10 March 2000. Thanks to Cindy Cohn.

See prior Bernstein-BXA correspondence:

http://cryptome.org/bernstein-bxa.htm (First letter of inquiry)
http://cryptome.org/bxa-bernstein.htm (BXA response)

See EFF's Bernstein case files: http://www.eff.org/bernstein/


Douglas S. McGlashan
William A. Bauld
Colleen E. McAvoy
Cindy A. Cohn
____________

Patrick J. Wood

McGlashan & Sarrail

Professional Corporation
177 Bovet Road, Sixth Floor
San Mateo, CA 94402
(650) 341-2585
Fax (650) 341-1395

 

March 10, 2000

Karen A. Sarrail
(Retired 1999)


VIA FACSIMILE AND EXPRESS MAIL

James A. Lewis, Director
Office of Strategic Trade and
   Foreign Policy Controls
United States Department of
   Commerce
Bureau of Export Administration
Washington, D.C. 20230

Re: Bernstein v. Department of Justice, et al.

Dear Mr. Lewis:

Thank you for your letter of February 17, 2000 with responses to our request for an Advisory Opinion. This letter is in response to your offer to answer any further questions that we have concerning the export restrictions. We would like some additional clarification about some issues at this time.

First, on page 3 you state that "Binary code which is compiled from TSU source code and which is itself publicly available and not subject to licensing or royalty fee can also be exported under the provisions of license exception TSU." This interpretation of the regulations is new to us and surprised numerous people familiar with the new export controls. It also does not appear to be supported by the text of the regulations or mentioned in any of the supporting materials referenced in your letter. Does this mean that the TSU exception includes both source code that meets the TSU requirements and object code that has been compiled from TSU source code? For example, if Professor Bernstein published his Snuffle.c source code on his web site under TSU, would the binaries resulting from the compiling of that code also be subject to the TSU exception? If this is what this sentence means, please provide us with its basis in the regulations so that Professor Bernstein and others may rely upon it. If this is not what that sentence means, please explain what it does mean.

Second, you stated that "[C]oncerning the posting onto a mirror or archive site of already-posted source code, notification is required only for the initial posting," (page 4). This answer, while very helpful, raises several additional questions, all of which are directly applicable to Professor Bernstein, since he plans to do all of these in his forthcoming web pages:

1. is notification required when mirroring object code?

2. is notification required for either source or object code when the original publisher either failed to do the initial notification or was abroad and so was not subject to the export restrictions?

3. what is the regulatory treatment of mirror sites that include binaries that were not compiled from publicly available source code?

4. what is the regulatory treatment of mirror sites that include source code that is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code?

Third, you noted that if Professor Bernstein has "post-export knowledge" that someone from a proscribed country subscribes to a newsgroup or reads his web page where encryption source code is posted, his actions would not be prohibited by § 740.13(e)(2). I believe you may have misunderstood my question. I asked whether Professor Bernstein would be prohibited from posting source code to a listserv or a web site if he has pre-export knowledge that a person from a proscribed country (or on the list of Denied Persons) is subscribed to the newsgroup or will read his web page. Examples of this include if Professor Bernstein is aware that the newsgroup sci.crypt is fed into Iran as part of a general Usenet feed or if an Iranian mathematics professor contacts Professor Bernstein and indicates that he intends to read his web site. If Professor Bernstein (or anyone else, since this is a facial challenge) has such pre-export knowledge, is his subsequent export in violation of the regulations?

Fourth, again you may have misunderstood my question concerning publications. I am quite aware of your policy concerning publications that exist solely on paper. The question was directed at electronic publications, such as AAAS's Science in its electronic form, where AAAS does expressly require assignment of all rights and does expressly reserve the right for payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code. Is such source code treated as TSU or ENC?

Finally, we are confused by an apparent discrepancy in your treatment of source code as "modifiable." In your letter to us, you stated that "simply because source code is modifiable does not make it an Open Cryptographic Interface" (page 3). Yet at the same time, in a case brought by Hugh Daniel concerning the source code for Integrated DNSSEC, you stated that the source code at issue, which performs authentication functions only, was nevertheless properly classified as 5D002 because, as source code, it was "modifiable" to provide encryption functionality. I am sure that you are aware that Lee Tien, co-counsel on this case, represents Mr. Daniel. Obviously, if authentication source code can be categorized and regulated as though it was encryption source code on the grounds that it is modifiable, the same could be said of much other source code that could be "modifiable" to be an OCI. Could you please explain the difference in your statements? As you know, this case is a facial challenge and is watched by many. An understanding of your analysis of how the fact that source code is "modifiable" impacts its treatment under your regulations would be quite helpful to Professor Bernstein and many others.

Although this does not exhaust the questions we have about the current regulations, answers to these should help us evaluate our position concerning the ongoing litigation. We hope that you will be able to respond to these questions by March 20, 2000. Should you have any questions or wish additional time to respond, please do not hesitate to contact me. Thank you again for your ongoing courtesy in this matter.

Sincerely,

McGLASHAN & SARRAIL
Professional Corporation

CINDY A. COHN

cc:
Anthony Coppolino [Department of Justice]
Scott McIntosh [Department of Justice]
Daniel J. Bernstein


HTML by Cryptome.