|Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-and-a-half-years collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.|
5 December 1998: Add messages.
4 December 1998
See related: http://jya.com/wa-state98.htm#msg1 and http://jya.com/wass-suks.htm
To: email@example.com, firstname.lastname@example.org Subject: What was the quid pro quo for Wassenaar countries? Date: Fri, 04 Dec 1998 18:40:15 -0800 From: John Gilmore <email@example.com> I spoke some hours ago with Tatu Ylonen in Finland. His company has confirmation from the Finnish government that the government agreed to a proposal to limit mass-market crypto exports to 56 bits. Perhaps he or someone else from SSH can post more details. So *something* really did happen at the Wassenaar meeting, but we don't know two important things: * What exactly did they agree to? In particular, is public domain -- as opposed to mass market -- crypto controlled? * And what did NSA offer, to convince many countries to directly contradict policies that they had arrived at during year-long public consultations with their own citizens? A carrot? A stick? Blackmail from wiretaps? Access to NSA's wiretap network in return for cooperation? What was the strong motivation for so many countries to go against their own economic and self-determination interests? It was pointed out to me that the Wassenaar Arrangement has no legal effect. Each country has to go back and amend its own local controls. However, I personally saw cases more than a year ago where both Japan and Belgium were restricting bona fide civilian crypto transactions "because Wassenaar requires us to" when in fact it didn't. This development will give these countries much more "cover" to implement draconian policies, under secret arm-twisting from the US. We will have to fight this one in the trenches, in each country. First step is to raise a hue and cry and put each government on the defensive (as they well ought to be). Then let's find out what "deal" they made with the devil. Finally let's see whether, as Perry says, civil rights and political processes work, and the will of the people will actually end up codified in the laws of each country. Or not. John PS: I particularly like Ambassador Aaron's characterization that this new development will help US industry, by censoring foreign crypto publishers in the same way the US government censors US publishers. A giant step forward for freedom and commerce everywhere, eh Mr. Aaron? What an incredibly talented liar, I mean diplomat, he is.
To: firstname.lastname@example.org Subject: my two cents From: "Perry E. Metzger" <email@example.com> Date: 04 Dec 1998 19:27:44 -0500 The new Wassenar abomination has to be the end of this, one way or another. Supposedly, the United States is a democracy. Supposedly, elected officials are supposed to respond to the desires of the electorate, not the desires of the National Security Agency. It is time that we explained, clearly and distinctly, to the legislative branch that this is *not* a joke, that "balancing the interests of law enforcement" is not what the electorate wants, that the law enforcement officials have no interests of their own and are ALSO the employees of the people. Either we find out that the U.S. Government is government of the bureaucrats, by the bureaucrats, for the bureaucrats, or we get our way -- but either way, it is finally, in my opinion, the time for us to quit pussyfooting around, quit trying to appease people, and to just come out and say "cryptography controls are stupid, and we, the people, do not want them, and we don't CARE what the NSA wants, they work for *us*, not the other way around." Perry
Date: Fri, 04 Dec 1998 21:25:31 -0500 From: David Miller <firstname.lastname@example.org> Organization: Linux Quality Assurance To: email@example.com Subject: Wassenaar John, It just struck me that the Wassenaar Arrangement is not a binding agreement to anyone but those individuals who signed it. I've done some research and can't find any reference to a Treaty which has been ratified by the US Senate. Of course, certain Departments in the Executive branch are intending to enforce the Arrangement, but without a person (a corporation or natural person) petitioning for and being issued a license from such Departments, I can't see how the Arrangement is enforceable. As always, I maintain that one is better off to rely on one's rights as secured under the Consitution than to enter in to a contractual agreement (license) when dealing with "powerful munitions", such as the XOR algorithm, et al. http://www.osce.usia.co.at/wa.htm http://www.wassenaar.org/ Oddly enough, I believe that I was the original creator of the "globe" image which appears on the www.wassenaar.org homepage. Not only that, but if I am correct, I also wrote the algorithm and program which produced the image! This would have been ~1990-91 or so. Too bad I didn't copyright that image, I guess. ;-) I still have my old papers, though, so I may still be able to claim "prior art". As Steven Wright says, "it's a small world, but I wouldn't want to have to paint it." --David
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Greg Taylor: preliminary Wassenaar details from three countries Date: Fri, 04 Dec 1998 23:42:55 -0800 From: John Gilmore <firstname.lastname@example.org> [Greg graciously allowed me to repost this. --gnu] Date: Sat, 05 Dec 1998 15:22:53 +1000 From: Greg Taylor <email@example.com> Hi John, You wrote: >I have not found a single confirmation of the Aarons statement that >the 33 Wassenaar countries have agreed to change the exemption for >mass market crypto software. (The NY Times and Reuters stories both >quote Ambassador Aarons.) I think Aarons must have an advanced degree in spin doctoring, but nevertheless information about new restrictions on mass market software has also come from 3 independent well-placed sources. >From the UK crypto list: ================= Just talked to Dirk Weicke, Senior Adviser to Wassenaar Organisation. Tel:+43 1 516360) No written details will be issued until next week, but gist is: *) No alteration to question of whether Wassenaar covers intangible exports. Up to