The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 67

Tuesday 1 June 1993

Contents

o Crypto as "Right to Bear Arms" issue
Larry Hunter
o Re: Peter D. Junger's risks of teaching...
Paul Robinson
Bill Murray [2]
Carl Ellison
Tim Poston
Jonathan Haruni
Martin Minow
Jerry Leichter
o Info on RISKS (comp.risks)

Crypto as "Right to Bear Arms" issue

Larry Hunter <hunter@ncbi.nlm.nih.gov>
Tue, 1 Jun 93 11:46:47 -0400
Following Peter Junger's depressingly Kafkaesque description of why US
export restrictions on cryptographic technology (or even technical data
related cryptography) makes it probably illegal to discuss his 174-byte
MSDOS program implementing a one-time pad in the law class he teaches, our
esteemed moderator said:

  Incidentally, at last week's IEEE Symposium on Research in Security and
  Privacy, a rump group decided that because crypto falls under munitions
  controls, the right to bear arms must sanction private uses of
  cryptography!

This is a point I have been making in private for some time.  I am
completely convinced that framers of the Constitution would have
wholeheartedly endorsed citizen access to effective encryption as a
fundamental right.  It's a natural part of the outlook that posits that the
citizenry should be able to publish subversive literature in their
basements, own enough weaponry so that a local militia should be able to
hold off the government, and that there is a positive obligation to rise up
in revolution against an unjust government.

However, there are several practical problems with the idea.  First of all,
constitutional rights must be balanced against each other.  Your right to
bear arms is balanced against the rights of your neighbors to pursue their
happiness in an orderly society.  One consequence of that balance is that
you cannot legally possess nuclear weapons or even, say, a .50 caliber
machine gun privately.  PGN's statement not withstanding, just because a
munition is export regulated does not mean that private US uses of these
weapons are allowed.  It is not hard to imagine the Supreme Court finding a
compelling state interest in regulating cryptologic technology in the same
manner it does machine guns.  So the "right to bear arms" strategy for
defending encryption doesn't seem likely to succeed practically.  Second,
the approach seems to stipulate that secure encryption is a "dangerous"
technology, which I suspect is a mistake.  After all, "arms" are weapons,
instruments of combat, something to fight with.  That is not how to envision
encryption.  To my mind, it is much more like a private place, or a refuge;
quite the opposite of an instrument of combat.  Encryption and related
technologies empower individuals and private associations, without
threatening anyone else.  Arms empower people precisely through direct
threats to others.  This distinction is not a small one.  We should be
fighting the claim that cryptography is useful primarily to criminals (and
is therefore threatening) for precisely the same reason.

On the other hand, perhaps we could enlist the NRA in defending effective
encryption.  Powerful allies are crucial in this fight, and I for one would
be willing to find common ground with all kinds of folks to ensure that
effective encryption technology becomes widely available.

[Please note explicitly that I do not speak for the the National Library of
Medicine or the US Government on this issue. Thanks.]

Larry Hunter, National Library of Medicine, Bethesda MD. hunter@nlm.nih.gov


Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

Paul Robinson <TDARCOS@MCIMAIL.COM>
Sun, 30 May 1993 19:48:23 -0400 (EDT)
>         A fortnight ago, in order to postpone the necessity of
> grading final exams, I started writing a simple-minded encryption
> program, which uses a "one-time pad" as a key, for use this Fall in
> my class on Computers and the Law.

It's always nice to try things.  I'm working on writing an SMTP gateway
to run on PCs to make E-Mail much more accessible to them.  The stuff
out there is complicated and troublesome to use.  You mentioned that your
program is only 174 bytes: that's good; we need people to write things
small and tight.

>         As I was writing this program I realized that it itself,
> and any `technical data' relating to it, might be subject to
> federal export licensing regulations,

I suspect if this is what the law means, then the law is on
its face unconstitutional.

You might want to write to the EFF or the ACLU.

Try asking someone at the office the following question:  If a
reporter for the New York Times were to publish your algorithm
in the paper, would the reporter or the Times be required to get
a license before it could print the article?

