gamiddleton@math.waterloo.edu (Guy Middleton) (04/26/89)
I need to find a copy (or, preferably, a summary written in English instead of legalese) of the American regulations that restrict the export of DES and other cryptographic software. Does anybody know where I can find this? Thanks.

-Guy Middleton, University of Waterloo Institute for Computer Research
gamiddleton@math.waterloo.edu
rsalz@BBN.COM (Rich Salz) (05/12/89)
In <1075@altos86.UUCP> gamiddleton@math.waterloo.edu (Guy Middleton) writes:
>I need to find a copy (or, preferably, a summary written in English instead
>of legalese) of the American regulations that restrict the export of DES and
>other cryptographic software. Does anybody know where I can find this?

Let me start with a disclaimer: I'm speaking only for myself here, most definitely not for my employer or anyone else I refer to below, and only as an interested layman.

You will not be able to find a non-legalese summary. (Hubris makes me want to add "other than this one." :-) You will only be able to find legalese rules and such. Your best bet is to hunt through a law library, and one that has the US Federal Register.

There are two popular researched analyses on DES that were distributed on Usenet. One is by John Gilmore, the other is by DEC's Corporate Law Office. Lots of other opinion and "facts" have been offered, but almost without exception they have been based on ignorance; unless you've done research, or have the two primary sources, it's probably safe to ignore everything you've read other than this. (There's that hubris again.)

DES export is a complicated issue, and like all legal issues, when you get an opinion you should keep in mind the viewpoint of the person who gives it. John wants to spread open information as widely as possible; DEC doesn't want to get hauled into court. I agree with John.

From his readings of the rules and regulations, John determined that DES is technical information, and software. This means that it is under the control of the Department of Commerce. As such, once it is in the open literature, it can be passed around the world. In terms of Usenet and distributing source, this might mean someone would first have to publish their code in a journal somewhere. The only exception to this is if you're on a small list of banned countries, and even that might not hold.

DEC claims that John is wrong, that DES is specifically called out as munitions, and therefore is under the control of the Department of Defense, specifically the Munitions Control Act. The upshot is that you can't give it outside of the USA. I'm not a lawyer, but they took John's analysis apart sentence by sentence, ending with "It is imperative that no Digital employee act in reliance on Gilmore's analysis or his conclusions." They even used SCREAMING all-caps.

Since neither Department is an expert, the NSA acts as the technical advisory expert. Based on a couple of phone calls, chats with some former employees, and a DES-related meeting, the NSA's position is that DES should not leave the country.

Because of this, many Unix vendors have two versions of their software, and it depends on whether they ship the DES cryptographic stuff or not. I remember reading a note from one of the Unix originators, that the only reason there were two versions of Version 7 was more administrative than legal. Perhaps if someone back then was able to fight the red tape we'd be spared all this mess today, perhaps not. I've heard Amdahl got the right permissions to export DES, but I don't know for sure; it was only "planned" at the time I read that note, they may have backed down.

DES export has been discussed, at times, in sci.crypt, and in the Kerberos and Internet Engineering Task Force mailing lists.

Switching from reporter to interpreter, let me say that I think the situation is changing, and that the stupid US rules -- applicable or not -- may be lifted soon. Note that soon is measured on a bureaucratic time scale, which is similar to geologic time. The technical community, in particular the Internet, has a good channel into the Department of Defense, and the right word seems to be reaching the right people. There is a need for DES to be used globally, and there has been world-wide publication (in comp.sources.unix/unix-sources) of a package written in Finland, posted from Australia.

I no longer have John's analysis at all (it was mostly private email, that he later posted), and I do have the DEC analysis. I don't like to distribute it since it has the look of a DEC internal thing (even though it was forwarded, second-hand, to sci.crypt), and especially since I don't have John's work. It is, however, interesting reading, and if someone is going to take up the fight (as opposed to just idle curiosity), let me know.

If you want to play lawyer, here are some places to start:

Department of State
    You want sections 120-126, at least, of the International Traffic in Arms Regulation 22 C.F.R. Subch. M (I don't know what that last part means.)
Office of Munitions Control, Department of State
    They're responsible for saying if something is "munitions."
The National Security Agency
    I've heard their DES tech expert left, and they're in the lurch. It's funny the way they answer their phones.
Department of Defense
    You want Section 38 of the Arms Export Control Act.
Department of Commerce
    You want the Commodity Control List, and Export Administration Regulations, Section 370.10 and 379.3 (General License GTDA).

I like to know what's going on, and I seem to be in touch with the several areas where this is discussed, so if you start digging around, I'd like to know. Yes, that means I'm offering to be a "point man" on this.

/rich $alz

PS: if ANYONE has a copy of John's research, please let me know; I'll pay you for a copy.
--
Please send comp.sources.unix-related mail to rsalz@uunet.uu.net.