[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ITAR financial crypto exception?



At 04:42 PM 10/30/96 -0800, Martin Minow wrote:

>At the Bernstein case oral arguments last September, I distinctly
>remember the government lawyer stating that the United States does
>not restrict "financial cryptography." Perhaps he should have
>qualified his argument somewhat.
>
>This statement bothered me, as I cannot understand how an encryption
>algorithm can "know" that it is encrypting a financial transaction,
>rather than some non-financial document that would be export-restricted.

According to the "United States Munitions List", 22 CFR 121.1, Category
XIII, "Auxiliary Military Equipment":

"Information Security Systems and equipment, cryptographic devices,
software, and components specifically designed or modified therefor" are
included in the munitions list; but not if they are 

"[s]pecially designed, developed or modified for use in machines for
banking or money transactions, and restricted to use only in such
transactions. Machines for banking or money transactions include automatic
teller machines, self-service statement printers, point of sale terminals
or equipment for the encryption of interbanking transactions." (22 CFR
121.1, Category XIII (b)(1)(ii)),

or if they are 

"[l]imited to access control, such as automatic teller machines,
self-service statement printers or point of sale terminals, which protects
password or personal identification numbers (PIN) or similar data to prevent
unauthorized access to facilities but does not allow for encryption of
files or
text, except as directly related to the password of PIN protection." (22
CFR 121.1, Category XIII (b)(1)(v)).

As I read this, people exporting ATM's and other commercial financial
equipment don't need to fuss over the ITARs; and probably not people
selling Bank-O-Matic software; the question is not whether or not the
software involved could be used for financial applications, or if it can
tell that it is (and turn on or off strong crypto), but whether or not the
system in question was "specially designed, developed, or modified" for
financial applications (or access control), and limited (by some means) to
only those uses; and this is a question that humans can (and must) answer
at the time of export.

(Also, I don't think that *documents* are ever export controlled; just the
applications/systems that read and write them. Nobody tell the State Dept
about John von Neumann and the interchangeability of code and data, ok? :)  

I understood Mr. Coppolino's remarks to be referring to the above; but if
his statement was as broad as you remember, he perhaps went a bit too far.
(Or maybe he was thinking of something else.) I don't remember the context
of his comments. Does anyone know if a transcript of the hearing is
available? It's my understanding that many court reporters are now making
transcriptions available on disk, facilitating easy transition to the Web.  

As always, my comments are provided not as legal advice (or even as an
authoritative understanding/interpretation of the ITARs/AECA) but as a
contribution towards a general discussion. I still don't have an especially
current source for the text of the ITARs at home; the above is from the
EFF's copy of the 1993 changes. Someday I'll remember to pop across the bay
and pick up a copy at the US Gov bookstore, but it hasn't happened yet.
(Looks like the paperback 22 CFR volume is around $30, from info I found on
the Web, if anyone else is interested. It'd make a good thing to set hot
things on when they come off of the stove. :) 


--
Greg Broiles                |  "We pretend to be their friends,
[email protected]         |   but they fuck with our heads."
http://www.io.com/~gbroiles |
                            |