If he says yes, then he is declaring the law is a law mandating prior
restraint.

Judges frown heavily on laws mandating prior restraint, and especially since
we are talking about the work of a private individual, not someone working on
a contract for a government agency.  If you know the law, you know that while
the courts usually uphold laws unless the other party can show that the
statute is unconstitutional, if a law is shown to constitute prior restraint,
the courts tend to strike down the law unless there is an extreme burden
proven by the government, i.e. that there is no other way to fix the problem
the law supposedly solves.

If the law would even be able to withstand challenge, it would have to do so
using the method going back to the censorship laws on motion pictures, it may
be that if the law in question is an attempt to license a particular type of
expression, the agency may be held to the same standard as that used in the
censorship laws, i.e. that the agency must promptly issue a license or file
suit to prevent distribution.  A law that permits an agency to restrict
publication of a work and use delay to hold it out of distribution is clearly
unconstitutional.

The Copyright office has already taken a look at this issue: a work expressed
on a computer does not become something different from a work printed on
paper.

Question: do you think the law would require you to get a license before
publishing this in a technical journal?  Or require the journal in question to
do so?

>         After a little quick research I have determined that my
> program may be--and, in fact, probably is--subject to such
> licensing,

I've never had to handle stuff I wrote but I sometimes have questions
regarding stuff which I've sent as E-Mail or mailed overseas to people.

I generally ignore such laws; I believe there is a general "public" exemption
for publicly published material or anything not subject to specialized
licensing, i.e. if something is put on a BBS or is sold over the counter in a
store, it can be shipped anywhere in the world (except Vietnam, Libya and
Cuba, and any of the countries with banns, such as Iraq, etc.)  PKWare has
encryption in it and the people there discovered that the restrictions don't
apply to it as long as they don't ship to Vietnam or Cuba.

> ... I have concluded that if I `export' my little program
> without first getting a license I may be subject to a fine
> of not more than $1,000,000, or imprisonment for not more
> than ten years, or both.

Do you really expect people who are involved in trying to keep anyone from
learning anything about encryption to admit that it's okay to export something
or to give out information?

There was a case a while back in which a man who left the CIA published
something without getting approval.  In a case that was decided by the Supreme
Court, the rules permitted them to require - since he had signed a contract -
him to get approval to write anything for publication, for life, it still did
not require him to get approval to give speeches extemporaneously.

Call (or better, write) the Office of the General Counsel for one of these
organizations and ask two simple question and ask a yes or no answer, "If
there was an encryption program written from scratch by a non-government
employee, published by a reporter in the New York Times, would the Times or
the reporter be required under the ITAR regulations or other federal laws, to
obtain a license before it could publish the article?"  "And would they be
subject to fines or imprisonment for doing so without a license?"  (There are
lots of people who are not American Citizens and not legal residents who read
the Times, as well as copies sent overseas.)

If they say no, you have a legal ruling from them.

If they say "yes" then you should put out a press release saying so:

  "X department claims it has right to require
   newspapers to obtain government licenses to print
   stories and can impose fines and imprisonment on
   reporters or newspapers who do not obtain
   government licenses in advance."

Quote from the letter, and name the source.  Send it to your local newspaper
and the Times and others.  To get reporters to notice, you have to hit them
where they live.

> Of course, if the program is considered to be my expression--which
> it must be if it is protected by the copyright laws--it is probably
> a violation of the First Amendment to require me to get a license
> before I can export it.

It also depends on the size.  A program that is only 174 bytes in length may
be so short that the application and expression merge, especially if it's the
only means available to perform the application at hand.  Also, something that
is minor and inconsequential in nature may not be subject to copyright
protection.

What that long item means is that a two-line poem is too short to be
copyrightable; a 5 note song is also too short.  With applications now
approaching 20 meg and more, 174 bytes might be considered so short it's not
copyrightable.

>         It is hard for me as a law teacher to believe that this
> regulatory scheme that requires me to get a prior license each time
> that I speak about, or publish the details of, my trivial program
> (or, in the alternative, to make sure that no foreigners get to
> hear or read what I have to say about it) can withstand a
> constitutional challenge on First Amendment grounds.