signatory states to interpret and legislate. *) mass-market software, symmetric key length limited to 56-bits *) software generally available, but with other restrictive tests on end-user re-configurability, symmetric key length limited to 64-bits *) Assymetric key lengths (not sure how relates to above) limited to: RSA & Digital logarithm: 512 bits Elliptic curve : 112 bits ===================== And here's a view from David Jones (EFC), from the GILC list: ===================== - There is "some relaxation" for restrictions on symmetric methods using key lengths of 56 bits or less. Stronger crypto would require an export license. - There is no restriction on mass-market software using symmetric methods and a key length of 64 bits or less. Stronger mass-market crypto would require an export license. - "Public Domain Software is not restricted" [If this is really true, this is still an important loophole.] - There is not yet any clear information about the status of "intangible goods", like crypto software on a web site, or sent by email, as opposed to "tangible goods", like software on a floppy disk or CD-ROM. - The restrictions on mass-market software greater than 64 bits is "for public safety" reasons and will last for 2 years, after which it will be reviewed. ============================= Yesterday I got the Australian government interpretation from Robbie Costmeyer in Canberra. Costmeyer is the Defence bureaucrat responsible for approving export licenses. I was told that Wassenaar had now agreed that the General Software Note waiver no longer applied to Category 5/2 items (i.e. crypto) on the controlled goods list. It has always been the view of Defence Signals Directorate here that it was an oversight that crypto software came under the GSN. That reason was used to justify Australia's going one step further than required under the original Wassenaar Arrangement and disallowing exemptions to the export licensing rules. A few other countries do the same (USA, New Zealand, France, Russia). Canberra thus views the latest change as the correction of an oversight. Clearly there is a difference of interpretation here regarding public domain software (compare the Canadian view above). This question needs further investigation. The Australian view is that the latest Wassenaar changes are a relaxation of the previous rules. And they're right, when compared with the previous rules applying here. Australia will now move to amend the Defence Strategic Goods List (DSGL) to allow exemptions for small key lengths as decribed above. For other countries, the effects remain to be seen. We'll just have to wait for more information to filter out. Greg
From: "Phillip Hallam-Baker" <firstname.lastname@example.org> To: <email@example.com>, <firstname.lastname@example.org> Subject: RE: What was the quid pro quo for Wassenaar countries? Date: Sat, 5 Dec 1998 00:12:23 -0500 John Gilmore may be right, but remember folks that in Europe we have this thing the Greeks invented called democracy. One of the ideas of democracy is that decisions are not made in secret closed meetings. The interpretation of the US ambassador appears to be based on the assumption that the governmental proceedures of democratic countries are like those of his home country. In fact European governments cannot make law simply by telling the national police force to arrest folk who engage in particular behaviour. The system of checks and balances may be described in the US constitution but it is entrenched in the European polity. The UK does not have a national police force precisely to stop Hooverism. Even directives of the European Commission do not have legal force until the national parliaments enact legislation to implement the directive. One should also remember that the government of the Netherlands has agreed to control the sale and use of narcotics. If their efforts to control cryptography are as dilligent we have nothing to worry about. In addition under the single European act the entire country of Europe is one export zone for crypto control purposes. I fail to see that stopping Brits from exporting crypto to the US changes the equation a great deal. There once was an English king called Canute who attempted to demonstrate to his courtiers that he was fallible and could not order the tide to turn. Perhaps Clinton's courtiers need to learn that they suffer the same limmitation. Phill
Date: Sat, 5 Dec 1998 07:17:21 +0100 (CET) From: Lucky Green <email@example.com> To: John Gilmore <firstname.lastname@example.org> cc: email@example.com, firstname.lastname@example.org Subject: Re: What was the quid pro quo for Wassenaar countries? On Fri, 4 Dec 1998, John Gilmore wrote: > We will have to fight this one in the trenches, in each country. > First step is to raise a hue and cry and put each government on the > defensive (as they well ought to be). Ultimately, It won't make a difference, but sure, why not. Crypto regs can go one way, and one way only: more restrictive. See some 5 years of my postings on this topic. Lobbying and litigation can only delay the arrival of a total ban on general purpose strong crypto, not prevent it. Note that I am not at all claiming that either lobbying or litigation is useless. By all means, keep it up. It just won't change the fact that the ratchet turns only into one direction. Until the ratchet breaks, but that is another matter entirely and tends to be acompanied by lots of dead bodies. > Then let's find out what "deal" > they made with the devil. I doubt we will find out anytime soon. Favors? Blackmail? Most likely all of the above. But it doesn't matter why the representative of country A or B voted for export controls. We already know that most, if not all, governments would fall all over themselves banning crypto outright were they exposed to some of the traffic this list has seen over the years. What does surpise me, however, is why some people (not John) tend act surprised when the ratchet tightens yet another notch. I can't help but wonder if they are equally surprised when the sun goes up in the morning or tide moves in. Weird. -- Lucky Green <email@example.com> PGP v5 encrypted email preferred.
