federal law (18 USC 1029) makes it a crime to manufacture or posses 15 or more access devices that can be used to obtain fraudulent service. The term access devices is broadly defined and is usually interpreted as including cellular telephone activation codes, account passwords, credit card numbers, and physical devices that can be used to obtain access.

Federal law also makes software piracy, as well as possession of unlicensed copyrighted software with the intent to defraud, a crime.

Every time a new communications medium is presented, pornography and erotica seem to be distributed using it. Unfortunately, we live in times in which there are people in positions of political and legal influence who believe that they should be able to define what is and is not proper, and, furthermore, restrict access to that material. This belief, coupled with the fact that U.S. standards of acceptability of nudity and erotic language are more strict than in many places in the world, lead to conflict on the networks.

As this book goes to press, the Supreme Court is hearing arguments about a federal law that makes it a criminal offense to put “indecent” material on a computer where a minor might encounter it. Portions of that law were declared unconstitutional by a three-judge panel in Philadelphia in 1996. The decision will be closely watched by nearly everyone involved with computers, because it will help define whether U.S. law will view computer publications as in the same category as print publications. This will also have some impact on the 20 or so states that have their own local version of a “computer indecency” law.

Notwithstanding that decision, we have heard of cases in which people have had their computers confiscated for having a computer image on disk (which they were unaware was present) that depicted activities that someone decided violated “community standards.” There have also been cases where individuals in one state have been convicted of pornography charges in another state, even though the material was not considered obscene in the state where the system was normally accessed. Last of all, you can be in serious legal trouble for simply FTPing an image of a naked minor, even if you don’t know what is in the image at the time you fetch it.

Currently, the threat of child pornography is being used as one justification for enacting rules and legislation that intrude into the lives and professions of the 99.999 percent of the U.S. population that finds child pornography repugnant. In the 1600s, it was witchcraft in Salem. In the 1950s, it was Communists in Hollywood and Washington. In the 1990s, it is (child) pornography and terrorism that are raised as specters by demagogues. It is therefore in the interest of these people to make public examples of purported violators. As such, many of these laws are currently being applied selectively. In several cases, individuals have been arrested for downloading child pornography from several major online service providers. In the United States, the mere possession of child pornography is a crime. Yet the online service providers have not been harassed by law enforcement, even though the same child pornography resided on the online services’ systems.

We won’t comment further on the nature of the laws involved, or the fanatic zeal with which some people pursue prosecution under these statutes. We will observe that if you or your users have images or text online (for FTP, the Web, Usenet, or otherwise) that may be considered “indecent” or “obscene,” you may wish to discuss the issue with legal counsel.

In general, while the U.S. Constitution protects most forms of expression as “free speech,” it does not protect expression that is obscene. Furthermore, prosecution may be threatened or attempted simply to intimidate and cause economic hardship: this is not prohibited by the Constitution. Sadly, there is a tradition of this form of harassment in some venues.

As part of any sensible security administration, you should know what you have on your computer, and why. Keep track of who is accessing material you provide, and beware of unauthorized use.

As we discussed in Chapter 10, Cryptography Basics , under current U.S. law, cryptography is a munition, akin to nuclear materials and biological warfare agents. Thus, the export of cryptographic machines (such as computer programs that implement cryptography) is covered by the Defense Trade Regulations (formerly known as the International Traffic in Arms Regulation—ITAR). To export a program in machine-readable format that implements cryptography, you need a license from the Commerce Department; publishing the same algorithm in a book or public paper is not controlled.

Historically, programs that implement sufficiently weak cryptography are allowed to be exported; those with strong cryptography, such as DES, are denied export licenses. Currently, the laws and regulations are undergoing some significant changes. Court challenges are being mounted against the rules, and many members of Congress are interested in changing the regulations. The Executive Branch of government is trying to sell the ideas of escrowed and recoverable key systems and is allowing expedited export licenses for such systems. All this means that anything specific we might write here could change very soon.

A 1993 survey by the Software Publishers Association, a U.S.-based industry advocacy group, found that encryption is widely available in overseas computer products and that availability is growing. They noted the existence of more than 250 products distributed overseas containing cryptography. Many of these products use technologies that are patented in the U.S. (At the time, you could literally buy high-quality programs that implement RSA encryption on the streets of Moscow, although Russia has since enacted stringent restrictions on the sale of cryptographic programs.)

Nevertheless, despite the widespread availability of cryptographic software overseas, it remains a crime to distribute cryptographic software outside the United States without an export license. This is true even if the software was created outside the United States, imported to the United States, and re-exported without change. If you wish to distribute cryptographic software from your computer, we advise that you take suitable precautions to assure that you are only distributing it to U.S. citizens and that you are not distributing it outside of the United States.