It wouldn't.  My guess is the law has never been enforced or challenged.  The
law is probably void as (1) prior restraint (2) vague (3) overly broad (4)
excessive fines (4th Amendment).

> [...]

That doesn't necessarily apply that the recipient is in the U.S.  Any site
that's on the Internet can be accessed by telephone which can be anywhere.
MCIMAIL is in the U.S. but anyone on a telex network or Datanet address
worldwide can call into it.

But I am, for the sake of argument, willing to declare that I am an
American Citizen and would like a copy.

Paul Robinson -- TDARCOS@MCIMAIL.COM


Export Controls on Cryptography

<WHMurray@DOCKMASTER.NCSC.MIL>
Mon, 31 May 93 09:13 EDT
Professor Peter Junger describes a program thus:

>The program is intended to demonstrate certain
>things that lawyers who are going to deal with the problems generated by
>computers should know:  things like the nature of an algorithm and the
>fact that any text (that is encoded in binary digits) of length n
>contains (if one just has the key) all other texts of length n.

Of course, if what he says above is true, and he asserts that he can so
demonstrate, then I can produce an algorithm and a key to demonstrate that the
program that he has described is encoded under the description.  Indeed, I can
produce an infinite number of such keys and algorithms, all of which decode to
the the same algorithm.  Surely, that should be sufficient to convince a jury
of twelve that it was his intent to do so.

He has already published this description on RISKS.  I think that his very
text offers evidence that he "knows" that RISKS is exported.  Surely, I can
offer "proof" that he had "reason to know."

Do I not now have a prima facia case?  Out of his own mouth, pen, keyboard!?
Have I not now succeeded in shifting the burden of proof to him?  What defense
might he offer?  (That someone else can produce an equal number of algorithms
and keys that do not decode to such a program?)  Will it convince?  Am I not
now in a position to convict, at least in many cases, on mere accusation?

Junger, you still have time to deny that you wrote that post.  If you fail to
recant on a timely basis, I plan to denounce you to the thought police.

And for those of you who think that I have failed to make my case, I suggest
that you read the history dealing with the thought police.  History is clearly
on my side.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL


Crypto Export Controls

<WHMurray@DOCKMASTER.NCSC.MIL>
Mon, 31 May 93 09:31 EDT
> [...]

Is there anyone out there who can find grounds to exclude my notebook,
or any other modern computer, from this definition, whether or not it
contains encryption software?  Is it the intent of the law to include
my computer?  It is possible to arrive at a definition that includes
what the law intends and excludes my computer?  Can we safely leave the
the discretion to distinguish to the signals intelligence elite?

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL


Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

Carl Ellison <cme@ellisun.sw.stratus.com>
Mon, 31 May 93 12:27:37 EDT
It sounds to me like you're trying to publish, not export.

Back in the bad old days, the NSA tried to prevent publication of
information about cryptology including lectures to foreign students,
conferences with foreign nationals present, ....  This attempt was soundly
defeated (and that may be why we've had these less obvious struggles in the
years since then).

Publication is legal -- happens all the time -- no license.  International
meetings are legal -- happen all the time -- no license.  You can buy a
full technical description of the DES algorithm from the US Govt
(FIPS-PUB-46), with no export controls and then write code from that.  RS&A
published their algorithm as equations in the Feb 1978 CACM and to a user
of Mathematica, what they published was perfectly good code.

You tell me:  is an anonymous FTP node a publication or an export medium?
What about a magazine which includes a floppy disk?

>   [Incidentally, at last week's IEEE Symposium on Research in Security
>   and Privacy, a rump group decided that because crypto falls under
>   munitions controls, the right to bear arms must sanction private uses of
>   cryptography!  PGN]

That's one approach.

