link to the published version: IEEE Computer, October, 2019



HUAWEI, BIS and the IEEE: it's deja vu all over again

Hal Berghel

Once again the big-and-powerful-government proponents call upon the professional societies to do their bidding for them. And once again IEEE members nudged IEEE over to the right side of history.

COMPUTING AND 3-LETTER AGENCIES

Government 3-letter agencies have a checkered public policy history when it comes to academic freedom and free speech. [BUMP] [WHITEHEAD] [BAMFORD] Historically, this position has been bi-partisan. The most recent interference that involved the IEEE came from the Trump administration as part of its broader tariff/import control strategy. Let me emphasize that I take no position on the U.S. government's tariff/import controls or the overall public policy agendas of government agencies, but restrict my comments to the involvement of professional societies such as the IEEE in such agendas.

The current example involved a U.S. government action taken against Huawei and 68 affiliates by the Bureau of Industry and Security (BIS), the division of the Department of Commerce that purportedly “advances … national security, foreign policy and economic objectives by ensuring an effective export control and treaty compliance system, and by promoting continued U.S. leadership in strategic technologies…. by maintaining and strengthening adaptable, efficient, effective export controls.…” (www.commerce.gov/bureaus-and-offices/bis)

This past May, BIS placed Huawei on its “entity list” for engaging “in activities that are contrary to U.S. national security or foreign policy interests including alleged violations of the International Emergency Economic Powers Act (IEEPA), conspiracy to violate IEEPA by providing prohibited financial services to Iran, and obstruction of justice in connection with the investigation of those alleged violations of U.S. sanctions, among other illicit activities.” ( https://www.commerce.gov/news/press-releases/2019/05/department-commerce-issues-limited-exemptions-huawei-products ) It isn't altogether clear whether, or to what extent, BIS' claims were legitimate. On June 29 President Trump reversed some of the BIS decision and announced that U.S. companies can sell equipment to Huawei after all [TALEV] thereby placing the justification for the May action in some doubt.

In order to avoid potential digital tribal conflict from partisans, I again emphasize that for the purposes of this column I am agnostic regarding the issues of whether BIS is needed, purposeful, effective or well-managed in pursuit of its mission and whether placing Huawei on the entity list was justified. I restrict my attention to a narrow issue involving one of our professional societies and the Commerce Department's actions as they impact the broader professional computing community.

THE IEEE MEMO

In response to the Commerce/BIS announcement, the IEEE issued a “Statement on Participation of Members/Volunteers on BIS Entity List” on May 22, 2019 to “…provide guidance to IEEE volunteers, members, and staff on interacting with a Listed Person or an employee of a Listed Person (or other person directly paid or otherwise sponsored by a Listed Person) who seeks to participate in IEEE activities.” As expected, the IEEE reaffirmed some of its core principles as it relates to the BIS announcement, namely that “listed persons”:

  1. “may continue to be IEEE members in good standing and continue to be eligible for membership-grade elevation
  2. “may continue to order and receive subscriptions and make other purchases of IEEE publications, as well as access materials publicly available on IEEE Xplore.
  3. “may attend IEEE-sponsored conferences (whether inside or outside of the United States) that are open to interested members of the public. A Listed Person may speak or make presentations at such conferences and may submit materials for inclusion in such conference proceedings or for publication in post-conference written proceedings (to the extent otherwise permitted under the conference rules).
  4. “may participate in business, logistics, and other meetings relating to conference planning or evaluation.
  5. “may participate in meetings of a leadership group such as executive committees, administrative committees, or similar bodies (or subcommittees of such bodies) for purposes of discussing or voting on business, logistics, nominations, elections, or other aspects of organizational governance
  6. “may continue to submit articles and other materials for consideration for publication. IEEE staff and volunteers may continue to provide normal copy editing support
  7. “may continue to join or use an email reflector for nontechnical discussions or (where the reflector can be accessed through a publically available archive) for technical discussions, and
  8. “A Listed Person may provide funds for conference sponsorships, scholarships, or awards.”

