Date: Sun, 26 Feb 95 09:18:24 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#021 Computer Privacy Digest Sun, 26 Feb 95 Volume 6 : Issue: 021 Today's Topics: Moderator: Leonard P. Levine EFF Sues to Overturn Cryptography Restrictions Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: Aki Namioka Date: Wed, 22 Feb 95 08:26:30 PST Subject: EFF Sues to Overturn Cryptography Restrictions ----- Begin Included Message ----- From robg@prognet.com Tue Feb 21 23:03:52 1995 Subject: EFF SUES TO OVERTURN CRYPTOGRAPHY RESTRICTIONS For a variety of reasons we've had to keep quite quiet about this case, which has been developing for some time. We think it's an ideal test case that will kick up a lot of dust and might even end the ridiculous export control morass. Any questions should be address to Shari Steele at EFF (ssteele@eff.org). Rob From: farber@central.cis.upenn.edu (David Farber) Date: Tue, 21 Feb 1995 23:18:30 -0500 Subject: EFF SUES TO OVERTURN CRYPTOGRAPHY RESTRICTIONS EFF SUES TO OVERTURN CRYPTOGRAPHY RESTRICTIONS First Amendment Protects Information about Privacy Technologies February 21, 1995 San Mateo, California In a move aimed at expanding the growth and spread of privacy and security technologies, the Electronic Frontier Foundation is sponsoring a federal lawsuit filed today seeking to bar the government from restricting publication of cryptographic documents and software. EFF argues that the export-control laws, both on their face and as applied to users of cryptographic materials, are unconstitutional. Cryptography, defined as "the science and study of secret writing," concerns the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception. Although the science of cryptography is very old, the desktop-computer revolution has made it possible for cryptographic techniques to become widely used and accessible to nonexperts. EFF believes that this technology is central to the preservation of privacy and security in an increasingly computerized and networked world. The plaintiff in the suit is a graduate student in Mathematics at the University of California at Berkeley named Dan Bernstein. Bernstein developed an encryption equation, or algorithm, and wishes to publish the algorithm, a mathematical paper that describes and explains the algorithm, and a computer program that implements the algorithm. Bernstein also wishes to discuss these items at mathematical conferences and other open, public meetings. The problem is that the government currently treats cryptographic software as if it were a physical weapon and highly regulates its dissemination. Any individual or company who wants to export such software -- or to publish on the Internet any "technical data" such as papers describing encryption software or algorithms -- must first obtain a license from the State Department. Under the terms of this license, each recipient of the licensed software or information must be tracked and reported to the government. Penalties can be pretty stiff -- ten years in jail, a million dollar criminal fine, plus civil fines. This legal scheme effectively prevents individuals from engaging in otherwise legal communications about encryption. The lawsuit challenges the export-control scheme as an ``impermissible prior restraint on speech, in violation of the First Amendment.'' Software and its associated documentation, the plaintiff contends, are published, not manufactured; they are Constitutionally protected works of human-to-human communication, like a movie, a book, or a telephone conversation. These communications cannot be suppressed by the government except under very narrow conditions -- conditions that are not met by the vague and overbroad export-control laws. In denying people the right to publish such information freely, these laws, regulations, and procedures unconstitutionally abridge the right to speak, to publish, to associate with others, and to engage in academic inquiry and study. They also have the effect of restricting the availability of a means for individuals to protect their privacy, which is also a Constitutionally protected interest. More specifically, the current export control process: * provides too few procedural safeguards for First Amendment rights; * requires publishers to register with the government, creating in effect a "licensed press"; * disallows general publication by requiring recipients to be individually identified; * is sufficiently vague that ordinary people cannot know what conduct is allowed and what conduct is prohibited; * is overbroad because it prohibits conduct that is clearly protected (such as speaking to foreigners within the United States); * is applied overbroadly, by prohibiting export of software that contains no cryptography, on the theory that cryptography could be added to it later; * egregiously violates the First Amendment by prohibiting private speech on cryptography because the government wishes its own opinions on cryptography to guide the public instead; and * exceeds the authority granted by Congress in the export control laws in many ways, as well as