Date: 15 Apr 95 21:05:59 EDT From: Jim Demberger <74425.1642@compuserve.com> Subject: ODTC Correspondence VOTPCRYP PUBLIC DOMAIN CRYPTOGRAPHIC SOFTWARE James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 April 8, 1885 The Electronic Frontier Foundation is currently sponsoring a federal lawsuit seeking to bar the government from restricting publication of cryptographic documents and software. The restrictive regulations are embodied in section 38 of the Arms Export Control Act (AECA) (22 U.S.C. S 2778), and the International Traffic in Arms Regulations (ITAR)(22 C.F.R. Parts 120-130); these regulations are enforced by the Office of Defense Trade Controls (ODTC) in the Department of State. The EFF argues that the export-control laws, both on their face and as applied to users of cryptographic materials, are unconstitutional and the lawsuit challenges the export-control scheme as an `impermissible prior restraint on speech, in violation of the First Amendment.' I noted with much interest the announcement of the EFF's suit to overthrow the ITAR regulations since I had started a battle with the ODTC on just the "public domain technical data" aspect of the ITAR back in August 1994. Many knowledgeable people have come to the conclusion that information in the public domain is exempt from the provisions of the ITAR. A report prepared for the National Institute of Standards and Technology (NIST) dated January 1994 by the National Intellectual Property Law Institute and The George Washington University makes note of public domain technical data as follows "An export license is required for the export of unclassified technical data .... However, information which is in the public domain is not subject to the controls for technical data." If the ODTC were to acknowledge that public domain cryptographic software is not subject to the ITAR regulations then public domain cryptographic software might provide a means to encourage "the growth and spread of privacy and security technologies"; one of the aims of EFF lawsuit. I modified a prototype encryption/decryption program on which I held a copyright by making some changes that made the program's encryption less secure and added a notice that the program was released to the public domain. One of the public domain definitions in the ITAR reads "S120.11 Public domain. (2) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;". The program was uploaded to the EFF library on August 14 1995 and to three other fora/forums on Compuserve to establish the program as meeting the ITAR definition of published public domain software. By the end of September 1994 the program (VOTP11.ZIP) had been downloaded by over 100 CompuServe users, some of whom may well have logged in from foreign countries. No one had questioned the statement in the program that it was public domain and exempt from the provision of the ITAR. When the ODTC did not take any notice of the program files uploaded to CompuServe, I decided to upload the program to the sci.crypt newsgroup on UseNet (Internet) where I was sure that someone would bring the program to the attention of the ODTC. Finally, by letter dated Sept 22 1994, the ODTC sent me a routine warning that they did not consider the program to be public domain and exempt from the ITAR regulation and that I had exported a "defense article" by posting the program to the sci.crypt newsgroup on September 10 1994. From Sept 22 1994 thru Feb 22 1995, I received a series of four letters from the ODTC and sent them four replies. The letters from the ODTC and my replies makes for some interesting reading, The letters reproduced in this file have been reformated to a longer line length than that of the original letters but are otherwise verbatim copies of the original letters. These letters from the ODTC are a very good example of what the EFF finds objectionable and unconstitutional in the ODTC's implementation of the ITAR. In the last letter dated February 3, 1995, the OTDC has in effect said that I am prohibited from making and publishing any revisions to the public domain VOTPCRYP program since the ODTC has "ruled" that the program is a defense article and that it is subject to what ever provisions of the ITAR that the ODTC might choose to enforce. 