[sword-devel] Sorry, I can't export sapphire.zip, but...
Michael Paul Johnson
sword-devel@crosswire.org
Thu, 18 Nov 1999 14:58:38 -0700
--=====================_25546958==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 08:20 PM 11/18/99 +0000, Paul Gear wrote:
>Guys,
>
>Until this message (and then reading the Sword 1.4.5 README), i was unaware
>that Sword now depends on Sapphire.
>
>Let me just make sure i'm understanding the facts:
>- Sapphire is written in the U.S. and is a sufficiently sophisticated
>encryption algorithm to make it unexportable under U.S. munitions law
Sapphire was written in the U. S., and is sufficiently secure to make it
unexportable under U. S. export regulations, with some exceptions. One of
those exceptions is that if it is compiled into an object file in such a
way that the end user can't reasonably use it to encrypt arbitrary text,
but its sole purpose is copy protection or point of sale control, then it
can be exported freely except to the terrorist sponsoring countries to
which you can't export much of anything.
>- Commercially licensed texts are only available using Sapphire
Yes, and only with permission of the publishers -- permission that I
understand we don't have at all.
>- By default, Sword cannot be built without Sapphire
>- The only version of Sapphire available internationally is a version
>illegally exported without the author's knowledge or permission
While someone somewhere defied the law and exported it, there is no law
against possession of Sapphire outside of the USA, nor is there any law
against downloading or use of the Sapphire software from Estonia and the
other places it exists to most countries. Almost anyone can get a copy of
it anywhere without breaking any law. This is strange, considering that I
still can't send you a copy outside of the USA, and that I still have to
put a CGI script to control access between my distribution site and the
outside world
(http://cryptography.org/cgi-bin/crypto.cgi/mpj/sapphire.zip). Sapphire is
free, so there is no copyright or patent problems with using it.
><DISCLAIMER>
>1. I'm not looking for a flame war.
>2. I'm assuming that my grasp of the above facts is right. If it's not,
>please don't flame me for the discussion below, because it is based on this
>assumption.
>3. Please make any discussion about this topic constructive, not flaming.
>4. I'm not looking for a flame war.
></DISCLAIMER>
>
>Now that i've got that said :-), let me proceed.
>
>I find situation this unacceptable for a few reasons:
>
>- Depending on an illegally exported version of Sapphire for international
>users is:
> 1) possibly illegal in itself (This is especially relevant since
> Mike
>has posted a URL to the illegal version. There was recently a successful
>lawsuit against a Swedish (?) college student for posting _links_ to
>illegally-obtained MP3 files on his web site - admittedly in Europe, not the
>U.S.),
I don't think so. Consider the model PGP, the encryption portion of ZIP,
and other international crypto freeware uses. It is pretty much the same.
> 2) unmaintainable in the medium to long term (because updates of the
>software - including patch files - can't be exported), and
Actually, there is a legal way to export crypto software: publish it in a
printed book, and mail the thing overseas. If someone scans or retypes it
over there, that is OK. The last few versions of PGP have been publicly
exported that way, and it is far less work to update sapphire than PGP,
because of the difference in sheer size. Anyone want to mail a book to
someone out of the USA? Anyone outside of the USA want to scan and/or
re-key some code, then post it? Then there would be no legal taint
whatsoever on the code. Printed publications are protected by the first
amendment of the U. S. Constitution, according to our federal courts, and
not subject to export controls.
Consider also that the Sapphire code is well-tested, stable, and unlikely
to change.
> 3) immoral anyway, because as Christians we should be
> endeavouring to
>obey laws of the country we live in, and thus not promote the use of
>illegally-obtained software
Yes, but the law is not actually being violated with respect to crypto
exports. We could do better, however, by releasing a point of sale module
that uses sapphire but has no ability to encrypt arbitrary data in object
code format only, or, if you insist on open source, do the
book-mailing/scanning exercise.
>Hence i would recommend that:
>- any reference to the illegally exported version of Sapphire be removed from
>any sites affiliated with Sword, and that the owner of that site be requested
>to remove it (for their own protection).