exceeding the authority granted by the Constitution. If this suit is successful in its challenge of the export-control laws, it will clear the way for cryptographic software to be treated like any other kind of software. This will allow companies such as Microsoft, Apple, IBM, and Sun to build high-quality security and privacy protection into their operating systems. It will also allow computer and network users, including those who use the Internet, much more freedom to build and exchange their own solutions to these problems, such as the freely available PGP encryption program. And it will enable the next generation of Internet protocols to come with built-in cryptographic security and privacy, replacing a sagging part of today's Internet infrastructure. Lead attorney on the case is Cindy Cohn, of McGlashan and Sarrail in San Mateo, CA, who is offering her services pro-bono. Major assistance has been provided by Shari Steele, EFF staff; John Gilmore, EFF Board; and Lee Tien, counsel to John Gilmore. EFF is organizing and supporting the case and paying the expenses. The suit was filed in Federal District Court for the Northern District of California. EFF anticipates that the case will take several years to win. If the past is any guide, the government will use every trick and every procedural delaying tactic available to avoid having a court look at the real issues. Nevertheless, EFF remains firmly committed to this long term project. We are confident that, once a court examines the issues on the merits, the government will be shown to be violating the Constitution, and that its attempts to restrict both freedom of speech and privacy will be shown to have no place in an open society. Full text of the lawsuit and other paperwork filed in the case is available from the EFF's online archives. The exhibits which contain cryptographic information are not available online, because making them publicly available on the Internet could be considered an illegal export until the law is struck down. See: [NOTE: Currently only the Exhibits documents are available; the complaint and other docs will appear shortly] ftp.eff.org, /pub/EFF/Policy/Crypto/ITAR_export/Bernstein_case/ gopher.eff.org, 1/EFF/Policy/Crypto/ITAR_export/Bernstein_case http://www.eff.org/pub/EFF/Policy/Crypto/ITAR_export/Bernstein_case/ Press contact: Shari Steele, EFF: ssteele@eff.org, +1 202 861 7700. For further reading, we suggest: The Government's Classification of Private Ideas: Hearings Before a Subcomm. of the House Comm. on Government Operations, 96th Cong., 2d Sess. (1980) John Harmon, Assistant Attorney General, Office of Legal Counsel, Department of Justice, Memorandum to Dr. Frank Press, Science Advisor to the President, Re: Constitutionality Under the First Amendment of ITAR Restrictions on Public Cryptography (May 11, 1978). [Included in the above Hearings; also online as http://www.eff.org/pub/EFF/Policy/Crypto/ ITAR_export/ITAR_FOIA/itar_hr_govop_hearing.transcript]. Alexander, Preserving High-Tech Secrets: National Security Controls on University Research and Teaching, 15 Law & Policy in Int'l Business 173 (1983) Cheh, Government Control of Private Ideas-Striking a Balance Between Scientific Freedom and National Security, 23 Jurimetrics J. 1 (1982) Funk, National Security Controls on the Dissemination of Privately Generated Scientific Information, 30 U.C.L.A. L. Rev. 405 (1982) Pierce, Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation, 17 Cornell Int'l L. J. 197 (1984) Rindskopf and Brown, Jr., Scientific and Technological Information and the Exigencies of Our Period, 26 Wm. & Mary L. Rev. 909 (1985) Ramirez, The Balance of Interests Between National Security Controls and First Amendment Interests in Academic Freedom, 13 J. Coll. & U. Law 179 (1986) Shinn, The First Amendment and the Export Laws: Free Speech on Scientific and Technical Matters, 58 Geo. W. L. Rev. 368 (1990) Neuborne and Shapiro, The Nylon Curtain: America's National Border and the Free Flow of Ideas, 26 Wm. & Mary L. Rev. 719 (1985) Greenstein, National Security Controls on Scientific Information, 23 Jurimetrics J. 50 (1982) Sullivan and Bader, The Application of Export Control Laws to Scientific Research at Universities, 9 J. Coll. & U. Law 451 (1982) Wilson, National Security Control of Technological Information, 25 Jurimetrics J. 109 (1985) Kahn, The Codebreakers: The Story of Secret Writing. New York: Macmillan (1967) [Great background on cryptography and its history.] Relyea, Silencing Science: national security controls and scientific communication, Congressional Research Service. Norwood, NJ: Ablex Publishing Corp. (1994) John Gilmore, Crypto Export Control Archives, online at http://www.cygnus.com/~gnu/export.html EFF Crypto Export Control Archives, online at ftp.eff.org, /pub/EFF/Policy/Crypto/ITAR_export/ gopher.eff.org, 1/EFF/Policy/Crypto/ITAR_export http://www.eff.org/pub/EFF/Policy/Crypto/ITAR_export/ ------------------------------ From: "Prof. L. P. Levine" Date: Thu, 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #021 ****************************** .