4 September 1997
Source: Hardcopy from Peter Junger


[Fax header] AUG-07-1997 15:32 OCC/BXA 202 482 0085 P.01

UNITED STATES DEPARTMENT OF COMMERCE
Bureau of Export Administration
Washington, D.C. 20230

AUG 7 1997

Gino J. Scarselli, Esq.
664 Allison Drive
Richmond Heights, Ohio 44143

Dear Mr. Scarselli:

This letter is in response to your letters of July 18, 1997 and July 24, 1997, forwarded to us by Anthony Coppolino of the Department of Justice, concerning our prior response of July 3, 1997 to the three commodity classification applications you submitted on behalf of your client, Professor Peter Junger. We respond, in turn, to the issues raised by the numbered paragraphs of your July 18 letter.

1. You indicate first that you requested a classification of the "entire chapter" from "Computers and the Law" (Item No. 2 to Application Z082061; hereinafter "Item No. 2") and, specifically, that BXA did not provide a classification for an item described as a "source code in ANSI C of Paul Leyland's one time pad" in figure 1.4.

At the outset, we note that it is the requestor's responsibility to identify and describe with specificity the items and/or activities for which he seeks a determination, and you did not previously specify this software program. As reflected in our determination, Item No. 2 contains distinct items for which commodity classifications under the EAR may vary. Specifically, the EAR treats encryption software differently from other software, and from "technology" as defined in the EAR. For this reason, BXA examines and classifies specific items of software and technology separately, not as a single item consolidated by the requestor.

There are four software programs included in Item No. 2. The attachment to this letter provides classifications for each of the programs. Please note that all of the programs are classified as EAR99 and are not software controlled under ECCN 5D002.

In addition, contrary to your assertion, BXA did not classify Item No. 2 as both subject to the EAR and not subject to the EAR. Since software designated as EAR99 is not subject to the licensing restrictions for encryption software covered by ECCN 5D002, the software portion of Item No. 2 in its entirety, as submitted, is not subject to the EAR if it is made publicly available within the meaning of Section 734.3. As our previous determination also indicates, the non-software portion of Item No. 2 is not subject to the EAR if it does not meet the definition of "technology" under the EAR (e.g., discussion of export policy and the Junger lawsuit) or if it is "publicly available" within the meaning of Section 734.3 of the EAR, whether it is in electronic form or not. Accordingly, if Professor Junger makes all of Item No. 2 publicly available, there are no restrictions under the EAR on Professor Junger's ability to export Item No. 2 as submitted, including the software which it contains.



You also ask what the status of Item No. 2 would be if you modified it in the future to include the software for the RSA algorithm implemented in Perl. Again, BXA's classification is made as to the software itself and, as we previously advised you, this software program in electronic form or media is covered by ECCN 5D002. A software program subject to export licensing requirements under ECCN 5D002 of the CCL is not exempt from the EAR simply because an exporter chooses to consolidate it with items not subject to the EAR. Please note, however, that should you choose to consolidate encryption software subject to ECCN 5D002 with other items, our determination with respect to such software does not mean that the other portions of Item No. 2 discussed above would then become subject to ECCN 5D002, or would be controlled for export in the same manner as such software.

2. You next ask us to "clarify the status of posting html pages that link to encryption programs overseas." In rendering a determination or advisory opinion, BXA assesses the specific proposed export activity which the requestor describes and indicates that he proposes to undertake. In Item No. 3 of Application Z082061, you indicate that Professor Junger wishes to add a page of html links on his web server to sites outside of the United States containing encryption programs. While the use of html links by a person might, in some applications, involve an export, see Section 734.2(b) (export of encryption software includes downloading such software from Internet sites in the United States to locations outside the United States), we reiterate that the activity described by your submission is not an export activity that is subject to the EAR and would also not constitute conduct prohibited by Section 744.9 of the EAR.

You ask whether this determination is "limited to Professor Junger" or whether that same conclusion would follow for anyone else. Again, our determination applies to the activity described by the requestor. BXA cannot render an advisory opinion with respect to activities by other individuals that have not been presented to us. Obviously, however, if the identical activity is described to us by another requestor, our conclusion would be the same.