40922odt.ltr ******************************************************** United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Washington, D.C. 20522-0602 James T. Demberger 9862 Lake Seminole Drive West Sep 22 1994 Seminole, FL 34643 Dear Mr. Demberger: Pursuant to section 38 of the Arms Export Control Act (AECA) (22 U.S.C. S 2778), the Department of State controls the export of defense articles, defense services, and related technical data. Items which have been designated defense articles and defense services constitute the United States Munitions List (USML) and are enumerated at Part 121 of the International Traffic in Arms Regulations (ITAR) (22 C.F.R. S 121.1). Before any item listed on the USML may be exported, an exporter must receive prior written authorization from the Office of Defense Trade Controls (DTC) of the Department of State. The Term "export" is defined at 22 C.F.R. S 120.17 and encompasses broad categories of transactions. With respect to cryptographic software, we are particularly concerned with the transactions defined at ITAR sections 120.17(1), that is "Sending or taking a defense article out of the United States in any manner." It has come to the attention of this office that you may be in the business of manufacturing and exporting defense articles. Specifically, on September 10, 1994, from CompuServe account 74425,1642, you posted a cryptographic software program named VOTPCRYP version 1.1 to the SCI.CRYPT Usenet group on the Internet. Please be advised cryptographic software and related source code, is a defense article as defined in 22 C.F.R. S 121.1, Category XIII(b). We take this opportunity to advise you that any company or individual who engages in the United States in the business of either manufacturing or exporting defense articles, or furnishing defense services or related technical data, is required to register for a fee with the Office of Defense Trade Controls (DTC) pursuant to 22 U.S.C. S 2778(b)(1)(A) and 22 C.F.R. Part 122. Furthermore, the export of such defense articles and related technical data must be licensed by the Department of State in accordance with 22 U.S.C. S 2778(b)(1)(B)(2) and 22 C.F.R. Parts 120-130. A booklet entitles "REGISTRATION: The First Step in Defense Trade" is enclosed. In the manual posted with VOTPCRYP, you claim your product qualifies for the public domain exemptions for technical data. Specifically, you state on page 10 "...cryptographic technology is included in the government's definition of technical data." The exemptions listed in 22 C.F.R. S 125.4 for technical data do not apply to cryptographic software and related source code. A valid Department of State license is required to export cryptographic software and related source code. Posting cryptographic software and related source code to internationally distributed Usenet groups on the Internet constitutes an export. It is a violation to export cryptographic software and related source code without a valid Department of State export license. Please be aware that you may submit any additional information to the Department concerning this transaction under 22 C.F.R. S 127.12. The Department will consider any mitigating information you supply in determining whether any further action in this case is warranted. If you are unsure whether an article is on the U.S. Munitions List, you may send nine (9) copies of descriptive literature about the product and request a commodity jurisdiction determination from this office according to 22 C.F.R. S 120.4 of the ITAR. If you have any questions please contact Mr. John Sonderman, Compliance and Enforcement Branch, at 703-875-6650. Sincerely, /s/Mary F. Sweeney Mary F. Sweeney Acting Chief Compliance and Enforcement Branch cc: Senior Special Agent James P. McShane Customs Coordinator United States Customs Service 41003rep.ltr ******************************************************** 3 October 1994 United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Compliance and Enforcement Branch Attn. Ms. Mary F. Sweeney Washington, D.C. 20522-0602 Reference: letter addressed to James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 Dated Sep 22 1994 Dear Ms. Sweeney: Regardless of all the various citations of the ITAR regulations in the referenced letter, central to the situation regarding my posting of the public domain VOTPCRYP program and documentation is the fact that both the program and documentation are in the public domain and the fact that public domain information is exempt from these regulations. The following paragraph is quoted from the program and documentation: "Under current copyright regulations, a copyright was automatically granted to the author for the VOTPCRYP program and for this information file. The author of the VOTPCRYP program and this information file does not intend to assert any of the rights granted by the copyright and hereby releases the VOTPCRYP program and this information file to the Public Domain. The files may be freely copied, distributed or modified for any lawful purpose." The wording in the quoted paragraph has long been accepted by users of computer software to mean that the copyright holder has unconditionally released the software to the public domain. The following is quoted from the fifth paragraph of the referenced letter: "In the manual posted with VOTPCRYP, you claim your product qualifies for the public domain exemptions for technical data. Specifically, you state on page 10 "...cryptographic technology is included in the government's definition of technical data." The exemptions listed in 22 C.F.R. S 125.4 for technical data do not