I would fully expect any professional association to reaffirm such principles in this context, and I take no exception to IEEE's position. However, the May 22 memo also contained the following IEEE statements that I did take issue with:

  9. “A Listed Person shall not participate in nonpublic meetings or communications that involve technical discussions.”
  10. “A Listed Person may not receive or access materials submitted by other persons for publication until after IEEE has accepted the material for publication in accordance with IEEE's normal publication process. Once material has been accepted for publication, a Listed Person may act as editor or peer reviewer for that material.”

Ignoring the baroque logic in the strange last sentence, it seems clear that the intent was to minimize any skullduggery that might result from listed persons being involved in editorial decision making. In 9.-10. the IEEE became, perhaps unwittingly and under duress, drawn into the position of agency by the government – a position that it should not relish and in the future should avoid. Let me be very clear: it was unwise to put 9.-10. in print because of the implicature of the statements, not the logical implication. My own position is that it was unwise to send out the May 22 memo at all! But these sorts of things happen when you give attorneys keyboards. (I am confident that this memo was not inspired by the IEEE membership!)

In the end, sensible minds prevailed. On June 2, IEEE President Jose Moura walked back from the May 22 memo and announced via email to IEEE members that subsequent to feedback from the membership, the IEEE “have revised our guidance to remove any restriction on the participation of the employees of these companies as editors or peer reviewers in the IEEE publication process. To reemphasize, all IEEE members can continue to participate in the open and public activities of the IEEE, including our scientific and technical publications.” This is what most of the IEEE membership would have assumed all along. In the end, the original memo accomplished nothing from a policy point of view.

What can be said is that once again the IEEE was brought into alignment with the right side of history – not by the lawyers, but by pressure from the membership. President Moura confirmed this in his email. However, several aspects of the IEEE reaction to the BIS announcement are alarming and deserving of further discussion, not the least of which is whether the May 22 memo was necessary and proper for a professional society in the first place. President Moura claimed that it was necessary to “protect [IEEE] volunteers and members from potential legal risk that could have involved significant penalties.” His email begins to run off the rails with his remark that “As a non-political, not-for-profit organization registered in New York, IEEE must comply with its legal obligations under the laws of the United States and other jurisdictions.” I leave it to the legal scholars to determine whether agency is required for such compliance. I know of no case law that holds that professional organizations are responsible for their membership's behavior as a registered not-for-profit corporation in this way. This situation is not bound by the RICO statutes. By way of full disclosure, I am not a lawyer. If such case law exists, please send me the links. I'll verify and follow up in an appropriate venue.

DÉJÀ VU

 

The IEEE and other professional computing societies have dealt with such bureaucratic interference from the U.S. government before. I'll document only one example here, although I have written about others. [BERGA][BERGB][BERGC]

 

In the early 1980's National Security Agency Director Bobby Inman tried to coopt ACM and IEEE conferences by laying claim to pre-publication censorship for all scholarly papers involving cryptography. A compromise was reached by a committee of representatives from the professional societies that publish cryptographic research (including the ACM, Computer Society, and IEEE among others). This compromise encouraged voluntary self-censorship. The only dissenting vote was from the Computer Society representative, George Davida, [SANDERS] who prophetically enough predicted that such incursions into the academy could undercut First Amendment protections and ultimately subvert scholarship. As I have noted in an earlier Computer column, history has been very supportive of Professor Davida's predictions. [BERGA] Davida emerges as one of the heroes of a story that began a few years earlier when Inman was appointed to lead the NSA when one of his civilian subordinates, Joseph Meyer, “wrote a threatening letter to the Institute of Electrical and Electronic Engineers, the nation's largest professional engineering society … warning that those planning to participate in an upcoming IEEE symposium on cryptology might violate the law.” [BAMFORD] Apparently the Department of State was invoked in this case as the government's interested party. According to Meyer, State's International Traffic in Arms Regulations (ITAR) also extended to all “unclassified data associated with the restricted equipment.” By offering conferences on cryptography, he argued, “the IEEE could find itself in technical violation of ITAR.” It was clear that Meyer was moving the NSA (and Inman) closer to active censorship of ACM and IEEE conferences.

