[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
A lengthy preliminary analysis of the Leahy bill.
This is a preliminary draft of my preliminary analysis of the Leahy
bill. In it I am primarily concerned with the affect---if any---of
that bill on the constitutionally protected freedoms of speech and of
the press.
At times in this submission I may seem overly suspicious of some
agencies of the government. That may be a consequence of this being
merely a preliminary draft; it is more likely, however, that it is the
result of years of studying the ITAR and the antics of the agents in
the Office of Defense Trade Controls and the NSA as they relate to the
licensing requirements for cryptographic software.
Permission is granted to post this submission to other mailing lists
and news groups, but only if it is posted in its entirety (except for
headers other than the ``To'', ``From'', and ``Subject'' lines).
-------------------------------------------------
The Leahy Bill known as the Encrypted Communications Privacy Act is
certainly well intentioned and Senator Leahy and the other sponsors
(Senators Burns, Dole, Murray, and Pressler) should be congratulated
for their efforts.
Those whose major goal is to be able to export mass-marketed
cryptography have good reason to support this bill, even though it has
features---and ambiguities---that they may find undesireable, and even
though the bill may not actually make all mass marketed cryptographic
hardware and software freely exportable. (There is even the danger
that it might even be interpreted (for reasons that I will explain
hereafter) as not making any change in the requirements for the export
of cryptographic software, whether mass marketed or not).
On the other hand, those like Daniel Bernstein and myself, who want to
publish information---including algorithms and source code---that is
subject to the licensing requirements of the International Traffic in
Arms Regulations (``ITAR'') that apply to cryptographic devices and
software---at least according to the National Security Agency's
representatives and that agency's puppets in the Office of Defense
Trade Controls---may find the bill more of a hindrance than a help in
their efforts to assert the constitutional right of freedom of speech
and of the press.
My concern is not that the bill will somehow lead to mandatory key
escrow. My concern is that in relaxing the restrictions on the export
of software as a commodity it may actually give support to the efforts
of the censors to keep Daniel Bernstein from publishing his article
about his algorithm for converting a hash function into a
cryptographic program---I hope that is a fair enough description of
his article, an article that the censors have prevented me from ever
seeing---and those censor's efforts to keep me from publishing my
materials---which contain some cryptographic software---for my course
in computers and the law, and to keep foreign students from taking that
course.
The major threat is that, for the first time, there would be
at least colorable Congressional authority for the requirement that
one obtain a license before publishing or otherwise disclosing
information. And software is, after all, nothing but information.
Let me go through the bill and attempt to explain my concerns. (I hope
that the version of the bill that I am using is correct.)
A BILL
To affirm the rights of Americans to use and sell encryption products,
to establish privacy standards for voluntary escrowed encryption
systems, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Encrypted Communications Privacy Act of
1996".
SEC. 2. PURPOSE.
It is the purpose of this Act-
(1) to ensure that Americans are able to have the maximum possible
choice in encryption methods to protect the security, confidentiality,
and privacy of their lawful wire or electronic communications; and
(2) to establish privacy standards for key holders who are voluntarily
entrusted with the means to decrypt such communications, and
procedures by which investigative or law enforcement officers may
obtain assistance in decrypting such communications.
I have no objections to the provisions of this section---except
possibly for the reference to procedures by which officers may obtain
assistance in decrypting communications. But I am not happy that the
purpose does not include protecting the freedoms of speech and of the
press, and particularly the freedom to communicate information about
cryptography.
SEC. 3. FINDINGS.
The Congress finds that-
(1) the digitization of information and the explosion in the growth
of computing and electronic networking offers tremendous potential
benefits to the way Americans live, work, and are entertained, but
also raises new threats to the privacy of American citizens and the
competitiveness of American businesses;
Notice that there is nothing here---at least not directly---about the
freedom to distribute and to obtain access to information and that,
therefore, there is no mention of the constitutional right to speak
and publish information about cryptography.
(2) a secure, private, and trusted national and global information
infrastructure is essential to promote economic growth, protect
citizens' privacy, and meet the needs of American citizens and
businesses.
