Xref: utzoo comp.unix.internals:1747 sci.crypt:4037 Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!rex!ames!apple!agate!ucbvax!hoptoad!gnu From: gnu@hoptoad.uucp (John Gilmore) Newsgroups: comp.unix.internals,sci.crypt Subject: Re: DES export regulations. And what to do about it! Message-ID: <14511@hoptoad.uucp> Date: 3 Jan 91 19:41:39 GMT References: <18874@rpp386.cactus.org> <1548@inews.intel.com> <1991Jan3.173546.9809@dramba.neis.oz> Organization: Cygnus Support, Palo Alto Lines: 62 People can endlessly debate the small points of the rules; I want to understand the big ones. WHY SHOULD PRIVACY TECHNOLOGY BE ILLEGAL? Why does the US government think that privacy is something neither its subjects, nor the citizens of other countries, should have? Back to details... From: jfh@rpp386.cactus.org (John F Haugh II) > Hopefully you will mention in your letter that DES should not be > restricted by the Commerce Department either. There is no reason > to restrict DES software (or even hardware). True. Commerce Dept. rules are that software which is freely available to the public is treated like documents, e.g. can be exported to any destination under no-paperwork General Licence GTDA. But this limits commercial usage of encryption, which is a serious problem; multinational companies are at a severe disadvantage in computer security if they do their r&d in the US, because they can't export the result. DES is not the be-all and end-all of encryption either. It's just the "sticking point" where the Munitions people refuse to allow export. There should be no controls on the import, export, or use of encryption. From: bhoughto@hopi.intel.com (Blair P. Houghton) > . . . there's something to be said for prohibiting the > export of sensitive technologies, regardless of the availability > of related scientific information. What exactly is "sensitive" about the availability of PRIVACY? From: janm@dramba.neis.oz (Jan Mikkelsen) > It is considerably more difficult to design a piece of hardware > with specific characteristics, for example, very high encryption speed, > tamper resistance, small size, or the ability to operating in a hostile > environment. . . These should be sensitive, not the algorithm itself What exactly is sensitive about the ability to produce a tamper resistant package? Do we not wish anyone who wants a tamper resistant package to have one? The only reason I can see for outlawing tamper resistance is if the government wants to undetectably tamper with our things. Small size? What is sensitive about SMALL devices that provide privacy? If privacy itself is OK, why not portable privacy? High speed encryption? I presume the problem is high volume, not high speed. If privacy itself is OK, what business is it of the government's how much data you choose to keep private? I would think that the government would encourage people with a lot of private data (credit card companies, gun registration lists, payroll information for large companies, etc) to have good means for keeping their information private. Hostile environments? Hostile to what? Certainly a privacy-assuring device should operate in environments hostile to privacy :-). High temperatures, humidity, radiation, etc? I don't think techniques for heat-sinking, sealing, shielding, etc are export-controlled, though there are some that are classified (and thus aren't even available to the U.S. public). -- John Gilmore {sun,pacbell,uunet,pyramid}!hoptoad!gnu gnu@toad.com Just say no to thugs. The ones who lock up innocent drug users come to mind.