Slashdot Mirror


U.S. May Kill Open Source Crypto Export Regs

Snord wrote in with a link to a news.excite.com article about how the government may consider relaxing export controls on open source crypto, not just on commercial closed-source stuff. And the judiciary may make the entire issue moot anyway. Quote from the story: "A three-judge panel of the U.S. Court of Appeals for the Ninth Circuit ruled in May that the source code export limits were a violation of the First Amendment's free speech guarantee, but the decision is being reviewed by the full appeals court." (More Below)

Update: 10/20 08:04 by michael : Note that there's no real reason to believe the export of source code will be permitted under the new regulations - there's been no indication of that whatsoever, rather the "relaxations" have been only on compiled code, and only in very specific situations designed to appease certain specific industries. (Every time the press reports another "relaxation", you might think suddenly crypto is free. Au contraire.) The DOJ has already had an eight-month delay earlier in the Bernstein case when the rules were changed previously (which had no effect on the case); the plaintiffs are arguing that the DOJ shouldn't be allowed to stall any further. Essentially there's a shell game going on, with the government shuffling the crypto ball around under the cups and daring Bernstein and the other litigants to find it.

3 of 50 comments

  1. Re:Source code in a book by alexhmit01 · Score: 5

    Basically, the law covers binaries and machine readable instructions. The reason for this is that books are a sacred cow, and if the gov't went after books, the whole scheme would collapse.

    Arguing the source code = free speech is an interesting but unclear argument. A cryptographic binary would clearly not be speech, so it could be regulated as a munition. However, the source code is readily compilable into that executable, so where is the distinction? That is the argument for the regulation of machine readable code. Allowing source code as speech but not binaries would be ludicrous.

    However, a book with algorithms in it is clearly not encryption for a computer, is it? Regulating a book is dangerous, and the courts protect "the press" really well. If someone were to stand on a soap box explaining encryption, the government would have a difficult time censoring him (legally), and when it is put into a book, they have the same issues. However, in a machine readable format, it can be argued that it is the same as the binary, and electronic data is less protected in the courts than press/speech (see the laws regulating television and radio).

    What makes this interesting is that the justification for radio/tv restrictions was that the radio spectrum was a public good with limited capacity, so it was necessary to ensure that it was used for the good of the people, while speech and the press are unlimited...
    i.e. my printing a newspaper doesn't prevent you from doing so, but if I grab the last channel, you're SOL

    Unfortunately, this screwy standard was appearing to be applied to the Internet, after all, it applied to cable which was not using a public good (although as regulated monopolies...), but the courts are realizing that the Internet appears to be the extreme of the speech/press, where everyone can publish and not get in the way of others.

    The current US restrictions, while well intentioned, are a little silly. However, contrary to what /.'s think, there is no limitation on key sizes domestically.

    The reason for the 128 bit limit is that it is good enough to prevent cracking with current technology, and we like our current 128-bit algorithms. In a few years, when it is insufficient, we'll move to 256 bit keys with the algorithms modified appropriately. I've used 1024-bit keys, but those are usually only used in less secure algorithms, so they are about the same to crack as a 128 bit.

    The US Government was well intentioned, as encrypted data made a HUGE difference during WWII. Right now, encryption is pretty well known, and there is nothing unique in the US right now. The US Gov't should concentrate on getting a Quantum Computer instead of this nonsense.


    The encryption limits are a red herring. Everyone knows that they are retarded, but it allows negotiation. It is VERY important to US Software firms, but they are making several other demands, more H-1B Visas, no Net taxes, etc. As a result, this makes a nice bargaining tool, and the Administration is able to give in to their demands slowly. As a result, they hold on to their cards as long as possible.

  2. Not moot by a long shot by NatePuri · Score: 5

    I spoke with Bernstein's lawyer a few days ago and while she was very optimistic that the 9th Circuit would find in her favor again, she was worried about the overall landscape of the crypto laws because the Circuit court in Ohio will hear another case involving a law professor's request for a BXA license to teach his students (Junger v. Daley).

    There the Northern District of Ohio upheld the BXA's denial of a license. Now it is on appeal. If the federal appeals court in Ohio affirms the district court's holding, we will have a split of opinion in the federal courts. This means that one circuit would hold that source code is speech and another would hold that it's not. Then we would have to see if the Supreme Court would resolve this split. It may not, then we would have disparate laws in the various federal jurisdictions.

    In addition, even if the Clinton Administration revamps its rules the issue would persist whether any licensing scheme regulating the publication of encryption source code would violate the 1st Amendment. The specific issue is whether the requirement that license approvals must be finalized by the president is an arbitrary prior restraint on free speech and violative of the 1st Amend. The general issue is whether any licensing scheme that regulates source code of any kind is a prior restraint on free speech and a 1st Amend violation.

    Both of these issues ultimately hinge on whether source code is speech. And we already have one court saying it is and another saying that it isn't.

    The ray of hope in all of this is that if the Supreme Court does eventually get to resolve this split in all likelihood it will find that source code is speech and give it full 1st Amend protections. The reason for this is that we have an exceptionally conservative bench that tends to employ a literalist textual method of interpreting the constitution. They will hold that any prior restraint must meet the strictest scrutiny; the government can only restrain speech when it is in the country's imminent national security interest where they know immediate harm will occur to our security if the speech is not restrained.

    Source code will never meet this test unless the code is 'how to destroy our financial networks' or something like that (IOW software as a weapon). Encryption can always be used for non-harmful purposes so it will not fit the S.Ct.'s strict scrutiny standards.

    I plan on attending the Bernstein Appeals hearing in December. If anyone is interested in attending with me, email me and I'll let you know when and where. It's in San Francisco. I can also find out the locations for the Junger hearing in Ohio; there's also a crypto case called Karn in D.C. I can find out the details of that as well. We should all go to these hearings and make a show of support for the 'source code is speech' platform.

  3. Source code in a book by Lucius+Lucanius · Score: 5

    I remember browsing in '95 a crypto book (PGP, I think) with a nifty preface, in which they describe how the book contains the entire source code in a format ideal for OCR scanning. This was because even though the compiled binary was illegal for export, the *book* with the source code was a book, and thus could not only be exported but contain guidelines for scanning and compilation to create the final product.

    Rather schizophrenic situation, and ironic to boot, esp. since the binary is considered a "munitions" product. Just about the entire book consisted of only source code - can't remember what it was. I guess there are subtle legal differences between exporting a book w/ source code vs. posting the source code for download.

    BTW, when Phil Zimmermann of PGP won a legal case against the FBI, a govt. agent asked him how he felt. His answer - "Pretty Damn Good".


    L.