3. In your July 18 letter, you ask BXA to classify "all programs that implement a certain algorithm rather than actual programs because programs can be written in different languages, versions, and for different operating systems." This is a very different question from your original classification request. In fact, BXA does evaluate specific software products that are implemented on a variety of platforms (such as Windows, OS/2, Macintosh) in a single classification request. Your original request, however, did not seek a classification for a specific software program to be implemented on different operating platforms. Rather, you asked for a classification for "any encryption program that can be used to maintain secrecy by implementing" a certain algorithm, such as RC2 or RSA. See Item Nos. 4 and 5 to Application No. Z082062.

We reiterate that BXA cannot provide a single classification opinion for any encryption product that "implements" a certain algorithm. One reason for this is that encryption products, including software, may have fundamentally different functions, even though they "implement" the same algorithm in hardware or software. ECCN 5D002 is directed at regulating encryption products, including software, that perform a certain function -- i.e., that have the capability of maintaining the secrecy of information. See Section 742.15 of the EAR. Several cryptographic functions are not regulated under ECCN 5A002 and 5D002, including functions limited to access control or password verification, data authentication, and certain banking transactions. See Note to ECCN 5A002; paragraphs (f), (g), (h). Each of these functions, however, may be achieved by implementing the same algorithm in software or hardware form, such as the RSA algorithm. In addition, licensing controls on encryption software that does maintain the secrecy of information may vary depending on how an algorithm is implemented in the software. For example, certain software products classified under ECCN 5D002 that implement an algorithm such as RC4 and RC2, with a key space of no longer than 40 bits, may be eligible for mass market treatment under a license exception.

Thus, it is not possible to provide a single classification for "any program" that "implements" the same algorithm, as you originally requested. If, however, you identify a specific software product, and seek a classification thereof for different operating systems, BXA will provide it in a single classification.

Sincerely,

[Signature]

James A. Lewis
Director
Office of Strategic Trade
     And Foreign Policy Controls

Attachment


ATTACHMENT
ITEM NO 2 - APPLICATION Z082061
CCATS #G006703

ITEM #2: Portions of Chapter One to Computers and the Law, written by Professor Peter Junger in electronic form or media as described in the notes to paragraph (B)(2) & (B)(3) following Section 734.3 of the EAR.

a. Figure 1.2--twiddle program in UUENCODEd machine language is classified EAR99.

b. Figure 1.3--twiddle program in 8086 machine language is classified EAR99.

c. Figure 1.4--Paul C. Leyland's Encryption Program in ANSI C is classified EAR99.

d. Section 1.1.3.2.2--twiddle program in 8086 assembly language is classified EAR99.

[The classification of the non-software portions of Item No. 2 remains unchanged from the July 3, 1997 commodity classification.]

[Following three Scarselli letters attached]


Gino J. Scarselli, Esq.
664 Allison Drive
Richmond Hts., Ohio 44143
gscarsel@mail.multiverse.com
Tel/Fax 216 291-8601

July 18, 1997

VIA FAX AND EXPRESS MAIL

Anthony J. Coppolino, Esq.
Department of Justice
Civil Division, Room 1084
901 E Street, N.W.
Washington, DC 20530

re: Commerce Department response to Applications Nos. Z082060, Z082061, and Z082062.

Dear Mr. Coppolino:

As we have discussed, I am sending you this letter to forward to the Commerce Department. We are seeking clarification of some of the responses that Commerce made to our applications dated June 12, 1997.

I understand that you will first get some indication from Commerce as to how long we will have to wait for a response. I would appreciate it if you would let me know as soon as possible. We expect Commerce to reply within a reasonably short time since the Department has already reviewed our submissions. We would prefer a response from Commerce before we file the supplemental complaint, but we may file without one depending on how long it will take Commerce to respond.

Although we have more questions than the ones we ask below (like "Why was Twiddle classified as EAR99?"), we have tried to keep the list short and limit our questions to what we think is most important. Having said that, our questions are as follows:

1. In response to Application No. Z082061, the Department describes item 2 as "Portions of Chapter One to Computers and the Law, written by Professor Peter Junger in electronic form or media..." This is not an entirely accurate description of our request. We requested a classification of the entire chapter, which includes the source code and machine code representations of Twiddle and the source code in ANSII [sic] C of Paul Leyland's one-time pad (See Figure 1.4 in Chapter One). The response states that Twiddle is classified as EAR99 and that the "non-software part of the chapter" is not subject to the EAR if it "does not meet the definition of 'technology' under the EAR (e.g. discussion of export policy and the Junger lawsuit), or if it is 'publicly available' within the meaning of section 734.3 of the EAR..."

