Subject: RISKS DIGEST 14.67
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 1 June 1993  Volume 14 : Issue 67

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents: [UNEXPURGATED COLLECTION OF COMMENTARIES. READ WHAT YOU CAN.]
Crypto as "Right to Bear Arms" issue (Larry Hunter)
Re: Peter D. Junger's risks of teaching... (Paul Robinson, Bill Murray [2],
    Carl Ellison, Tim Poston, Jonathan Haruni, Martin Minow, Jerry Leichter)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome.

CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: Tue, 1 Jun 93 11:46:47 -0400
From: hunter@ncbi.nlm.nih.gov (Larry Hunter)
Subject: Crypto as "Right to Bear Arms" issue

Following Peter Junger's depressingly Kafkaesque description of why US export restrictions on cryptographic technology (or even technical data related to cryptography) make it probably illegal to discuss his 174-byte MSDOS program implementing a one-time pad in the law class he teaches, our esteemed moderator said:

    Incidentally, at last week's IEEE Symposium on Research in Security and Privacy, a rump group decided that because crypto falls under munitions controls, the right to bear arms must sanction private uses of cryptography!

This is a point I have been making in private for some time. I am completely convinced that framers of the Constitution would have wholeheartedly endorsed citizen access to effective encryption as a fundamental right. It's a natural part of the outlook that posits that the citizenry should be able to publish subversive literature in their basements, own enough weaponry so that a local militia should be able to hold off the government, and that there is a positive obligation to rise up in revolution against an unjust government.

However, there are several practical problems with the idea. First of all, constitutional rights must be balanced against each other. Your right to bear arms is balanced against the rights of your neighbors to pursue their happiness in an orderly society. One consequence of that balance is that you cannot legally possess nuclear weapons or even, say, a .50 caliber machine gun privately. PGN's statement notwithstanding, just because a munition is export regulated does not mean that private US uses of these weapons are allowed. It is not hard to imagine the Supreme Court finding a compelling state interest in regulating cryptologic technology in the same manner it does machine guns.
So the "right to bear arms" strategy for defending encryption doesn't seem likely to succeed practically.

Second, the approach seems to stipulate that secure encryption is a "dangerous" technology, which I suspect is a mistake. After all, "arms" are weapons, instruments of combat, something to fight with. That is not how to envision encryption. To my mind, it is much more like a private place, or a refuge; quite the opposite of an instrument of combat. Encryption and related technologies empower individuals and private associations, without threatening anyone else. Arms empower people precisely through direct threats to others. This distinction is not a small one. We should be fighting the claim that cryptography is useful primarily to criminals (and is therefore threatening) for precisely the same reason.

On the other hand, perhaps we could enlist the NRA in defending effective encryption. Powerful allies are crucial in this fight, and I for one would be willing to find common ground with all kinds of folks to ensure that effective encryption technology becomes widely available.

[Please note explicitly that I do not speak for the National Library of Medicine or the US Government on this issue. Thanks.]

Larry Hunter, National Library of Medicine, Bethesda MD. hunter@nlm.nih.gov

------------------------------

Date: Sun, 30 May 1993 19:48:23 -0400 (EDT)
From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

> A fortnight ago, in order to postpone the necessity of
> grading final exams, I started writing a simple-minded encryption
> program, which uses a "one-time pad" as a key, for use this Fall in
> my class on Computers and the Law.

It's always nice to try things. I'm working on writing an SMTP gateway to run on PCs to make E-Mail much more accessible to them. The stuff out there is complicated and troublesome to use.
You mentioned that your program is only 174 bytes: that's good; we need people to write things small and tight.

> As I was writing this program I realized that it itself,
> and any `technical data' relating to it, might be subject to
> federal export licensing regulations,

I suspect if this is what the law means, then the law is on its face unconstitutional. You might want to write to the EFF or the ACLU.

Try asking someone at the office the following question: If a reporter for the New York Times were to publish your algorithm in the paper, would the reporter or the Times be required to get a license before it could print the article?

If he says yes, then he is declaring the law is a law mandating prior restraint. Judges frown heavily on laws mandating prior restraint, and especially since we are talking about the work of a private individual, not someone working on a contract for a government agency.

If you know the law, you know that while the courts usually uphold laws unless the other party can show that the statute is unconstitutional, if a law is shown to constitute prior restraint, the courts tend to strike down the law unless there is an extreme burden proven by the government, i.e. that there is no other way to fix the problem the law supposedly solves.

If the law would even be able to withstand challenge, it would have to do so using the method going back to the censorship laws on motion pictures, it may be that if the law in question is an attempt to license a particular type of expression, the agency may be held to the same standard as that used in the censorship laws, i.e. that the agency must promptly issue a license or file suit to prevent distribution. A law that permits an agency to restrict publication of a work and use delay to hold it out of distribution is clearly unconstitutional.

