
Re: ITP seahorse

On 2000-05-24 at 23:22 -0400, Branden Robinson wrote:

> [Replies to this message should move to debian-legal.]

I have dropped debian-devel as a recipient.

> However, the BXA regulations were later amended[2].  I haven't read through
> all the changes, but we might presume with some caution that you don't need
> to attempt to restrict access to public Web or FTP sites to exclude
> connections from countries that the United States has identified as its
> enemies.  If, on the other hand, you were engaged in some sort of commerce
> where you would get the name and address of every person to whom you
> distributed crypto, you almost certainly would be expected to turn away
> Libyans, Sudanese, etc.
> This message is not an endorsement of BXA policy.  Quite the contrary; I
> think the U.S. government needs to leave the cryptographic community to
> exercise its constitutional rights in peace.  The very fact that such
> letters have to be written to explain these Byzantine regulations to
> American academics is evidence that the BXA should be dismantled and
> eliminated from the federal budget.  Perhaps its employees could find
> gainful employment elsewhere as truant officers or gossip columnists.

I don't think this is clear at all.  I certainly can see no basis for
reading the regulations so as to distinguish between actual knowledge
acquired prior to export as distinct from after export.  That is, what is
Bernstein to do if his web server log clearly shows a download from a
prohibited domain?  Does Bernstein have a duty to disclose his logs?  
Does Bernstein have an obligation to keep logs?  Does Bernstein have a
legal duty to read the logs he does keep?

This is a crazy situation foisted upon us by regulations written by people
who have no understanding of how the Internet works, much like the
apocryphal rules requiring that a man waving a red flag should be required
to walk ahead of an automobile so as to warn of its approach.

The Bernstein case also, as far as I know, addresses the issue of source
code per se.  It is by no means clear that restrictions which would not be
enforced against source code would also not be enforced against binary
executables such as Debian packages.  The key legal element of the
Bernstein case is that source code has a "speech" component such that it
is the unique means of communication used among human programmers, and it
is far from clear that one can have a free speech right when talking
directly to a machine.  There have certainly been stranger distinctions
drawn in the courts on this issue, as in the Karn case where the source
code was held to be exportable when printed on paper but not when stored
on a floppy disk, although the government stipulated to Karn's assertion
that the paper printout could be scanned in using OCR and turned into the
identical form as on the floppy disk in only about three hours.

Regardless of the transactions in the Bernstein case, the common
interpretation which is evolving of the new regulations seems to be that
the user has to be forced to affirm that they are not in a prohibited
country before downloading the files.  This is how Netscape seems to
handle their 128-bit browser now.  It makes no sense that "I am not a
terrorist" loyalty oaths are expected to be useful for any purpose
whatsoever, and we are starting to approach the realm of legal absurdity
when plastic bags are labeled "This bag is not a toy" and coffee cups are
labeled "Coffee may be hot."

-- Mike
