EFFector Online Volume 09 No. 09 July 25, 1996 firstname.lastname@example.org
A Publication of the Electronic Frontier Foundation ISSN 1062-9424
Bernstein Files for Partial Summary Judgment in Crypto Case
EFF/EFC Toronto Benefit Concert Wrap-up
Quote of the Day
What YOU Can Do
* See http://www.eff.org/Alerts/ or ftp.eff.org, /pub/Alerts/ for more
information on current EFF activities and online activism alerts! *
Subject: Bernstein to File for Partial Summary Judgment in Crypto Case
BERNSTEIN TO FILE FOR PARTIAL SUMMARY JUDGMENT IN CRYPTO CASE
Claims Government's Restrictions on Export
of Cryptographic Speech Violates First Amendment
July 26, 1996 Electronic Frontier Foundation
Shari Steele, Staff Counsel
Mike Godwin, Staff Counsel
Lori Fena, Executive Director
San Francisco, CA -- A University of Illinois at Chicago faculty member
could strengthen his claim that government restrictions on information
about cryptography violate the First Amendment's protections for freedom
Relying on Judge Marilyn Hall Patel's prior ruling that computer source
code is speech protected by the First Amendment, mathematician Daniel J.
Bernstein will file a motion for partial summary judgment in his suit
against the State Department.
* Any legal framework that requires a license for First Amendment
framework to be acceptable, the government has the burden of showing that
necessary to prevent this damage. The government has not met this burden
* Because restrictions on speech about cryptography are
content-based, the court must apply a strict scrutiny test in determining
compelling state interest and that it is narrowly drawn to achieve that
end. The ITAR regulatory scheme has adopted the *most* restrictive
approach by prohibiting all speech in the area of cryptography.
* The ITAR regulatory framework lacks the necessary procedural
Scheme allows its administrative agencies to make inconsistent, incorrect
and sometimes incomprehensible decisions censoring speech, all without the
* The ITAR framework is unconstitutionally vague. The government
the lack of standards has allowed the government to misuse a statute aimed
at commercial, military arms sales to limit academic and scientific
* The ITAR regulatory scheme is overbroad. In an internal memo
concluded that the ITAR's licensing standards "are not sufficiently
action." The OLC specifically warned that the coverage was so broad it
could apply to "communication of unclassified information by a technical
lecturer at a university or to the conversation of a United States
engineer who meets with foreign friends at home to discuss matters of
theoretical interest." This is exactly what is happening here, and it is
While a graduate student at the University of California at Berkeley,
Bernstein completed the development of an encryption equation (an
"algorithm") he calls "Snuffle." Bernstein wishes to publish (a) the
algorithm, (b) a mathematical paper describing and explaining the
algorithm, and (c) the "source code" for a computer program that
incorporates the algorithm. Bernstein also wishes to discuss these items
at mathematical conferences, college classrooms and other open, public
meetings. The Arms Export Control Act and the International Traffic in
Arms Regulations (the ITAR regulatory scheme) required Bernstein to submit
an arms dealer, and to apply for and obtain from the government a license
to publish his ideas. Failure to do so would result in severe civil and
criminal penalties. Bernstein believes this is a violation of his First
Amendment rights and has sued the government.
Bernstein's ideas were expressed, in part, in source code, they were not
Because of its far-reaching implications, the Bernstein case is being
and cryptography communities, and First Amendment activists. In fact,
ABOUT THE ATTORNEYS
Lead counsel on the case is Cindy Cohn of the San Mateo law firm of
McGlashan & Sarrail, who is offering her services pro bono. Major
additional pro bono legal assistance is being provided by Lee Tien of
Berkeley; M. Edward Ross of the San Francisco law firm of Steefel, Levitt
& Weiss; and James Wheaton and Elizabeth Pritzker of the First Amendment
ABOUT THE ELECTRONIC FRONTIER FOUNDATION
The Electronic Frontier Foundation (EFF) is a non-profit civil liberties
organization working in the public interest to protect privacy, free
expression, and access to online resources and information. EFF is a
bono counsel, is a member of the Bernstein legal team, and helped collect
members of the academic community and computer industry to support this
Full text of the lawsuit and other paperwork filed in the case is
available from EFF's online archives:
Subject: Internet Society's Strong Encryption Policy Statement
US encryption policy, yesterday, linking Internet standards bodies'
businesses, in a strong front against Clinton administration key "escrow"
July 24, 1996
The Internet Architecture Board (IAB) and the Internet Engineering
Steering Group (IESG), the bodies which oversee architecture and
and by the need to offer all Internet users an adequate degree of
Security mechanisms being developed in the Internet Engineering
Task Force to meet these needs require and depend on the international
use of adequate cryptographic technology. Ready access to such
technology is therefore a key factor in the future growth of the
The IAB and IESG are therefore disturbed to note that various
technology that either:
(a) impose restrictions by implementing export controls; and/or
(b) restrict commercial and private users to weak and inadequate
mechanisms such as short cryptographic keys; and/or
(c) mandate that private decryption keys should be in the hands of
the government or of some other third party; and/or
(d) prohibit the use of cryptology entirely, or permit it only
to specially authorized organizations.
We believe that such policies are against the interests of consumers
and the business community, are largely irrelevant to issues of
military security, and provide only a marginal or illusory benefit
to law enforcement agencies, as discussed below.
The IAB and IESG would like to encourage policies that allow ready
access to uniform strong cryptographic technology for all Internet
users in all countries.
The IAB and IESG claim:
The Internet is becoming the predominant vehicle for electronic
commerce and information exchange. It is essential that the support
Encryption is not a secret technology monopolized by any one country,
are well documented, some with source code available in textbooks.
Export controls on encryption place companies in that country at
a competitive disadvantage. Their competitors from countries without
export restrictions can sell systems whose only design constraint
is being secure, and easy to use.
Usage controls on encryption will also place companies in that
country at a competitive disadvantage because these companies cannot
Escrow mechanisms inevitably weaken the security of the overall
cryptographic system, by creating new points of vulnerability that
can and will be attacked.
Export controls and usage controls are slowing the deployment of
in size and attackers are increasing in sophistication. This puts
users in a dangerous position as they are forced to rely on insecure
* TECHNICAL ANALYSIS
based on their key size. Systems that are breakable by one country
corporations and even criminal enterprises have the resources to
break many cryptosystems. Furthermore, conversations often need
to be protected for years to come; as computers increase in speed,
key sizes that were once out of reach of cryptanalysis will become
Use of public key cryptography often requires the existence of a
"certification authority". That is, some third party must sign a
the third party's key is often signed by a higher-level certification
Such a structure is legitimate and necessary. Indeed, many
citizens' transactions with their governments. But certification
authorities should not be confused with escrow centers. Escrow
centers are repositories for private keys, while certification
authorities deal with public keys. Indeed, sound cryptographic
anyone, even the certification authority.
KEYS SHOULD NOT BE REVEALABLE
The security of a modern cryptosystem rests entirely on the secrecy
of the keys. Accordingly, it is a major principle of system design
that to the extent possible, secret keys should never leave their
user's secure environment. Key escrow implies that keys must be
Any such disclosure weakens the total security of the system.
Sometimes escrow systems are touted as being good for the customer
because they allow data recovery in the case of lost keys. However,
it should be up to the customer to decide whether they would prefer
the more secure system in which lost keys mean lost data, or one
in which keys are escrowed to be recovered when necessary. Similarly,
keys used only for conversations (as opposed to file storage) need
never be escrowed. And a system in which the secret key is stored
by a government and not by the data owner is certainly not practical
for data recovery.
Keys used for signatures and authentication must never be escrowed.
Any third party with access to such keys could impersonate the
legitimate owner, creating new opportunities for fraud and deceit.
that his or her escrowed key was used, putting the onus on that
that the evidence had been forged by the government, thereby making
non-repudiation is one of the most important uses for cryptography;
and non-repudiation depends on the assumption that only the user
that do not involve secrecy. While this may suffice in some cases, much
of the existing technical and commercial infrastructure cannot be
card numbers, and the like must be protected by strong encryption,
even though some day more sophisticated techniques may replace them.
Encryption can be added on quite easily; wholesale changes to diverse
CONFLICTING INTERNATIONAL POLICIES
Conflicting restrictions on encryption often force an international
company to use a weak encryption system, in order to satisfy legal
against whom commercial enterprises should use strong cryptography.
Clearly, key escrow is not a suitable compromise, since neither
country would want to disclose keys to the other.
Even if escrowed encryption schemes are used, there is nothing to
any serious malefactors would do this; the outer encryption layer,
ESCROW OF PRIVATE KEYS WON'T NECESSARILY ALLOW DATA DECRYPTION
A major threat to users of cryptographic systems is the theft of
long-term keys (perhaps by a hacker), either before or after a
"perfect forward secrecy" are often employed. If PFS is used, the
attacker must be in control of the machine during the actual
conversation. But PFS is generally incompatible with schemes
involving escrow of private keys. (This is an oversimplification,
but a full analysis would be too lengthy for this document.)
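An added illustration of the forward-secrecy point above (not part of the IAB/IESG statement): a recorded session encrypted to a long-term key can be opened later by whoever holds that key in escrow, while a session keyed from discarded ephemeral values cannot. The toy group, the XOR keystream cipher and all function names are assumptions made for this example, and signing of the ephemeral values with long-term keys is omitted.

```python
import hashlib
import secrets

# Toy group (assumption): 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for a Diffie-Hellman style key."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(their_public, my_private):
    """Derive a symmetric key from the shared Diffie-Hellman value."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_cipher(key, data):
    """Encrypt or decrypt with a SHA-256 counter keystream (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def static_key_session(receiver_long_pub, message):
    """No PFS: the sender encrypts to the receiver's long-term key."""
    eph_priv, eph_pub = keypair()
    key = session_key(receiver_long_pub, eph_priv)
    return {"sender_pub": eph_pub, "ciphertext": xor_cipher(key, message)}


def ephemeral_session(message):
    """PFS: both ends use fresh keys that are discarded after the session."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = session_key(b_pub, a_priv)
    assert key == session_key(a_pub, b_priv)  # both ends derive the same key
    # Only public values and ciphertext are visible to a recorder; a_priv and
    # b_priv exist only while this function runs.
    return {"sender_pub": a_pub, "receiver_pub": b_pub,
            "ciphertext": xor_cipher(key, message)}


def escrow_decrypt(transcript, escrowed_long_priv):
    """What a holder of the escrowed long-term key gets from a recording."""
    key = session_key(transcript["sender_pub"], escrowed_long_priv)
    return xor_cipher(key, transcript["ciphertext"])


def demo():
    message = b"constructed sample message"
    long_priv, long_pub = keypair()  # the long-term key held in escrow
    recorded_static = static_key_session(long_pub, message)
    recorded_pfs = ephemeral_session(message)
    return (escrow_decrypt(recorded_static, long_priv),
            escrow_decrypt(recorded_pfs, long_priv))


if __name__ == "__main__":
    static_result, pfs_result = demo()
    print("static-key recording opened with escrowed key:", static_result)
    print("PFS recording opened with escrowed key:", pfs_result)
```
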
As more and more companies connect to the Internet, and as more and
more commerce takes place there, security is becoming more and more
critical. Cryptography is the most powerful single tool that users
can use to secure the Internet. Knowingly making that tool weaker
threatens their ability to do so, and has no proven benefit.
The Internet Architecture Board is described at http://www.iab.org/iab
The Internet Engineering Task Force and the Internet Engineering
Steering Group are described at http://www.ietf.org
(C) Internet Society 1996. Reproduction or translation of the
complete document, but not of extracts, including this notice,
is freely permitted.
* EFF/EFC Toronto Benefit Concert Wrap-up
The Eden MusicFest, a benefit concert (produced by ICONcerts) for the
Electronic Frontier Foundation and its Canadian sister organization,
Electronic Frontier Canada, recently gathered more than 50,000 fans of
modern rock music for a weekend camping adventure at the Mosport
Set in rural farmland an hour east of Toronto, the festival staged over 40
bands in a three day period, July 12-14, 1996, and featured headliners
Rockets. Music began about noon each day and continued on each of two
interviews with band members and discussions with attendant notables
RealAudio, IChat, and other Internet innovations.
"Music forums are one of the online "killer apps" most at
Eden MusicFest was a great venue for celebrating free-speech online and
EFF's own Dennis Derryberry had virtual centerstage between main acts,
issues, for the cybercast and the giant twin screens on either side of
the main stage.
EFF's and EF-Canada's presence in the Internet Expo tent attracted the
interest of many wishing to decorate themselves with a free temporary
tattoo. The tattoos bore the blue ribbon--a symbol employed in recent
months to promote the free expression of ideas online around the world,
and to protest the Communications Decency Act and similar government
Net censorship proposals in other countries.
Two trailers were set up adjacent to our tent with Internet connections
and Compaq terminals, allowing Internet rookies to sample the online
every few hours. Across the pavilion from our booth, passers-by stopped to
for the many music fans experiencing stage envy.
After the event, all at EFF agreed that the weekend was a success not
only as a benefit event, but from the perspective of having made
contacts within the music and entertainment world who are sympathetic to
EFF's mission to protect free speech online. Many band members wore EFF
t-shirts[*] and pins during their performances, while others took time to
talk about civil liberties concerns on the cybercast (and, between
bands, on the stage's side screens).
The simple fact that an event of this magnitude can be organized this
quickly around issues of privacy and free speech on the Internet sends a
clear message - these concerns are not a special interest to be swept aside,
but are now a mainstream interest, a sizeable blip on the voting public's
the "cyberliberty" message to the general public, and preaching beyond the
For those of you who missed the Netcast of the festival, visit
MediaCast's archives at http://www.edencast.com where you'll find many
Lastly, we'd like to thank the sponsors of the event, and those who organized
and staffed the event for making it all happen, as well as EF-Canada's
and our own wonderful volunteers for helping run the info booth.
[* Note: if you have ordered an EFF t-shirt and have not received it, do
not be alarmed at this fact. The shirts arrived shortly before the
festival, and are now being sent to those of you who are on a back-order
list. Thanks for your patience.]
This schedule lists EFF events, and those we feel might be of interest to
our members. EFF events (those sponsored by us or featuring an EFF speaker)
are marked with a "*" instead of a "-" after the date. Similarly, government
events (such as deadlines for comments on reports or testimony submission,
or conferences at which government representatives are speaking) are marked
indicates a non-USA event. If it's a foreign EFF event with govt. people,
it'll be "*!+" instead of "-". You get the idea.
The latest version of the full EFF calendar is available from:
ftp: ftp.eff.org, /pub/EFF/calendar.eff
See also our new Now-Up-to-Date HTML calendar at:
31 + "Realigning Your Organization to Learning in the Information
Age," sponsored by On the Horizon and the University of North
Carolina School of Education. The University of Edinburgh,
Contact: James Morrison
Phone: +1 919 962 2517
Fax: +1 919 962 1533
30 * Spotlight: an Executive Conference Directing the Future of
Multimedia; discussion of critical issues facing interactive
media industry; EFF Executive Director Lori Fena will speak;
Ritz-Carlton, Laguna Niguel, CA.
Tel: 415 312 0687
31 ! The Forum of Incident Response and Security Teams's 8th
Conference and Workshop on Computer Security Incident Handling and
Response; Santa Clara, CA
Aug. 5- * Progress and Freedom Foundation; annual summit held in Aspen,
6 Colorado, will feature EFF Chairman Esther Dyson, Alvin Toffler
and Congressman Rick White and Senator Bill Bradley; "An
exploration of the Electronic Frontier's impact on American
Info: +1 202 289 8928 Email to: email@example.com
9 + International Conference on Computational Linguistics;
University of Copenhagen, Copenhagen, Denmark.
Aug. 8 - Registration deadline for SAB96, Sep. 9, 1996.
10 - Conference on Computing and Philosophy; Carnegie Mellon
University, Pittsburgh, PA. Deadline for submissions: Feb. 19.
Contact: +1 412 268 7643
16 + Information Seeking in Context: an International Conference on
Information Needs, Seeking and Use in Different Contexts; Tampere,
Finland. Deadline for submission of abstracts: October 15, 1995.
Contact: +358 31 215 7039 (voice), +358 31 215 6560 (fax)
17 - 7th Macintosh Summit Conference; learn the latest tips, tricks
and techniques of the Mac platform from the Mac giants.
University of California, Santa Barbara.
Contact: Fati Erdogan
Tel: 805 893 2811
Fax: 805 893 4943
23 + China-U.S. Meeting on Global Information Access: Challenges and
Opportunities; Beijing, China.
Aug. 26 - ACM SIGCOMM '96: Applications, Technologies, Architectures and
Protocols for Computer Communication; Stanford University,
Subject: Quote of the Day
"The Singapore government isn't interested in controlling information,
but wants a gradual phase-in of services to protect ourselves. It's not
to control, but to protect the citizens of Singapore. In our society,
you can state your views, but they have to be correct."
- Ernie Hai, coordinator of the Singapore Government Internet Project
Find yourself wondering if your privacy and freedom of speech are safe
the rush to make us secure from ourselves that our government
Concerned that legislative efforts nominally to "protect children" will
actually censor all communications down to only content suitable for
the playground? Alarmed by commercial and religious organizations abusing
the judicial and legislative processes to stifle satire, dissent and
Even if you don't live in the U.S., the anti-Internet hysteria will soon
be visiting a legislative body near you. If it hasn't already.
Subject: What YOU Can Do
* The Communications Decency Act & Other Censorship Legislation
The Communications Decency Act and similar legislation pose serious
threats to freedom of expression online, and to the livelihoods of system
operators. The legislation also undermines several crucial privacy
Business/industry persons concerned should alert their corporate govt.
affairs office and/or legal counsel. Everyone should write to their own
Representatives and Senators, letting them know that such abuses of
your free speech rights will be voted against by you in the next elections.
Join in the Blue Ribbon Campaign - see http://www.eff.org/blueribbon.html
Support the EFF Cyberspace Legal Defense Fund:
For more information on what you can do to help stop this and other
for information to firstname.lastname@example.org.
censorious legislation is turning up at the US state and non-US
national levels. Don't let it sneak by you - or by the online activism
community. Without locals on the look out, it's very difficult for the
Net civil liberties community to keep track of what's happening locally
as well as globally.
* New Crypto-Privacy Legislation
Urge your Representatives to support the Pro-CODE crypto export bill
(and to fix the few remaining bugs in it).
For years US export controls on encryption have hampered the development
of secure communications online. This technology is vital for online
commerce, for national security, and for YOUR electronic privacy.
The new Pro-CODE legislation will go a long way to rectifying the situation.
Join in the Golden Key Campaign - see http://www.eff.org/goldkey.html
Support the EFF Cyberspace Legal Defense Fund:
for more info.
* Digital Telephony/Comms. Assistance to Law Enforcement Act
The FBI has been seeking both funding for the DT/CALEA wiretapping
To oppose the funding, write to your own Senators and Representatives
urging them to vote against any appropriations for wiretapping.
We are aware of no major action on this threat at present, but keep your
eyes peeled. It will be back.
See http://www.eff.org/pub/Privacy/Surveillance/ for more info.
* Anti-Terrorism Bills
Several bills threatening your privacy and free speech have been introduced
this very moment - however, this status may change. Urge your
Congresspersons to oppose these unconstitutional and Big-Brotherish
bills, which threaten freedom of association, free press, free speech,
and privacy. One such bill passed a few weeks ago, stripped of some of the
more onerous provisions. It could have been worse, and could yet still
Keep up the pressure. Write to your legislators: No
authority, no national or "smart-card" ID systems!
For more information on some of this legislation, see
* Medical Privacy Legislation
Several bills relating to medical privacy issues are floating in Congress
enhance the medical privacy of citizens.
More information on this legislation will be available at
it appear there faster. :)
* Child Privacy Legislation
A new bill to protect children from unethical marketing practices (e.g.
tricking kids into revealing personal information by offering prizes or
like, and dislike, various points in this bill. The legislators
* Find Out Who Your Congresspersons Are
Writing letters to, faxing, and phoning your representatives in Congress
is one very important strategy of activism, and an essential way of
making sure YOUR voice is heard on vital issues.
EFF has lists of the Senate and House with contact information, as well
as lists of Congressional committees. These lists are available at:
The full Senate and House lists are senate.list and hr.list, respectively.
Those not in the U.S. should seek out similar information about their
own legislative bodies. EFF will be happy to archive any such
information provided to us, so pass it on!
try contacting your local League of Women Voters, who maintain a great
that matches Zip Codes to Congressional districts with about 85%
Computer Currents Interactive has provided Congress contact info, sorted
by who voted for and against the Communications Decency Act:
* Join EFF!
You *know* privacy, freedom of speech and ability to make your voice heard
in government are important. You have probably participated in our online
campaigns and forums. Have you become a member of EFF yet? The best way to
opinions heard. EFF members are informed and are making a difference. Join
For EFF membership info, send queries to email@example.com, or send any
message to firstname.lastname@example.org for basic EFF info, and a membership form.
EFFector Online is published by:
The Electronic Frontier Foundation
San Francisco CA 94103 USA
+1 415 436 9333 (voice)
+1 415 436 9993 (fax)
Membership & donations: email@example.com
Legal services: firstname.lastname@example.org
General EFF, legal, policy or online resources queries: email@example.com
Editor: Stanton McCandlish, Online Activist, Webmaster (firstname.lastname@example.org)
This newsletter is printed on 100% recycled electrons.
Reproduction of this publication in electronic media is encouraged. Signed
articles do not necessarily represent the views of EFF. To reproduce
ually at will.
To subscribe to EFFector via email, send message body of "subscribe
effector-online" (without the "quotes") to email@example.com, which will add
you to a subscription list for EFFector.
Back issues are available at:
To get the latest issue, send any message to firstname.lastname@example.org (or
email@example.com), and it will be mailed to you automagically. You can also get
the file "current" from the EFFector directory at the above sites at any
time for a copy of the current issue. HTML editions available at:
at EFFweb. HTML editions of the current issue sometimes take a day or
longer to prepare after issue of the ASCII text version.
End of EFFector Online v09 #09 Digest