arms-controls-phone-number.txt

From msuinfo!uwm.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!nagle Mon May 24 13:11:20 1993
Newsgroups: alt.security.pgp,sci.crypt
Path: msuinfo!uwm.edu!cs.utexas.edu!swrinde!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!nagle
From: nagle@netcom.com (John Nagle)
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID: <nagleC7A7zp.572@netcom.com>
Organization: NETCOM On-line Communication Services (408 241-9760 guest)
References: <1993Apr27.204235.21266@olias.linet.org> <C6qqGy.2rE@adikia.sccsi.com> <WCS.93May12172911@rainier.ATT.COM> <34620@toad.com> <C771q7.n57@cbnewsh.cb.att.com>
Date: Wed, 19 May 1993 16:19:01 GMT
Lines: 51
Xref: msuinfo alt.security.pgp:3074 sci.crypt:16588

wcs@cbnewsh.cb.att.com (Bill Stewart 1-908-949-0705) writes:
>In article <34620@toad.com> gnu@toad.com (John Gilmore) writes:
> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) wrote:
> > It does not appear to be illegal to import crypto software,
> > though the rules are messy and obfuscatory enough that some people
> > contend otherwise, and a US-written IDEA implementation would reduce
> > the risk of harassment, though the fact that the NSA would not like a
> > court ruling supporting legal imports also reduces that risk.
> I have consistently challenged every person who comes to me with this
> rumor of "import controls" to substantiate it. [.....]
> NOBODY HAS!
> They all slink off. Some promise to look it up, but never do. Others
> just admit that they don't really know but they heard it from somebody.
>I'm in the third category here; I've looked through the excerpts I
>have of the law, and my county library's copy of the U.S.Code
>has not been up to date even to 1985 levels on the Privacy Act laws,
>so I haven't bothered checking there.

There is such legislation. It's in the Arms Control Act. I have
looked this up. Look in the index to the USC under Arms Control.

Basically, there are two completely independent systems of export
and import controls. The general export control system is administered
by the Commerce Department, and, while a pain, can be dealt with. There's
a separate system for "arms control", administered by State and Defense.
This controls the import and export of items listed on the "Munitions List".
The Munitions List (which is a real list, published in the Code of
Federal Regulations) lists all the items for which "arms control" applies.
Items like "battleships" and "rifles" appear. Unfortunately, so does
"cryptographic equipment", because, when the Munitions List was created
decades ago, civilian cryptography barely existed. Cryptographic
equipment is the only "dual use" technology covered under arms control,
and NSA has lobbied strongly to keep it that way.

Importing or exporting "arms" is complicated. Among other things,
you have to register as an "arms dealer" (Jim Bidzos of RSA had to do this).
Then, for each transaction, you have to open a "munitions case" with the
State Department. The general assumption with regular export controls is
that you can export unless there's some explicit prohibition on doing what
you want to do. The general assumption on arms controls is that you can't
export or import unless State and Defense like what you're doing.

Operationally, arms controls are administered by the Director
for Munitions, Office of the Deputy Undersecretary for Trade Security Policy,
Office of Policy, DOD. For information, contact their "Outreach unit",
703-697-7480.

Exactly what current restrictions are I don't know. But that's
where you find out.

John Nagle

From msuinfo!agate!ucbvax!silverton.berkeley.edu!djb Mon May 24 13:14:35 1993
Path: msuinfo!agate!ucbvax!silverton.berkeley.edu!djb
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Newsgroups: alt.security.pgp,sci.crypt
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID: <13557.May2409.37.4593@silverton.berkeley.edu>
Date: 24 May 93 09:37:45 GMT
References: <1993May23.201819.7697@convex.com>
Organization: IR
Lines: 41
Xref: msuinfo alt.security.pgp:3120 sci.crypt:16651

(This discussion belongs in talk.politics.crypto, a group for ``the
relation between government and cryptography.'' As you can see, this
group doesn't exist---yet. I do not want to handle the RFD and CFV for
this. Loose ball; somebody pick it up, please. Thanks.)

In article <1993May23.201819.7697@convex.com>
hamrick@convex.com (Ed Hamrick) writes:
> It's important to be quite clear that export and import controls on
> publicly-available / public-domain software do not exist.

Let me preface my comments with the disclaimer that I am currently
unable to speak in public about a number of issues highly relevant to
this discussion. What I say below is necessarily incomplete.

The ITAR does say that information in the ``public domain'' is not
subject to any ITAR control. The ITAR defines ``public domain'' in a
certain specific way. The ITAR definition of ``public domain'' does not
cover a document which I have just created, even if I waive all copying
rights to that document, and even if I intend to hand-deliver a copy of
the document to every mailbox in the known universe. It covers only
certain types of ``published'' information. The ITAR does not define the
word ``published.''

Let me repeat that: The ITAR does _not_ define the word ``published.''

As this is an absolutely critical point, let me repeat it once more:

******** The ITAR does _not_ define the word ``published.'' ********

> The
> following extract from "Defense Trade Regulations" from Federal Record,
> March 26, 1992 (formerly International Traffic in Arms Regulations, or ITAR):

At my last check with the NSA and the State Department, ITAR was still
current. The quotes which Ed gives, although not substantially
misleading, are simply not correct, and it is easy to draw certain
incorrect conclusions from his article.

