[Cryptography] Security clearances and FOSS encryption?
John Denker
jsd at av8n.com
Fri Jul 4 15:55:33 EDT 2014
On 07/03/2014 08:47 AM, Bill Cox asked:

> Do US security clearances in any way restrict a person's involvement in
> FOSS encryption projects like CipherShed?

Generally not directly, not in so many words, but indirectly
yes, in some scenarios ... and obviously so.

-- Scenario #1: Your code contains a longstanding bug à la
heartbleed. The NSA knows of the bug, and has classified
this knowledge. Your buddy with the clearance is most
definitely "restricted" from telling you about it. So
you continue shipping the buggy code.

-- Et cetera. IANAL, but obviously there is a very wide
range of possibilities to consider.

===============

Also note that "security clearances" come in many different
flavors and colors. Everyone -- whether *OR NOT* they hold
a security clearance -- is forbidden by law from disclosing
certain types of classified information; as one example, see
http://www.law.cornell.edu/uscode/text/18/798

In theory, they could convict you of disclosing information
that you invented on your own, even if you didn't learn of
it through classified channels. To do that, they would have
to show that you knew it was classified. That is a tall but
not impossible burden for the prosecution, especially given
that any discussion of whether such-and-such is classified is
itself classified. In your defense you could argue that the
information is "obvious" and therefore not properly classified,
but you're not guaranteed to win that argument.

On top of the requirements embodied in black-letter law,
agencies can impose a wide array of additional requirements,
by demanding a solemn "agreement" as a precondition for
issuing a clearance. As one example, see
http://fas.org/sgp/isoo/new_sf312.pdf

In particular, 18 USC 798 forbids "knowingly and willfully"
disclosing classified information ... whereas anybody who
signs the 312 agreement can be sanctioned for /any/ disclosure,
even if not knowing and/or willful. Congress has repeatedly
and emphatically declined to write such a sweeping restriction
into law, but that doesn't stop the agencies from writing it
into the agreement.

I'm not convinced they can impose criminal penalties on the
basis of such an agreement, but they can certainly impose
civil penalties. This will further "restrict" your buddy.

This is relevant to the question that was asked, because unless
you know exactly what agreements he has signed, the fact that
he has a generic "security clearance" doesn't tell you anywhere
near the whole story.