The site owners are in no danger, nor are they violating the law (unless
there is one in the USA that has it up with no export barriers like mine
has). There is no law against pointing out that cryptographic software is
freely available outside of the USA and Canada. (If there were, I would
have to remove http://cryptography.org/freecryp.htm immediately.)
>- the Sword libraries be changed to have Sapphire disabled by default.
This is a good idea, at least until such time as commercial Bible text
resale and publication permission is granted by at least one publisher.
>- investigation into alternative encryption technologies that are exportable
>and non-patent-encumbered begin as soon as possible. (I'd be happy to do this
>once i've got a reasonably functional GNOME frontend for Sword going, although
>given my track record this could be a while ;-). I've heard that
>Blowfish/Twofish are quite a good family of algorithms, and fit these
>criteria. GNU Privacy Guard (GPG) could probably also be adapted for this
>purpose.
There is no advantage to going with Blowfish/Twofish or GPG from a legal
standpoint. You can legally get and use Sapphire internationally right now,
as long as you don't get it from a server in North America if you are
outside of North America.
>- once such a system is found, all commercially licensed modules be switched
>to use this encryption method.
>
>What could happen if we don't do this:
>- International users (at least in certain countries) will never be able to
>legally use commercially-licensed Sword modules. This is ironic considering
>that some of the texts in question are actually non-English, and the most
>advanced GUI frontend for Sword at present is BibleTime, a non-U.S. product.
This isn't necessarily true.
>- Mike could get sued/jailed by the government for exporting his software. I
>know you say you didn't do it, but how can you prove it? Who is the govt.
>going to look at if they start asking questions? Even if they can't pin the
>exporting of the software on you, they can probably still get you for not
>securing your software sufficiently. (Obviously, you have some legal grounds
>for comebacks here, like arguing that once you've given it to another
>American, you have no control over what they do with the software. However,
>it is still a legal minefield that you probably want to avoid.)
It is a legal minefield I have already mapped and crossed many times. The
U. S. Government would be foolish to come after me, because I have taken
appropriate safeguards and done so openly and in a way that is verifiable.
The most likely outcome of such a move would be to have the export
regulations partially struck down as unconstitutional. Besides, I am in no
way the highest profile target. If they wanted to make an example of
someone, they have many people who openly and blatantly defy the
cryptographic export regulations to make examples of.
>- Crosswire could be sued by the government for promoting use of an illegally
>exported encryption technology.
This isn't nearly as likely as being sued by Zondervan for distributing its
NIV to all Sword developers. That should cease.
>- Commercial text vendors could be reluctant to license their material to us
>due to the cloud that hangs over the encryption technology.
I doubt it. They are more concerned about profit, the effectiveness of the
point of sale control, and the assurance of full royalty payments.
>Again, please take these comments constructively. Mike, i am not having a go
>at your software - i haven't even looked at it. I just think that because of
>the place you wrote it, it is inappropriate for a project such as Sword. (Why
>not consider a holiday in Australia next time you write encryption code? ;-)
Why bother? There is plenty of good encryption code available legally
internationally, right now, including some I wrote.
