[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bidzos on PGP and ITAR verbatim




"L. Detweiler" <uunet!longs.lance.colostate.edu!ld231782> writes:

> There is a section on `illegal export of unclassified technical data to
> foreign nationals' (paraphrase) and Bidzos claims it applies to PGP
> export. But he appears to me to be using a bit of sleight of hand to
> conflate this category with *cryptographic software* mentioned
> elsewhere (sections also as quoted also by H. Finney).

If Bidzos is using the term "technical data" as it's defined in $120.21
of the ITAR, I think it's debatable. Can we come up with data to support
that IDEA and RSA are "commonly taught .. in academia"? The public (and
published) nature of both IDEA and RSA seems to place them far away from
the general thrust of the "technical data" definition, which seems oriented
towards preventing disclosure of data/information that's not available to
the general public. Def'n follows:

    $120.21 Technical data.

        Technical data means, for purposes of this subchapter:
            (a)     Classified information relating to defense articles
                    and defense services;
            (b)     Information covered by an invention secrecy order;
            (c)     Information, in any form, which is directly related
                    to the design, engineering, development, production,
                    processing, manufacture, use, operation, overhaul,
                    repair, maintenance, modification, or reconstruction
                    of defense articles. This includes, for example,
                    information in the form of blueprints, drawings,
                    photographs, plans, instructions, computer software,
                    and documentation. This also includes information
                    which advances the state of the art of articles on
>                   the U.S. Munitions List. This definition does not
>                   include information concerning general scientific,
>                   mathematical, or engineering principles commonly
>                   taught in academia. It also does not include basic
                    marketing information or general system descriptions
                    of defense articles.

        [emphasis added, of course]

I'm working my way through the ITAR and am going to leave the majority
of Bidzos' message alone until I feel like I have a stronger grasp on the
legal issues here.

He did, however, say two things which look pretty shaky to me:

> When you make a defense item available on a BBS, you have exported it.

The definitions of export that I've seen have concerned transferring
information or physical things, or providing services to, persons,
corporations, or nations which are not U.S. citizens. They have not
addressed placing these things where "foreign persons" might conceivably
get them. Under Bidzos' interpretation, making RSAREF available via FTP
sounds like export to me. My interpretation is based on ITAR; other
relevant statutes may define it more broadly, but those definitions
aren't relevant when talking about violations of the ITAR.

> pgp is software tainted by serious ITAR violations.

I interpret this to mean, assuming that Bidzos is right on all points, that:
(1) all copies (and their descendants?) of PGP 1.0 which have been taken
outside of the U.S. are "tainted" and cannot be re-imported legally; and
(2) all copies (and their descendants?) of PGP 2.x which were written outside
of the U.S. are "tainted" once they enter the U.S.; U.S. citizens will need
to re-write (sigh) PGP 2.x inside the U.S., using the published algorithms
for IDEA and RSA.

I can't see any basis for saying that "PGP", a standard for interoperable
crypto software, is tainted - only particlar implementations of that
standard are, depending on who wrote them and what country the author is
from, where the copy is located, and where it's been before.

Surely Bidzos won't claim that RSA licensees in the U.S. are somehow
"tainted" by the illegal export of other copies of RSA, hmm?


--
Greg Broiles
[email protected]                     Baked, not fried.