On 2000-05-24 at 23:22 -0400, Branden Robinson wrote:

> [Replies to this message should move to debian-legal.]

I have dropped debian-devel as a recipient.

> However, the BXA regulations were later amended[2]. I haven't read through
> all the changes, but we might presume with some caution that you don't need
> to attempt to restrict access to public Web or FTP sites to exclude
> connections from countries that the United States has identified as its
> enemies. If, on the other hand, you were engaged in some sort of commerce
> where you would get the name and address of every person to whom you
> distributed crypto, you almost certainly would be expected to turn away
> Libyans, Sudanese, etc.
>
> This message is not an endorsement of BXA policy. Quite the contrary; I
> think the U.S. government needs to leave the cryptographic community to
> exercise its constitutional rights in peace. The very fact that such
> letters have to be written to explain these Byzantine regulations to
> American academics is evidence that the BXA should be dismantled and
> eliminated from the federal budget. Perhaps its employees could find
> gainful employment elsewhere as truant officers or gossip columnists.

I don't think this is clear at all. I certainly can see no basis for reading the regulations so as to distinguish between actual knowledge acquired prior to export as distinct from after export. That is, what is Bernstein to do if his web server log clearly shows a download from a prohibited domain? Does Bernstein have a duty to disclose his logs? Does Bernstein have an obligation to keep logs? Does Bernstein have a legal duty to read the logs he does keep?

This is a crazy situation foisted upon us by regulations written by people who have no understanding of how the Internet works, much like the apocryphal rules requiring that a man waving a red flag should be required to walk ahead of an automobile so as to warn of its approach.

The Bernstein case also, as far as I know, addresses the issue of source code per se. It is by no means clear that restrictions which would not be enforced against source code would also not be enforced against binary executables such as Debian packages. The key legal element of the Bernstein case is that source code has a "speech" component such that it is the unique means of communication used among human programmers, and it is far from clear that one can have a free speech right when talking directly to a machine. There have certainly been stranger distinctions drawn in the courts on this issue, as in the Karn case where the source code was held to be exportable when printed on paper but not when stored on a floppy disk, although the government stipulated to Karn's assertion that the paper printout could be scanned in using OCR and turned into the identical form as on the floppy disk in only about three hours.

Regardless of the transactions in the Bernstein case, the common interpretation which is evolving of the new regulations seems to be that the user has to be forced to affirm that they are not in a prohibited country before downloading the files. This is how Netscape seems to handle their 128-bit browser now. It makes no sense that "I am not a terrorist" loyalty oaths are expected to be useful for any purpose whatsoever, and we are starting to approach the realm of legal absurdity when plastic bags are labeled "This bag is not a toy" and coffee cups are labeled "Coffee may be hot."

-- Mike

