1997-05-02 - Response to Alan Davidson

Header Data

From: Tim May <tcmay@got.net>
To: cypherpunks@cyberpass.net
Message Hash: 31b2449c1baec325245a310d45e604bafca1c28f0bc00dff10c23a78aeca1fe8
Message ID: <v0300780daf8f3cb776f3@[207.167.93.63]>
Reply To: N/A
UTC Datetime: 1997-05-02 05:50:58 UTC
Raw Date: Fri, 2 May 1997 13:50:58 +0800

Raw message

From: Tim May <tcmay@got.net>
Date: Fri, 2 May 1997 13:50:58 +0800
To: cypherpunks@cyberpass.net
Subject: Response to Alan Davidson
Message-ID: <v0300780daf8f3cb776f3@[207.167.93.63]>
MIME-Version: 1.0
Content-Type: text/plain


I posted this article to the newsgroups alt.cypherpunks,
talk.politics.crypto, comp.org.eff.talk, and copied this list on it from my
newsreader, but the article hasn't shown up here on the list. Sometimes the
newsreader/spooler/whatever runs into snags, so here it is, manually sent:

At 1:56 PM -0800 5/1/97, Alan Davidson wrote to the Cypherpunks list:

>SAFE would legalize the export (to all but a few countries such as Iran, N.
>Korea, and Cuba) of non-escrow encryption *of unlimited strength* that is
>designed for the mass market or is in the public domain, i.e.:
>
>        "(i) that is generally available, as is, and is
>                    designed for installation by the purchaser; or
>
>                    "(ii) that is in the public domain for which
>                    copyright or other protection is not available
>                    under title 17, United States Code, or that is
>                    available to the public because it is generally
>                    accessible to the interested public in any form;"
>         (See also Footnote below)

But of course this is not the complete quote. Here is the material above,
plus the surrounding context (and what I think are some "gotchas"):

[[My comments are in brackets like this.]]

"(2) ITEMS NOT REQUIRING LICENSES. -- No validated license may be required,
except pursuant to the Trading With the Enemy Act or the International
Emergency Economic Powers Act (but only to the extent that the authority of
such Act is not exercised to extend controls imposed under this Act), for
the export or reexport of--

[[And what limitations on export does the International Emergency Economic
Powers Act impose? This is a murky and complicated area of the law, and our
own Professor Froomkin, in his excellent "It Came from Planet Clipper"
review of Clipper, noted: "The only authorities noted in Executive Order
12,924 are the President's inherent constitutional authority and the
International Emergency Economic Powers Act (IEEPA).{224} Assuming that the
President does not have inherent constitutional authority to block exports
in peacetime, the authority for this action is IEEPA, which by its own terms
applies to "any unusual and extraordinary threat, which has its source in
whole or substantial part outside the United States ... if the President
declares a national emergency with respect to such threat."{225} While
Executive Order 12,924 refers to the danger of "unrestricted access of
foreign parties to U.S. goods, technology and technical data," it seems that
the real "unusual and extraordinary" threat consists of Congress's failure
to renew the EAA. Indeed, the President's most recent renewal of the state
of emergency admits that the state of emergency must be extended "[b]ecause
the Export Administration Act has not been renewed by the Congress."{226}"]]

[[I take this quote to mean that the EEPA grants the Pres. authority to
limit exports. Thus, the "except pursuant to" provision could with the
stroke of a pen impose export limits on unbreakable crypto, even if the
later provisions, which I'll get to in a moment, are not the clauses
invoked to limit exports.]]


"(A) any software, including software with encryption capabilities --

"(i) that is generally available, as is, and is designed for installation
by the purchaser; or
"(ii) that is in the public domain for which copyright or other protection
is not available under title 17, United States Code, or that is available
to the public because it is generally accessible to the interested public
in any form; or
"(B) any computing device solely because it incorporates or employs in any
form software (including software with encryption capabilities) exempted
from any requirement for a validated license under subparagraph (A).

[[The section above does seem to say that, unless EEPA is invoked, crypto
software is exportable. However, the next section states the following:]]


"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. -- The Secretary shall
authorize the export or reexport of software with encryption capabilities
for nonmilitary end-uses in any country to which exports of software of
similar capability are permitted for use by financial institutions not
controlled in fact by United States persons, unless there is substantial
evidence that such software will be --

"(A) diverted to a military end-use or an end-use supporting international
terrorism;

[[So, if it is determined that PGP is being used by the Iraqi regime--as
some sources tell me is the case today!--does this not encompass "diverted
to a military end-use"? If it is obvious that Irish members of the IRA or
Sinn Fein are buying copies of "Mil-Grade PGP" at the Egghead in Boston and
shipping them back to Dublin on cargo pallets, will this satisfy the
"supporting international terrorism" clause? If the "substantial evidence
that such software will be" part means that such exports are blocked only
if the exporter makes it clear that he will be exporting to the Iraqi High
Command, which he would be foolish to do, then this is an Alice in
Wonderland law. I surmise that the intended interpretation is to block
software with substantially military uses, even if not the primary uses. I
could be wrong, but the confluence of the EEPA and the "diverted to a
military" and "supporting international terrorism" bits leads me to
interpret the bill as saying military-grade PGP will be limited for export
even to countries which are not on the "hot list" of Trading with the Enemy
nations.]]


