
Re: I@Week on crypto export loophole 6/24/96



At 10:30 PM 7/11/96 -0400, Will Rodger wrote:

>Bidzos' pending deal brought forth several questions:
>1 - Could others try something like the DES deal with stuff under copyright
>and still make money doing it?
>2 - If so, was the administration aware of it? and;
>3 - Who, if anyone, would be the first to try it?
>
>The answers were:
>1 - Yes, someone else could try it.
>2 - The administration wouldn't comment, but had an official reply that
>showed it grasped all the implications within 15 minutes of our asking.
>3 - No one's stepping forward, but Ken Bass, atty. for Phil Karn and Phil
>Zimmermann, among others, said he knew some folks were considering moves
>along those lines, though he gave few details.
>
>Steptoe & Johnson cyberspace atty. Stewart Baker suggested such a move would
>be "extremely aggressive advice," though "not quite insane," if I remember
>correctly.

Well, lawyers have to be really careful about appearing to endorse something 
that's on the edge of legality.  Also, it's obvious that the advice given 
would be vastly different depending on who was doing the asking.  If it were 
one of the two companies potentially involved, they'd probably be told that 
doing this would be frowned on.  If it were the individual considering 
secretly exporting the program, he'd be told "Don't tell us!  And whatever 
you do, don't get caught!"


>A few caveats to any US citizen who finds himself trying to help such a
>situation occur:
>
>1) The loophole can be closed by executive order with little or no notice,

It's unclear if a foreign national on foreign soil can be considered within 
the jurisdiction of the US, especially merely for being the recipient of 
software whose export would have been illegal under US law.  If the copy is 
re-mailed to him from a third country, he doesn't even know for sure if the 
software was ever illegally exported.

And "executive orders" are already on constitutionally shaky ground anyway, 
as are export controls for crypto.  (As I understand it, "executive order" 
was originally considered binding only on government employees; it was akin 
to an order internal to a company.)  An executive order prohibiting a 
private company's receipt of money for licensing fees on software which, IF 
EXPORTED, would require a license is straining credulity more than a bit.

And moreover, there's the question of whether or not this logic extends to 
any licensing regardless of how remote it is.  Could a US semiconductor 
company be barred from licensing ordinary semiconductor technology, if the 
foreign recipient of that license decides to use it for building an 
encryption chip?  What if they use it to build an ordinary DRAM chip that 
just happens to be installed into a crypto phone, perhaps by a third party?  
Could the writer of a C++ compiler be denied the right to export simply 
because one foreign customer used a copy of that program to compile an 
encryption program abroad?

And they should be able to turn the royalty payment into something that 
achieves the same payback (say, the use of a logo signifying approval) 
rather than the specific use of a particular piece of software.


>and
>2) Any citizen aiding the export of such software will, of course, be brought
>up on some pretty serious felony charges if caught. Foreign nationals are
>doubtless subject to the same laws if on US soil while the deed gets done.

"Getting away with it" probably involves no more than writing a floppy with 
software, putting a few stamps on it and addressing it to a foreign country, 
putting either no return address or a fake one on it, and then tossing it in 
a convenient USnail box.  (Taking all the usual precautions against 
fingerprints, DNA testing, etc.)  In practice, the likelihood of getting 
caught if you're careful is somewhere between zero and nil.  Pre-encrypting 
the data with the recipient's public key makes it that much more difficult 
for the USG to show that it's being illegally exported.


>Then again, Baker said, "if one gets away with it, dozens will try it, too."
>I won't be the first to try.

As I see it, the most important issue is not the legal status of the one 
actually doing the export/mailing, but in fact the organization which is the 
recipient and thus, the beneficiary of this act.  _THAT_ organization will 
be well-identified, yet will not have done anything obviously illegal.  Is 
there any indication that Baker was trying to distinguish between the one 
physically mailing it, and those receiving it?


Jim Bell
[email protected]