The electronic "export" restriction holds even when the code is already publicly available outside the USA. In fact, it holds even if the code was written and published outside of the USA, as is the case for the 3-line RSA program. I don't think it has taken more than a week for any public domain encryption program from the USA to be exported to encryption sites outside the USA. The ITAR does not keep encryption software in the USA, it just makes sure that US companies don't use good encryption, so products from companies like Microsoft can be broken into.
The crazy idea that first-amendment rights don't extend into cyberspace will not last long, with all the current legal activities, so enjoy a little civil disobedience while you can. In the Bernstein case a federal judge has already decided that code is first-amendment protected and written a very informative legal decision on this. However, in the Karn case the judge thinks a 3 inch floppy is a weapon and a book with the same information is not. This has led some to ask, "Are Karn and Bernstein judges on the same planet?". Also, a Cleveland law professor has filed a lawsuit against the government.
New legislation may remove this problem. A congressional study has recommended greatly reducing ITAR controls. Also, Senator Burns and Bob Dole are pushing a "Pro-CODE" bill to remove the export restrictions. In a recent letter 27 members of Congress ask the president to liberalize export controls. The Encryption Policy Resource Page has a section on the proposed bills and who is pushing which. The Internet Privacy Coalition is actively working on this issue. The Electronic Frontier Foundation has started a Golden Key Campaign for private communications online as part of their efforts to educate people and combat ITAR.
The definition of "machine readable media" is arbitrary, and changing as computers get better at reading (OCR software is getting better and computers keep getting faster). If a 2D bar code is used to make a machine readable graphic for the program and printed in a computer magazine is the magazine then munitions?
What if a book is printed in an easily scanable OCR font? To push this point MIT has printed a book with PGP in a machine readable OCR font. Compared to the Internet, it is much slower to load up, and costs far more to distribute, but publishing software is publishing software. Is that book "arms"?
The very idea that encryption software is only "arms" when on a "machine readable media" seems to assume the the enemies of the USA can not type programs into their computer by hand, or even hire anyone who can type. Not sure why the President would think this.
The law says that "The President shall periodically review the items on the United States Munitions List to determine what items, if any, no longer warrant export controls under this section. The results of such reviews shall be reported to the Speaker of the House [...] at least 30 days before any item is removed from the Munitions List [...]." So a simple act on the part of President Clinton could end the classification of software as arms.
As another sign of how silly this all is, it seems that you can export crypto software from the US to Candada, and then from there to the rest of the world.
The President currently permits software that uses 40 bit keys, but no longer. This is because it is easy for the US government to break small keys by just searching all 2^40 possible keys. However, you can encrypt something several times with the same software, and if you use different keys each time it is like using one longer key (some assuptions here). Since DES is not enough these days, many people use "Tripple-DES" which just runs DES 3 times with different keys. If people encrypt files, use IP level encryption, and use a web browser that does encryption, it is possible to end up with multiple-encryption just by accident (though if there is known cleartext at each level it is not really that good).
The ITAR restrictions on software export is totally unenforceable. The government would have to check every disk (both harddisk and floppy) on every portable computer traveling out of the USA. Harddisks are large and would take a long time to search. Floppies can be hidden anyplace in luggage or pockets. The Gov would have to monitor all information on the Internet. The information could be disguised or encrypted, so even searching everything would not catch it. And for every program they did notice, they would have to decide if it was an encryption program or not. There is no magic way to tell what a program does. Having the government search through all your information would clearly be "unreasonable search" and unconstitutional.
The government has finally noticed that hundreds of thousands of people are traveling with encryption software on their portable computers. Rather than arrest them all, the government said it was ok if you bring your portable back. So now the government has to decide for every computer that went outside the USA if encryption software was passed on via floppy, laplink, local network, modem, infrared, etc, while it was outside the USA. Talk about impossible! Even assuming that the USA was the only place that wrote encryption software, it is foolish for Government to think ITAR slows down any dangerous evil organization outside the USA from having access to encryption software.
The government says it needs the keys to our encryption so that it can wiretap us. However, there are very few government wiretaps, and most of these are for drugs and gambling. The government should not be using its "war on drugs" to take away our privacy.
The 4th amendment says "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, ...". To be secure with your documents and computers on the Internet, you need to use encryption. So the 4th amendment protects our right to use encryption.
Another line of argument is that if the government is classifying 3 lines of writing as "arms", then the second-amendment, saying "the right to keep and bear arms shall not be infringed", should protect people. However, the right to bear arms has been heavily infringed, so there is little chance of protection here. Besides, does the 3-line program make you think of tanks, handguns, and grenades, or monkeys typing on a typewriter?
The law says "... in regulations issued under this section, of items as defense articles or defense services for purposes of this section shall not be subject to judicial review", which is attempting to prohibit trial by jury, thereby violating amendments V, VI, and VII.
The constitution does not give the government the power to control the contents of messages on the Internet, so the ITAR violates amendments IX and X.
The constitution is the highest law in the USA. In any conflict between the constitution and some lower law, such as the ITAR regulation, the lower law is voided for being "unconstitutional". In due time, the supreme court should strike down this law.
Vince Cate of Offshore Information Services Ltd.