textfiles/programming/CRYPTOGRAPHY/crypto.tch

Newsgroups: alt.security.pgp
Subject: Can you teach the law without breaking it?
Message-ID: <1993May31.154227.5699@wisipc.weizmann.ac.il>
From: oren@wisdom.weizmann.ac.il (Ben-Kiki Oren)
Date: Mon, 31 May 1993 15:42:27 GMT
Organization: Weizmann Institute of Science, Computation Center
This was posted in comp.risks, specifically: RISKS-LIST: RISKS-FORUM Digest
Sunday 30 May 1993 Volume 14 : Issue 65. Admittedly it is longish, but I think
it is worth wading through:
-------------------------------------------------------------------------------
Date: Fri, 21 May 93 16:13:46 EDT
From: junger@samsara.law.cwru.edu (Peter D. Junger)
Subject: The risks of teaching about computers and the law
A fortnight ago, in order to postpone the necessity of grading
final exams, I started writing a simple-minded encryption program, which
uses a "one-time pad" as a key, for use this Fall in my class on
Computers and the Law. The program is intended to demonstrate certain
things that lawyers who are going to deal with the problems generated by
computers should know: things like the nature of an algorithm and the
fact that any text (that is encoded in binary digits) of length n
contains (if one just has the key) all other texts of length n.
Although in that course we shall mainly be concerned with
copyright and patent issues relating to computer programs, we should
also spend some time on security issues and on government regulation of
computer programs. And that, of course, includes the regulation of the
export of computer programs, including cryptographic programs and
technical information relating to such programs. I shall also have to
discuss cryptographic programs when dealing with issues of computer
security, since it would profit lawyers to be aware of the fact that
cryptography can do far more than the law can to keep one's confidences
confidential. The latter point is, of course, of particular importance
to members of a profession who have a legal and moral duty to keep their
clients' confidences confidential from everyone, but especially from the
agents of the state.
As I was writing this program I realized that it itself, and any
`technical data' relating to it, might be subject to federal export
licensing regulations, since I intended to give copies of it to, and
discuss it with, my students and make it available to anyone who wants
it, even foreigners. Even if I do not put it on an anonymous FTP
server, as I originally planned, there is no way that I can guarantee
that all the students who enroll in my class will be citizens or
permanent residents of the United States.
After a little quick research I have determined that my program
may be--and, in fact, probably is--subject to such licensing, though
whether by the Department of Commerce or that of State is a matter that
it will take some sixty days for the bureaucrats to determine. The
trouble is that the program, which should run on any PC clone running
MSDOS 3 or higher, and which now consists in its entirety of 174 bytes
of 8086 machine code, which I am pretty sure I can get down to 170 bytes
or less, is squarely covered by the definitions of Category XIII of the
U.S. Munitions List (as is my old Captain Midnight Decoder, which I got
during the War for a boxtop--or was it an Ovaltine label?--and change).
The relevant subdivision of Category XIII of the Munitions List
is (b), which provides in relevant part:
(b) Information Security Systems and equipment, cryptographic
devices, software, and components specifically designed or
modified therefor, including:
(1) Cryptographic (including key management) systems,
equipment, assemblies, modules, integrated circuits,
components or software with the capability of maintaining
secrecy or confidentiality of information or information
systems, except cryptographic equipment and software as
follows:
.... [none of the exceptions appear to be applicable to my
program]
There is no exception for encryption software that is so simple minded
that a law teacher, whose only degrees are in English and law, can hack
it out in about six hours, most of which time was spent chasing bugs
that were the result of typos. I estimate that the average computer
literate 12-year old could have written the program in about 20 minutes.
In the course of my researches, which so far have consisted
of speaking to a very pleasant person at the Department of Commerce's
Bureau of Export Administration, to a not very nice major and a slightly
nicer person at the Department of State's Bureau of Politico-Military
Affairs, Office of Defense Trade Controls, and to a not un-nice person,
whose name I was not allowed to know, who supposedly was at NSA, and
wading an inch or so into a seven inch stack of Commerce Department
regulations and a few more inches of statutes, I have concluded that if
I `export' my little program without first getting a license I may be
subject to a fine of not more than $1,000,000, or imprisonment for not
more than ten years, or both.
This isn't so bad, since in the case of the actual program it is
pretty clear that `exporting' means exporting, so, since I don't intend
to export the program, the only problem is that posting it on an FTP
server on the internet gets into a `grey' area (according to the
unknowable at NSA). Of course, if the program is considered to be my
expression--which it must be if it is protected by the copyright
laws--it is probably a violation of the First Amendment to require me to
get a license before I can export it. But since I don't intend to
export it--and the unknowable, on whom I dare not rely, did keep saying
that it was a matter of my intention--I can treat that issue as an
academic problem. (By the way, it is my position that the actual
program--the machine code--not being in any sense expression--cannot
Constitutionally be protected by copyright law; this is a position that
the lower courts have--at least _sub silentio_--uniformly rejected, but
it is a good bet that the Supreme Court will agree with me when it
finally gets around to considering this issue!)
The real trouble is that Category XIII contains as its final
subdivision paragraph (k), which covers
(k) Technical data . . . related to the defense articles listed
in this category.
And that, of course, means that I cannot lawfully export technical data
about my program without first obtaining a license.
But the regulations relating to technical data that is included on the
Munitions List say, in effect, that the `export' of technical data includes
talking about the defense article to which the data relates--which in my case
is my piddling little program--in the presence of someone who is neither a
citizen of the United States nor admitted to permanent residence in the United
States. So, if any foreign students sign up for my course I will be required
to get a license--which I am not sure I can get at all, and certainly will not
be able to get in time to teach my course--before describing the program to my
class, explaining how to use it, and giving them the source code--which, by
the way, I contend _does_ contain expression--to load in with the debug
program.
I admit that I am not greatly concerned about the potential criminal
penalties that might be imposed if I do discuss the program with my students
without a license, and not only because I don't have a million dollars
and--for all I know--may not have ten years. I cannot imagine anyone--except
perhaps that major--who would be stupid enough to try to punish me for
discussing my trivial program with my students.
But how can I teach this particular bit of computer law if the very
act of teaching amounts--at least in theory--to a criminal violation of the
very law that I am teaching? That this is not a logical paradox is an
illustration of the fact that the law is not logic; but I still feel that I am
trapped in an impossible situation.
It is hard for me as a law teacher to believe that this regulatory
scheme that requires me to get a prior license each time that I speak about,
or publish the details of, my trivial program (or, in the alternative, to make
sure that no foreigners get to hear or read what I have to say about it) can
withstand a constitutional challenge on First Amendment grounds.
The "secret" of how to keep a secret in 170 bytes or less is not
something that imposes any conceivable threat to the security of the United
States, especially not when the underlying algorithm is well known to most who
are, and many who aren't, knowledgeable about computers--or, for that matter,
about logic. And thus the government can't constitutionally punish me for
revealing this "secret" of mine or talking and writing about how it works.
And even if the government could constitutionally punish me after the fact,
that does not mean that they can impose a prior restraint on my speaking or
writing about the "secret". Prior restraints on speech or publication--and
especially licensing schemes--are especially vulnerable to constitutional
attack, since the First Amendment provisions relating to the freedom of speech
and of the press were adopted in large part to prevent the federal government
from adopting the type of censorship and licensing that had prevailed in
England under the Tudor and Stuart monarchies.
And yet I am so intimidated and disheartened by this
unconstitutional scheme that I dare not explain in a submission to
Risks, which undoubtedly has foreign subscribers, how my silly little
program works. And even if I were willing to take that risk, I could
not in good conscience impose it on our moderator.
And if I have problems now, just think how ridiculous the
situation will be if the government tries to outlaw all encryption
programs and devices other than the Clipper Chip.
[For those of you who understand how my program works and who
take the effort to write your own encryption program based on that
understanding, I have a special offer. If you will just send me an
E-mail message certifying that you are a United States Citizen, I will
send you (at any address on the internet that is within the United
States), a UUENCODEd key that when applied by your program to this
particular submission to Risks--after all headers have been stripped
off--will produce a working copy of my program, which is a COM file that
runs under MSDOS. (Be sure that your copy of this submission uses the
Carriage Return / Line Feed combination as the End of Line indicator.)]
Peter D. Junger
Case Western Reserve University Law School, Cleveland, OH
Internet: JUNGER@SAMSARA.LAW.CWRU.Edu -- Bitnet: JUNGER@CWRU
[Incidentally, at last week's IEEE Symposium on Research in Security
and Privacy, a rump group decided that because crypto falls under
munitions controls, the right to bear arms must sanction private uses of
cryptography! PGN]
-------------------------------------------------------------------------------
This (k) subdivision seems deadly. For example, discussions of PGP algorithms -
key lengths, use of IDEA, etc. seem to be covered by this act. Possibly simple
advice as to how to use PGP is also covered. Therefore, this newsgroup might be
breaking USA law anytime a posting crosses the USA border.
More to the point, books about cryptology, scientific papers etc. are
*definitely* covered. And I bet most of these are published in the USA and
sent abroad. How can they be exported?
I think that if the simple act of "putting it in the public domain" was
sufficient, the Law Prof would have known/found out about it. What's going on?
(BTW, If you don't know what a one-time pad is, I cannot enlighten you as this
would cause some poor soul in NYU to break the law by unlicenced import
of munitions. Worse, he'll break the law when the post is further distributed
to the world, by exporting it. Let's play it safe - look it up in the library...)
Oren.
P.S. I found this so hilarious (especially the last footnote) that I sent it
to rec.humor.funny; but then, I am not a USA citizen :-)
P.P.S. What happened to the version 3.0 of PGP? Is it available yet? I am
reluctant to use the current version since it was discovered there's a memory
allocation bug in it that might cause DOS to trash my disk. Or is a bug fix
available?
Oren.
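As an added illustration (example code written for this page, not Junger's 174-byte program nor anything posted by either author), here is a byte-wise XOR one-time pad showing the property both posts lean on: with the key free to choose, a fixed text of length n can be made to "contain" any other text of length n. The cover text and the two "programs" are constructed stand-ins.

```python
# Added example, not Junger's program nor anything from the post:
# a byte-wise XOR one-time pad that shows the property the offer relies on,
# namely that a fixed text of length n "contains" every other text of length n
# once you may choose the key. All sample bytes are constructed.

def apply_pad(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call both encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, pad))

def derive_key(cover: bytes, target: bytes) -> bytes:
    """The pad that maps the first len(target) bytes of cover onto target."""
    return apply_pad(cover[:len(target)], target)

def to_crlf(text: bytes) -> bytes:
    """Force CR/LF line endings, the convention the offer insists on."""
    return text.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

# Constructed stand-in for the header-stripped Risks submission.
COVER = to_crlf(b"Can you teach the law\nwithout breaking it?\n")

# Two constructed 30-byte "programs" (not real 8086 code).
PROGRAM_A = b"PROGRAM-A " * 3
PROGRAM_B = b"program-b " * 3

def recover(cover: bytes, key: bytes) -> bytes:
    """What a recipient gets by applying a key to their copy of the text."""
    return apply_pad(cover[:len(key)], key)

def demo() -> dict:
    key_a = derive_key(COVER, PROGRAM_A)     # one key yields program A ...
    key_b = derive_key(COVER, PROGRAM_B)     # ... another yields program B
    lf_only = COVER.replace(b"\r\n", b"\n")  # a copy saved with LF endings
    return {
        "a": recover(COVER, key_a),
        "b": recover(COVER, key_b),
        "keys_differ": key_a != key_b,
        # bytes after the first line break come out wrong on the LF copy
        "a_on_lf_copy": recover(lf_only, key_a),
    }

def reuse_leak(p1: bytes, p2: bytes, pad: bytes) -> bytes:
    """Caveat: a pad used twice leaks p1 XOR p2 to anyone holding both
    ciphertexts, so the unbreakability argument only holds for a random,
    never-reused pad, not for a key picked to hit a chosen target."""
    return apply_pad(apply_pad(p1, pad), apply_pad(p2, pad))
```

The `a_on_lf_copy` entry shows why Junger's CR/LF warning matters: one missing carriage return shifts every later byte of the cover and the key no longer lines up.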