This response first ignores to mention Paul Leyland's program and second "classifies" the item, Chapter One, as both EAR99 and as "not subject to the EAR." On the first point, the failure to mention Paul Leyland's program may have been an oversight so we ask that Commerce address it in its response. On the second point, if the same item is subject to the EAR and not subject to the EAR, how is its export status determined?

Professor Junger used the chapter that was submitted in his class last fall. He is revising the chapter for his class this coming fall. If this fall's version of the chapter contains the RSA algorithm in Perl, which was classified as ECCN 5D002 (Application No. Z082060, item 4) will the chapter be classified as ECCN 5D002, EAR99, not subject to the EAR or something else?

2. In Application No. Z082061, we requested a classification of an html page of links to overseas sites where encryption programs can be downloaded. Instead of responding with a classification, Commerce responded with an advisory opinion stating that "Professor Junger's activity is not an export that is subject to the Export Administration Regulations (EAR). See section 734.2(b) of the EAR."

Since Commerce has offered to supply us with an advisory opinion, we ask that the Department clarify the status of posting html pages that link to encryption programs overseas. Specifically, we have three questions: First, is the html page _itself_ classified under the EAR? Second, although the response states that Professor Junger's activity -- posting an html page containing links to overseas sites where encryption programs can be downloaded -- is not an export, can it be construed as providing technical assistance), would the same conclusion follow for anyone else who posts links to overseas encryption sites?

3. In Application No. Z082062, we requested rulings on programs that implement certain encryption algorithms and gave examples of such programs. In response, Commerce stated that it was unable to classify the requests because we would have to submit "a complete technical description of the particular software" rather than a description of programs that implement particular operations or algorithms.

We asked for classifications of programs that implement certain encryption algorithms rather than actual programs because programs can be written in different languages, versions and for different operating systems. For example, if we requested a classification for Wordperfect, we would expect that Wordperfect 5.1, Wordperfect 6.0 and Wordperfect 3.5 (for the Macintosh) would all be given the same classification. Without submitting a complete list of _all_ programs that implement particular encryption algorithms, which we could not do, how can we obtain a classification for programs that implement the same algorithm in different languages and different versions?

Again, please let me know as soon as possible when Commerce can respond. If you have any questions whatsoever, please let me know and I will do my best to answer them.

Sincerely,

[Signature]

Gino J. Scarselli
Attorney for Professor Junger

cc: Raymond Vasvari, Esq.
Kevin Francis O'Neill, Esq.
Peter D. Junger



Gino J. Scarselli, Esq.
664 Allison Drive
Richmond Hts., Ohio 44143
gscarsel@mail.multiverse.com
Tel/Fax 216 291-8601

July 24, 1997

VIA FAX AND MAIL

Anthony J. Coppolino, Esq.
Department of Justice
Civil Division, Room 1084
901 E Street, N.W.
Washington, D.C. 20530

re: your letter dated July 21, 1997

Dear Mr. Coppolino:

First, thank you for responding to my letter dated July 18, 1997. In your letter, you stated that the Commerce Department would respond no later than August 18, 1997. This, however, is unacceptable.

In the letter of July 18, we asked your client to clarify some of the responses to our classification requests. None of the questions asked in that letter require a review of new material. Your client has had all the information that it needs to respond since at least June 17, 1997. We believe that Commerce would be able to respond within a short time and expected a response by the end of this week. Although you stated in your letter and in our telephone conversation that Commerce would respond as soon as possible, we are not prepared to wait until August 18 for a response.

We do not want to further delay the litigation. At the same time, we want to be as reasonable as possible. Therefore, we will wait until the end of next week for a response. If we do not receive a response by Friday, August 1, 1997, we will withdraw our questions and prepare to file the supplemental complaint. If, by the end of next week, your client needs an additional day or two, please let me know.

Since our conversation on Tuesday, I have decided not to submit other questions that may delay a response from Commerce. I would, however, like to clarify the last question asked in the July 18 letter. The question had to do with our requests for rulings on programs that implement certain encryption algorithms. Our example of Wordperfect may not have been the best example since it is not an encryption program. Therefore, consider programs that implement the RSA algorithm. Commerce has classified our submission of a program in Perl that implements the RSA algorithms as 5D002 software. Are we justified in believing that a program in C, for example, or any other programming language that implements RSA would also be covered as 5D002 software?

If you would like to discuss this matter further, please feel free to contact me.

