[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Spam the Sign!



>>  Jeff Simmons <[email protected]> said...
>> 
>> >Then suppose you hand software to MIT to put on its export-controlled ftp
>> >site (which would seem to follow your requirements to take reasonable
>> >precautions to observe the ITAR, etc.) and you don't do the nudge, nudge,
>> >wink, wink - BUT you know that it's going to be available on major ftp
>> >sites in Europe within a few hours anyway.  The intent to export isn't 
>> >there, but the export occurs anyway.  Is it the intent, or the knowledge
>> >that's important?
>
>What's important to the government is that the crypto not be exported. 


Actually, that's not true.  What's REALLY important to the government is
that it not be AVAILABLE outside the country, or perhaps even more
accurately, not available anywhere.  Problem is, the government doesn't have
unlimited authority in this area.


>> >Or, to bring it down to a practical question, what's stopping Netscape?  How
>> >does Netscape setting up an 'export controlled' ftp site based on the MIT
>> >version lead to one of their executives going to jail?
>
>Maybe their executives don't want to deal with the possibility of going to
>jail and are staying far from the edge of the law.  Maybe they are too busy
>trying to find some way to make money.
>
>> I very much agree with the direction you appear to be headed in.  It seems
>> to me that Netscape should have no problem devising some sort of scenario in
>> which such a program eventually gets onto the nets, but in a way that is
>> squeaky clean, at least for THEM.  
>
>But why would they want to risk this? As squeeky clean as it is, we now
>all know that they know that making it available this way is exporting
>it. 

NO!  The government doesn't even pretend to have authority over non-exported
encryption, and they readily admit this.    And I'm sure they are also are
aware that they can't press their luck with an overbroad interpretation of ITAR.

Let's look at REALITY, okay?  Export controls on products have been around
for many decades.  Computers are a classic example.  If merely manufacturing
a product that (if exported to the wrong place) becomes a violation of such
laws/regulations, then practically every computer company that has ever
existed violated ITAR.

Here's the real "problem": Export regulations were intended to MINIMIZE the
number of controlled products "leaking through" the border.  There was never
any illusion that this could be entirely eliminated. So far so good: They
were happy to minimize the number of mainframe computers 1970 (for example)
USSR got.

Software, by its very nature, is infinitely copiable, which means that even
a single export  constitutes a complete failure of the system.  Thus, a
system of regulation that was useful for hardware becomes totally useless
for software.

 
>> In addition, why should they even need to write the encrytion part of their
>> software IN the US?  It occurs to me that one way to do this might be to
>> send one of their programmers to a conveniently-located place, such as
>> Vancouver BC , Montreal Canada, or a few other nearby places, with a great
>> deal of fanfare, and tell him to "write some crypto."  He does, and brings
>> it back into the US with him, leaving a copy of it "outside" the country for
>> international distribution.
>
>This is illegal as well. 

No, it isn't.

>The programmer is exporting the cryptosystem,

No, he isn't.  Exporting a book on encryption, including algorithms, for
example, is entirely LEGAL.  

And I think you're misusing the term, "cryptosystem."  The government may be
attempting to use ITAR to regulate exports of fully-functioning software,
but it apparently cannot touch books containing source code for such
programming.  Thus, "exporting the cryptosystem" is NOT always a violation
of ITAR if your definition of "cryptosystem" is so broad as to include
source-on-paper, and thus your statement is legally irrelevant.  If you
tighten up the term "cryptosystem" to  include only functioning software,
your statement becomes false because said programmer does not need to export
same.

Note that I'm assuming that the programmer GENUINELY writes the software
abroad, as opposed to faking it.   Of course, even "faking it" might be
legal:  If source-on-paper exporting is LEGAL, then taking a copy of an
encryption program outside the country on paper, then scanning it into a
computer and recompiling there should also be legal. 

>and may even be guilty of treason (probably not).  If you really want
>strong crypto, just buy it fom one of the hundreds of legitimate
>overseas suppliers.  If you want to export strong crypto Netscape,
>rewrite Netscape outside the US.  It's not that complex a program.

That's not a satisfactory solution.  The goal, I suggest, is to allow
Netscape (or any other manufacturer) to sell a SINGLE product around the
world, without violating (even arguably) ITAR.