Technology Law Column


Published in the Chicago Daily Law Bulletin, September 14, 1995 at p. 6.


Try decoding the latest in munitions-wear

Copyright 1995 by David Loundy


I was preparing to order a visual aid for a talk I have been asked to give on cryptography, when I realized that to do so would be a mistake. It would be a mistake because there is a reasonable likelihood that some of the attendees of my talk will not be U.S. citizens. This being the case, showing my visual aid would make me an unlicensed munitions exporter, and thus I would be subjecting myself to as much as $1,000,000 in fines and up to ten years in jail. This would not be a fair gamble when the talk earns me only a free lunch.

The visual aid is a T-shirt.

To understand how wearing an article of clothing can make you an international arms dealer, and why these particular shirts are fast-selling items, it helps to take a step or two back and look at three specific incidents and some relevant statutes.

The Arms Control Export Act (ACEA) is codified in 22 U.S.C. Section 2778. This statute gives the President the authority to designate certain items (such as battleships and land mines) as defense articles or defense services (Section 2778(a)). These designated items make up the United States Munitions List, which is found at 22 C.F.R. Section 121.1. The ACEA also allows the creation of regulations to control the import and export of designated defense articles and services found on the Munitions List. These regulations are the International Traffic in Arms Regulations (ITAR), of which the Munitions List is a part, found at 22 C.F.R. Section 120-130.

One of the items on the munitions list, sandwiched between laser targeting systems and particle beam weapons, is cryptographic software. Specifically, "components or software with the capability of maintaining secrecy or confidentiality of information or information systems" (Category XIII(b)(1)).

Because it is on the Munitions List, the law prohibits exporting cryptographic software (or technical data about cryptographic software) without a license from the U.S. Department of State (22 U.S.C. Section 2778(b)(2)). Included in the definition of "export" is disclosing or transferring technical data to a foreign person, either in the U.S. or abroad (22 C.F.R. Section 120.17).

Some specific encryption software has received a lot of attention lately. The software is PGP (Pretty Good Privacy). It is the de facto world standard for personal encryption software (much to the chagrin of the government and their Clipper Chip and related encryption schemes). PGP allows one to send, say, client-confidential information over unsecure communications channels such as the Internet and other on-line services with relative safety. (The author of PGP, Philip Zimmermann, was told over a year ago that he is the subject of a grand jury investigation into the international spread of this software.)

Because encryption software, such as PGP, is on the Munitions List, whoever is responsible for the exporting of Mr. Zimmermann's software is an international arms dealer. Although Zimmermann claims not to have exported the software himself, it has not prevented a year-plus investigation by an Assistant U.S. Attorney in California. Many people speculate that Zimmermann will not be indicted, due to the case being weak at best, and the poor publicity an indictment would generate--especially since he has recently earned a Chrysler Innovation in Design award for PGP.

While Mr. Zimmermann's case has gained quite a bit of media attention, PGP is not the only incident involving the ITAR to gain attention lately. Another case involves the book "Applied Cryptography" by Chicago-area resident Bruce Schneier. Mr. Schneier's book contains some cryptographic algorithms and source code employing the algorithms. Some of the algorithms are of historic interest, and some are quite modern and powerful. Some are U.S. government standards, and some were developed by foreign entities. When an individual, Phil Karn, applied for a license to export this book (which is readily available in bookstores and libraries), he was told by the Office of Defense Trade Controls that the contents of the book were in the "public domain" and thus were not subject to State Department licensing restrictions.

This ruling, however, specifically excluded the floppy disk available from the book author which contains the exact same source code as is printed in the book. A request to export the disk was denied, appealed, and denied again. The State Department's position is apparently that, while the source code in the book is exportable, once that same code is put into a machine-readable form, it becomes a controlled munition. Efforts by Mr. Karn to explain to the State Department that typing the source code printed in the book into a computer, or running it through a scanner and optical character recognition software, would require minimal effort and would also produce a machine-readable version of the source code were not well-received.

Similar to this ongoing fight over the apparent arbitrariness allowed by ITAR is a full-blown constitutional challenge currently before the U.S. District Court for the Northern District of California (Case No. C 95-0582-MHP). This case is being brought by Daniel Bernstein (and supported by the Electronic Frontier Foundation) against the U.S. Departments of State, Defense, and Commerce, the National Security Agency, and others. This case is challenging the ACEA and ITAR as being in violation of the First and Fifth Amendments, as being vague and overbroad, and as raising a host of constitutional and procedural concerns.

(Support for these claims can also be found in the government's own internal legal opinions questioning the regulation's constitutionality.)

The essential argument is that these regulations prohibit Mr. Bernstein, a graduate student in mathematics, from publishing his work in cryptography, or even discussing it in situations where he cannot ascertain the nationality of all possible audience members and obtain a license for any foreigners. Bernstein alleges that the regulations constitute an impermissible prior restraint on his First Amendment rights.

This brings us to the T-shirts.

The shirt is billed by the promoters as a "classic example of civil disobedience." The shirt has some computer code printed on it. The code is an implementation of the "RSA" algorithm published by three M.I.T. professors which describes how to implement a public key cryptosystem by factoring prime numbers.

It is the same algorithm which is used in Philip Zimmermann's PGP software.

To make sure that the shirt qualifies as a munition, and is thus treated like the non-exportable "Applied Cryptography" floppy disk and not the exportable book, the shirt even has a bar-code rendition of the software printed on it, thus presenting the code in machine-readable form. And to show the arbitrariness of the arms control regulations, the shirts can be ordered only by U.S. or Canadian citizens from the U.S. address, but since the algorithm is widely available, even though the shirts presumably cannot be exported without a license, they can also be ordered from an address in England by non-U.S. or Canadian citizens.

Amidst the sales pitch that "Now you too can become an international arms dealer for the price of a T-shirt" are warnings that if a non-U.S. citizen sees you wearing the shirt you may be classified as a criminal. (Though if you are arrested, they will refund the purchase price of the shirt.)

While the idea of a T-shirt being a munition is entertaining (if you wear it inside-out, is it a concealed weapon?), it does raise an issue worth considering. If you desire to have private communications over on-line services, or desire to have untappable wireless communications, you might reasonably, say, have encryption software on your laptop computer. But are you aware that if you take your computer, containing non-exempt encryption software, on an international flight without a temporary export license you may be considered an arms dealer?

Moreover, cryptographic software is essential in developing an information infrastructure that is usable for commerce. If the U.S. does not allow the free development of such software (other nations already do), U.S. technology companies will be faced with a state-induced disadvantage.

In a world where international terrorists like those who blew up the World Trade Center can be caught when they try to get their deposit back on the rental van they blew up with the building, and when the government has devices that can read the contents of your computer screen from outside of your office, is it really necessary to prohibit discussing higher math with foreigners?

Cryptography does not pose the kind of threat posed by guns and bombs, and the current restrictions are irrational, ineffective, and an impediment to commerce.

