U.S. May Kill Open Source Crypto Export Regs
Update: 10/20 08:04 by michael : Note that there's no real reason to believe the export of source code will be permitted under the new regulations - there's been no indication of that whatsoever, rather the "relaxations" have been only on compiled code, and only in very specific situations designed to appease certain specific industries. (Every time the press reports another "relaxation", you might think suddenly crypto is free. Au contraire.) The DOJ has already had an eight-month delay earlier in the Bernstein case when the rules were changed previously (which had no effect on the case); the plaintiffs are arguing that the DOJ shouldn't be allowed to stall any further. Essentially there's a shell game going on, with the government shuffling the crypto ball around under the cups and daring Bernstein and the other litigants to find it.
That possibility isn't necessarily being suggested on high moral or commonsense grounds. It may be driven mainly by the desire to prevent Microsoft from moving their crypto development labs abroad, e.g. to the UK as was suggested by Gates' recent hobnobbing with the British PM.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Basically, the law covers binaries and machine readable instructions. The reason for this is that books are a sacred cow, and if the gov't went after books, the whole scheme would collapse.
/.'s thing, there is no limitation on key sizes domestically.
Arguing that source code = free speech is an interesting but unclear argument. A cryptographic binary would clearly not be speech, so it could be regulated as a munition. However, the source code is readily compilable into that executable, so where is the distinction? That is the argument for the regulation of machine readable code. Allowing source code as speech but not binaries would be ludicrous.
However, a book with algorithms in it is clearly not encryption for a computer, is it? Regulating a book is dangerous, and the courts protect "the press" really well. If someone were to stand on a soap box explaining encryption, the government would have a difficult time censoring him (legally), and when it is put into a book, they have the same issues. However, in a machine readable format, it can be argued that it is the same as the binary, and electronic data is less protected in the courts than press/speech (see the laws regulating television and radio).
What makes this interesting is that the justification for radio/TV restrictions was that the radio spectrum was a public good with limited capacity, so it was necessary to ensure that it was used for the good of the people, while speech and the press are unlimited...
i.e. my printing a newspaper doesn't prevent you from doing so, but if I grab the last channel, you're SOL
Unfortunately, this screwy standard was appearing to be applied to the Internet; after all, it applied to cable, which was not using a public good (although as regulated monopolies...), but the courts are realizing that the Internet appears to be the extreme of the speech/press, where everyone can publish and not get in the way of others.
The current US restrictions, while well intentioned, are a little silly. However, contrary to what
The reason for the 128 bit limit is that it is good enough to prevent cracking with current technology, and we like our current 128-bit algorithms. In a few years, when it is insufficient, we'll move to 256 bit keys with the algorithms modified appropriately. I've used 1024-bit keys, but those are usually only used in less secure algorithms, so they are about the same to crack as a 128 bit.
The US Government was well intentioned, as encrypted data made a HUGE difference during WWII. Right now, encryption is pretty well known, and there is nothing unique in the US right now. The US Gov't should concentrate on getting a Quantum Computer instead of this nonsense.
The encryption limits are a red herring. Everyone knows that they are retarded, but it allows negotiation. It is VERY important to US Software firms, but they are making several other demands, more H-1B Visas, no Net taxes, etc. As a result, this makes a nice bargaining tool, and the Administration is able to give in to their demands slowly. As a result, they hold on to their cards as long as possible.
We need both the court ruling and the relaxation of regulations. The relaxation of regulations might very well not cover source code by the time it actually appears. On the flip side, the court ruling definitely will not cover binaries; it would only open source code as speech.
----
----
Open mind, insert foot.
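The post above compares a 128-bit key with a 1024-bit key and says the latter is used in "less secure algorithms", which is the symmetric-versus-public-key distinction. The following is an added example, not code from the original thread, that puts both on one scale: brute force on a k-bit symmetric key costs about 2^k operations, while factoring an n-bit RSA modulus with the number field sieve costs roughly L_n[1/3, (64/9)^(1/3)]. The calibration point (a 1024-bit modulus rated at about 80 bits of symmetric strength, the NIST SP 800-57 rule of thumb) and the step size are assumptions of this example; the function names are mine.

```python
import math

# Number-field-sieve heuristic constant (64/9)^(1/3). All results are in
# log2 units, i.e. "bits of work", so they compare directly with key sizes.
NFS_C = (64.0 / 9.0) ** (1.0 / 3.0)

# Calibration assumption for this example: a 1024-bit RSA modulus is rated
# at ~80 bits of symmetric-equivalent strength (NIST SP 800-57 rule of thumb).
CALIBRATION = (1024, 80.0)


def nfs_work_bits(modulus_bits: int) -> float:
    """log2 of the asymptotic NFS cost L_n[1/3, (64/9)^(1/3)] for an n-bit modulus.

    The o(1) term is ignored, so only differences between sizes are
    meaningful; absolute values are anchored by CALIBRATION below.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = NFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_ln / math.log(2)


def rsa_equiv_symmetric_bits(modulus_bits: int) -> float:
    """Symmetric-key strength roughly equivalent to an RSA modulus of this size."""
    base_bits, base_strength = CALIBRATION
    return base_strength + nfs_work_bits(modulus_bits) - nfs_work_bits(base_bits)


def rsa_bits_for_security(target_bits: int, step: int = 256,
                          max_bits: int = 16384) -> int:
    """Smallest modulus size (multiple of `step`) whose estimated strength
    reaches `target_bits` of symmetric-equivalent security."""
    for bits in range(step, max_bits + 1, step):
        if rsa_equiv_symmetric_bits(bits) >= target_bits - 1e-9:
            return bits
    raise ValueError(f"no modulus up to {max_bits} bits reaches {target_bits} bits")


def brute_force_margin(symmetric_bits: int, modulus_bits: int) -> float:
    """log2 of (cost to brute-force a symmetric key) / (cost to factor the modulus).

    Positive means the symmetric key is the stronger of the two; this is the
    comparison the post above makes for a 128-bit key versus a 1024-bit key.
    """
    return symmetric_bits - rsa_equiv_symmetric_bits(modulus_bits)


if __name__ == "__main__":
    for n in (512, 768, 1024, 2048, 3072, 4096):
        print(f"RSA-{n:<5} ~ {rsa_equiv_symmetric_bits(n):6.1f}-bit symmetric key")
    print("128-bit symmetric key vs RSA-1024: 2^%.0f times more work to brute-force"
          % brute_force_margin(128, 1024))
    print("RSA size for 128-bit security:", rsa_bits_for_security(128))
```

Run as written, the table shows why "1024 bits" and "128 bits" are not interchangeable numbers: under the NFS estimate a 1024-bit modulus sits near 80 bits of symmetric strength, and reaching 128 bits takes a modulus around 3072 bits. Useful as a sanity check on any key-size policy that quotes one number for both kinds of key.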
I was reading a court decision regarding this a while back (it was on the 'net, don't remember where) and according to the judge in that case it's only a viable contract if the terms were visible on the package at the time of sale. If the contract is inside the package (as with most EULAs), unless you open the package and read it before handing the clerk your money, the EULA isn't valid.
As with all things lawyerly though, I'm sure it only applies in that place at that time with the moon in that position...
*Just* as I get done submitting this puppy, up it goes! Oh, well...
:-)
Clinton, and his army of spooks see themselves in a real pickle here. On one side, they have the First Amendment hindering their nefarious plotting, and on the other side they have a raving band of open source zealots doing the unthinkable: sharing!
On one side, their laws are being exposed as unconstitutional, and on the other, the spread of PGPi, OpenBSD, and such are making the laws moot.
I'd throw in a comment about Clinton's place in history, but it'd probably get me moderated down.
This would be a very good thing if it happens, and happens right. We may finally get linux (and *BSD of course) distros that come very secure straight out of the box, without having to jump through all the hoops like OpenBSD does, or keep packages on a non-us server like Debian.
On top of that, the potential for unencumbering software like Mozilla is exciting.
mmm... standard 128+ bit browsers, standard (Open)SSH, no more telnet...
I just hope it is this unregulated. Of course there's still the concern of binary limitations, which to my understanding have only been slightly lifted for commercial entities with the "blessing" of big bro.
Living in the UK, it's horrible watching you guys over the pond being able to have all that stuff; now we may actually have a chance!!!!
yahooooo
I spoke with Bernstein's lawyer a few days ago and while she was very optimistic that the 9th Circuit would find in her favor again, she was worried about the overall landscape of the crypto laws because the Circuit court in Ohio will hear another case involving a law professor's request for a BXA license to teach his students (Junger v. Daley).
There the Northern District of Ohio upheld the BXA's denial of a license. Now it is on appeal. If the federal appeals court in Ohio affirms the district court's holding, we will have a split of opinion in the federal courts. This means that one circuit would hold that source code is speech and another would hold that it's not. Then we would have to see if the Supreme Court would resolve this split. It may not, then we would have disparate laws in the various federal jurisdictions.
In addition, even if the Clinton Administration revamps its rules the issue would persist whether any licensing scheme regulating the publication of encryption source code would violate the 1st Amendment. The specific issue is whether the requirement that license approvals must be finalized by the president is an arbitrary prior restraint on free speech and violative of the 1st Amend. The general issue is whether any licensing scheme that regulates source code of any kind is a prior restraint on free speech and a 1st Amend violation.
Both of these issues ultimately hinge on whether source code is speech. And we already have one court saying it is and another saying that it isn't.
The ray of hope in all of this is that if the Supreme Court does eventually get to resolve this split in all likelihood it will find that source code is speech and give it full 1st Amend protections. The reason for this is that we have an exceptionally conservative bench that tends to employ a literalist textual method of interpreting the constitution. They will hold that any prior restraint must meet the strictest scrutiny; the government can only restrain speech when it is in the country's imminent national security interest where they know immediate harm will occur to our security if the speech is not restrained.
Source code will never meet this test unless the code is 'how to destroy our financial networks' or something like that (IOW software as a weapon). Encryption can always be used for non-harmful purposes so it will not fit the S.Ct.'s strict scrutiny standards.
I plan on attending the Bernstein Appeals hearing in December. If anyone is interested in attending with me, email me and I'll let you know when and where. It's in San Francisco. I can also find out the locations for the Junger hearing in Ohio; there's also a crypto case called Karn in D.C. I can find out the details of that as well. We should all go to these hearings and make a show of support for the 'source code is speech' platform.
I remember browsing in '95 a crypto book (PGP, I think) with a nifty preface, in which they describe how the book contains the entire source code in a format ideal for OCR scanning. This was because even though the compiled binary was illegal for export, the *book* with the source code was a book, and thus could not only be exported but contain guidelines for scanning and compilation to create the final product.
Rather schizophrenic situation, and ironic to boot, esp. since the binary is considered a "munitions" product. Just about the entire book consisted of only source code - can't remember what it was. I guess there are subtle legal differences between exporting a book w/ source code vs. posting the source code for download.
BTW, when Phil Zimmermann of PGP won a legal case against the FBI, a govt. agent asked him how he felt. His answer - "Pretty Damn Good".
L.
But let's face it, it feels sort of GOOD to use "illegal" software, doesn't it? :-)
"GNU privacy Guard - for that underground feeling"
You are the same decaying organic matter as the rest of us.
Yet another promise in a long line of promises.
Most of the past promises have been "kept", sort of. The export regs have been changed but never enough to actually free strong crypto.
The government always has, and still does, consider widespread strong encryption to be their enemy. That's something very fundamental, folks. They're not going to free crypto until there is a fundamental change in their thinking.
We're going to see many more promises of relaxed regulations before we see any real change.
Personally, I think that when 100% of the world's communications are strongly encrypted, we'll still be hearing promises of relaxed export regs.
File this one under "vaporware".
My guess would be mostly companies who also have their contacts in the US and rely on encrypted communication. This is due to the fact that as long as you want to communicate with people from inside the US you'll have to lower the encryption bitcode to 128, which immediately brings me to your next question;
2. Are there any import restrictions for strong crypto?
As far as I know there are, or there were to be more precise, but to a certain extent. I've been into PGP for quite some time now (started using it on FidoNet back in '93 / '94 I believe) and I can remember that we once had PGP which was "smuggled" out of the US using the book which another /. poster mentioned, and finally there was some Finn (not 100% sure here) who actually started scanning the critter in order to compile it. That process took him several weeks (some people also have a social life ;-)) but when he was done the result was pgp 2.xi (international version) which was compatible with the US version to some degree. However, pgpi could also be used in a way that it wasn't compatible with the pgp in the US. Afaik this was due to keylengths.
However, all the documentation clearly stated that residents of the US were legally not allowed to use pgpi since it could handle over 1024 bit keys while in the US everyone was limited to 128 bits. So basically you don't have any import restrictions, but since I can't see why anyone outside the US would settle for 128 bit keys I think you could label this minor restriction as a major one when it concerns importing.
As in: Other countries don't have these strange regulations, it would only take 1 copy in another country to make it available to everyone.
Are there any Open Source crypto systems that exist, but are only available in the US?
I don't think so...
2. Are there any import restrictions for strong crypto?
It would truly be weird if the rest of the world has strong crypto but the US hasn't, especially when it's OS and free to download...
Chris
It only hurts when you survive
... reliable sources from inside the White House have leaked information that the government will soon be easing export regulations on encryption. Specifically, rot13 will now be able to be exported to Canada. Our sources tell us that this easing is to promote the Internet in lesser developed countries.
-- If it ain't the whole horse - it ain't worth nothing.
In practice, we can get all the crypto we want (look at the Debian non-US stuff) but we can also export it freely; I have source code for my algorithms on my Web pages. Wassenaar may change this but at the moment it looks like it won't.
--
Xenu loves you!
Circa WW2, when crypto was almost exclusively a military tool, it made a whole lot of sense to include it in a list of technologies that would directly threaten the U.S. if they were to get overseas. The point was that enemy nations could directly harm us good guys if we were unable to crack their codes. (See any number of texts on how cryptanalysis changed the course of the war.) It had nothing to do with U.S. citizens' ability to use encryption domestically. It's only relatively recently that the U.S. government has decided that satisfying its curiosity about its own citizens' affairs is more important than protecting their liberty.
Laws take a long time to change. This is good. Because once these stupid regulations are eliminated, you don't want the next boneheaded fascist administration to be able to just put them back at their whim.
Basically the USG is arguing in Bernstein's case that because there's an off chance they'll modify the export regulations, the case should be delayed. He's pointed out that they've said this before (when the export regs. moved to Commerce), and it didn't happen.
What really needs to happen is that the full court needs to uphold the decision that software source code is covered by 1st Amendment protection. Then no matter what, it can't be legislated against. That's much more important than the government simply changing its export stance temporarily.
Paul
http://www.pauldrobertson.com
Well, I don't know if we'll get relaxed regulations out of this, but the very fact that a U.S. president acknowledged Linux, and considers it important, is major progress for acceptance of the OS and OSS. Maybe he just realized that throwing over 10M voters away wasn't smart :), but it means the same anyway - Linux is on the radar screen in mainstream America, and considered either a political or economic force by politicians.
OSS sheds light on the encryption debate in a useful way. Clearly the development model itself requires the ability to publish sources, and any OS that wants to be used widely must support encryption. Very dangerous for a government to try to shutdown or harass a volunteer movement, the press can have too much fun portraying Big Government vs. Altruistic Volunteers. This plays even better than Big Government vs Evil Microsoft I suspect.