According to Bamford, Meyer's letter motivated the IEEE to urge participants in the upcoming conference to clear any questionable material with the U.S. government. This, in turn, produced a storm of controversy both for the IEEE and the NSA, which caused the NSA to disclaim the letter and the IEEE to walk back on its position. The similarities between this incident and the current one under review should not be overlooked. Again, pressure from the membership worked to the society's advantage.

 

There is of course a much broader historical context behind this that has to do with 3-letter agencies' attempted corruption of patent and copyright laws, the invocation of the Invention Secrecy Acts of 1917 and 1951, and the 1917 Espionage Acts that Bamford and others document for any interested reader. I emphasize that Inman, Meyer and their ideological siblings advanced the notion that (a) government censorship involving technology research was necessary for national security reasons, and (b) that professional societies and organizations should be coerced into participating in such censorship. While I'm not confident that (a) could ever motivate good public policy, I am absolutely convinced that (b) will always lead to bad public policy. (b) is a case of throwing the baby out with the bathwater. Coopting those organizations that ensure that the democratic objectives of education and research are met and sustained in geopolitical skullduggery will ensure the failure of both. According to Bamford, Inman wanted the NSA to “receive the same authority over cryptology that the Department of Energy enjoys over research in atomic energy. Such authority would grant to NSA absolute “born classified” control over all research in any way related to cryptology.” According to a 1982 article in the New York Times archives, “Bobby R. Inman, predicted a ‘tidal wave’ of outrage when the public learned of the ‘hemorrhage of the country's technology.’” [NYT]

 

Inman sought to determine how the NSA might exercise prepublication censorship over non-governmental technical information, particularly relating to cryptography, although how Inman proposed to reconcile his position with the Pentagon Papers Supreme Court Decision a decade earlier that banned government prepublication censorship [SCOTUS] isn't obvious. The study group that Inman convened consisted of scholars who represented the relevant professional societies, including the IEEE, the Computer Society, the ACM, SIAM, the AMS, the AAUP and other interested parties. Overseen by the NSA general counsel, this study group, with one exception (Davida), recommended in favor of voluntary censorship. We emphasize that the sole dissenter, George Davida (who represented the Computer Society!), opined that this decision might lead researchers “to lose our constitutional freedoms in bits and pieces…. One gets the impression that the NSA is struggling to stand still, and to keep American research standing still with it, while the rest of the world races ahead. The NSA can best perform its mission in the old-fashioned way: Stay ahead of others.” (quoted in [BAMFORD]) It was Davida, the Computer Society representative in the study group, who opposed any form of government censorship of scientific research! For that reason alone, the Computer Society should consider Davida for a special recognition, or name the recognition in his honor.

According to Bamford, the story didn't end there. Inman found that the voluntary censorship approach proved to be ineffective, and next proposed to corrupt the National Science Foundation. The first effort involved an attempt by the NSA to wrest control over cryptography research from the NSF. According to Bamford, Fred Weingarten, NSF special projects coordinator for crypto work, together with Assistant NSF general counsel, Jesse Lasken, simply refused to recognize NSA's authority in this area (add two more heroes to our story). We note that this is the same Fred Weingarten who testified against the DMCA anti-circumvention provisions in May, 2000. [WEINGARTEN] Weingarten challenged the technological and economic justifications for the government hardening of copyright controls to serve the parochial interests. On both counts Weingarten and Lasken firmly placed themselves on the right side of history, and so let's add two more First Amendment heroes and candidates for special Computer Society recognitions.

 

We should not dismiss Inman's views lightly, but we should cast at least the second one, (b), aside with great gusto. Suppose for the moment that we agree with the notion that the government has a national security interest in maintaining a monopoly in cryptography. To assume that censoring U.S. research in cryptography will ensure this monopoly is folly unless and until the U.S. achieves a monopoly on global intelligence in this area (we'll return to that issue in a few paragraphs). Failing that, the censorship will simply drive scholarship into the hands of potential adversaries. It is important to remember that much of the leadership in mathematics and the hard sciences that Germany enjoyed until the 1920's didn't emigrate voluntarily - it was forced out of Germany. One sure way to purge the U.S. of whatever lead it may have in cryptography or any other scientific field is to censor it. And even if a government could enlist professional societies as willing accomplices, that won't stop the conversation; it will simply force the speakers to find other venues and diminish the global importance of the professional societies. It is the arrogant illusion of intellectual monopoly that always drives such absurd censorship policies. This tactic should be recognized for what it is – a primitive Orwellian defense mechanism that is guaranteed to prove ineffective in the long term.