Once again, there is nothing about the freedom to distribute and
obtain access to information.
(3) the rights of Americans to the privacy and security of their
communications and in conducting their personal and business affairs
should be preserved and protected;
I like this one.
(4) the authority and ability of investigative and law enforcement
officers to access and decipher, in a timely manner and as provided
by law, wire and electronic communications necessary to provide for
public safety and national security should also be preserved;
This is presumably included as a political compromise. Those whose
concerns are primarily with marketing software can probably live with
it. Those who are concerned with privacy and liberty and human
decency should, on the other hand, find this finding terrifying. (Of
course, one can argue that the findings are just window dressing
without any substantive significance; I assure you, however, that they
can be used to interpret the substantive provisions of the statute and
that ultimately the interpretation is more important than the words of
the statute itself.)
(5) individuals will not entrust their sensitive personal, medical,
financial, and other information to computers and computer networks
unless the security and privacy of that information is assured;
I have no problem with this as a finding, though I am not sure that I
want to encourage people to entrust sensitive information to computers
and computer networks, no matter what assurances they may be given.
(6) business will not entrust their proprietary and sensitive
corporate information, including information about products,
processes, customers, finances, and employees, to computers and
computer networks unless the security and privacy of that
information is assured;
No problem.
(7) encryption technology can enhance the privacy, security,
confidentiality, integrity, and authenticity of wire and electronic
communications and stored electronic information;
That is correct.
(8) encryption techniques, technology, programs, and products are
widely available worldwide;
Yep.
(9) Americans should be free lawfully to use whatever particular
encryption techniques, technologies, programs, or products developed
in the marketplace they desire in order to interact electronically
worldwide in a secure, private, and confidential manner;
The clumsiness of the language worries me. That word ``lawfully'' may
just mean that Congress finds that people should be free to do
whatever the law allows, but that there are no restrictions on what
the law may forbid.
More troublesome is the reference to programs ``developed in the
market place''. That might be read as suggesting that there is no
freedom to use products that were not developed in the market place.
(The small number of programs that I have written have all been
developed in my head, and in my head's extension, my computer; none of
them had anything to do with the market place. Are the programs
produced by the Free Software Foundation produced in the market place?)
(10) American companies should be free to compete and to sell
encryption technology, programs, and products;
I have no objection to this finding, but notice that it has nothing to
do with the free speech issues that are my concerns. I want to be
able to give away the programs that I have written, and to give away
encryption technology, programs, and products that are subject to
copylefts or are otherwise available. And I want to be able to
explain to my law students about how encryption programs work and why
they may be ethically required to use them for electronic
communications with their clients (and where to get them).
(11) there is a need to develop a national encryption policy that
advances the development of the national and global information
infrastructure, and preserves Americans' right to privacy and the
Nation's public safety and national security;
I don't really object to this, but I suspect that the best policy
would be no policy. There are powers within the government who would
use the reference to ``the Nation's public safety and national
security'' as a basis for continuing to restrict the export or
publication or other disclosure of any secure cryptographic software
and algorithms.
(12) there is a need to clarify the legal rights and
responsibilities of key holders who are voluntarily entrusted with
the means to decrypt wire or electronic communications;
I am not sure that this would not best be left to private agreements
between the owners of the keys and their holders. (But this is not in
the area of my concern.)
(13) the Congress and the American people have recognized the need
to balance the right to privacy and the protection of the public
safety and national security;
This is most unfortunate. In cases of extreem danger the courts may
allow the agents of the state to ignore the constitutional right of
privacy, but it is not a matter of ``balancing'' equally protected
interests. The agents of the state always claim that they are acting
in order to protect public safety and national security, especially
when they are trying to destroy the safety of the constitution.
(14) the Congress has permitted lawful electronic surveillance by
investigative or law enforcement officers only upon compliance with
stringent statutory standards and procedures; and
I guess I don't object to this, except that I am not sure that it is
true.