I prefer distinguishing between cryptographic munitions (eg., crypto devices
which are specially hardened for battlefield use or crypto devices containing
secret NSA algorithms or algorithms created by companies and sold to the
government as alternatives for secret NSA algorithms), standard commercial
cryptography (crypto algorithms (devices or software) invented in the private
sector and intended for private sector customers) and free cryptography
(algorithms invented by individuals, often in academia, fully published,
available anywhere in the world that there are programmers (eg., DES and RSA,
(for non-commercial use))).

Clearly, the first should be considered arms and controlled by the State
Department, the second a product of commerce and controlled by the Commerce
Department, and the third a product of free speech and totally
uncontrolled.

Meanwhile, a good reading of David Kahn's "The Codebreakers" shows that
cryptosystems in the latter two categories have traditionally been at least
as strong as those in the first category, so it makes no sense to try to
categorize these systems based on someone's (eg., NSA's) opinion of their
cryptographic strength.

[My comments to NIST for this week's conference made essentially these
points, although in those I referred to two classes instead of the three
there clearly are.]

Carl Ellison, Stratus Computer Inc., 55 Fairbanks Boulevard ; Marlborough MA
01752-1298    (508)460-2783   cme@sw.stratus.com  [RIPEM PUBLIC KEY DELETED]


Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

Tim Poston <tim@iss.nus.sg>
Tue, 1 Jun 1993 13:06:34 GMT
risks@CSL.SRI.COM (RISKS Forum) writes:
Peter D. Junger's posting had
: There is no exception for encryption software that is so simple minded
: that a law teacher, whose only degrees are in English and law, can hack
: it out in about six hours, most of which time was spent chasing bugs
: that were the result of typos.  I estimate that the average computer
: literate 12-year old could have written the program in about 20 minutes.

Surely this is covered by the sensible supralegal principle
"De minimis non curat lex"? (The law does not concern itself with trifles.)
Without this principle, almost any law stated in natural language can be run
into the ground.  With it, a sane court would throw out any case that a
deranged prosecutor might bring.

Granted that law and sanity can be far apart, that often "The law is an ass",
and so on, but surely one must assume it is not _completely_ psychotic to make
(as P. D. Junger has) the decision to spend one's working life teaching and/or
practising it?

Tim Poston


Re: Peter D. Junger's risks of teaching... (RISKS-14.6)5

Jonathan Haruni <jharuni@micrognosis.co.uk>
Tue, 1 Jun 93 14:17:52 BST
Peter D. Junger (junger@samsara.law.cwru.edu) wrote:
> [ about his amusing and sad conundrum of being unable to teach law students
>   about a law without breaking it. ]

I think that if you give your students copies of your comp.risks article,
they should all be sufficiently disheartened with American law that they
will quit the program and you can then present your lectures to a class
devoid of foreign (or any) students.

Alternatively, you could check passports at the door, and boot out foreign
students during the parts of your class which are essential to American
Sickurity.  By doing so you will raise eyebrows well outside of the
computer-and-law sphere of interest and you may bring this ludicrous
situation into the limelight.  But then, you may get sacked.

Probably a much more effective solution to your problem, and one which has
recently been proven perfectly legal and acceptable in an American court,
would be for you to merely shoot dead all the foreigners in your class,
after which you can speak freely.

----

Your posting raised some questions in my mind, and perhaps after your recent
research into the topic you would be able answer:

What exactly do you have to do to "export" a crypto system ?  You raise the
ambiguous possibility of putting it on a public FTP site.  What happens
if you go abroad and do so ?  Go abroad with the sytem in your mind only -
no magnetic or paper copies of any kind - type the code in from scratch
at a keyboard outside the U.S., and post it to an FTP site outside the U.S.
Have you "exported" the code ?

What if you come up with a general idea for a simple crypto system and then
avoid thinking about it until you have left the country.  You leave,
then create the system, type it in and post it.  Have you exported it ?
Are you ever allowed to bring it back to the USA again ?

Jonathan.


Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

Martin Minow <minow@apple.com>
Tue, 1 Jun 93 09:27:34 -0700
I was surprised that Peter Junger did not conclude his discussion of the
problems caused by his 174-byte encryption program with the all-purpose
academic response:

-- a grant proposal to study the issue.
-- an article published in an appropriate academic journal.

