As reported in many places, such as Current Underground Digest, New York Times
(Sept 21) and on AP, subpoenas were served on representatives from the
companies ViaCrypt and Austin Code Works for materials related to a grand jury
investigation in California associated with the U.S. Customs Office. Both
warrants are dated 9 Sept., but were served and received two days apart
(contrary to the NYT account), with the ViaCrypt one on Tues 14 Sept and the ACW one on
Thur 16 Sept:
Austin Code Works:
>Any and all correspondence, contracts, payments, and record,
>including those stored as computer data, relating to the
>international distribution of the commercial product "Moby
>Crypto" and any other commercial product related to PGP and RSA
>Source Code for the time period June 1, 1991 to the present.
ViaCrypt:
>"Any and all
>correspondence, contracts, payments, and records, including those
>stored as computer data, involving international distribution related
>to ViaCrypt, PGP, Philip Zimmermann, and anyone or any entity acting
>on behalf of Philip Zimmermann for the time period June 1, 1991 to the
>present."
ViaCrypt just announced publicly a few weeks ago its intent to market a
commercial version of PGP. G. Ward, author of Moby Crypto, has been very vocal
on various newsgroups (sci.crypt, et al.) indicating that an NSA agent had
previously contacted him over the book, essentially a cryptography tutorial
intended to be bundled with disks. Nevertheless the investigation appears at
this point to be primarily PGP-oriented based on subpoena wording, and my
following comments will focus on that aspect.
If the case progresses beyond this initial inquiry, the issues related to the
ITAR code (International Traffic and Arms Regulations) restricting the flow of
cryptographic software and documentation long debated in RISKS are likely to
receive intense scrutiny and perhaps the first significant judicial test. Many
aspects are related to the possibility of ITAR infringement in international
PGP distribution, involving highly complex import and export issues, some of
which follow.
PGP 1.0 was developed in the U.S. and soon spread internationally after its
official release in the month of June 1 1991 (the significance of the subpoena
date). Various sections of the ITAR govern the legal export of cryptographic
software and technical documentation; one critical clause defines technical
data as follows:
§120.21 Technical data.
Technical data means, for purposes of this subchapter:
(a) Classified information relating to defense articles
and defense services;
(b) Information covered by an invention secrecy order;
(c) Information, in any form, which is directly related
to the design, engineering, development, production,
processing, manufacture, use, operation, overhaul,
repair, maintenance, modification, or reconstruction
of defense articles. This includes, for example,
information in the form of blueprints, drawings,
1 photographs, plans, instructions, computer software,
1 and documentation. This also includes information
which advances the state of the art of articles on
2 the U.S. Munitions List. This definition does not
2 include information concerning general scientific,
2 mathematical, or engineering principles commonly
2 taught in academia. It also does not include basic
marketing information or general system descriptions
of defense articles.
The critical question: Is PGP (1) `computer software related to defense' or
(2) `technical documentation encompassing general scientific & engineering
principles'? Other sections of the ITAR definitely classify cryptographic
software as a defense article. In a hypothetical legal case against PGP
distribution, the defense might argue that the interpretation of PGP as (2)
takes priority over, or is more relevant and applicable than, (1). A wide
variety of respondents on the `cypherpunks' list have indicated that the
RSA *algorithm* embodied in PGP is unequivocally public domain knowledge in
the U.S. and regularly `taught in academia'.
As a peripheral issue to *export* of PGP above, some sources point out that
the IDEA algorithm was implemented outside the U.S. and apparently *imported*
into the US in PGP. The legality of this may be affected by sections of the
ITAR that bar import of material not legally exportable:
"123.2 Imports.
No defense article may be imported into the United States unless (a) it was
previously exported temporarily under a license issued by the Office of
Munitions Control; or (b) it constitutes a temporary import/in-transit
shipment licensed under Section 123.3; or (c) its import is authorized by the
Department of the Treasury (see 27 CFR parts 47, 178, and 179)."
Many armchair-ITAR-experts have noted that the act does not appear to
specifically address distribution mechanisms intrinsic to an Internet PGP
distribution, specifically either via newsgroups ([x].sources etc.) or FTP.
It refers to traditional outlets associated with the "public domain" such as
libraries but has questionable, ambiguous, and debatable interpretation on
what might be termed `cyberspatial distributions' including BBSes.
Finally, if the case reaches a court, the actual outcome may also hinge on the
apparent court precedent that *willful* violation of the ITAR ("criminal
intent") must be demonstrated to exist for valid convictions under the law,
seen for example in U.S. v Lizarraga-Lizarraga (in 541 F2d 826).
I thank the following people for accounts, information, and analysis which
particularly influenced my post (which should in no way be considered
representative of their own opinions):
J. Bidzos, G. Broiles, H. Finney, J. Markoff, G. Ward, P. Zimmermann
Note: complete ITAR text can be found via anonymous FTP at
ripem.msu.edu:/pub/crypt/docs/itar-july-93.txt.
Thanks to M. Riordan and D. Bernstein. ["L. Detweiler" via risks-digest Volume 15, Issue 11]