(15) there is a need to clarify the standards and procedures by
which investigative or law enforcement officers obtain assistance
from key holders who are voluntarily entrusted with the means to
decrypt wire or electronic communications, including such
communications in electronic storage.
This seems confused; what about encrypted data that is not a communication?
SEC. 4. FREEDOM TO USE ENCRYPTION.
(a) LAWFUL USE OF ENCRYPTION.-It shall be lawful for any person within
any State of the United States, the District of Columbia, the
Commonwealth of Puerto Rico, and any territory or possession of the
United States, and by United States persons in a foreign country to
use any encryption, regardless of encryption algorithm selected,
encryption key length chosen, or implementation technique or medium
used except as provided in this Act and the amendments made by this
Act or in any other law.
This only says it is lawful to use encryption unless there is a law
forbidding it. I hardly find that helpful.
(b) GENERAL CONSTRUCTION.-Nothing in this Act or the amendments made
by this Act shall be construed to-
(1) require the use by any person of any form of encryption;
OK, but shouldn't it also cover requiring any person _not_ to use any
form of encryption?
(2) limit or affect the ability of any person to use encryption
without a key escrow function; or
OK, though the language is rather clumsy.
(3) limit or affect the ability of any person who chooses to use
encryption with a key escrow function not to use a key holder.
SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS.
(a) IN GENERAL.-Part I of title 18, United States Code, is amended by
inserting after chapter 121 the following new chapter:
"CHAPTER 122-ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS
"2801. Definitions.
"2802. Prohibited acts by key holders.
"2803. Reporting requirements.
"2804. Unlawful use of encryption to obstruct justice.
"2805. Freedom to sell encryption products.
These provisions are not my major concern at this time, but note that
``encryption'' by definition only applies to wire and electronic
communications. It thus seems that these provisions have nothing to
do with data that is encrypted but that is not a communication.
Do you think that this was what was intended?
"\S 2801. Definitions
"As used in this chapter-
"(1) the terms 'person', 'State', 'wire communication', 'electronic
communication', 'investigative or law enforcement officer', 'judge
of competent jurisdiction', and 'electronic storage' have the same
meanings given such terms in section 2510 of this title;
"(2) the term 'encryption' means the scrambling of wire or
electronic communications using mathematical formulas or algorithms
in order to preserve the confidentiality, integrity or authenticity
and prevent unauthorized recipients from accessing or altering such
communications;
"(3) the term 'key holder' means a person located within the United
States (which may, but is not required to, be a Federal agency) who
is voluntarily entrusted by another independent person with the
means to decrypt that person's wire or electronic communications for
the purpose of subsequent decryption of such communications;
"(4) the term 'decryption key' means the variable information used
in a mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire or electronic communications that have
been encrypted; and
"(5) the term 'decryption assistance' means providing access, to the
extent possible, to the plain text of encrypted wire or electronic
communications.
"\S 2802. Prohibited acts by key holders
"(a) UNAUTHORIZED RELEASE OF KEY.-Except as provided in subsection
(b), any key holder who releases a decryption key or provides
decryption assistance shall be subject to the criminal penalties
provided in subsection (e) and to civil liability as provided in
subsection (f).
"(b) AUTHORIZED RELEASE OF KEY.-A key holder shall only release a
decryption key in its possession or control or provide decryption
assistance-
"(1) with the lawful consent of the person whose key is being held
or managed by the key holder;
"(2) as may be necessarily incident to the holding or management of
the key by the key holder; or
"(3) to investigative or law enforcement officers authorized by law
to intercept wire or electronic communications under chapter 119, to
obtain access to stored wire and electronic communications and
transactional records under chapter 121, or to conduct electronic
surveillance, as defined in section 101 of the Foreign Intelligence
Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with
subsection (c) of this section.
Except for subdivision (3) this seems totally unnecessary. Let the
parties agree to any arrangement they want. (And anyone who is
seriously going to use an outside key holder is going to want to have
them bonded, and will look to the bonding company for protection.
(Bonding companies are mean.))