_______
Michael Paul Johnson
mpj@eBible.org http://ebible.org/mpj
--=====================_25546958==_.ALT
Content-Type: text/html; charset="us-ascii"
<html>
At 08:20 PM 11/18/99 +0000, Paul Gear wrote:<br>
<blockquote type=cite cite>Guys,<br>
<br>
Until this message (and then reading the Sword 1.4.5 README), i was
unaware<br>
that Sword now depends on Sapphire.<br>
<br>
Let me just make sure i'm understanding the facts:<br>
- Sapphire is written in the U.S. and is a sufficiently
sophisticated<br>
encryption algorithm to make it unexportable under U.S. munitions
law</blockquote><br>
Sapphire was written in the U. S., and is sufficiently secure to make it
unexportable under U. S. export regulations, with some exceptions. One of
those exceptions is that if it is compiled into an object file in such a
way that the end user can't reasonably use it to encrypt arbitrary text,
but its sole purpose is copy protection or point of sale control, then it
can be exported freely except to the terrorist sponsoring countries to
which you can't export much of anything.<br>
<br>
<blockquote type=cite cite>- Commercially licensed texts are only
available using Sapphire</blockquote><br>
Yes, and only with permission of the publishers -- permission that I
understand we don't have at all.<br>
<br>
<blockquote type=cite cite>- By default, Sword cannot be built without
Sapphire<br>
- The only version of Sapphire available internationally is a
version<br>
illegally exported without the author's knowledge or
permission</blockquote><br>
While someone somewhere defied the law and exported it, there is no law
against possession of Sapphire outside of the USA, nor is there any law
against downloading or use of the Sapphire software from Estonia and the
other places it exists to most countries. Almost anyone can get a copy of
it anywhere without breaking any law. This is strange, considering that I
still can't send you a copy outside of the USA, and that I still have to
put a CGI script to control access between my distribution site and the
outside world
(<a href="http://cryptography.org/cgi-bin/crypto.cgi/mpj/sapphire.zip" eudora="autourl">http://cryptography.org/cgi-bin/crypto.cgi/mpj/sapphire.zip</a>).
Sapphire is free, so there is no copyright or patent problems with using
it.<br>
<br>
<blockquote type=cite cite><DISCLAIMER><br>
1. I'm not looking for a flame war.<br>
2. I'm assuming that my grasp of the above facts is
right. If it's not,<br>
please don't flame me for the discussion below, because it is based on
this<br>
assumption.<br>
3. Please make any discussion about this topic
constructive, not flaming.<br>
4. I'm not looking for a flame war.<br>
</DISCLAIMER><br>
<br>
Now that i've got that said :-), let me proceed.<br>
<br>
I find situation this unacceptable for a few reasons:<br>
<br>
- Depending on an illegally exported version of Sapphire for
international<br>
users is:<br>
1) possibly illegal in
itself (This is especially relevant since Mike<br>
has posted a URL to the illegal version. There was recently a
successful<br>
lawsuit against a Swedish (?) college student for posting _links_
to<br>
illegally-obtained MP3 files on his web site - admittedly in Europe, not
the<br>
U.S.),</blockquote><br>
I don't think so. Consider the model PGP, the encryption portion of ZIP,
and other international crypto freeware uses. It is pretty much the
same.<br>
<br>
<blockquote type=cite cite>
2) unmaintainable in the medium to long term (because updates of
the<br>
software - including patch files - can't be exported),
and</blockquote><br>
Actually, there is a legal way to export crypto software: publish it in a
printed book, and mail the thing overseas. If someone scans or retypes it
over there, that is OK. The last few versions of PGP have been publicly
exported that way, and it is far less work to update sapphire than PGP,
because of the difference in sheer size. Anyone want to mail a book to
someone out of the USA? Anyone outside of the USA want to scan and/or
re-key some code, then post it? Then there would be no legal taint
whatsoever on the code. Printed publications are protected by the first
amendment of the U. S. Constitution, according to our federal courts, and
not subject to export controls.<br>
<br>
Consider also that the Sapphire code is well-tested, stable, and unlikely
to change.<br>
<br>
<blockquote type=cite cite>
3) immoral anyway, because as Christians we should be endeavouring
to<br>
obey laws of the country we live in, and thus not promote the use
of<br>
illegally-obtained software</blockquote><br>
Yes, but the law is not actually being violated with respect to crypto
exports. We could do better, however, by releasing a point of sale module
that uses sapphire but has no ability to encrypt arbitrary data in object
code format only, or, if you insist on open source, do the
book-mailing/scanning exercise.<br>