The Copyright office has already taken a look at this issue: a work expressed on a computer does not become something different from a work printed on paper.

Question: do you think the law would require you to get a license before publishing this in a technical journal? Or require the journal in question to do so?

> After a little quick research I have determined that my
> program may be--and, in fact, probably is--subject to such
> licensing,

I've never had to handle stuff I wrote but I sometimes have questions regarding stuff which I've sent as E-Mail or mailed overseas to people. I generally ignore such laws; I believe there is a general "public" exemption for publicly published material or anything not subject to specialized licensing, i.e. if something is put on a BBS or is sold over the counter in a store, it can be shipped anywhere in the world (except Vietnam, Libya and Cuba, and any of the countries with bans, such as Iraq, etc.) PKWare has encryption in it and the people there discovered that the restrictions don't apply to it as long as they don't ship to Vietnam or Cuba.

> ... I have concluded that if I `export' my little program
> without first getting a license I may be subject to a fine
> of not more than $1,000,000, or imprisonment for not more
> than ten years, or both.

Do you really expect people who are involved in trying to keep anyone from learning anything about encryption to admit that it's okay to export something or to give out information?

There was a case a while back in which a man who left the CIA published something without getting approval. In a case that was decided by the Supreme Court, the rules permitted them to require - since he had signed a contract - him to get approval to write anything for publication, for life, it still did not require him to get approval to give speeches extemporaneously.

Call (or better, write) the Office of the General Counsel for one of these organizations and ask two simple questions and ask for a yes or no answer, "If there was an encryption program written from scratch by a non-government employee, published by a reporter in the New York Times, would the Times or the reporter be required under the ITAR regulations or other federal laws, to obtain a license before it could publish the article?" "And would they be subject to fines or imprisonment for doing so without a license?" (There are lots of people who are not American Citizens and not legal residents who read the Times, as well as copies sent overseas.)

If they say no, you have a legal ruling from them. If they say "yes" then you should put out a press release saying so: "X department claims it has right to require newspapers to obtain government licenses to print stories and can impose fines and imprisonment on reporters or newspapers who do not obtain government licenses in advance." Quote from the letter, and name the source. Send it to your local newspaper and the Times and others. To get reporters to notice, you have to hit them where they live.

> Of course, if the program is considered to be my expression--which
> it must be if it is protected by the copyright laws--it is probably
> a violation of the First Amendment to require me to get a license
> before I can export it.

It also depends on the size. A program that is only 174 bytes in length may be so short that the application and expression merge, especially if it's the only means available to perform the application at hand. Also, something that is minor and inconsequential in nature may not be subject to copyright protection.

What that long item means is that a two-line poem is too short to be copyrightable; a 5 note song is also too short. With applications now approaching 20 meg and more, 174 bytes might be considered so short it's not copyrightable.

> It is hard for me as a law teacher to believe that this
> regulatory scheme that requires me to get a prior license each time
> that I speak about, or publish the details of, my trivial program
> (or, in the alternative, to make sure that no foreigners get to
> hear or read what I have to say about it) can withstand a
> constitutional challenge on First Amendment grounds.

It wouldn't. My guess is the law has never been enforced or challenged. The law is probably void as (1) prior restraint (2) vague (3) overly broad (4) excessive fines (4th Amendment).

> [...]

That doesn't necessarily apply that the recipient is in the U.S. Any site that's on the Internet can be accessed by telephone which can be anywhere. MCIMAIL is in the U.S. but anyone on a telex network or Datanet address worldwide can call into it.

But I am, for the sake of argument, willing to declare that I am an American Citizen and would like a copy.

Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

Date: Mon, 31 May 93 09:13 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Export Controls on Cryptography

Professor Peter Junger describes a program thus:

>The program is intended to demonstrate certain
>things that lawyers who are going to deal with the problems generated by
>computers should know: things like the nature of an algorithm and the
>fact that any text (that is encoded in binary digits) of length n
>contains (if one just has the key) all other texts of length n.

Of course, if what he says above is true, and he asserts that he can so demonstrate, then I can produce an algorithm and a key to demonstrate that the program that he has described is encoded under the description. Indeed, I can produce an infinite number of such keys and algorithms, all of which decode to the same algorithm. Surely, that should be sufficient to convince a jury of twelve that it was his intent to do so.

He has already published this description on RISKS.
I think that his very text offers evidence that he "knows" that RISKS is exported. Surely, I can offer "proof" that he had "reason to know."

Do I not now have a prima facie case? Out of his own mouth, pen, keyboard!? Have I not now succeeded in shifting the burden of proof to him? What defense might he offer? (That someone else can produce an equal number of algorithms and keys that do not decode to such a program?) Will it convince? Am I not now in a position to convict, at least in many cases, on mere accusation?

