Date: Fri, 11 Mar 88 17:55:05 EST
From: eachus@mitre-bedford.arpa
Subject: Re: Question--Exporting the DES Algorithm
Sender: security@aim.rutgers.edu
To: iconsys!bryan@uunet.uu.net
Resent-date: Wed, 6 Apr 88 23:01 EST
Resent-to: security-list@aim.rutgers.edu

The communications on exporting the DES algorithm which have appeared on the net recently are ALL correct. Huh? What did you just say? Read on.

If something not subject to ITAR regulations is in the public domain, or "widely published" in the US, any citizen has a general license to export that information. In fact you may go overseas and speak publicly about what you know, and that will create information subject to license requirements, qualify it for general license, and export it. In other words, as an American citizen, your freedom of speech does not end at the water's edge. (The country where you give the speech might not like what you say, but that is a different issue.)

However, if you have information subject to ITAR regulations (no matter how you got it), you (or your company) can be prosecuted if you export it without State Department approval. See the "aid and comfort" clause in the constitution. Since some crypto information is clearly protected this way, most company lawyers "take the easy way out" and advise the company not to export any crypto software, without checking to see if it falls under the ITAR rules.

(Apply standard disclaimers to what follows at least twice.) Last time I checked, the "opinion" of State was that the DES algorithm was not subject to ITAR rules, although certain implementations (usually in the form of chips) were protected. Note that any government employee must be vague here: either he knows all the (classified) uses of crypto (and where is YOUR need to know) but can't tell you, or he doesn't know and can't be more specific.

Therefore the standard procedure is to request an opinion before exporting crypto implementations, and if you don't get something on the order of "your application does not currently appear to fall under ITAR rules..." you talked to the wrong person (or you really are trying to export a 300 MIP DES chip 8^> ).

If you do ACCIDENTALLY export something subject to ITAR rules, you probably won't go to jail. In any violation, your rights to free speech must be shown to conflict with other constitutional powers, and the balance must tilt strongly against you before the ITAR regulations have any standing. If you intentionally violate the ITAR regs, however, you might not have any constitutional protection.

Let me give you a realistic example. You buy a Zowie 1000 portable computer and take it with you to England. Unbeknownst to you, the Zowie 1000 is used in a test system for Stealth Bomber ECM equipment. You violated the ITAR regulations, but in the normal course of events, you won't even know it, because the DoD is unlikely to tell the Customs people which COTS (commercial off the shelf) equipment is used on black projects. In any case your violation was innocent and is probably protected.

Second case, an ATE specialist on the Stealth project buys a Zowie 1000 for personal use because he uses it at work and likes it. He takes it (and some of his software) to England on his vacation. Dumb, and the security folk at the plant may have a long talk with him, but if it was innocent probably no long term repercussions.

The third case of course, is he takes it with him and sells it to a foreign agent for $100,000 -- and twenty years hard labor. What did you think the ITAR regulations were for anyway?

So now you know why all the weasel words. If you take my (knowingly incorrect) advice (or someone else's) and innocently violate the ITAR regs, I'm guilty and you are not... "So you're going to Berlin on your vacation? Could you do me a favor?
I have this package for my sister, but the mail takes weeks. I'll give you ten bucks for your trouble." You are only guilty if you think he's a spy and do it anyway... Each case is different, and an awful lot depends on intent.

It would be nice if someone who has requested and received (from the government, not from a company lawyer) a recent opinion on the DES algorithm, would post the opinion here. If no one out in net land has a recent opinion, someone should go ahead and request one. The most recent opinion I have seen was two companies back, and things can change in either direction.

Robert I. Eachus

Disclaimer: Oh boy, do I need one here. If you have any intention of exporting anything which might be subject to ITAR rules, have your lawyer check with the State Department and get a written opinion. If you decide to create a test case and take it to the Supreme Court, I'll be glad to come cheer, but if you expect me to get up and say it was all my idea, you didn't read carefully.

Second Disclaimer: I didn't ask MITRE, MITRE's lawyers, or anyone else's lawyers for their opinion of this message, but if I did, I'm sure that they would waffle at least as well as I did.