"(B) modified for military or terrorist end-use; or

[[And what does this mean? If I widely advocate and encourage use of PGP
3.0 as a tool for liberation of oppressed peoples under the bootheel of the
American fascist regime, and show how PGP 3.0 is a tool for blowing up
fascists and their lackeys, and there is even evidence that terrorist
groups are indeed adopting PGP 3.0 in droves, is this clause then
triggered?

(Or must I actually purchase a software export license from PGP, Inc.,
alter the code to read "Pretty Good Terrorist Tool," stamp my boxes "Meant
for International Terrorist Use," apply for an export license, and only
then will the clause be triggered? Ha.)

The clear, to me, interpretation of this language is that the SecDef and
other such persons will notify the Pres., or Commerce, etc., that some
particular program or product is easily capable of being used against
putative American interests, as has long been the case with so many other
export-limited products.

(And the limits are not, Alan's implications to the contrary, limited to
the "Hot List" of terrorist nations. The COCOM agreements, the CCL, and now
the Wassenaar agreements, clearly are a very broad list of products. Hell,
the Japanese are now citing the Wassenaar as the reason the RSA chip will
not be given an export license! The real reason, looking deeper, is because
David Aaron, Stuart Baker, and the other folks in the NSA orbit almost
certainly asked them in very strong terms not to make the RSA chip
available for products.)]]


>SAFE's export control relief is not unlimited. The bill does not allow
>export to Iran, Iraq,  Cuba, or N. Korea (that's what the "Trading With The
>Enemy" provision is about); Congress is not likely to pass a law saying you
>can export strong crypto to Saddam Hussein.  Relief is also limited for

And what of the EEPA provisions? Will the Wassenaar list simply cease to
exist? My recollection, refreshed by skimming the Froomkin article a few
minutes ago, is that the EEPA, semi-perpetually in effect, is the reason
products are already on the list of controlled exports. As Froomkin writes,
"Given, however, that IEEPA provides the current authority for the
continuance of the EAA regime, and that the Clinton Administration proposes
to move DES, however temporarily, off the USML and onto the CCL, a creation
of the EAA,{229}..."

On to another topic:

>Contrary to reports, the SAFE bill does not say: "Use a cipher, go to
>prison."  It does say: "Use cryptography TO COMMIT A CRIME, go to prison":

This is being disingenuous. I stated very clearly, in two places very
prominently, that the chilling effect of the criminalization section is
analogous to the "use a gun, go to prison" language (and billboards) used
in the War on Crime.

I'd've thought that analogies are a basic skill, not to mention a necessary
skill for doing well on the Verbal section of the SATs. To wit:

"Use a gun, go to prison" is to "Use a gun when committing a crime, go to
prison" as "Use a cipher, go to prison" is to "Use a cipher when committing
a crime, go to prison."

The point is that such criminalization of crypto will have a chilling effect.

In fact, why not support another modification of the First Amendment? (The
crypto modification being one involving speech.) Let's extend it to
religion:

"Religious beliefs are not allowed, but the holding of certain religious
beliefs when a crime is committed may in itself be criminal."

So, if someone bombs an abortion clinic, surely a crime by our laws, and
is found to be a Roman Catholic, this could add 5 years to their sentence.
This is what the criminalization of crypto is comparable to.

Or in the precise language of the SAFE bill:

>   2805. Unlawful use of religious beliefs in furtherance of a criminal act
>
>     "Any person who willfully uses religious beliefs in furtherance
>  of the commission of a criminal offense for which the
>  person may be prosecuted in a court of competent jurisdiction...
>  [may be imprisoned or fined]"


>CDT opposes both these provisions because they are unnecessary and could
>chill the use of encryption (especially by self-confessed felons like Tim
>May!).  But they are not as sweeping as some on this list have said.

Not as sweeping? Where is this "not as sweeping" spelled out? The SAFE text
is itself very short, so I don't see where this comes from. Is it from the
infamous "assurances" which are so often given verbally, but never in
ironclad written form attached as part of the bill? Is it an
"understanding" that this criminalization clause will actually not be
applied except to certain classes of criminals? (Who are they, by the way,
that _would_ have the law applied to them?)

I take laws to mean what they say. Al Capone was gotten on income tax
evasion. If the law says using crypto in connection with a crime can result
in a 5-year sentence for a first offense, etc., I take the law to mean just
that. If that's _not_ what was intended, then change the language!!!!

Meanwhile, the criminalization of crypto use in connection with any of
the ever-increasing array of prosecutable offenses is reason enough to
reject SAFE. That PGP, Inc. or Netscape has an easier time exporting
browsers to foreigners is no reason to sacrifice basic liberties.


>Passage of the SAFE Bill would put strong security tools in the hands of
>many more people.  That's why CDT supports SAFE, and why we think people
>who care about privacy and security online should support it too.

Strong crypto, with no criminal penalties attached, is about to become
widely available in the U.S. with the incorporation of S/MIME into
Netscape's and Microsoft's products. Netscape has already said, and I
presume MS has or will too, that they will if necessary have multiple
versions of their products, with a "policy statement" enforcement mechanism
for foreigners.

So, what does SAFE buy us? There are no crypto laws in the U.S., and crypto
is available, and will soon be built into tens of millions of browsers.
Looks like we're getting what we need.

Why give up basic liberties so that Netscape can ship just one version?

A bad deal, I say.

"Use a cipher, go to prison."

--Tim May

--
There's something wrong when I'm a felon under an increasing number of laws.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