apply to cryptographic software and related source code." I can not understand why you would quote only eleven words that do not have any relevance to the exemption for public domain information and to not quote the next two sentences that point out that the regulations have a provision for the exemption for public domain information. The next two sentences are quoted as follows: "The regulations provide an exemption to the export license requirements for information that is in the public domain. The VOTPCRYP program and this information file has been released to the public domain by the author. Information regarding XOR encryption and the use of One-Time-Pads has long since been in the public domain." I have not made any claim regarding exemptions listed in S 125.4. Since the VOTPCRYP program and documentation are in the public domain, the applicable exemption is the second sentence of paragraph S 125.1. This sentence reads as follows: "Information which is in the public domain (See S 120.11 of this subchapter and S 125.4(b)(13)) is not subject to the controls of this subchapter." The points that I have made in preceding paragraphs fully support my contention that the VOTPCRYP program and documentation are in the public domain and that both are exempt from ITAR regulations based the stated exemptions for public domain information contained in the regulations. I see no reason at this time to responding to the other items that your office made in the referenced letter since these items would only be applicable if the VOTPCRYP software was not in the public domain and it was not exempt from the ITAR regulations. It would be appreciated if you would let me know as soon as possible if your office does not agree that the VOTPCRYP program and manual are in the public domain and that they are therefor exempt from the ITAR regulations. Sincerely, James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 41107odt.ltr ******************************************************** United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Washington, D.C. 20522-0602 James T. Demberger 9862 Lake Seminole Drive West NOV - 7 1994 Seminole, FL 34643-4521 Dear Mr. Demberger: This letter is in response to your letter dated October 3, 1994 regarding the VOTPCRYP program. In your letter, you claim VOTPCRYP is in the public domain and thus under 22 C.F.R. S 125.1 is exempt from the International Traffic in Arms Regulations (ITAR) (22 C.F.R. Parts 120-130). However, the ITAR's "public domain" exemption applies only to technical data meeting the "public domain" criteria, and cryptographic software does not come within the meaning of technical data as defined by the ITAR. The ITAR's software definition, at section 121.8(f), specifically excludes cryptographic software from the software for which an exporter should apply for a technical data license. An exporter must receive prior written authorization from the Office of Defense Trade Controls (DTC) of the Department of State before VOTPCRYP may be exported. The Department of State does have a commodity jurisdiction procedure to allow transfer to the Commerce Department's Commerce Control List (CCL) of some mass market software products with encryption. For your reference, I have enclosed instructions on how to submit such a request. If you have any questions regarding these matters please contact Mr. John Sonderman, Compliance and Enforcement Branch at (703) 875-6650. Sincerely, /signature/ William B. Robinson Director Office of Defense Trade Controls 41117rep1.ltr ******************************************************* 17 November 1994 United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Att. Mr. William B. Robinson, Director Washington, D.C. 20522-0602 Dear Mr. Robinson: This letter is in response to your letter dated November 7, 1994 regarding the VOTPCRYP program. In your letter of November 7, you state that I "claim" that the VOTPCRYP software is in the public domain. The VOTPCRYP software has been in the public domain since the date that it was originally published, August 14, 1994; I have no need to make any "claim" regarding the public domain status of the software. The term "public domain" has a well established meaning by dictionary definition and by both common and case law. Since I am the copyright owner of the VOTPCRYP software, I followed established precedents in placing this software in the public domain. The VOTPCRYP software does not have to meet any "public domain" criteria established in the ITAR in order to be placed in the public domain. The software does meet the public domain requirement of paragraph (2), section 120.11 of the ITAR. Your reference to the software definition in section 121.8(f) may apply to proprietary or trade-secret software; this definition does not apply to public domain software covered in sections 120.11 and 121.1(a). For your information, I am not "in the business of either manufacturing or exporting