
EET on PGP API Quash
   [Thanks to BC]
   
   Electronic Engineering Times, April 29, 1996, page 4

   State Dept. Tries To Quash API's for PGP cryptography

   By Loring Wirbel


   Washington -- The Justice Department may have halted
   attempts to bring criminal charges against Phil Zimmermann,
   author of the Pretty Good Privacy (PGP) public-key
   cryptography algorithms, but the State Department is taking
   an increasingly hard line on PGP. Where once the State had
   restricted itself to warning developers against exporting
   source code with PGP file-encryption routines, it is now
   arguing that application programming interfaces (API)
   allowing PGP program insertion should be subject to control
   under arms-trading statutes.

   Warning letters sent out in the last few weeks reflect the
   bizarre status of cryptography algorithms in the
   government's Export Control Act. Under the International
   Traffic in Arms Regulations (ITAR) promulgated under the
   act, the government can restrict any encryption programs
   the National Security Agency (NSA) is uncomfortable with.
   The new moves represent the first time State has tried to
   extend ITAR to software that only provides hooks for
   encryption packages, however.

   "There is some room to maneuver and make strong arguments
   that the rules on crypto APIs have some serious
   ambiguities," said Kenneth Bass, an attorney specializing
   in export control with the Washington law firm of Venable
   Attorneys at Law. Bass said several companies have received
   warning letters from State, but most do not want to do
   battle with the Federal government.

   Meanwhile, wildly differing rulings in the U.S. District
   Courts on the West and East coasts send mixed messages
   about software embedding crypto algorithms. In refusing to
   dismiss developer Daniel Bernstein's suit against the State
   Department, Judge Marilyn Hall Patel of San Francisco ruled
   in early April that source code can be protected free
   speech.

   "The particular language one chooses does not change the
   nature of the language for First Amendment purposes," Patel
   said. "This court can find no meaningful difference between
   computer languages ... and German or French; ... whether
   source code or object code is also functional is
   immaterial." Bernstein seeks to establish that his
   zero-delay private-key program, Snuffle, is not subject to
   ITAR.

   Opposite Rationale

   But on March 22, Judge Charles Richey of Washington
   dismissed Philip Karn's suit against State using almost
   exactly the opposite rationale. Karn, an employee of
   Qualcomm Inc. (San Diego), challenged a ruling that the
   floppy disks accompanying some editions of Bruce Schneier's
   book, *Applied Cryptography*, could be barred from export.

   Judge Richey said the government was free to view
   implemented source code as a munition that could be banned,
   and said Defense Department decisions regarding materials
   covered under export control were precluded from judicial
   review. Karn appealed to the U.S. Circuit Court of Appeals
   on April 19. "The stage is being set for some very basic
   issues on source code and free speech to be decided," said
   attorney Bass.

   So far the API issue has not spurred any suits. Network
   Telesystems Inc. (Santa Clara, Calif.), a TCP/IP stack
   specialist and the one company that has admitted receiving
   a warning from State, said that a PGP API is not central
   enough to its business to warrant making its preservation
   a federal case.

   Company president John Davidson said Network Telesystems
   elected to make its new e-mail package, Confidante, "PGP
   ready" by including a PGP API instead of licensing the
   code. Davidson said the warning must have been the result
   of government officials seeing the press release on the
   package, which has not yet shipped, or a short article in
   a national magazine.

   "We thought it was a misunderstanding at first, since we
   had no resident PGP code," Davidson said. "It didn't seem
   possible that the government could really be talking about
   an interface."

   One computer-security expert said off the record that "NSA
   has told State to watch out for any APIs outside NSA's own
   effort to define a crypto API." NSA is embracing the API
   work of companies like RSA Data Security Inc., the source
   said, "but Zimmermann's PGP work has always been a
   freelance effort, so a compromise is not seen as
   necessary."

   -----