THE ASSAULT ON PGP

Not to be thwarted by academic freedom arguments, “Big Gov” made another assault on computing research a decade later when it attempted to prosecute PGP inventor Phil Zimmermann [ZIMMER] for alleged violations of the Arms Export Control Act [SUSSMAN]. The government's claim was that the act of releasing shareware necessarily incurs liability for any subsequent online distribution by third parties. [RANGER][BARTLETT][SPECT] In this case, the Clinton administration sought to minimize the effect of strong cryptography on the U.S. government's communications interception agenda – especially as it related to foreign communications. It should be remembered that the anemic 56-bit DES, the favorite target for ridicule by Whitfield Diffie and Martin Hellman [DIF][HELLMAN][ORLIN], was an outgrowth of this agenda, for it was the NSA that convinced IBM to reduce the key size of the Feistel network to 56 bits in the first place – a key length that was within the NSA's brute force capability of decryption at the time. Phil Zimmermann's own account appears on his website ( https://www.philzimmermann.com/EN/faq/index.html ).

Diffie, Hellman, and Zimmermann offer compelling arguments in their own ways and at different times that the NSA and other secretive government agencies should never be allowed control over scientific research in cryptography. Their arguments are pragmatic and reinforced by the recent Shadow Brokers hack that released the NSA exploits WannaCry and Eternal Blue. [ZEGART] [GREENBERG] It is singularly unwise to vest such concentrations of power and control in secretive agencies that are, by their very nature, not subject to public accountability. History has shown that because of the enormous capability of a secretive agency (or government for that matter) to conceal, misrepresent, cover-up and deceive, any disclosure of failed missions, illegal and/or unconstitutional conduct, and the like is unlikely to surface at all. Absent whistleblowers and leakers, the public will never find out. This was Senator Moynihan's central concern in his books on government secrecy. [MOY1][MOY2] Moynihan concludes that government secrecy is far more likely to cover wrongdoing and illegality than to preserve, protect and defend the constitution and protect the national security interests of citizens. The overall corrosive effects of secrecy in government have been documented for many years [SHILS][HORTON].

So in the case of government censorship of computing research we have the worst of all possible worlds: not only does it diminish the overall strength of the non-governmental and public research agenda, but it may ultimately be self-defeating, for the censored information may leak from the censoring agencies just as WannaCry and Eternal Blue leaked from the NSA's Vulnerabilities Equities Process (VEP). The Shadow Brokers experience should provide a wake-up call on just how dangerous it is to allow secretive agencies to maintain a VEP vulnerabilities monopoly – this monopoly provides a uniquely tempting target that would not exist were it not for the monopoly. And since the documented history of this incident is cloaked in secrecy, there is no way for the public to determine whether or to what degree VEP was (and is) a really bad idea. It should also be remembered that it was the same agency that pushed for the reduced 56-bit anemic DES key size and also allowed Shadow Brokers to harvest and re-purpose a treasure trove of zero-day malware. [MCGRAW] Had it not been for the NSA's failed policies and misplaced priorities, 1970's cryptographic systems would have been more secure and the current world's supply of virulent malware in the hands of cyber-mercenaries would have been diminished. Only authoritarians and dictators consider secretive government agencies as trusted systems.

IN SHORT

This problem will never go away as long as authoritarians are drawn to government. As this goes to press, the Trump administration is considering whether to seek legislation to outlaw tech companies from using end-to-end encryption [GELLER] [DOFFMAN] that cannot be broken by big brother, reminiscent of the DES-56 discussions forty years ago.

