
legal.html

Posted Dec 21, 1999


tags | encryption
SHA-256 | ffacf3eb07085ed6d8ba9f6479861133c42a7279e6b51474fdd965e994d7c09e

<HTML>
<HEAD>
<TITLE>It's illegal to export strong crypto from the US</TITLE>
</HEAD>

<BODY BGCOLOR="#000000" TEXT="#FFFFFF" LINK="#00FFFF" VLINK="#FFFF00" ALINK="#FF00FF">

<H2>Why crypto software is illegal to export from the US</H2>

Basically, the reason that it is illegal to export strong crypto
software from the US is that the US State Department sees fit to
classify crypto software as munitions, along with chemical and
biological weapons, tanks, heavy artillery, and military aircraft.
Export of crypto software is tightly controlled; there are heavy
penalties ($1,000,000 fines and long prison terms) for violating the
ITAR regulations.

<P>
The office dealing with ITAR queries is called the Office of Defense
Trade Controls (they renamed it from its previous name 'Office of
Munitions Control' to make it less obviously bogus as applied to
things like crypto).

<P>

Now, attempting to restrict crypto software has several major
flaws:

<UL>

<LI> It's impossible to enforce. Just look at PGP for an example of
this: its popularity has fared well under ITAR, and the intrigue has only
served to increase interest in it. These days PGP is the de facto
standard for secure internet mail and file encryption.

<P>

<LI> The technology behind the software is widely available worldwide.

<P>

<LI> There have been many, many publications of crypto algorithms in
<EM>international</EM> scientific journals. The RSA public-key
crypto-system was published in the CACM (an international journal)
back in 1978.

This is the <A HREF="ref.html">full reference</A> so you can check and
see if you have a copy in your library. This paper is an important
piece of history.

<P>

<LI> Some modern crypto systems were invented outside of the US (what,
they know about crypto too?). One example is IDEA (which is used by
PGP, along with RSA), by Xuejia Lai and James Massey at ETH, Zurich.
IDEA is believed to be stronger than DES and triple-DES, the current
standard encryption schemes used by US financial institutions.

</UL>

<H2>The regulations</H2>

Click here for some references for more background info on <A
HREF="itar.html">ITAR</A>, current court cases by the <A
HREF="http://www.eff.org/pub/Crypto/ITAR_export/">EFF</A> (Electronic
Frontier Foundation), the Dan Bernstein case (on constitutional free
speech grounds), the Phil Zimmermann investigation, <A
HREF="http://www.netresponse.com/zldf/">legal costs</A>, and Phil
Karn's ongoing <A HREF="http://www.qualcomm.com/people/pkarn/">fun with
the US state department</A> making a laughing stock of them by getting
them to write letters banning the export of the <EM>very same</EM>
data on a floppy disk which they allow to be exported in book form
(the book being Bruce Schneier's "Applied Cryptography"). MIT (<A
HREF="http://web.mit.edu/network/pgp.html">MIT distributes PGP</A>
these days) has also gotten in on the fun with the <A
HREF="http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html">
PGP source code and internals</A> book. This book has 800 pages of
PGP source code (in a nice OCR friendly font), plus annotations, and
guess what? MIT is going to ask for permission to export the book, a
la Phil Karn. Will the NSA and US state department say yes or will
they say no? Fun isn't it: if they say yes, people say hmm, why can
we export the source code in a book, I mean people outside the US have
scanners, and that nice specially selected OCR font should ensure it
scans no problem. The presumption so far is that they will have to
say yes to the book: there is both a precedent (the above Applied
Crypto book), and a hugely strong 1st amendment principle of freedom
of the press. This is good: forcing them into untenable situations
weakens their position as it points out the illogical, and
inconsistent nature of the ITARs (it's also quite amusing).

<H2>Motives</H2>

The question one might be forgiven for asking is why the NSA (US
National Security Agency) seems so keen to restrict access to
encryption software.

<P>

The official line, as you might expect, is "to protect national
security interests". Of course, given the widespread global
availability of crypto expertise and software described above, this
does not actually add up.

<P>
Here are a few more likely (unofficial) reasons:

<UL>

<LI> They are making a last ditch attempt to stop encryption being
used, as it foils their routine scanning of messages crossing the US
border (and inside the US border no-doubt). The "Big Brother" brigade
gets very upset when they lose their illegal wire-tap capabilities.

<P> You will no doubt have come across USENET posts where people are
inserting interesting text snippets to trigger the scanning software
used in the presumed automatic scanning of USENET.

<P>

"<a href="spook.html"> hello to my friends in domestic surveillance </A>"

<P>

<LI> They want to introduce a mandatory "key escrow" scheme (this
means the Government gets full access to all the master keys). This
would mean they would have to ban other forms of encryption. It has
recently been discovered by the EFF with FOIA requests that mandatory
key escrow has been actively planned for, by the NSA, the FBI, and the
DoJ. It appears that these elements of the government were actively
planning what various government spokespersons were making
categorical statements against. There were statements that key escrow
would always be voluntary, and yet it transpires that these government
officials were either not informed of these agendas, or were being
somewhat economical with the truth.

<P>

<LI> Self-preservation: organisations have self-preservation
mechanisms. If the NSA can't routinely scan messages to gather open
source intelligence, then what is the need for the NSA? So widespread
crypto deployment puts them out of business, and therefore the NSA as
an organisation has an incentive to attempt to hinder crypto
deployment.

</UL>
<HR>
<EM>
Comments, html bugs to me
(<A HREF="http://www.dcs.ex.ac.uk/~aba/">Adam Back</A>) at
<A HREF="mailto:aba@dcs.ex.ac.uk">&lt;aba@dcs.ex.ac.uk&gt;</A>
</EM>

</BODY>
</HTML>