Interesting People mailing list archives
IP: EET on PGP API Quash
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 02 May 1996 19:13:53 -0400
From: jya () pipeline com
Date: Thu, 2 May 1996 15:08:21 -0400

[Thanks to BC]

Electronic Engineering Times, April 29, 1996, page 4

State Dept. Tries To Quash API's for PGP cryptography

By Loring Wirbel

Washington -- The Justice Department may have halted attempts to bring criminal charges against Phil Zimmermann, author of the Pretty Good Privacy (PGP) public-key cryptography algorithms, but the State Department is taking an increasingly hard line on PGP. Where once the State had restricted itself to warning developers against exporting source code with PGP file-encryption routines, it is now arguing that application programming interfaces (API) allowing PGP program insertion should be subject to control under arms-trading statutes.

Warning letters sent out in the last few weeks reflect the bizarre status of cryptography algorithms in the government's Export Control Act. Under the International Traffic in Arms Regulations (ITAR) promulgated under the act, the government can restrict any encryption programs the National Security Agency (NSA) is uncomfortable with. The new moves represent the first time State has tried to extend ITAR to software that only provides hooks for encryption packages, however.

"There is some room to maneuver and make strong arguments that the rules on crypto APIs have some serious ambiguities," said Kenneth Bass, an attorney specializing in export control with the Washington law firm of Venable Attorneys at Law. Bass said several companies have received warning letters from State, but most do not want to do battle with the Federal government.

Meanwhile, wildly differing rulings in the U.S. District Courts on the West and East coasts send mixed messages about software embedding crypto algorithms. In refusing to dismiss developer Daniel Bernstein's suit against the State Department, Judge Marilyn Hall Patel of San Francisco ruled in early April that source code can be protected free speech.

"The particular language one chooses does not change the nature of the language for First Amendment purposes," Patel said. "This court can find no meaningful difference between computer languages ... and German or French; ... whether source code or object code is also functional is immaterial." Bernstein seeks to establish that his zero-delay private-key program, Snuffle, is not subject to ITAR.

Opposite Rationale

But on March 22, Judge Charles Richey of Washington dismissed Philip Karn's suit against State using almost exactly the opposite rationale. Karn, an employee of Qualcomm Inc. (San Diego), challenged a ruling that the floppy disks accompanying some editions of Bruce Schneier's book, *Applied Cryptography*, could be barred from export. Judge Richey said the government was free to view implemented source code as a munition that could be banned, and said Defense Department decisions regarding materials covered under export control were precluded from judicial review. Karn appealed to the U.S. Circuit Court of Appeals on April 19.

"The stage is being set for some very basic issues on source code and free speech to be decided," said attorney Bass.

So far the API issue has not spurred any suits. Network Telesystems Inc. (Santa Clara, Calif.), a TCP/IP stack specialist and the one company that has admitted receiving a warning from State, said that a PGP API is not central enough to its business to warrant making its preservation a federal case.

Company president John Davidson said Network Telesystems elected to make its new e-mail package, Confidante, "PGP ready" by including a PGP API instead of licensing the code. Davidson said the warning must have been the result of government officials seeing the press release on the package, which has not yet shipped, or a short article in a national magazine.

"We thought it was a misunderstanding at first, since we had no resident PGP code," Davidson said. "It didn't seem possible that the government could really be talking about an interface."

One computer-security expert said off the record that "NSA has told State to watch out for any APIs outside NSA's own effort to define a crypto API." NSA is embracing the API work of companies like RSA Data Security Inc., the source said, "but Zimmermann's PGP work has always been a freelance effort, so a compromise is not seen as necessary."

-----