The IEEE's involvement in the Huawei/BIS issue should be understood in the historical context of the U.S. government's continuous attempt to draw professional societies into positions of agency. Once again, the IEEE and Computer Society membership, in the person of George Davida and anonymous contemporaries, has performed in bravura fashion by carefully guiding our societies over to the right side of history. This is as it should be. However, societies should take a much more pro-active stance against being drawn into these issues. Professional societies and governments have very distinct missions, and they should not be confused. While there may be disagreement over what the proper role of government should be (the issue that I take no position on here), there should be little or no disagreement over the proper role of our professional societies. The recent American Psychological Association debacle referenced above should give us all pause that the membership needs to take a far more active role in the shaping of implementation of policy by professional societies.

In this age of tribalism and weaponized disinformation, we must be careful to clearly articulate our positions. I am not denying that a state may have national security objectives that may be served by, or strongly overlap, academic and professional research interests – whether in computing (as in cryptography, cyber security, cyber warfare), the physical sciences (biological, chemical and nuclear weaponry), the social sciences (PSYOPS, social engineering), etc. But we may willingly admit the fundamental responsibility of a government to protect the citizens' security, without conceding anything along the lines of censorship and the corruption of professional organizations. It is wise to remain agnostic regarding whether the current national security policies, strategies and tactics are adequate to this challenge because they are protected by veils of secrecy and are immune from public scrutiny and accountability. That said, I argue here that government censorship of such research is inconsistent with Constitutional safeguards and should not be tolerated – by us or our professional representatives. In the words of Edward Shils, a balance must be struck between publicity, privacy and secrecy, and this balance must not include the corruption of the scientific enterprise or subversion of democratic principles. There are mechanisms such as non-disclosure agreements and security clearances that may be used to protect governmental interests. Censorship and deceit are unnecessary.

To confuse the separate responsibilities of government and professional societies (or allow them to be coopted one by the other) creates a deformation of the body politic from which democracy cannot easily recover. Fortunately for all of us, the IEEE and the Computer Society have, in these cases and albeit reluctantly at times, avoided being drawn into any such deformation by a membership animated to speak out on the issues. For that we should all be most appreciative.

REFERENCES

[BUMP] Bump, Philip, The NSA Lost a Free Speech Lawsuit (Involving a T-Shirt), The Atlantic, Feb 18, 2014. ( https://www.theatlantic.com/politics/archive/2014/02/nsa-lost-free-speech-lawsuit-involving-t-shirt/358230/ )

[WHITEHEAD] Whitehead, John, Free Speech, Facebook and the NSA: The Good, the Bad and the Ugly, HUFFPOST, 06/04/2015. ( https://www.huffpost.com/entry/free-speech-facebook-and_b_7497064 )

[BAMFORD] Bamford, James, The Puzzle Palace, Penguin Books, 1983, pp. 450ff.

[TALEV] Talev, Margaret, Nick Wadhams, and Jennifer Jacobs, Trump Says He'll Allow China's Huawei to Buy from U.S. Suppliers, Bloomberg, June 29, 2019. ( https://www.bloomberg.com/news/articles/2019-06-29/trump-says-he-ll-allow-china-s-huawei-to-buy-from-u-s-suppliers )

[BERGA] Berghel, Hal, The Intimidation Factor: How a Surveillance State Can Affect What You Read in Professional Publications, Computer, December, 2013, pp. 91-95. ( https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6689262 )

[BERGB] Berghel, Hal, What Price Gonzo Ethics?, Computer, December, 2015, pp. 88-93. ( https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7367985 )

[BERGC] Berghel, Hal, Codes of Ethics in a Post-Truth World, Computer, March, 2019, pp. 76-80. ( https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8677356 ).