Sincerely,

[Signature]

Gino J. Scarselli
Attorney for Professor Junger

cc: Raymond Vasvari, Esq.
Kevin Francis O'Neill, Esq.
Peter D. Junger


Gino J. Scarselli, Esq.
664 Allison Drive
Richmond Hts., Ohio 44143
gscarsel@mail.multiverse.com
Tel/Fax 216 291-8601

APPLICATION NO. 082062

June 12, 1997

Department of Commerce
Bureau of Export Administration

To whomever it may concern:

This letter will serve as additional information for the classification requests in Application No. Z082062.

My client, Professor Peter D. Junger, is currently in litigation with the Commerce Department over the export controls on encryption under the Export Administration Regulations (EAR). In the interest of furthering the litigation, we seek classification requests under § 748.3 of the EAR for the following encryption programs:

1. Encryption programs that perform the XOR operation on each byte of a file with a key consisting of a single byte

2. Programs that XOR the contents of a file with the contents of a one-time pad

3. Programs that implement the ROT13 algorithm

4. Programs that implement the RC2 algorithm

5. Programs that implement the RSA algorithm

In this set of requests, we seek rulings with respect to each program that implements one of the specified operations or algorithms and that does not fall under the exceptions to ECCN 5A002 or 5D002 of Part 774 of the EAR. It is our position that any program that implements one of the specified operations or algorithms can be used, in executable form, to maintain the secrecy or confidentiality of information and therefore is classified as encryption software under ECCN 5D002, 15 C.F.R. Part 774.

A classification is sought for the programs in electronic form or media as described in the Notes to paragraphs (b)(2) and (b)(3) following § 734.3. Samples of particular programs are included or referred to in this letter, but those programs are only intended to serve as examples.

What follows is additional information on the items.

Item 1

Item 1 consists of any encryption program that can be used to maintain secrecy or confidentiality by XORing each byte of a source file with a key consisting of a single byte. An example of such a program, written in C, is:

-------begin sample program for item 1------------------ 

#include "stdio.h" 
#include "stdlib.h" 

- 1 -

[No other pages provided]


[Two-page form]
FORM BXA-748P

MULTIPURPOSE APPLICATION

APPLICATION CONTROL NUMBER
This is NOT an export license number
Z 082062

1. CONTACT PERSON Gino J. Scarselli

2. TELEPHONE 216-291-8601

3. FACSIMILE 216-291-8601

4. DATE OF APPLICATION 6/10/97

5. TYPE OF APPLICATION Classification Request

6. DOCUMENTS SUBMITTED WITH APPLICATION BXA-748P-A; Tech Specs;
                                        Letter of Application

[Snip blanks 7. to 13.]

14. APPLICANT Gino J. Scarselli
              664 Allison Drive
              Richmond Hts.
              OH USA 44143
              SS: XXX-XX-XXXX

[Snip blanks 15. to 21.]

---------------------------------------------------------------------
22.(a) ECCN 5D002

[Snip blanks 22.(b) to 22.(i)]

22.(j) TECHNICAL DESCRIPTION Encryption programs that perform the XOR
                             operation on each byte of a file with a
                             key consisting of a single byte

---------------------------------------------------------------------
[Snip blank 23.]

24. ADDITIONAL INFORMATION See accompanying letter

[Snip illegible certification statement]

25. SIGNATURE [Signature]
    NAME OF SIGNER Gino J. Scarselli
    TITLE OF SIGNER Attorney for Peter Junger

[Snip illegible notice]


[Form continued]

ITEM APPENDIX

APPLICATION CONTROL NUMBER
Z 082062

---------------------------------------------------------------------
22.(a) ECCN 5D002

22.(j) TECHNICAL DESCRIPTION Encryption programs that XOR the contents
                             of a file with the contents of a one-time
                             pad. See accompanying letter.

---------------------------------------------------------------------
22.(a) ECCN 5D002

22.(j) TECHNICAL DESCRIPTION Encryption programs that implement the
                             ROT13 algorithm. See accompanying letter.

---------------------------------------------------------------------
22.(a) ECCN 5D002

22.(j) TECHNICAL DESCRIPTION Encryption programs that implement the
                             RC2 algorithm. See accompanying letter.

---------------------------------------------------------------------
22.(a) ECCN 5D002

22.(j) TECHNICAL DESCRIPTION Encryption programs that implement the
                             RSA algorithm. See accompanying letter.

---------------------------------------------------------------------
[Snip blank balance]


[End BXA August 7, 1997 letter to Scarselli]