Junger, you still have time to deny that you wrote that post. If you fail to recant on a timely basis, I plan to denounce you to the thought police.

And for those of you who think that I have failed to make my case, I suggest that you read the history dealing with the thought police. History is clearly on my side.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Mon, 31 May 93 09:31 EDT
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Crypto Export Controls

> [...]

Is there anyone out there who can find grounds to exclude my notebook, or any other modern computer, from this definition, whether or not it contains encryption software?

Is it the intent of the law to include my computer? Is it possible to arrive at a definition that includes what the law intends and excludes my computer?

Can we safely leave the discretion to distinguish to the signals intelligence elite?

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Mon, 31 May 93 12:27:37 EDT
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

It sounds to me like you're trying to publish, not export.

Back in the bad old days, the NSA tried to prevent publication of information about cryptology including lectures to foreign students, conferences with foreign nationals present, .... This attempt was soundly defeated (and that may be why we've had these less obvious struggles in the years since then).

Publication is legal -- happens all the time -- no license.

International meetings are legal -- happen all the time -- no license.

You can buy a full technical description of the DES algorithm from the US Govt (FIPS-PUB-46), with no export controls and then write code from that.

RS&A published their algorithm as equations in the Feb 1978 CACM and to a user of Mathematica, what they published was perfectly good code.

You tell me: is an anonymous FTP node a publication or an export medium? What about a magazine which includes a floppy disk?

> [Incidentally, at last week's IEEE Symposium on Research in Security
> and Privacy, a rump group decided that because crypto falls under
> munitions controls, the right to bear arms must sanction private uses of
> cryptography! PGN]

That's one approach.

I prefer distinguishing between cryptographic munitions (e.g., crypto devices which are specially hardened for battlefield use or crypto devices containing secret NSA algorithms or algorithms created by companies and sold to the government as alternatives for secret NSA algorithms), standard commercial cryptography (crypto algorithms (devices or software) invented in the private sector and intended for private sector customers) and free cryptography (algorithms invented by individuals, often in academia, fully published, available anywhere in the world that there are programmers (e.g., DES and RSA, (for non-commercial use))).

Clearly, the first should be considered arms and controlled by the State Department, the second a product of commerce and controlled by the Commerce Department, and the third a product of free speech and totally uncontrolled.

Meanwhile, a good reading of David Kahn's "The Codebreakers" shows that cryptosystems in the latter two categories have traditionally been at least as strong as those in the first category, so it makes no sense to try to categorize these systems based on someone's (e.g., NSA's) opinion of their cryptographic strength.

[My comments to NIST for this week's conference made essentially these points, although in those I referred to two classes instead of the three there clearly are.]

Carl Ellison, Stratus Computer Inc., 55 Fairbanks Boulevard ; Marlborough MA 01752-1298
(508)460-2783 cme@sw.stratus.com
[RIPEM PUBLIC KEY DELETED]

------------------------------

Date: Tue, 1 Jun 1993 13:06:34 GMT
From: tim@iss.nus.sg (Tim Poston)
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

risks@CSL.SRI.COM (RISKS Forum) writes:

Peter D. Junger's posting had

: There is no exception for encryption software that is so simple minded
: that a law teacher, whose only degrees are in English and law, can hack
: it out in about six hours, most of which time was spent chasing bugs
: that were the result of typos. I estimate that the average computer
: literate 12-year old could have written the program in about 20 minutes.

Surely this is covered by the sensible supralegal principle "De minimis non curat lex"? (The law does not concern itself with trifles.) Without this principle, almost any law stated in natural language can be run into the ground. With it, a sane court would throw out any case that a deranged prosecutor might bring.

Granted that law and sanity can be far apart, that often "The law is an ass", and so on, but surely one must assume it is not _completely_ psychotic to make (as P. D. Junger has) the decision to spend one's working life teaching and/or practising it?

Tim Poston

------------------------------

Date: Tue, 1 Jun 93 14:17:52 BST
From: jharuni@micrognosis.co.uk (Jonathan Haruni)
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)
Organization: Micrognosis International, London

Peter D. Junger (junger@samsara.law.cwru.edu) wrote:
> [ about his amusing and sad conundrum of being unable to teach law students
> about a law without breaking it. ]

I think that if you give your students copies of your comp.risks article, they should all be sufficiently disheartened with American law that they will quit the program and you can then present your lectures to a class devoid of foreign (or any) students.

Alternatively, you could check passports at the door, and boot out foreign students during the parts of your class which are essential to American Sickurity. By doing so you will raise eyebrows well outside of the computer-and-law sphere of interest and you may bring this ludicrous situation into the limelight. But then, you may get sacked.

Probably a much more effective solution to your problem, and one which has recently been proven perfectly legal and acceptable in an American court, would be for you to merely shoot dead all the foreigners in your class, after which you can speak freely.