Sorry to be so vague.

---Dan

From msuinfo!agate!howland.reston.ans.net!darwin.sura.net!convex!hamrick Mon May 24 13:15:15 1993
Newsgroups: alt.security.pgp,sci.crypt
Path: msuinfo!agate!howland.reston.ans.net!darwin.sura.net!convex!hamrick
From: hamrick@convex.com (Ed Hamrick)
Subject: Re: `Import Controls' on cryptography do not exist
Message-ID: <1993May24.131526.27164@convex.com>
Sender: usenet@convex.com (news access account)
Nntp-Posting-Host: convex1.convex.com
Organization: CONVEX Computer Corporation, Richardson, Tx., USA
References: <1993May23.201819.7697@convex.com> <13557.May2409.37.4593@silverton.berkeley.edu>
Date: Mon, 24 May 1993 13:15:26 GMT
X-Disclaimer: This message was written by a user at CONVEX Computer
Corp. The opinions expressed are those of the user and
not necessarily those of CONVEX.
Lines: 91
Xref: msuinfo alt.security.pgp:3123 sci.crypt:16653

In article <13557.May2409.37.4593@silverton.berkeley.edu> djb@silverton.berkeley.edu (D. J. Bernstein) writes:
>In article <1993May23.201819.7697@convex.com>
>hamrick@convex.com (Ed Hamrick) writes:
>> It's important to be quite clear that export and import controls on
>> publicly-available / public-domain software do not exist.
>
>Let me preface my comments with the disclaimer that I am currently
>unable to speak in public about a number of issues highly relevant to
>this discussion. What I say below is necessarily incomplete.

I must respectfully disagree with your interpretation of the regulations.
If you'd like a copy of the actual text of the Defense Trade Regulations
(ITAR doesn't exist any more), I'd be happy to e-mail them to you.

>The ITAR does say that information in the ``public domain'' is not
>subject to any ITAR control. The ITAR defines ``public domain'' in a
>certain specific way. The ITAR definition of ``public domain'' does not
>cover a document which I have just created, even if I waive all copying
>rights to that document, and even if I intend to hand-deliver a copy of
>the document to every mailbox in the known universe. It covers only
>certain types of ``published'' information. The ITAR does not define the
>word ``published.''
>
>Let me repeat that: The ITAR does _not_ define the word ``published.''
>
>As this is an absolutely critical point, let me repeat it once more:
>
>******** The ITAR does _not_ define the word ``published.'' ********

Here is the definition from the Defense Trade Regulations:

DTR> Sec. 120.19 *Public* domain.
DTR>
DTR> *Public* domain means information which is published and which is
DTR> generally accessible or available to the *public*:
DTR>
DTR> (1) Through sales at newsstands and bookstores;
DTR>
DTR> (2) Through subscriptions which are available without restriction to
DTR> any individual who desires to obtain or purchase the published information;
DTR>
DTR> (3) Through second class mailing privileges granted by the U.S.
DTR> Government;
DTR>
DTR> (4) At libraries open to the *public* or from which the *public* can
DTR> obtain documents;
DTR>
DTR> (5) Through patents available at any patent office;
DTR>
DTR> (6) Through unlimited distribution at a conference, meeting, seminar,
DTR> trade show or exhibition, generally accessible to the *public*, in the
DTR> United States;
DTR>
DTR> (7) Through *public* release (i.e., unlimited distribution) in any form
DTR> (e.g., not necessarily in published form) after approval by the cognizant
DTR> U.S. government department or agency (see also Sec. 125.4(b)(13)).

It seems pretty clear that DES code that is available via anonymous ftp
meets these criteria. You may choose to quibble about whether making
something available via anonymous ftp constitutes publishing, but consider
what percentage of jurors would laugh at anybody asserting that information
available via anonymous ftp doesn't meet the intent of 120.19. I myself
would tend to focus on subparagraph (5) referring to libraries open to the
public or from which the public can obtain documents.

Asserting that the ITAR doesn't define the word "published" is as meaningless
as asserting that the ITAR doesn't define the word "exhibition",
or "trade show", or "libraries", etc. This kind of quibbling is completely
meaningless - are you saying that you need to print out the DES source code
and put it in a University library before it can be distributed via
anonymous ftp? If so, this is a triviality. Anybody can open up a "library"
to the public (item (4) above). Most people would claim that anonymous ftp
constitutes an electronic public library.

>> The
>> following extract from "Defense Trade Regulations" from Federal Record,
>> March 26, 1992 (formerly International Traffic in Arms Regulations, or ITAR):
>
>At my last check with the NSA and the State Department, ITAR was still
>current. The quotes which Ed gives, although not substantially
>misleading, are simply not correct, and it is easy to draw certain
>incorrect conclusions from his article.
>
>Sorry to be so vague.

U. S. government rules are always written. Please refer to specific rules
published in the Federal Record, or specific legal cases. Are you saying
that the "Defense Trade Regulations" have not superseded the ITAR, as clearly
noted in the Federal Record?

Regards,
Ed Hamrick

Archived CPSR Information
Created before October 2004