1997-01-31 - Re: Complying with the EAR [was: More Circumventing the ITAR]

Header Data

From: Michael Paul Johnson <mikej2@exabyte.com>
To: Sean Roach <roach_s@alph.swosu.edu>
Message Hash: 26f8d517509db4f9bc26033b1e243b9663a7b9a52060d7f4ea42194f7ed74c1b
Message ID: <199701311706.JAA17979@toad.com>
Reply To: N/A
UTC Datetime: 1997-01-31 17:06:26 UTC
Raw Date: Fri, 31 Jan 1997 09:06:26 -0800 (PST)

Raw message

From: Michael Paul Johnson <mikej2@exabyte.com>
Date: Fri, 31 Jan 1997 09:06:26 -0800 (PST)
To: Sean Roach <roach_s@alph.swosu.edu>
Subject: Re: Complying with the EAR [was: More Circumventing the ITAR]
Message-ID: <199701311706.JAA17979@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 30 Jan 1997, Sean Roach wrote:
> At 11:14 AM 1/29/97 -0700, Michael Paul Johnson wrote:
> >On Tue, 28 Jan 1997, Mark Rosen wrote:
> >
> >> 	I'm curious as to exactly what the ITAR/EAR/Whatever says specifically
> >> about "unrestricted FTP sites." My program, Kremlin, is available for
> >
> >You should check the exact text yourself, but the way I read the EAR, you
> >are not "exporting" strong cryptographic software without a license (except
> >to Canada, which needs no license) if you do things "such as"
> >(1) have the guests to your site acknowledge that the EAR restricts
> >export, (2) have the guests affirm that they can legally get the software
> >(proper citizenship or residency & location), and (3) "check the address
> >of the destination computer to see if it is in the USA" or Canada. The
> >last one, I interpret rather loosely to mean that if the guest's email
> >address domain isn't one commonly used in the USA or Canada, then I deny
> >access. We all know that not all .com addresses are North American, but
> >chances are really good that if the address ends in .ru, then the
> >destination machine is probably not in North America. This is not a
> >perfect way to prevent export, of course, but it is what the regulations
> >say, as I read them. For a pointer to the regulations and to my access
> >request form and crypto site, see http://www.sni.net/~mpj/crypto.htm
> ...
> An easy crack to that would be to request access from a hotmail, or
> similar, account.  This account would show up as being on US soil while the
> account holder would not necessarily be so.  In this way, someone with an
> account ending in your .ru would get through because h[is/er] e-mail request
> originated from inside the U.S.

If that is the only chink in the armor you see, then you aren't looking
very hard. The point of this system is not to prevent exports, but to (1) 
comply with the letter of the law by discouraging export in the specified
manner, (2) to comply with the spirit of the law by reducing the number of
exports of cryptographic software from the USA, while (3) making
publication of strong cryptographic software in North America easy and
safe from legal persecution. Without point (3), the national security of
the USA would be harmed, IMHO, by the fact that proportionally more
dishonest people (the ones the NSA and FBI are quick to draw attention to)
than honest ones (the majority of the people who want to use strong
cryptography to protect their privacy and business interests from the
dishonest folks) would use strong cryptography. 

The only reason I can think of that the U. S. Commander-in-Chief and
President of the United States of America and his staff have determined
that export of strong cryptographic software can harm "national security" 
even when such software already is available outside of the USA, is that
they are really more concerned about the numbers of people that use such
software regularly, and therefore, they want to limit the total bandwidth
of distribution capacity and ease of retrieval of such software. Export
controls can effectively do both, even if they cannot realistically
prevent export.

Think about it. It was a pain to set up the EAR-compliant site that I set
up compared to a simple site for global distribution, and few people would
go through the hassle. Many major information services and ftp sites
simply disallow strong cryptographic software rather than go through the
hassle. Because of this, it is probably true that fewer people find,
download, and use strong cryptographic software.

Until more people set up more strong cryptographic software distribution
sites and write more good, secure, robust, easy-to-use cryptographic
software such that it is about as easy to find and use it as not to, the
Feds win. Their point is proven. Fewer people use strong cryptography than
would otherwise, and some small (but, to them, significant) percentage of
those people who were discouraged from using strong cryptographic software
might have used that software in a criminal activity. Too bad about the
good guys who could have prevented computer crime or worse with the same
technology, huh?

http://www.sni.net/~mpj/crypto.htm

 Michael Paul Johnson      Opinions herein are not necessarily Exabyte's.
 Work:     mpj@exabyte.com http://www.exabyte.com
 Personal: mpj@csn.net     http://www.csn.net/~mpj       BBS 303-772-1062






