Please comment on my (layman's) proposal that no "mens rea" ("guilty mind") can be
attributed to a person who is relying on a not-yet-overturned judicial
decision. In other words, if a person has a genuine belief that what he's
doing has been upheld by the Patel ruling, he cannot be claimed to have had
"mens rea." (I am presuming, here, that before he does anything, he "clears
it" with a lawyer who assures him that what he's planning is at least
covered in the Patel decision as being okay. I understand, of course, that
"mens rea" may be irrelevant in CIVIL REGULATORY issues, but not in CRIMINAL ones.)
>1. What the ruling said
>In brief, Judge Patel ruled that Category XIII(b) (the category which
>refers to cryptographic equipment/software) is unconstitutional because it
>functions as a prior restraint upon speech without providing important
>procedural safeguards which are required when a prior restraint scheme is
>put into place. She ruled that the "technical data" provision of the ITAR
>is also unconstitutional when it refers to technical data about Category
>XIII(b) items because of the lack of procedural safeguards.
>
>Mopping up other points raised by the suit, Judge Patel ruled that the term
>"defense article" as defined in 22 CFR 120.6 should be read to elide the
>phrase "or technical data"; and that when interpreted that way, the terms
>"defense article", "defense service", and "technical data" are not
>unconstitutionally vague. She also ruled that the term "export" is not
>unconstitutionally vague, and writes (in 'dicta', which is legalese for
>"offhand comment", e.g., without precedential value but interesting as a
>hint re what's going on in the judge's mind) that placing software on an
>"Internet site" which can be accessed from a foreign country is an export
>for ITAR purposes.
What about leaving a floppy on a sidewalk in Des Moines, Iowa, which might
be picked up by a wandering foreign tourist who happened nearby?
Sheesh, these judges are real idiots, even when they accidently are coming
to (mostly) the right conclusion.
However, if being "on the Internet" is automatically presumed to be an
export, why can't we program using remote-control editors which might,
someday, be available on the Internet? (maybe they already are; somewhat
analogous to the old timesharing computers of yore. If the underlying files
were kept overseas, modified by specific editing commands sent to a remote
system, presumably Patel's dicta would suggest that those files were never
"exported" per se. They were formed and kept overseas, INTENTIONALLY, to
avoid the later necessity of exporting them had they been kept in the US.)
This would be an modifed and automated version of the way versions of PGP
later than 1.0 were supposed to have been developed: Actual coding was done
overseas, based on suggestions and comments from other countries.
(including, presumably, the US.)
Yes, realize that pessimism overtakes me here. "The system" never wants to
admit a contradiction. I would argue, however, that whereever the system
wishes to draw the line and call everything outside the line "an export,"
that decision should be considered binding on the government even when such
a conclusion leads to unexpected and undesireable consequences. (for the
government, at least...)
>She also ruled that the "fundamental research in science and engineering"
>(120.11(8)) and "general scientific, mathematical, or engineering
>principles" (120.10(5)) exceptions to the definition of "technical data"
>are void because they are too vague. As far as I can tell, they are thus no
>longer available to potential ITAR defendants.
Wouldn't it be more accurate to say that they are no longer considered
precisely defined exceptions, NOT that the exceptions no longer exist?
It seems to me that if the "burden of non-ambiguity" falls on those writing
the regulations, failure to eliminate ambiguity would have to be resolved in
favor of tolerating actions that fall into the grey area. For example, if a
law was passed that said, "pornographic writing is illegal," and the SC
later determined that "pornographic" was ambiguously defined, what they
WOULDN'T do is to make ALL writing illegal! (which would, obviously, be an
over-broad restriction, in an of itself.) Otherwise, what would on the
surface appear to be a overturning of a law would actually be a _broadening_
of it.
>It's also unclear that Judge Patel's ruling is enough to make export of
>crypto source legal by people/organizations located even in the Northern
>District of CA. Venue is proper, in an ITAR case, in any jurisdiction which
>the defense articles have moved through. (18 USC 3237(a); _US v. Durrani_
>659 F.Supp 1177, 1182 (D. Conn, 1987); an easy analogy is to the _US v.
>Thomas_ "Amateur Action" case, where Tennessee venue was proper for
>prosecution of California defendants who sent porn into Tennessee.) So it's
>at least arguable that the feds could simply bring an ITAR prosecution in
>another district, if exported crypto flowed through that district.
But again, deal with the mens rea issue. If Patel said, "It's okay to
export this software because the regulation is invalid," and you do so
relying on this ruling, wouldn't any subsequent (criminal) prosecution both
have to prove you did it, and ALSO prove that you were being unreasonable in
relying on the ruling? (Are rulings of illegality somehow more "reasonable"
than rulings of legality?)
I'm not suggesting that her decision can't be overturned in the future; I'm
suggesting that until it is overturned, each member the public is entitled
to act in reliance on it, perhaps at least the ones in her jurisdiction.
>So while the ruling has considerable historical, cultural, and symbolic
>significance, it's dangerous to assume that it means that export
>restrictions on crypto are dead.
However, wouldn't it be a good idea to take advantage of what is at least a
temporary decision? If I were a large corporation, having just developed an
excellent design for a crypto telephone, I might want to export it NOW,
which is in effect taking advantage of a temporary loosening of restrictions.
Jim Bell
jimbell@pacifier.com
Return to December 1996
Return to “jim bell <jimbell@pacifier.com>”