"(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE; OR
LAW ENFORCEMENT OFFICER.-
"(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.-A key holder is
authorized to release a decryption key or provide decryption
assistance to an investigative or law enforcement officer authorized
by law to conduct electronic surveillance under chapter 119, only
if-
"(A) the key holder is given- "(i) a court order signed by a judge
of competent jurisdiction directing such release or assistance; or
"(ii) a certification in writing by a person specified in section
2518(7) or the Attorney General stating that- "(I) no warrant or
court order is required by law;
"(II) all requirements under section 2518(7) have been met; and
"(III) the specified release or assistance is required;
"(B) the order or certification under paragraph (A)-
"(i) specifies the decryption key or decryption assistance which is
being sought; and
"(ii) identifies the termination date of the period for which
release or assistance has been authorized; and"(C) in compliance
with an order or certification under subparagraph (A), the key
holder shall provide only such key release or decryption assistance
as is necessary for access to communications covered by subparagraph
(B). "(2) STORED WIRE AND ELECTRONIC COMMUNICATIONS.-(A) A key
holder is authorized to release a decryption key or provide
decryption assistance to an investigative or law enforcement officer
authorized by law to obtain access to stored wire and electronic
communications and transactional records under chapter 121, only if
the key holder is directed to give such assistance pursuant to the
same lawful process (court warrant, order, subpoena, or
certification) used to obtain access to the stored wire and
electronic communications and transactional records.
"(B) The notification required under section 2703(b) shall, in the
event that encrypted wire or electronic communications were obtained
from electronic storage, include notice of the fact that a key to
such communications was or was not released or decryption assistance
was or was not provided by a key holder.
"(C) In compliance with the lawful process under subparagraph (A),
the key holder shall provide only such key release or decryption
assistance as is necessary for access to the communications covered
by such lawful process.
Note once again that this applies only to _communications_.
"(3) USE OF KEY.-(A) An investigative or law enforcement officer to
whom a key has been released under this subsection may use the key
only in the manner and for the purpose and duration that is
expressly provided for in the court order or other provision of law
authorizing such release and use, not to exceed the duration of the
electronic surveillance for which the key was released.
"(B) On or before completion of the authorized release period, the
investigative or law enforcement officer to whom a key has been
released shall destroy and not retain the released key.
"(C) The inventory required to be served pursuant to section
2518(8)(d) on persons named in the order or the application under
section 2518(7)(b), and such other parties to intercepted
communications as the judge may determine, in the interest of
justice, shall, in the event that encrypted wire or electronic
communications were intercepted, include notice of the fact that
during the period of the order or extensions thereof a key to, or
decryption assistance for, any encrypted wire or electronic
communications of the person or party intercepted was or was not
provided by a key holder.
"(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or
agent thereof shall disclose the key release or provision of
decryption assistance pursuant to subsection (b), except as may
otherwise be required by legal process and then only after prior
notification to the Attorney General or to the principal prosecuting
attorney of a State or any political subdivision of a State, as may
be appropriate.
"(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.-A key holder,
shall not disclose a record or other information (not including the
key) pertaining to any person whose key is being held or managed by
the key holder, except-
"(1) with the lawful consent of the person whose key is being held
or managed by the key holder; or
"(2) to an investigative or law enforcement officer pursuant to a
subpoena authorized under Federal or State law, court order, or
lawful process.
An investigative or law enforcement officer receiving a record or
information under paragraph (2) is not required to provide notice to
the person to whom the record or information pertains. Any disclosure
in violation of this subsection shall render the person committing the
violation liable for the civil damages provided for in subsection (f).
"(e) CRIMINAL PENALTIES.-The punishment for an offense under
subsection (a) of this section is-
"(1) if the offense is committed for a tortious, malicious, or
illegal purpose, or for purposes of direct or indirect commercial
advantage or private commercial gain- "(A) a fine under this title
or imprisonment for not more than 1 year, or both, in the case of a
first offense under this subparagraph; or
"(B) a fine under this title or imprisonment for not more than 2
years, or both, for any second or subsequent offense; and"(2) in any
other case where the offense is committed recklessly or
intentionally, a fine of not more than $5,000 or imprisonment for
not more than 6 months, or both.