[SANDERS] Sanders, Sylvia, Data Privacy: What Washington Doesn't Want You to Know, reason, January, 1981. ( https://reason.com/1981/01/01/data-privacy-what-washington-d )

[BERG1] Berghel, Hal, Legislating Technology (Badly), Computer, October, 2015, pp. 72-78. ( https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7310956 )

[NYT] Scientists Warned of U.S. Curbs, New York Times Archives, Jan 8, 1982. ( https://www.nytimes.com/1982/01/08/us/scientists-warned-of-us-curbs.html )

[ZIMMER] Zimmermann, Phil, Why Do You Need PGP, open letter, July, 1995. ( http://www.spectacle.org/795/byzim.html )

[SUSSMAN] Sussman, Vic, Lost in Kafka Territory: The fed go after a man who hoped to protect privacy rights, U.S. News & World Report, 3/26/95. ( https://web.archive.org/web/20130616165334/http://www.usnews.com/usnews/news/articles/950403/archive_010975.htm )

[RANGER] Ranger, Steve, Defending the last missing pixels: Phil Zimmermann Speaks out on encryption, privacy and avoiding the surveillance state, techrepublic, June 23, 2015. ( https://www.techrepublic.com/article/defending-the-last-missing-pixels-phil-zimmermann/ )

[SPECT] The Zimmerman Case, in The Ethical Spectacle, July, 1995. ( https://cryptostorm.ch/viewtopic.php?t=2737 )

[BARTLETT] Bartlett, Jamie, Cypherpunks Write Code, American Scientist, March-April, 2016. ( https://www.americanscientist.org/article/cypherpunks-write-code )

[DIF] DES (Data Encryption Standard) Review at Stanford University, transcript of a recorded meeting between Stanford computer science researchers, NBS, and NSA to discuss the DES standard, 1976. ( http://www.toad.com/des-stanford-meeting.html )

[HELLMAN] Hellman, Martin, The Wisdom of Foolishness, Stanford Engineering Hero Lecture, Jan 13, 2013. ( https://www.youtube.com/watch?v=XDgLDsUU7og )

[ORLIN] Orlin, Ben, The Professor vs. the NSA, Heidelberg Laureate Forum, October 11, 2017. ( https://mathwithbaddrawings.com/2017/10/11/the-professor-vs-the-nsa/ )

[ZEGART] Zegart, Amy, The NSA Confronts a Problem of Its Own Making, The Atlantic, June 29, 2017. ( https://www.theatlantic.com/international/archive/2017/06/nsa-wannacry-eternal-blue/532146/ )

[GREENBERG] Greenberg, Andy, The Shadow Brokers Mess is What Happens When The NSA Hoards Zero-Days, Wired, 08.17.16. ( https://www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zero-days/ )

[MOY1] Moynihan, Daniel Patrick, Secrecy, Yale University Press (1st ed.), 1998.

[MOY2] Secrecy: Report on the Commission on Protecting and Reducing Government Secrecy, U.S. Government Printing Office, 1997. (Moynihan, Daniel Patrick (Chairman), U.S. Senate Commission on Protecting and Reducing Government Secrecy)

[SHILS] Shils, Edward, The Torment of Secrecy: The Background and Consequences of American Security Policies, U. Chicago Press, 1956.

[HORTON] Horton, Scott, Lords of Secrecy: The National Security Elite and America's Stealth Warfare, Bold Type Books, 2015.

[MCGRAW] McGraw, Gary, Silver Bullet Talks with Martin Hellman, IEEE Security & Privacy, 14:4, July-Aug. 2016, pp. 7-11.

[SCOTUS] New York Times Company v. United States; United States v. The Washington Post Company et al., 403 U.S. 713 (1971). ( https://supreme.justia.com/cases/federal/us/403/713/ )

[WEINGARTEN] Weingarten, Fred, Testimony before the U.S. Copyright Office on the need for exemptions from the anticircumvention provisions of the Digital Millennium Copyright Act, May 19, 2000. ( https://www.copyright.gov/1201/hearings/2000/fred_weingarten.pdf )

[GELLER] Geller, Eric, Trump officials weigh encryption crackdown, Politico, 06/27/19. ( https://www.politico.com/story/2019/06/27/trump-officials-weigh-encryption-crackdown-1385306 )

[DOFFMAN] Doffman, Zak, U.S. May Outlaw Messaging Encryption Used by WhatsApp, iMessage and Others, Report Claims, Forbes, June 29, 2019. ( https://www.forbes.com/sites/zakdoffman/2019/06/29/u-s-may-outlaw-uncrackable-end-to-end-encrypted-messaging-report-claims/#7fc3fad06c87 )