[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Restrictions on crypto exports



Like L. Detweiler, I can't resist the temptation to speculate a little
bit on the apparent legal crackdown on export of crypto.

The relevant section of the law is the Arms Export Control Act of
1968, codified in sections 2751 and following of Title 22 of the U.S.
Code.  Section 2778 deals with control of arms exports and imports.  In
that section, the President is authorized to determine what are "defense
articles"; the articles so designated constitute the "Munitions List".

"Any person who willfully violates any provision of this section...
shall upon conviction be fined for each violation not more than
$1,000,000 or imprisoned not more than ten years, or both."

So there are potentially very serious sanctions for violations of this Act.

One interesting point is the use of the word "willfully".  This has been
held in several court cases to mean that the government must show that an
accused not only exported munitions, but that he did so knowing that it
was illegal.  Legally, this means that there must be a showing of "specific
intent".  For example, in U.S. v Lizarraga-Lizarraga, the appellate court
wrote (in 541 F2d 826),

"At trial and on appeal, the defendant admits that he purchased the
ammunition and that he intended to export it to Mexico.  His defense is
bsed on the contention that he had no knowledge that his conduct violated
the law.  Hence, the appellant claims that to be found guilty under
22 U.S.C. 1934 [the predecessor to 22 U.S.C. 2778], the government must
prove that he intended to violate the statute....  We agree, and hold
that he was entitled to a specific intent instruction.  Accordingly, we
reverse his conviction and remand for a new trial."

The justice discusses several reasons for concluding that "willfully"
implies a need to show specific intent, among them that the articles on
the Munitions List are not obviously illegal to export, finally concluding:

"Accordingly, we hold that in order for a defendant to be found guilty of
exporting under 22 U.S.C. 1934, the government must prove that the
defendant voluntarily and intentionally violated a known legal duty not
to export the proscribed articles, and the jury should be so instructed."

There are several other court cases which agree with this conclusion.

Therefore, the government will have to show not only that PGP was exported,
but that whoever did it knew that the export was illegal.  For example,
the headnotes to U.S. v Malsom state, "Conviction for violation of 22 USC
2778 requires showing of criminal intent; use of circuitous shipment
route to ship replacement parts for military airplanes supports finding
of criminal intent."  Apparently in that case the parts were shipped in a
circuitous manner designed to prevent detection, and this fact itself was
evidence that the defendants knew they were breaking the law.

If PGP were exported overseas in some straightforward manner, such as being
made available for FTP in the U.S., it would be much harder for the
government to show criminal intent than if it had been written onto a floppy
hidden in a crate of frozen vegetables or something.  So it will be interesting
to see how the government approaches the intent issue.

Other interesting points come from the ITARs themselves, which implement
this section of the U.S. Code.  Subchapter M of Title 22 of the Code of
Federal Regulations is the International Traffic in Arms Regulations.
This subchapter encompasses sections 120 and following of that Title.
Section 120 has mostly definitions, section 121 has the Munitions List
itself, and the remaining sections deal mostly with regulations and reporting
requirements.

Category XIII of the Munitions List, Auxiliary Military Equipment, includes:
"Cryptographic (including key management) systems, equipment, assemblies,
modules, integrated circuits, components or software with the capability
of maintaining secrecy or confidentiality of information or information
systems".  It is followed by a long list of exceptions, and exceptions to
the exceptions, none of which appear to apply to PGP or RSA.  So on the
face of it, this appears to be a fairly broad prohibition on the export
of cryptographic software.

However, there is an interesting sentence in part 125 of this subchapter.
In 125.1(a), it says, "Information which is in the 'public domain' (see
section 120.18) is not subject to the controls of this subchapter."  Note
that by "this subchapter" it must mean Subchapter M, the entire ITAR.

"Public domain" is defined in 120.18:  "Public domain means information
which is published and which is generally accessible to the public:
(a) Through sales at newsstands and bookstores; (b) Through subscriptions
which are available without restriction to any individual who desires
to obtain or purchase the published information; (c) Through second class
mailing privileges granted by the U.S. Government; or, (d) At libraries
open to the public."