"(f) CIVIL DAMAGES.-
"(1) IN GENERAL.-Any person aggrieved by any act of a person in
violation of subsections (a) or (d) may in a civil action recover
from such person appropriate relief.
"(2) RELIEF.-In an action under this subsection, appropriate relief
includes- "(A) such preliminary and other equitable or declaratory
relief as may be appropriate;
"(B) damages under paragraph (3) and punitive damages in appropriate
cases; and
"(C) a reasonable attorney's fee and other litigation costs
reasonably incurred."(3) COMPUTATION OF DAMAGES.-The court may
assess as damages whichever is the greater of-
"(A) the sum of the actual damages suffered by the plaintiff and any
profits made by the violator as a result of the violation; or
"(B) statutory damages in the amount of $5,000."(4) LIMITATION.-A
civil action under this subsection shall not be commenced later than
2 years after the date upon which the plaintiff first knew or should
have known of the violation.
"(g) DEFENSE.-It shall be a complete defense against any civil or
criminal action brought under this chapter that the defendant acted in
good faith reliance upon a court warrant or order, grand jury or trial
subpoena, or statutory authorization.
"\S 2803. Reporting requirements
"(a) IN GENERAL.-In reporting to the Administrative Office of the
United States Courts as required under section 2519(2) of this title,
the Attorney General, an Assistant Attorney General specially
designated by the Attorney General, the principal prosecuting attorney
of a State, or the principal prosecuting attorney of any political sub
division of a State, shall report on the number of orders and
extensions served on key holders to obtain access to decryption keys
or decryption assistance.
"(b) REQUIREMENTS.-The Director of the Administrative Office of the
United States Courts shall include as part of the report transmitted
to the Congress under section 2519(3) of this title, the number of
orders and extensions served on key holders to obtain access to
decryption keys or decryption assistance and the offenses for which
the orders were obtained.
"\S 2804. Unlawful use of encryption to obstruct justice
"Whoever willfully endeavors by means of encryption to obstruct,
impede, or prevent the communication of information in furtherance to
a felony which may be prosecuted in a court of the United States, to
an investigative or law enforcement officer shall-
"(1) in the case of a first conviction, be sentenced to imprisonment
for not more than 5 years, fined under this title, or both; or
"(2) in the case of a second or subsequent conviction, be sentenced
to imprisonment for not more than 10 years, fined under this title,
or both.
This provision is completely incoherent. There is no telling how the
government will interpret it, but at a guess they will use it to make
people reveal their keys: ``if you don't tell us your key, we are
going to charge you with impeding the communication to me of
information about the felony I am investigating.''
"� 2805. Freedom to sell encryption products
"(a) IN GENERAL.-It shall be lawful for any person within any State of
the United States, the District of Columbia, the Commonwealth of
Puerto Rico, and any territory or possession of the United States, to
sell in interstate commerce any encryption, regardless of encryption
algorithm selected, encryption key length chosen, or implementation
technique or medium used.
This sounds nice, but remember that ``encryption'' is defined as:
``the scrambling of wire or electronic communications using
mathematical formulas or algorithms in order to preserve the
confidentiality, integrity or authenticity and prevent unauthorized
recipients from accessing or altering such communications''. So what
does it mean to sell ``any encryption''?
"(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.-
"(1) GENERAL RULE.-Notwithstanding any other law, subject to
paragraphs (2), (3), and (4), the Secretary of Commerce shall have
exclusive authority to control exports of all computer hardware,
software, and technology for information security (including
encryption), except computer hardware, software, and technology that
is specifically designed or modified for military use, including
command, control, and intelligence applications.
OK, here is where the problems that concern me arise.
This provision sounds quite nice, but it covers up several big
problems.