<br>
<blockquote type=cite cite>Hence i would recommend that:<br>
- any reference to the illegally exported version of Sapphire be removed
from<br>
any sites affiliated with Sword, and that the owner of that site be
requested<br>
to remove it (for their own protection).</blockquote><br>
The site owners are in no danger, nor are they violating the law (unless
there is one in the USA that has it up with no export barriers like mine
has). There is no law against pointing out that cryptographic software is
freely available outside of the USA and Canada. (If there were, I would
have to remove
<a href="http://cryptography.org/freecryp.htm" eudora="autourl">http://cryptography.org/freecryp.htm</a>
immediately.)<br>
<br>
<blockquote type=cite cite>- the Sword libraries be changed to have Sapphire disabled by default.</blockquote><br>
This is a good idea, at least until such time as commercial Bible text resale and publication permission is granted by at least one publisher.<br>
<br>
<blockquote type=cite cite>- investigation into alternative encryption technologies that are exportable<br>
and non-patent-encumbered begin as soon as possible. (I'd be happy to do this<br>
once i've got a reasonably functional GNOME frontend for Sword going, although<br>
given my track record this could be a while ;-). I've heard that<br>
Blowfish/Twofish are quite a good family of algorithms, and fit these<br>
criteria. GNU Privacy Guard (GPG) could probably also be adapted for this<br>
purpose.</blockquote><br>
There is no advantage to going with Blowfish/Twofish or GPG from a legal standpoint. You can legally get and use Sapphire internationally right now, as long as you don't get it from a server in North America if you are outside of North America.<br>
<br>
<blockquote type=cite cite>- once such a system is found, all commercially licensed modules be switched<br>
to use this encryption method.<br>
<br>
What could happen if we don't do this:<br>
- International users (at least in certain countries) will never be able to<br>
legally use commercially-licensed Sword modules. This is ironic considering<br>
that some of the texts in question are actually non-English, and the most<br>
advanced GUI frontend for Sword at present is BibleTime, a non-U.S. product.</blockquote><br>
This isn't necessarily true.<br>
<br>
<blockquote type=cite cite>- Mike could get sued/jailed by the government for exporting his software. I<br>
know you say you didn't do it, but how can you prove it? Who is the govt.<br>
going to look at if they start asking questions? Even if they can't pin the<br>
exporting of the software on you, they can probably still get you for not<br>
securing your software sufficiently. (Obviously, you have some legal grounds<br>
for comebacks here, like arguing that once you've given it to another<br>
American, you have no control over what they do with the software. However,<br>
it is still a legal minefield that you probably want to avoid.)</blockquote><br>
It is a legal minefield I have already mapped and crossed many times. The U. S. Government would be foolish to come after me, because I have taken appropriate safeguards and done so openly and in a way that is verifiable. The most likely outcome of such a move would be to have the export regulations partially struck down as unconstitutional. Besides, I am in no way the highest profile target. If they wanted to make an example of someone, they have many people who openly and blatantly defy the cryptographic export regulations to make examples of.<br>
<br>
<blockquote type=cite cite>- Crosswire could be sued by the government for promoting use of an illegally<br>
exported encryption technology.</blockquote><br>
This isn't nearly as likely as being sued by Zondervan for distributing its NIV to all Sword developers. That should cease.<br>
<br>
<blockquote type=cite cite>- Commercial text vendors could be reluctant to license their material to us<br>
due to the cloud that hangs over the encryption technology.</blockquote><br>
I doubt it. They are more concerned about profit, the effectiveness of the point of sale control, and the assurance of full royalty payments.<br>
<br>
<br>
<blockquote type=cite cite>Again, please take these comments constructively. Mike, i am not having a go<br>
at your software - i haven't even looked at it. I just think that because of<br>
the place you wrote it, it is inappropriate for a project such as Sword. (Why<br>
not consider a holiday in Australia next time you write encryption code? ;-)</blockquote><br>
Why bother? There is plenty of good encryption code available legally internationally, right now, including some I wrote.<br>
<br>
<div>_______</div>
<br>
<div>Michael Paul Johnson </div>
<div>mpj@eBible.org <a href="http://ebible.org/mpj" EUDORA=AUTOURL>http://ebible.org/mpj</a></div>
</html>
--=====================_25546958==_.ALT--