defense articles, or furnishing defense services or related technical data". I have not contacted Mr. John Sonderman since I have no questions regarding the text of sections 120.11 and 121.1(a) of the ITAR. It would be appreciated if you would let me know as soon as possible if your office does not agree with my contention that the VOTPCRYP software is in the public domain and that, as such the software is exempt from the ITAR regulations. Sincerely, James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 41222odt.ltr ******************************************************** United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Washington, D.C. 20522-0602 James T. Demberger 9862 Lake Seminole Drive West Dec 22 1994 Seminole, FL 34643 Dear Mr. Demberger: This letter is in response to your letters dated November 1, 1994 and November 17, 1994. In your November 17th letter, you requested further clarification on whether you VOTPCRYP program is exempt from the International Traffic in Arms Regulations (22 C.F.R. Parts 120-130) (ITAR). Specifically you wanted to know if VOTPCRYP qualified for the "public domain" exemption in section 125.1. The ITAR's software definition, at section 121.8(f), specifically excludes cryptographic software from the software for which an exporter should apply for a technical data license. Cryptographic software does not qualify for any exemption under Part 125 of the ITAR. Clearly, you must receive prior written authorization from the Office of Defense Trade Controls (DTC) of the Department of State before VOTPCRYP may be exported. This includes distributing VOTPCRYP over the Internet by posting it to internationally distributed Usenet news groups. Furthermore, simply putting a distribution line into the post limiting distribution to the United States will not prevent the export of the software. Your letter further states that you are not in the business of manufacturing or exporting defense articles. However you created a defense article and exported it on September 10, 1994. You are not exempt from the registration requirement of the ITAR simply because you did not charge money for you product. If you have any questions regarding these matters please contact Mr. John Sonderman of my office at (703) 875-6650. Sincerely, /s/Mary F. Sweeney Mary F. Sweeney Acting Chief Compliance and Enforcement Branch 50102rep.ltr ******************************************************** 2 January 1995 United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Attn. Ms. Mary F. Sweeney Washington, D.C. 20522-0602 Dear Ms. Sweeney: This letter is in response to your letter dated December 22, 1994 regarding the VOTPCRYP program. As I pointed out in my letter to Mr. Robinson dated 17 November 1994, the VOTPCRYP software is in the public domain and meets the definition and qualifications shown in section 120.11 of the ITAR for public domain information. Section 125.1(a) of the ITAR states "Information which is in the public domain (see S 120.11 of this subchapter...) is not subject to the controls of this subchapter." The wording of sections 120.11 and 125.1(a) of the ITAR very clearly states that public domain software, such as the VOTPCRYP software, is not subject to the ITAR. The definition of cryptographic software in section 121.8(f) does not have any bearing on the public domain status of the VOTPCRYP software. Since the public domain VOTPCRYP software is not subject to the ITAR, there is no need for authorization for the export of this software. So far as I am aware, there has been no judicial finding that posting messages or articles on the Internet is constitutes export. The possibility of the VOTPCRYP software being a defense article ended when it was placed in the public domain in August 1994. There was no defense article in the VOTPCRYP articles posted to Internet on September 10. 1994. During the past year messages and articles have been posted to the Internet pointing out the fact that public domain information was not subject to the ITAR. However, none of the messages or articles cited any specific instance where public domain cryptographic software had been found by the ODTC to be not subject to the ITAR. The VOTPCRYP software was placed in the public domain and posted to the file libraries of four CompuServe Fora in August 1994 as a test of the ITAR's applicability to public domain information. While CompuServe is similar to Internet in that CompuServe messages and articles may be accessed from foreign countries, it was not until after the software had been posted to the science.crypt newsgroup on the Internet that the software came to the attention of your office. Your original letter of September 22, 1994 went to considerable lengths to avoid acknowledging the fact that the VOTPCRYP software was in the public domain and not subject to the ITAR regulation. My reply of October 3, 1994 to your letter of September 22, 1944 was mainly in substantiation