In the first place, the delegation to the Secretary of Commerce sounds
like a good idea, because, at the present time the people in the
Commerce department who enforce export controls are very nice and
helpful, and operate reasonably under reasonable regulations, while
the puppets who front for the NSA (or are actually agents of the NSA)
in the Office of Defense Trade Controls are not very nice, are
exceptionally unhelpful, and specialize in unreasonable---and down
right irrational---interpretations of unreasonable regulations. But
if the jurisdiction is handed over to Commerce, I predict that the the
puppet masters will turn their attention to Commerce, and shortly
thereafter---if only because of Presidential pressure---Commerce will
have its own incoherent regulations and its own unpleasent people and
it won't be as easy to export software as one might hope.
Note that the transfer is to Commerce but there is nothing that
expressly specifies what law is to be applied by Commerce. Thus in
theory at least there is nothing to stop Commerce from enforcing the
same old provisions of the ITAR
>From the point of view of one who is concerned with first amendment
rights rather than selling cryptographic software as a commodity, the
really unfortunate part is that this provision authorizes export
contols on ``software''. Now the Leahy bill does not define software,
but there is a definition of lying around in the International Traffic
in Arms Regulations (``ITAR'') that I fear Commerce might adopt---it
may even be the language that the draftsmen of the Leahy bill had in
mind. And this definition of ``software'' includes a great deal of
material that cannot constitutionally be controlled. Here is that
definition from the ITAR \S 121,8(f): ``Software includes but is not
limited to the system functional design, logic flow, algorithms,
application programs, operating systems and support software for
design, implementation, test, operation, diagnosis and repair.''
Note that what is covered here is nothing but information, and that
that information includes algorithms, _i.e._ recipes. If the
government can constitutionally ``control'' the ``export'' of
cryptographic algorithms by requiring a license before one can publish
them or otherwise disclose them to a foreign person, then they can
require a license before one publishes Julia Child's recipe for a
_bombe surprise_ or a recipe for winning a Presidential election
without actually committing any felonies.
Even if that definition is adopted, the fact remains that software is
still nothing but information, and that it is the communication of
information that is protectected by the first amendment to the United
States constitution. (If you aren't convinced that software is
protected by the first amendment, notice that software is
copyrightable as a ``literary work''.) Note that the paradigmatic
violation of the first amendment is a scheme under which the
government requires publishers to obtain a license before publishing.
Part of what I fear is that, were the Leahy bill to be passed in its
present form is that the President, in conformance with that bill,
would simply transfer the licensing and rule making powers with
respect to cryptographic devices and software to the Department of
Commerce, but would still leave them controlled by the ITAR and the
Arms Export Control Act just as they are now, including all of the
cryptic and unconstitional interpretations of ITAR that up to now have
been imposed upon the Office of Defense Trade Controls by the National
Security Agency. There is nothing in the Leahy bill that forbids that
sort of shell game. The trouble is that there is nothing in the bill
that specifies the law under which Commerce is to ``control''
cryptographic devices and software.
The real problem, however, is simply that the Leahy bill appears to
authorize control (including licensing) of cryptographic software and
thus to authorize the imposition of licensing requirements for the
constitutionally protected communication of information. At the
present time, on the other hand, although the Arms Export Control Act
does, quite constitutionally, require licensing of physical devices,
the provisions in the ITAR requiring licenses for the communication of
information are not authorized by any act of congress. (The point is
of practical importance because the courts may be willing to strike
down the ITAR's licensing requirements on software on the grounds that
they are _ultra vires_ simply to avoid having to decide the
constitutional issues.)
Thus the major problem with the Leahy bill, from the point of view of
those concerned with the freedoms of speech and of the press, is that
it conflates hardware, which can be regulated constitutionally, with
software, which is text that cannot be constitutionally regulated, and
certainly cannot be subjected to a licensing scheme. (The agents of
the NSA in the Office of Defense Trade Controls try to confuse this
distinction, claiming that cryptographic software is hardware, not
information that is in the public domain under the provisions of the
ITAR.)
The only satisfactory bill, from the point of view of those of us who
are concerned with freedom of speech and of the press would be a bill
that says that export licensing controls do not apply, and recognizes
that export controls cannot be applied constitutionally, to the
publication or other disclosure or communication of software.