At the very least, there should be ample material here for a graduate seminar.

Thanks for a wonderful submission.

Martin Minow  minow@apple.com


Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

Jerry Leichter <leichter@lrw.com>
Tue, 1 Jun 93 15:40:49 EDT
In a recent Risks, Peter D. Junger talks about his attempts to deal with the
US export regulations that define cryptographic equipment as weaponry, and
place strict controls on the export either of the "weaponry" or "technical
data" about them.

While more sophisticated in his writing, what Mr. Junger is really doing is
simply repeating an argument we've seen many, many times on the net:

    1.  Anyone can write cryptographic software, so where is the secrecy?

    2.  The regulations as written forbid export of such things as -
        a favorite example that Mr. Junger surely did not re-invent
        independently - Captain Midnight Decoder rings.

Let me turn the question around.  Sure, it's easy to find examples at the
extreme where the regulations look silly; how would YOU phrase a regulation
to control the export of cryptographic devices?  Yes, I know some people
believe the world is a benign place - the Cold War is over and all that
(funny, before the end of the Cold War the same people had no trouble finding
other arguments supporting their position); they need go no further.  For the
rest of us:  Even today, you might want to control export of, say, very high-
speed encryption chips, especially suitable for use in military command and
control systems.  How about conjectural software, 500 man-years in the making
after a large research investment, for breaking cryptosystems used by the US
for communicating with its embassies abroad?  (Not all software is trivial
to develop!)

Mr. Junger teaches law.  Perhaps he'll take up the challenge of suggesting
regulatory wording that covers "significant" cryptographic "equipment" -
along the way, perhaps, coming up with a distinction that can be made in
some useful way among "equipment", "software", and "specifications".

The only distinction *I* can see how to make is between cryptosystems in
actual (past, present, or planned future) operational use, and everything
else.  The first class could presumably be covered under existing espionage
laws; but is that really enough?  Such laws would probably NOT cover the
500-man-year product mentioned above.

Mr. Junger is also surprised at his inability to get a straight answer on the
regulations, as they apply to his trivial program, from a number of government
officials he spoke to.  I think he's being naive.

A number of years ago, while I was traveling out of state, my car's license
plate was stolen.  I called the police to report the stolen plate, and asked
what I should do.  I was told that I could not move the car until I went to
the main registry office (60-70 miles from where I was, with no convenient
transportation) to get a temporary plate.  Not thinking, I pointed out how
impractical this was.  The cop's response was the same:  I'd have to get a
temporary plate.  Not being TOO dense, I thanked him for the information and
hung up.

Now, you know, and I know, and the *cop* knows, that it's absurd to expect
someone to spend a full day, at considerable inconvenience and expense,
traveling across state to get a temporary plate so they can drive home.
Anyone rational would tell me to do what I actually did:  I made a cardboard
replacement plate (with a suitable note) and went about my business.

But the *cop* couldn't tell me that.  He couldn't even hint at it.  In his
particular position, it is not his place to suggest to someone that they
violate the law, even if the violation is a trivial one of a plainly silly
law.  I'm sure Mr. Junger will confirm that no lawyer would have suggested
that I do it either - though a decent lawyer, not being a direct represen-
tative of the law enforcement community, would no doubt have seen his way
clear to mention that LEGALLY I had to get the replacement plate, but in
practice nothing was likely to happen if I didn't.

What would Mr. Junger have expected government officials charged with en-
forcing the export laws to say?  "Hey, just ignore it?  It's silly?"  No
bureaucrat will EVER say that; and, in fact, no bureaucrat in such a position
SHOULD say it.  It's not the bureaucrat's place to judge the regulations; it's
his position to enforce them.  He certainly has latitude in deciding which
violations that come across his desk are worth pursuing - and certainly the
chances of anyone being prosecuted for exporting a Captain Midnight decoder
ring are a hell of a lot less than the chance that I would have gotten into
trouble for driving home with my cardboard plate - but he's just plain not in
a position to tell you that.
                            -- Jerry

Please report problems with the web pages to the maintainer

Top