So, this is a possible defense against a charge that exporting PGP or
other RSA software violates the ITARs.  If one could argue that the software
was public domain, and that the software could be considered "information"
(hard to argue against if it was exported electronically), then it is
not covered by the ITARs.

The public domain issue is not completely clear, but one could certainly
make a case that software available on BBS sites or by FTP fell into
categories (b) or (d) of the public domain definition, or at a minimum
that the degree of public availability in these situations is very similar
to that envisioned by the authors of this definition.

Alternatively, the defense could argue that irrespective of whether a
particular implementation was public domain, that the main cryptographic
algorithm involved, the RSA cryptosystem, was certainly public domain by
the letter of the definition.

So, if there is a court case, I'd expect that this might be one of the main
issues of contention between defense and prosecution.

The last issue I'll mention is the meaning of "Export".  This is defined
in 120.10.  "Export means, for purposes of this subchapter: (a) Sending
or taking defense articles out of the United States in any manner, or...
(d) Disclosing or transferring technical data to a foreign person,
whether in the United states or abroad..."

I've just listed the most relevant parts here.  Several months ago, Jim
Bidzos of RSADSI published a document attacking the legality
of PGP, and in that document he claimed that making PGP available for
FTP constituted export, and in fact that posting it to your neighborhood
BBS also constituted export.  (Ironically, a few weeks later there was
a flap when RSADSI made its own RSA software available for FTP, and some
foreign nationals downloaded it.)  The presumed justification for this
reasoning would be that making the information publically available in
this way could "disclose" it to a foreign person.

A similar argument was described in a very interesting post Dan Bernstein
made to sci.crypt a few months ago.  Dan was trying to get permission to
export information about a cryptographic technique he had developed:

   Excerpts from a State Department conversation
   Daniel J. Bernstein
   22 July 1993
   
   Here are some excerpts, edited for legibility, from a conversation I had 
   with Charles Ray of the Office of Defense Trade Controls on 26 March 
   1993. These excerpts are now in the public record. Please do not assume 
   that the comments below reflect any official State Department position, 
   although my notes list Charles Ray as a ``special assistant'' to DTC 
   Director William B. Robinson.
   
   Dots represent omissions, not pauses. DJB means me. CR means Ray.
   
   DJB: What I'm trying to understand is: Suppose somebody makes some
   technical data which is a defense article, it's on the Munitions List,
   and goes to a library. The library agrees, and puts it on their shelves.
   Then ... doesn't that make it public domain, assuming that there are no 
   contractual problems or anything?
   
   CR: Actually, that could be argued a number of ways. But it could also
   be argued that if the person made something that was a Munitions List
   item, and particularly if they did it knowingly and they put it in a
   public library where anyone has access to it, that it could be 
   considered a violation of the Arms Export Control Act. It would I think
   depend a lot on their motives for doing it.
   
   [Material elided]
   
   CR: ... Hypothetically, if a person deliberately created a Munitions 
   List item, and deliberately placed it in a public library so as to evade 
   the restrictions ... I think that person might still find himself or 
   herself subject to certain sanctions should there be an incident of this 
   information falling into the hands of a foreign entity.

So, here Ray is basically making that same argument, that putting something
into the public domain by putting it into a library could itself be
considered "export" if it resulted in a foreign entity getting access.

So, the government may be trying to set up a "Catch 22" situation here,
where any attempt to make information "public domain" will be automatically
considered an attempt to export it.

I would think that the defense could come up with some good replies to
any attempt by the prosecution to make this argument.  The ITARs are
intended to control foreign export, and it appears to be a large extension
of their power to attempt to control what things American citizens may take
to their own domestic libraries.

Of course, people should remember that the investigation is still at
an early stage now.  The grand jury may or may not decide to issue criminal
charges; if they do, the accused may choose to plead guilty to a lesser
charge rather than take the risk of a court battle; even if the matter
goes to court, the accused will of course choose his defense based on
his own considerations of advantage.  It's not clear that even a favorable
court decision will free the flow of cryptographic software.

Hal Finney
[email protected]