Newsgroups: alt.security.pgp
Subject: Can you teach the law without breaking it?
Message-ID: <1993May31.154227.5699@wisipc.weizmann.ac.il>
From: oren@wisdom.weizmann.ac.il (Ben-Kiki Oren)
Date: Mon, 31 May 1993 15:42:27 GMT
Organization: Weizmann Institute of Science, Computation Center

This was posted in comp.risks, specifically: RISKS-LIST: RISKS-FORUM Digest, Sunday 30 May 1993, Volume 14 : Issue 65. Admittedly it is longish, but I think it is worth wading through:

-------------------------------------------------------------------------------

Date: Fri, 21 May 93 16:13:46 EDT
From: junger@samsara.law.cwru.edu (Peter D. Junger)
Subject: The risks of teaching about computers and the law

A fortnight ago, in order to postpone the necessity of grading final exams, I started writing a simple-minded encryption program, which uses a "one-time pad" as a key, for use this Fall in my class on Computers and the Law. The program is intended to demonstrate certain things that lawyers who are going to deal with the problems generated by computers should know: things like the nature of an algorithm and the fact that any text (that is encoded in binary digits) of length n contains (if one just has the key) all other texts of length n.

Although in that course we shall mainly be concerned with copyright and patent issues relating to computer programs, we should also spend some time on security issues and on government regulation of computer programs. And that, of course, includes the regulation of the export of computer programs, including cryptographic programs and technical information relating to such programs. I shall also have to discuss cryptographic programs when dealing with issues of computer security, since it would profit lawyers to be aware of the fact that cryptography can do far more than the law can to keep one's confidences confidential.
The latter point is, of course, of particular importance to members of a profession who have a legal and moral duty to keep their clients' confidences confidential from everyone, but especially from the agents of the state.

As I was writing this program I realized that it itself, and any `technical data' relating to it, might be subject to federal export licensing regulations, since I intended to give copies of it to, and discuss it with, my students and make it available to anyone who wants it, even foreigners. Even if I do not put it on an anonymous FTP server, as I originally planned, there is no way that I can guarantee that all the students who enroll in my class will be citizens or permanent residents of the United States.

After a little quick research I have determined that my program may be--and, in fact, probably is--subject to such licensing, though whether by the Department of Commerce or that of State is a matter that it will take some sixty days for the bureaucrats to determine.

The trouble is that the program, which should run on any PC clone running MSDOS 3 or higher, and which now consists in its entirety of 174 bytes of 8086 machine code, which I am pretty sure I can get down to 170 bytes or less, is squarely covered by the definitions of Category XIII of the U.S. Munitions List (as is my old Captain Midnight Decoder, which I got during the War for a boxtop--or was it an Ovaltine label?--and change).

The relevant subdivision of Category XIII of the Munitions List is (b), which provides in relevant part:

    (b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefor, including:

    (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems, except cryptographic equipment and software as follows: ....
[none of the exceptions appear to be applicable to my program]

There is no exception for encryption software that is so simple-minded that a law teacher, whose only degrees are in English and law, can hack it out in about six hours, most of which time was spent chasing bugs that were the result of typos. I estimate that the average computer-literate 12-year-old could have written the program in about 20 minutes.

In the course of my researches, which so far have consisted of speaking to a very pleasant person at the Department of Commerce's Bureau of Export Administration, to a not very nice major and a slightly nicer person at the Department of State's Bureau of Politico-Military Affairs, Office of Defense Trade Controls, and to a not un-nice person, whose name I was not allowed to know, who supposedly was at NSA, and wading an inch or so into a seven-inch stack of Commerce Department regulations and a few more inches of statutes, I have concluded that if I `export' my little program without first getting a license I may be subject to a fine of not more than $1,000,000, or imprisonment for not more than ten years, or both.

This isn't so bad, since in the case of the actual program it is pretty clear that `exporting' means exporting, so, since I don't intend to export the program, the only problem is that posting it on an FTP server on the internet gets into a `grey' area (according to the unknowable at NSA).

Of course, if the program is considered to be my expression--which it must be if it is protected by the copyright laws--it is probably a violation of the First Amendment to require me to get a license before I can export it. But since I don't intend to export it--and the unknowable, on whom I dare not rely, did keep saying that it was a matter of my intention--I can treat that issue as an academic problem.
(By the way, it is my position that the actual program--the machine code--not being in any sense expression--cannot Constitutionally be protected by copyright law; this is a position that the lower courts have--at least _sub silentio_--uniformly rejected, but it is a good bet that the Supreme Court will agree with me when it finally gets around to considering this issue!)

The real trouble is that Category XIII contains as its final subdivision paragraph (k), which covers

    (k) Technical data . . . related to the defense articles listed in this category.

And that, of course, means that I cannot lawfully export technical data about my program without first obtaining a license. But the regulations relating to technical data that is included on the Munitions List say, in effect, that the `export' of technical data includes talking about the defense article to which the data relates--which in my case is my piddling little program--in the presence of someone who is neither a citizen of the United States nor admitted to permanent residence in the United States.

So, if any foreign students sign up for my course I will be required to get a license--which I am not sure I can get at all, and certainly will not be able to get in time to teach my course--before describing the program to my class, explaining how to use it, and giving them the source code--which, by the way, I contend _does_ contain expression--to load in with the debug program.

I admit that I am not greatly concerned about the potential criminal penalties that might be imposed if I do discuss the program with my students without a license, and not only because I don't have a million dollars and--for all I know--may not have ten years. I cannot imagine anyone--except perhaps that major--who would be stupid enough to try to punish me for discussing my trivial program with my students.
But how can I teach this particular bit of computer law if the very act of teaching amounts--at least in theory--to a criminal violation of the very law that I am teaching? That this is not a logical paradox is an illustration of the fact that the law is not logic; but I still feel that I am trapped in an impossible situation.

It is hard for me as a law teacher to believe that this regulatory scheme that requires me to get a prior license each time that I speak about, or publish the details of, my trivial program (or, in the alternative, to make sure that no foreigners get to hear or read what I have to say about it) can withstand a constitutional challenge on First Amendment grounds. The "secret" of how to keep a secret in 170 bytes or less is not something that imposes any conceivable threat to the security of the United States, especially not when the underlying algorithm is well known to most who are, and many who aren't, knowledgeable about computers--or, for that matter, about logic.

And thus the government can't constitutionally punish me for revealing this "secret" of mine or talking and writing about how it works. And even if the government could constitutionally punish me after the fact, that does not mean that they can impose a prior restraint on my speaking or writing about the "secret".

Prior restraints on speech or publication--and especially licensing schemes--are especially vulnerable to constitutional attack, since the First Amendment provisions relating to the freedom of speech and of the press were adopted in large part to prevent the federal government from adopting the type of censorship and licensing that had prevailed in England under the Tudor and Stuart monarchies.

And yet I am so intimidated and disheartened by this unconstitutional scheme that I dare not explain in a submission to Risks, which undoubtedly has foreign subscribers, how my silly little program works.
And even if I were willing to take that risk, I could not in good conscience impose it on our moderator.

And if I have problems now, just think how ridiculous the situation will be if the government tries to outlaw all encryption programs and devices other than the Clipper Chip.

[For those of you who understand how my program works and who take the effort to write your own encryption program based on that understanding, I have a special offer. If you will just send me an E-mail message certifying that you are a United States Citizen, I will send you (at any address on the internet that is within the United States), a UUENCODEd key that when applied by your program to this particular submission to Risks--after all headers have been stripped off--will produce a working copy of my program, which is a COM file that runs under MSDOS. (Be sure that your copy of this submission uses the Carriage Return / Line Feed combination as the End of Line indicator.)]

Peter D. Junger
Case Western Reserve University Law School, Cleveland, OH
Internet: JUNGER@SAMSARA.LAW.CWRU.Edu -- Bitnet: JUNGER@CWRU

[Incidentally, at last week's IEEE Symposium on Research in Security and Privacy, a rump group decided that because crypto falls under munitions controls, the right to bear arms must sanction private uses of cryptography! PGN]

-------------------------------------------------------------------------------

This (k) subdivision seems deadly. For example, discussions of PGP algorithms - key lengths, use of IDEA, etc. - seem to be covered by this act. Possibly simple advice as to how to use PGP is also covered. Therefore, this newsgroup might be breaking USA law anytime a posting crosses the USA border.

More to the point, books about cryptology, scientific papers etc. are *definitely* covered. And I bet most of these are published in the USA and sent abroad. How can they be exported?
I think that if the simple act of "putting it in the public domain" was sufficient, the Law Prof would have known/found out about it. What's going on?

(BTW, if you don't know what a one-time pad is, I cannot enlighten you as this would cause some poor soul in NYU to break the law by unlicensed import of munitions. Worse, he'll break the law when the post is further distributed to the world, by exporting it. Let's play it safe - look it up in the library...)

Oren.

P.S. I found this so hilarious (especially the last footnote) that I sent it to rec.humor.funny; but then, I am not a USA citizen :-)

P.P.S. What happened to version 3.0 of PGP? Is it available yet? I am reluctant to use the current version since it was discovered there's a memory allocation bug in it that might cause DOS to trash my disk. Or is a bug fix available?

Oren.
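The one-time pad property that the quoted RISKS post relies on (that any text of length n "contains" every other text of length n, given the right key) is worked through below in Python as an added example. It is not Junger's 174-byte 8086 COM program and not anything from the post; the function names (otp_xor, key_for_target, reuse_leak) and the sample strings are constructed here. Beyond the post's own point, it also shows what is lost when the same pad is used twice, which is the reason the pad must be "one-time".

```python
import secrets


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each byte of data with the corresponding key byte.

    The same function encrypts and decrypts, because XOR is its own inverse.
    The key must be at least as long as the data; a shorter key would have to
    be repeated, and a repeated pad is no longer a one-time pad.
    """
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def generate_key(n: int) -> bytes:
    """A fresh pad of n cryptographically random bytes, never to be reused."""
    return secrets.token_bytes(n)


def key_for_target(ciphertext: bytes, target: bytes) -> bytes:
    """Return the pad under which ciphertext decrypts to target (same length).

    This is the property the post describes: for any ciphertext and any
    chosen text of the same length there is a key joining the two.  It is
    also why the one-time pad gives perfect secrecy: the ciphertext alone is
    consistent with every possible plaintext of that length, so it reveals
    nothing but the length.
    """
    if len(ciphertext) != len(target):
        raise ValueError("target must have the same length as the ciphertext")
    return otp_xor(ciphertext, target)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when one pad is used for two messages.

    With c1 = p1 XOR k and c2 = p2 XOR k, the key cancels and
    c1 XOR c2 == p1 XOR p2.  The pad stays hidden, but the relation between
    the two plaintexts is exposed, which is why a pad is used exactly once.
    """
    return otp_xor(c1, c2)


def demo() -> dict:
    """Round trip, the 'any text contains any other text' property, and the
    reuse caveat, on constructed 20-byte sample strings."""
    plaintext = b"the law is not logic"      # constructed sample, 20 bytes
    key = generate_key(len(plaintext))
    ciphertext = otp_xor(plaintext, key)
    recovered = otp_xor(ciphertext, key)

    # The same ciphertext "contains" a completely different text of length 20.
    target = b"grade the final exam"         # constructed sample, 20 bytes
    alt_key = key_for_target(ciphertext, target)
    alt_plain = otp_xor(ciphertext, alt_key)

    # Reusing the pad for a second message (a mistake) exposes p1 XOR p2.
    second = b"one time pad in 8086"         # constructed sample, 20 bytes
    second_ct = otp_xor(second, key)         # WRONG: same pad used twice
    leak = reuse_leak(ciphertext, second_ct)

    return {
        "round_trip_ok": recovered == plaintext,
        "alt_plain": alt_plain,
        "reuse_exposes_plaintext_xor": leak == otp_xor(plaintext, second),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary whose alt_plain entry is the second sample string, produced from the very same ciphertext as the first: the ciphertext is not tied to either text, only the key is. The reuse check returning True is the practical caveat that goes with the property: perfect secrecy holds only for a random pad used once.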