Another problem is that the Leahy bill expressly does not apply to
``computer hardware, software, and technology that is _specifically
designed or modified for military use_, including command, control,
and intelligence applications''.
This may sound harmless, but the emphasized language is almost exactly
the language that is used in the ITAR to define what can be included
on the United States Munition List in the ITAR. The major
prerequisite for the designation of an article or service on the
United States Munitions List, according to ITAR \S 120.3, is that it
is: ``specifically designed, developed, configured, adapted, or
modified for a military application''.
This strongly suggests that, if the Leahy bill were adopted, the NSA
and the Office of Defense Trade Controls would simply take the
position that cryptographic devices and software still are
specifically designed for military use and thus remain on the
Munitions List and under the control of the Office of Defense Trade
Controls in the State Department. This would seem to inconsistent
with the intent of the Leah bill, but that is hardly going to bother
the rather spooky people in the Office of Defense Trade Controls since
the law expressly provides that the courts may not review the
designation of an item on the United States Munitions List. (Even
before that provision forbidding judicial review was adopted, one
federal district court held that the defendant in a criminal
case---whose alleged crime was exporting cable or satellite TV
descrambler boxes---could not challenge the inclusion of descramblers
on the Munitions List, because their inclusion was an unreviewable
``political'' determination.)
Thus I predict that the passage of the Leahy amendment would have no
affect whatsoever on the licensing requirements that are presently
applied by the Office of Defense Trade Controls to cryptographic
devices and software. The people who enforce those requirements are
not now governed by law or logic; the Leahy bill is not likely to
change that, not when it contains such a gaping loophole.
But let us look at the particular provisions of the Leahy bill that
will supposedly ease the burden on both cryptographic hardware and
software:
"(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be
required, except pursuant to the Trading With The Enemy Act or the
International Emergency Economic Powers Act (but only to the extent
that the authority of such Act is not exercised to extend controls
imposed under this Act), for the export or reexport of-
``Validated license'' is a term that is not used in the Arms Export
Control Act and the ITAR, so to the extent that that act and those
regulations remain applicable to cryptographic devices and
software---and, as has been pointed out, nothing in the Leahy bill
purports to change that---, this provision will have no affect
whatsoever.
On the other hand, the term ``validated license'' is used in the
regulations of the Bureau of Export Administration of the Department
of Commerce. Thus 15 Code of Federal Regulations \S 770.2 defines
``Validated license'' as: ``A document issued by or under the
authority of the Bureau of Export Administration, authorizing
export.'' So perhaps this provision of the Leahy bill does give some
protection, but only if the powers of the Commerce Department to
regulate software are deligated to Commerce's Bureau of Export
Administration and even then only if this definition is not amended.
It would, moreover, have been preferable if the bill had provided that
cryptographic hardware and software are entitled to a ``general
license'', which is defined in 15 CFR \S 770.2 as follows: ``A license
established by the U.S. Department of Commerce for which no
application is required and for which no document is granted or
issued. It is available for use by all persons, except those listed in
and prohibited by the provisions of Supplement No. 1 to part 788, and
permits export within the provisions thereof as prescribed in the
Export Administration Regulations. These general licenses are not
applicable to exports under the licensing jurisdiction of agencies
other than the Department of Commerce.'' (But note the last
provision.)
"(A) any software, including software with encryption
capabilities, that is-
"(i) generally available, as is, and designed for installation by
the purchaser; or
"(ii) in the public domain or publicly available because it is
generally accessible to the interested public in any form; or
"(B) any computing device solely because it incorporates or employs in
any form software (including software with encryption capabilities)
exempted from any requirement for a validated license under
subparagraph (A).
This provision at first glance looks pretty good, but it arguably
offers no protection to people like Daniel Bernstein and myself who
want to publish new (even if, as is ture in my case, also trivial)
software with encryption capabilities. The ITAR also has a public
domain exemption, but the censors in the Office of Defense Trade
Controls take the position that one would violate the ITAR by the act
of putting matter in the public domain or making it generally
available. (The Office of Defense Trade Controls also takes the
position that cryptographic software is not information that can fall
within the public domain exception in the ITAR.)