----

Your posting raised some questions in my mind, and perhaps after your recent research into the topic you would be able to answer:

What exactly do you have to do to "export" a crypto system ? You raise the ambiguous possibility of putting it on a public FTP site. What happens if you go abroad and do so ? Go abroad with the system in your mind only - no magnetic or paper copies of any kind - type the code in from scratch at a keyboard outside the U.S., and post it to an FTP site outside the U.S. Have you "exported" the code ?

What if you come up with a general idea for a simple crypto system and then avoid thinking about it until you have left the country. You leave, then create the system, type it in and post it. Have you exported it ? Are you ever allowed to bring it back to the USA again ?

Jonathan.

------------------------------

Date: Tue, 1 Jun 93 09:27:34 -0700
From: Martin Minow
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

I was surprised that Peter Junger did not conclude his discussion of the problems caused by his 174-byte encryption program with the all-purpose academic response:

-- a grant proposal to study the issue.
-- an article published in an appropriate academic journal.

At the very least, there should be ample material here for a graduate seminar.

Thanks for a wonderful submission.

Martin Minow minow@apple.com

------------------------------

Date: Tue, 1 Jun 93 15:40:49 EDT
From: Jerry Leichter
Subject: Re: Peter D. Junger's risks of teaching... (RISKS-14.65)

In a recent Risks, Peter D. Junger talks about his attempts to deal with the US export regulations that define cryptographic equipment as weaponry, and place strict controls on the export either of the "weaponry" or "technical data" about them.

While more sophisticated in his writing, what Mr. Junger is really doing is simply repeating an argument we've seen many, many times on the net:

1. Anyone can write cryptographic software, so where is the secrecy?

2. The regulations as written forbid export of such things as - a favorite example that Mr. Junger surely did not re-invent independently - Captain Midnight Decoder rings.

Let me turn the question around. Sure, it's easy to find examples at the extreme where the regulations look silly; how would YOU phrase a regulation to control the export of cryptographic devices? Yes, I know some people believe the world is a benign place - the Cold War is over and all that (funny, before the end of the Cold War the same people had no trouble finding other arguments supporting their position); they need go no further. For the rest of us:

Even today, you might want to control export of, say, very high-speed encryption chips, especially suitable for use in military command and control systems.

How about conjectural software, 500 man-years in the making after a large research investment, for breaking cryptosystems used by the US for communicating with its embassies abroad? (Not all software is trivial to develop!)

Mr. Junger teaches law. Perhaps he'll take up the challenge of suggesting regulatory wording that covers "significant" cryptographic "equipment" - along the way, perhaps, coming up with a distinction that can be made in some useful way among "equipment", "software", and "specifications". The only distinction *I* can see how to make is between cryptosystems in actual (past, present, or planned future) operational use, and everything else. The first class could presumably be covered under existing espionage laws; but is that really enough? Such laws would probably NOT cover the 500-man-year product mentioned above.

Mr. Junger is also surprised at his inability to get a straight answer on the regulations, as they apply to his trivial program, from a number of government officials he spoke to. I think he's being naive.

A number of years ago, while I was traveling out of state, my car's license plate was stolen. I called the police to report the stolen plate, and asked what I should do. I was told that I could not move the car until I went to the main registry office (60-70 miles from where I was, with no convenient transportation) to get a temporary plate. Not thinking, I pointed out how impractical this was. The cop's response was the same: I'd have to get a temporary plate. Not being TOO dense, I thanked him for the information and hung up.

Now, you know, and I know, and the *cop* knows, that it's absurd to expect someone to spend a full day, at considerable inconvenience and expense, traveling across state to get a temporary plate so they can drive home. Anyone rational would tell me to do what I actually did: I made a cardboard replacement plate (with a suitable note) and went about my business. But the *cop* couldn't tell me that.
He couldn't even hint at it. In his particular position, it is not his place to suggest to someone that they violate the law, even if the violation is a trivial one of a plainly silly law. I'm sure Mr. Junger will confirm that no lawyer would have suggested that I do it either - though a decent lawyer, not being a direct representative of the law enforcement community, would no doubt have seen his way clear to mention that LEGALLY I had to get the replacement plate, but in practice nothing was likely to happen if I didn't.

What would Mr. Junger have expected government officials charged with enforcing the export laws to say? "Hey, just ignore it? It's silly?" No bureaucrat will EVER say that; and, in fact, no bureaucrat in such a position SHOULD say it. It's not the bureaucrat's place to judge the regulations; it's his position to enforce them. He certainly has latitude in deciding which violations that come across his desk are worth pursuing - and certainly the chances of anyone being prosecuted for exporting a Captain Midnight decoder ring are a hell of a lot less than the chance that I would have gotten into trouble for driving home with my cardboard plate - but he's just plain not in a position to tell you that.

-- Jerry

------------------------------

End of RISKS-FORUM Digest 14.67
************************