To: Lucky Green <firstname.lastname@example.org> To: email@example.com, firstname.lastname@example.org, email@example.com Subject: Re: Which way are crypto regs going? Date: Fri, 04 Dec 1998 23:41:08 -0800 From: John Gilmore <firstname.lastname@example.org> Lucky Green said: > Ultimately, It won't make a difference, but sure, why not. Crypto regs can > go one way, and one way only: more restrictive. Lucky's such an optimist! Actually, crypto regs have gone many different directions. The general direction in the US is toward more openness. (I've been watching them longer than Lucky has been.) Authentication used to be licensed. It isn't any more -- though the bastards reserve the right to lie about what is authentication. ATM machines used to require a license. 40-bit crypto used to require a license. Financial institutions used to require licenses. Big companies used to need licenses for intra-company use. DES used to require a license. (Still does, until the incredibly cold warriors move their bowels and produce a new, uh, release of the regs.) Maybe sometime next year I'll be able to say, "Publishing crypto on the net used to require a license but now it doesn't, since the courts started enforcing the Constitution." Whether this happens or not is NOT under the control of the NSA -- I think. On the other hand, crypto regs in other countries tended to start from "unrestricted", so indeed there was no way they could go from there except "more restrictive". But after the first dollop of restriction, they could go either way, as we've seen in various countries. Germany for example seems to be loosening. Canada turned out to be looser than anyone had suspected, and is still trying to be loose despite intense arm-twisting by US wiretappers. Some countries actually seem to care what their citizens think about their crypto laws, unlike the shining example of democracy, the USSA. And when we educate the citizens, they tend to make the right choices. Let's keep trying. John
Date: Fri, 4 Dec 1998 23:01:53 -0800 To: email@example.com From: Tim May <firstname.lastname@example.org> Subject: Re: What was the quid pro quo for Wassenaar countries? At 10:17 PM -0800 12/4/98, Lucky Green wrote: >Ultimately, It won't make a difference, but sure, why not. Crypto regs can >go one way, and one way only: more restrictive. See some 5 years of my >postings on this topic. Lobbying and litigation can only delay the arrival >of a total ban on general purpose strong crypto, not prevent it. Note that >I am not at all claiming that either lobbying or litigation is useless. By >all means, keep it up. It just won't change the fact that the ratchet >turns only into one direction. Until the ratchet breaks, but that is >another matter entirely and tends to be acompanied by lots of dead bodies. Indeed. What more is there to say on this point? One way only. Even the "do gooders" actually make things worse, by "greasing the skids" for legislative talk and legislative "compromise"...said compromise always being another turn of ratchet. (This applies to many industries. I recently heard T.J. Rodgers, CEO of Cypress Semiconductor, repeat his oft-made point that Silicon Valley and the high tech industry gains _nothing_ by talking to Washington. That as soon as dialog is started with Washington, things get worse. This applies as well to crypto, to gun rights, to everything. Everything Washington touches turns to statist shit.) On another topic, what of the "free export of crypto" nations? Some nations, or folks in some nations, like to talk about how they are actually "more free" than Americans are because they can export strong crypto. Canada comes to mind, as there are a couple of companies we know about using the ostensibly weaker Canadian export controls. (I maintain, and Lucky can be my witness that I expressed this forcefully to some Canadian entrepreneurs very recently, that Canada's relative laxness on crypto arises first, from their ignorance of the issues and second, from the fact that Washington hasn't yet told them how high to jump. I have long believed the U.S. would issue the orders and other countries would turn out to be just as restrictive, if not more restrictive, as they have fewer in-country protections against restrictions on strong crypto. If Canada, Finland, etc. tighten up, can Anguilla be far behind?) >I doubt we will find out anytime soon. Favors? Blackmail? Most likely >all of the above. Or perhaps "strange fruit"? That is, hackers found hanging from a tree.... Or direct deposits to the Swiss bank accounts of Wassenaar delegates? Or just intense lobbying, threats of foreign aid cutoffs, and repeated showings of the "If you only knew what we know" videotape (specially converted to PAL). Nothing very surprising. --Tim May "I swear to tell the truth, the whole truth, just the way the President did." ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 831-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments.