------------------------------ Date: Thu, 3 Mar 1994 22:12:58 -0500 (EST) From: "Shabbir J. Safdar" Subject: File 2--Privacy, Communications, and Cryptography Have you ever wondered why so many people get caught talking on their cellular phones? Or perhaps why people laugh when they talk about the security of electronic mail? The reason we cannot assure the privacy of our personal communications is because the government places strict controls on the only technology that protects our privacy: cryptography. Cryptography can assure our privacy unlike anything else in history. Let's say you are given a driver's license by the state of NY. If you do something to annoy the state, you can lose your driver's license. Cryptographic privacy cannot be taken away. A tyrannical government or a rogue police dept. cannot eavesdrop on your well-encrypted conversations or read your well-encrypted email by stealing your computer. However cryptographic technology in recent years has been carefully controlled by the government. Anyone who wanted to build a product with real privacy built into it, such as an encrypting cellular telephone, would be subjected to a litany of absurd government regulations. Ultimately they would be limited to producing their product for US use only. The legal fees just to get this far may still be daunting enough to have discouraged most manufacturers from putting cryptographic technology into their products. Their markets would be automatically diminished to be US-only, perhaps not enough to warrant developing the product for market. The gov't. claims this is done in the interest of national security. Can this be true? Many of these products are available outside the US already. In fact many stronger products are available outside the US both from vendors and on the Internet anonymous ftp sites. US companies are constrained by these regulations since they cannot compete with other international companies in the global marketplace. US citizens lose their privacy because their own firms are unable to provide them with the products they need. You can change this! Rep. Maria Cantwell has introduced legislation (cryptographic export bill HR 3627) that would fix the cryptographic export laws to allow businesses to produce eqiupment with strong cryptography for sale in the global marketplace. This will mean more privacy-enhancing products for ordinary citizens like you and me. HR 3627 currently has five co-sponsors. The current co-sponsors are: Shepherd - Utah Wyden - Oregon Orton - Utah Manzulo - Illinois Edwards - California Can one person make a difference? Sure, just ask Colin Campbell from Utah. He wrote Rep. Karen Shepherd and asked her to co-sponsor Rep. Cantwell's bill. Rep. Shepherd's office had been thinking about the bill, and between constituent support, her own good judgement, and good advice from several software companies she decided to co-sponsor the bill. Would she have co-sponsored if Colin hadn't written his letter? Perhaps not. In the last election (1992) Shepherd (who is now only a freshman legislator) defeated her challenger, Enid Greene with only a 2% margin (52% vs. 48%). Had she thought that this might be a sensitive issue with voters, she might have merely passed it up, like so many other pieces of legislation that get filed every year and go nowhere. Help your legislator make this difference. Ask them to co-sponsor or support HR 3627. It's very very easy. All you do is call, write, or fax (you bought that fax modem for a reason, right?!) your representative. Ask them to support HR 3627 because its good for privacy and its good for business. Once when working in another state, I asked a state legislator what sort of mail they got. One said "five letters is a landslide". Although US reps and Senators get significantly more, it shows how much of an impact one group of individuals can have. HERE'S WHAT TO DO Act now! This bill will be in "mark-up" next week! The last step before it is reported to the House floor! 1. Find out your legislator's name or number. You can do this by calling the League of Women Voters in your area, or by calling the City Board of Elections. If you're truly lazy, you can write to me with your city and I'll find it for you. (If you recognize your legislator's name or district, ftp the current list of Reps and Senators from una.hh.lib.umich.edu in the directory /socsci/poliscilaw/uslegi/congdir 2. Call/write/fax your representative and tell them you would like them to support HR 3627. Colin Campbell's letter below is a good example. (It's a success story!) Let me know what his/her reaction is by dropping me a line at shabbir@panix.com. 3. Continue reading EFFector Online, Computer Underground Digest, and other publications for progress announcements. 4. If you want to help coordinate the legislators in your state, join the mailing list ad_hocracy@panix.com. It's dedicated to passing HR 3627 and other similar legislation. Join and send mail saying, "I'll make sure gets taken care of!" Attachments: Colin Campbell's successful letter A copy of HR 3627 ============================================================================ [excerpt of email from Colin Cambpell] I faxed a message to Rep. Karen Shepherd on Feb 16 (see below for text). A member of her staff called me on the telephone a few days later. I can't quote verbatim, but he said: 1) Rep. Shepherd hadn't been aware of the issue previously. 2) After receiving my letter, they did some research and decided the Cantewll bill was a good idea. I got the impression that they contacted some software industry associations. 3) She will be co-sponsoring the bill. A copy of what I faxed to her is attached. You may use my name and city publicly, as well as any of the text of my letter. Glad to help a worthy cause, Colin Campbell ;;; text of Fax sent Feb 16, 1994 Rep. Karen Shepherd U.S. House of Representatives Washington, DC Dear Rep. Shepherd: I would like to register my strong support for H.R. 3627, Legislation to Amend the Export Administration Act of 1979. The bill proposes to end the ban on the export of privacy and data-security software from the U.S. As a longtime worker in the software industry, I can attest to the senseless and counter-productive effects of the current export restrictions on cryptographic software. For me, the issue is simple: 1) The current ban is ineffective. There is no way to control the availability of privacy software in other countries. Software is not a commodity that is consumed and continually reexported to replenish supply; it is information and technology. The encryption technology in question is already fully available wherever there are computers. Whether we like it or not, the genie is out of the bottle and will not be put back. 2) The U.S. software industry is severely hampered by not being able to export products with privacy and data-security features. This is about jobs. I think cryptography has a bit of an image problem. I think it is inaccurately associated in popular thinking with secrecy, espionage and even crime or terrorism. In fact, privacy software is just an electronic "envelope." It is as common and unexotic as paper envelopes or locking file cabinets. I regularly send my mail sealed in envelopes made of opaque paper, and no one would interpret this practice as evidence of criminal intent. Similarly, I file my business documents in a locking file cabinet. In the future, nearly all electronic communication will be enclosed in secure, software "envelopes." This is proper, natural and in no way suspect. And it is a growth industry for the U.S., if we are only sensible enough to recognize and take advantage of the opportunity. I believe that the arguments of national security offered by opponents of the proposed legislation are not compelling. I suspect that many in the law enforcement and national security communities, who pursued the majority of their careers with the technology and politics of the Cold War, regret the wide availability of electronic privacy; undeniably, it does make their job harder. However, whether or not we allow privacy software to be exported will not change this. Classifying privacy software as a "munition" makes about as much sense as classifying personal computers and photocopy machines as implements of war. Are we willing to forbid the export of personal computers and photocopy machines for national security reasons as well? Now is an opportunity for progressive, forward-thinking approaches to electronic communications and the software industry. Our national policy should reflect the realities of the technology and the public interest. Needlessly crippling one of our most vital industries with a policy which is ineffective at meeting its stated goals is not in that interest. I urge you to support and even co-sponsor H.R. 3627. As you know, Utah is one of the country's major centers of software development. This is an issue that is very important to the software community. If there is any way I can help you in your effort pass HR 3627, please let me know. Thank you for your consideration. Sincerely yours, Colin Campbell ============================================================================ Below is a copy of the Cantwell bill. It and much more valuable information about pending legislation is also available at ftp.eff.org in /pub/Policy/Legislation. 103D CONGRESS H.R. 3627 1ST SESSION --------------------------------------- IN THE HOUSE OF REPRESENTATIVES MS. CANTWELL (for herself and ___) introduced the following bill which was referred to the Committee on __________. --------------------------------------- A BILL To amend the Export Administration Act of 1979 with respect to the control of computers and related equipment. Be it enacted by the Senate and House of Representa- tives of the United States of America in Congress Assembled, SECTION 1. GENERALLY AVAILABLE SOFTWARE Section 17 of the Export Administration Act of 1979 (50 U.S.C. App. 2416) is amended by adding at the end thereof the following new subsection: ``(g) COMPUTERS AND RELATED EQUIPMENT.--- ``(1) GENERAL RULE.---Subject to paragraphs (2) and (3), the Secretary shall have exclusive au- thority to control exports of all computer hardware, software and technology for information security (including encryption), except that which is specifi- cally designed or modified for military use, including command, control and intelligence applications. ``(2) ITEMS NOT REQUIRING LICENSES.--- No validated license may be required, except pursuant to the Trading With The Enemy Act or the Inter- national Emergency Economic Powers Act (but only to the extent that the authority of such act is not exercised to extend controls imposed under this act), for the export or reexport of--- ``(A) any software, including software with encryption capabilities, that is--- ``(i) generally available, as is, and is designed for installation by the purchaser; or ``(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or ``(B) any computing device soley because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). ``(3) SOFTWARE WITH ENCRYPTION CAPABILITIES. --- The Secretary shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which ex- ports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be--- ``(A) diverted to a military end-use or an end-use supporting international terrorism; ``(B) modified for military or terrorist end- use; or ``(C) reexported without requisite United States authorization. ``(4) DEFINITIONS.---As used in this subsection--- ``(A) the term `generally available' means, in the case of software (including software with encryption capabilities), software that is offered for sale, license, or transfer to any person with- out restriction through any commercial means, including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; ``(B) the term `as is' means, in the case of software (including software with encryption ca- pabilities), a software program that is not de- signed, developed, or tailored by the software company for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the soft- ware program; ``(C) the term `is designed for installation by the purchaser' means, in the case of soft- ware (including software with encryption capa- bilities)--- ``(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software pro- gram on a computing device and has sup- plied the necessary instructions to do so, except that the company may also provide telephone help line services for software in- stallation, electronic transmission, or basic operations; and--- ``(ii) that the software program is de- signed for installation by the purchaser without further substantial support by the supplier; ``(D) the term `computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process or provide out- put of data; and ``(E) the term `computer hardware', when used in conjunction with information security, includes, but is not limited to, computer sys- tems, equipment, application-specific assem- blies, modules and integrated circuits.'' =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ + END THIS FILE + +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=