Note that though no validated license can be required for such
software and related hardware under the Leahy bill, there is nothing
that says that such software and hardware is entitled to a general
license. One may thus find oneself in the situation---that happened
for example to Daniel Bernstein under the ITAR---that one has written
software that cannot be exported without a license, but for which no
possible license is available.
"(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The
Secretary of Commerce shall authorize the export or reexport of
software with encryption capabilities for nonmilitary end-uses in
any country to which exports of software of similar capability are
permitted for use by financial institutions not controlled in fact
by United States persons, unless there is substantial evidence that
such software will be-
"(A) diverted to a military end-use or an end-use supporting
international terrorism;
"(B) modified for military or terrorist end-use; or
"(C) reexported without requisite United States authorization.
Here we see what appears to be authority for the Secretary of Commerce
to regulate the export of software, a provision that probably violates
the first amendment of the United States constitution, unless the
definition of ``export or rexport of software'' is limited in a manner
that would make the regulation quite ineffective. The Leahy bill,
however, makes no effort to define what is an ``export'' of software.
One thus has reason to fear that the Secretary of Commerce will simply
adopt the definitions which have been used to restrain the publication
or other disclosure of cryptographic software under the ITAR.
"(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall
authorize the export or reexport of computer hardware with encryption
capabilities if the Secretary determines that a product offering
comparable security is commercially available from a foreign
supplier without effective restrictions outside the United States.
This applies only to hardware, and so is not subject to attack on
first amendment grounds. I am willing to bet, however, that if this
provision is passed, the National Security Agency would be delegated
the job of determing whether products of comparable security are
available outside the United States and that very few products would
be found by the NSA to be comparable (and that it would take years to
get a determination of any sort).
"(5) DEFINITIONS.-As used in this subsection-
"(A) the term 'generally available' means, in the case of
software (including software with encryption capabilities),
software that is widely offered for sale, license, or transfer
including, but not limited to, over-the-counter retail sales,
mail order transactions, phone order transactions, electronic
distribution, or sale on approval;
Notice that this gives no protection to those who do not widely offer
their software for sale, license, or transfer---persons like Daniel
Bernstein and almost all academic cryptographers, for example. Those
who are interested in mass marketing cryptographic software may be
happy with this provision, but it is no consolation to those of us who
are not mass marketers. (Note that mass marketed software may be
entitled to less constitutional protection, as commercial speech, than
is the software that academics like Dan Bernstein or myself may desire
to publish as part of our research or educational activities.)
"(B) the term 'as is' means, in the case of software (including
software with encryption capabilities), a software program that is
not designed, developed, or tailored by the software company for
specific purchasers, except that such purchasers may supply certain
installation parameters needed by the software program to function
properly with the purchaser's system and may customize the software
program by choosing among options contained in the software program;
"(C) the term 'is designed for installation by the purchaser' means,
in the case of software (including software with encryption
capabilities)-
"(i) the software company intends for the purchaser
(including any licensee or transferee), who may not be the actual
program user, to install the software program on a computing device
and has supplied the necessary instructions to do so, except that
the company may also provide telephone help-line services for
software installation, electronic transmission, or basic operations;
and
"(ii) that the software program is designed for installation by the
purchaser without further substantial support by the supplier;
Note that those of us who are not a ``software company'' that sells
software to a ``purchaser'' are apparently excluded from the benefits
of this definition.
"(D) the term 'computing device' means a device which
incorporates one or more microprocessor-based central processing
units that can accept, store, process, or provide output of data; and
"(E) the term 'computer hardware', when used in conjunction with
information security, includes, but is not limited to, computer
systems, equipment, application-specific assemblies, modules, and
integrated circuits.".
I do not have any comments on the remaining portions of the bill, and
so I have deleted them from this already too lengthy submission.
I look forward to your reactions and corrections.
--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
Internet: [email protected] [email protected]