[2301] in cryptography@c2.net mail archive
Inter@ctive Week : PGP to be sold abroad
daemon@ATHENA.MIT.EDU (Will Rodger)
Fri Mar 20 12:33:18 1998
Date: Thu, 19 Mar 1998 22:49:13 -0500
To: cryptography@c2.net
From: Will Rodger <rodger@worldnet.att.net>
--=====_Eudora-PGP-Plugin22554==_
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
The theoretical has become the real.
I wrote about PGP's moves in Europe in March 1997 based on conversations's
at that year's CFP conference. After more than a year of looking around,
NAI is not licensing abroad, but selling directly.
As former NSA Counsel Stewart Baker told me this evening, "this takes
cojones."
http://www.zdnet.com/zdnn/content/inwo/0319/296341.html
By Will Rodger, Inter@ctive Week Online
March 19, 1998 6:56 PM PST
Pretty Good Privacy, a computer security product long associated with
opposition to US export controls on data-scrambling exports, will be sold
outside the United States for the first time ever beginning this week,
sources at Network Associates Inc. said.
The sales initiative comes perilously close to violating US felony
prohibitions on exports of strong encryption software. But it also exposes
a gaping hole in export laws that could lead to the ultimate downfall of
the regulations themselves, observers say.
"It's yet another example of the absurdity of export controls," said Alan
Davidson, staff counsel with the Center for Democracy and Technology. "You
can't stop ideas at the border."
Powerful encryption techniques were once the province of empire-fighting
patriots like John Adams and Thomas Jefferson, spies and military officers.
For centuries they used the arcane mathematical concepts behind code making
to protect secret communiques, form new governments and win wars. But those
skills have rapidly spread to the private sector over the past 20 years,
giving companies and private citizens secure email and voice communications
over cell phones, conventional telephones and a hacker-ridden Internet.
The core conflict
At the same time, the technology that renders privacy certain in a digital
age can also hide criminal plans and conspiracies. It's for that reason
that the US government has controlled encryption exports tightly since
World War II. More recently, the Clinton Administration has forced
encryption exporters to supply spare encryption "keys" for storage with
third parties in case wiretaps are needed or forego exports in all but a
few cases.
The clear conflict between the need for personal security on one hand and
the ability to track down criminals on the other has exploded on Capitol
Hill. On one side stand civil libertarians and businesses who fear
uncontrolled police power. On the other: federal wiretappers who want
access to all electronic communications with court orders.
"Our reaction is this is something to be investigated," said Bill Reinsch,
undersecretary for export control at the US Department of Commerce. "This
case may be a ground breaker."
How PGP slipped past the Feds
To sell the controlled encryption software abroad, Pretty Good Privacy
executives last year exported copies of the software source code in book
form. Since the software went over in books, there was no violation of
export laws, they say.
Once abroad, volunteers supportive of PGP's fight to liberalize encryption
laws scanned the books into computers and converted that source code into
usable software. Had the software been shipped on floppies, by contrast,
those who exported it could have been charged with felony violations of the
law.
Executives at Network Associates' Dutch affiliate have since taken the
software and begun striking deals to sell the American-developed product
abroad - all in compliance with US laws, they say. The Commerce
Department's Reinsch isn't so sure, however. US laws prohibit not just the
export of powerful encryption technology, but re-export as well. As a
result, he says, any attempt by Network Associates' executives to export
the software from the Netherlands would be a crime punishable in a court of
law if federal lawyers could show the end product was at least 25 percent
American. Prosecution of foreign nationals could be difficult, especially
given the Netherland's disinterest in controlling strong encryption.
"Can we reach a foreign national? Sometimes we can, sometimes we can't," he
said.
Books yes, software no
Encryption advocates say there's more than a bit of irony in the Network
Associates story. For years, the government has avoided First Amendment
challenges to encryption controls by drawing distinctions between source
code in book form and software on diskettes. As long as US attorneys could
claim they would control only finished software and not books, they could
safely say their controls were constitutional.
Yet two court challenges to the regulations say that source code itself is
speech, regardless of whether it exists in books or floppy disks. By giving
safe harbor to books, attorney Cindy Cohn said, the government has
effectively reduced export controls to meaninglessness. Cohn is counsel to
Daniel Bernstein, a professor who has filed suit to publish the source code
to his encryption program "Snuffle" on the Internet.
Cohn disputed Reinsch's interpretation of regulations governing "re-export"
of encryption.
"I don't think you can take something that's protected expression at the
time it's exported and then claim that it suddenly becomes an export item
on the other side," she said. "I'm pleased that PGP is continuing to take
advantage of the obvious inconsistencies in the regulations."
--=====_Eudora-PGP-Plugin22554==_
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
MessageID: jLhFL5vDJkMvChIcgL5fY9XCiqxysT4b
iQA/AwUBNRHnP9ZgKT/Hvj9iEQJBzACaAgxPSxltl5LnATk1Zgwdwa+crZcAoMb7
+2AlauvlhUBTN8AW8pFxaWoy
=/f27
-----END PGP SIGNATURE-----
--=====_Eudora-PGP-Plugin22554==_--