of the public domain status of the VOTPCRYP software. Mr. Robinson's letter of November 7, 1994 indicated that the ODTC had not acknowledged that the software was in the public domain. In my reply dated November 17, 1994 I reiterated the fact that software was public domain as defined in section 120.11 and not subject to the ITAR as provided in section 125.1(a). I inadvertently cited section 121.1(a) rather than section 125.1(a) in my reply however your office apparently understand that section 125.1(a) was intended. Your reply of December 22, 1944, like Mr. Robinson's reply of November 7, 1994, indicated that the ODTC still was not acknowledging that the VOTPCRYP software was in the public domain. I had originally assumed that the ODTC might question the public domain status of the VOTPCRYP software but that your office would agree that, as public domain information, the software is "not subject to the controls of this subchapter"(ITAR). While your office may not agree that the VOPTCRYP software is not subject to the ITAR, there has been widespread distribution and acceptance of the software based on it being in the public domain and not subject to the ITAR. The program had no value as a part of a secure cryptographic system once it was published. The encryption methods used by the program have been in the public domain for many years. Methods that can be used to "break" the encryption performed by the VOTPCRYP program are taught in colleges and universities offering courses in cryptography. Following is quoted from the program documentation: "The VOTPCRYP program is not a finished product; it is a fully functional prototype that can be used to create a secure encryption system for anyone or for any activity." After this letter, I do not plan to pursue this matter with your office except to acknowledge the receipt of any reply you might choose to make. If you have any questions that I can answer by phone, please call me at 813 397-2930. I plan to distribute a revision of the VOTPCRYP manual which will include the letters that I received from the OTDC and my replies to these letters. Your reply to this letter will be included in the revision of the VOTPCRYP manual if the reply is received by January 27, 1995. Sincerely, James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 Phone 813-397-2930 50203odt.ltr ******************************************************** United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Washington, D.C. 20522-0602 FEB - 3 1995 Certified Mail - Return Receipt Requested Mr. James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 Dear Mr. Demberger: You have been informed that VOTPCRYP is a defense article as defined in 22 C.F.R. S 121.1, Category XIII(b). You have further been informed that cryptographic software does not qualify for any exemption under Part 125 of the International Traffic in Arms Regulations (ITAR), including the exemption for technical data in the public domain in section 125.1. Pursuant to section 38 of the Arms Export Control Act (AECA) (22 U.S.C. S 2778), and the International Traffic in Arms Regulations (22 C.F.R. Parts 120-130) it is unlawful to export or attempt to export from the United States any defense article or technical data or to furnish any defense service for which a license or written approval is required without first obtaining the required license or written approval from the Office of Defense Trade Controls. Further, it is unlawful to willfully cause, or aid, abet, counsel, demand, induce, procure or permit the commission of any act prohibited by, or the omission of any act required by 22 U.S.C. S 2778, 22 U.S.C. S 2779, or any regulation, license, approval, or order issued thereunder(see 22 C.F.R. S 127.1). Any further violations of the ITAR, including distributing VOTPCRYP over the Internet by posting it to internationally distributed Usenet news groups, will be referred to the United States Customs Service and other government agencies for appropriate criminal and civil action. If you have any further questions regarding these matters please contact Mr. John Sonderman of my office at (703) 875-6650. Sincerely, /s/ Mary F. Sweeney Acting Chief Compliance and Enforcement Branch cc: James P. McShane Customs Coordinator United States Customs Service 50220rep.ltr ******************************************************** 22 February 1995 United States Department of State Bureau of Politico-Military Affairs Office of Defense Trade Controls Attn. Ms. Mary F. Sweeney Washington, D.C. 20522-0602 Dear Ms. Sweeney: This letter acknowledges receipt of your letter of February 3, 1995. This letter does not acknowledge that there was any violation of the ITAR in posting the public domain VOTPCRYP files to the science.crypt newsgroup on the Internet. Sincerely, James T. Demberger 9862 Lake Seminole Drive West Seminole, FL 34643 Phone 813-397-2930 --- Now to see if CIS will take a 600+ line file. JimD X 3