
legal.html

Posted Dec 21, 1999

tags | encryption
SHA-256 | ffacf3eb07085ed6d8ba9f6479861133c42a7279e6b51474fdd965e994d7c09e

<HTML>
<HEAD>
<TITLE>It's illegal to export strong crypto from the US</TITLE>
</HEAD>

<BODY BGCOLOR="#000000" TEXT="#FFFFFF" LINK="#00FFFF" VLINK="#FFFF00" ALINK="#FF00FF">

<H2>Why crypto software is illegal to export from the US</H2>

Basically the reason that it is illegal to export strong crypto
software from the US is that the US State Department sees fit to
classify crypto software as munitions along with chemical and
biological weapons, tanks, heavy artillery, and military aircraft.
Export of crypto software is tightly controlled, and there are heavy
penalties ($1,000,000 fines and long prison terms) for violating the
ITAR regulations.

<P>
The office dealing with ITAR queries is called the Office of Defense
Trade Controls (they renamed it from its previous name 'Office of
Munitions Control' to make it less obviously bogus as applied to
things like crypto).

<P>

Now attempting to restrict crypto software has several major
flaws:

<UL>

<LI> It's impossible to enforce. Just look at PGP for an example of
this: its popularity has fared well under ITAR, and the intrigue has
only served to increase interest in it. These days PGP is the de facto
standard for secure internet mail and file encryption.

<P>

<LI> The technology behind the software is widely available worldwide.

<P>

<LI> There have been many, many publications of crypto algorithms in
<EM>international</EM> scientific journals. The RSA public-key
crypto-system was published in the CACM (an international journal)
back in 1978.

This is the <A HREF="ref.html">full reference</A> so you can check and
see if you have a copy in your library. This paper is an important
piece of history.

<P>

<LI> Some modern crypto systems were invented outside of the US (what,
they know about crypto too?). One example is IDEA (which is used by
PGP, along with RSA), by Xuejia Lai &amp; James Massey at ETH, Zurich.
IDEA is believed to be stronger than DES and triple-DES, the current
standard encryption schemes used by US financial institutions.

</UL>

<H2>The regulations</H2>

Click here for some references for more background info on <A
HREF="itar.html">ITAR</A>, current court cases by the <A
HREF="http://www.eff.org/pub/Crypto/ITAR_export/">EFF</A> (Electronic
Frontier Foundation), the Dan Bernstein case (on constitutional free
speech grounds), the Phil Zimmermann investigation, <A
HREF="http://www.netresponse.com/zldf/">legal costs</A>, and Phil
Karn's ongoing <A HREF="http://www.qualcomm.com/people/pkarn/">fun with
the US State Department</A> making a laughing stock of them by getting
them to write letters banning the export of the <EM>very same</EM>
data on a floppy disk which they allow to be exported in book form
(the book being Bruce Schneier's "Applied Cryptography"). MIT (<A
HREF="http://web.mit.edu/network/pgp.html">MIT distributes PGP</A>
these days) has also gotten in on the fun with the <A
HREF="http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html">
PGP source code and internals</A> book. This book has 800 pages of
PGP source code (in a nice OCR friendly font), plus annotations, and
guess what? MIT is going to ask for permission to export the book, a
la Phil Karn. Will the NSA and US State Department say yes or will
they say no? Fun isn't it: if they say yes, people say hmm, why can
we export the source code in a book, I mean people outside the US have
scanners, and that nice specially selected OCR font should ensure it
scans no problem. The presumption so far is that they will have to
say yes to the book: there is both a precedent (the above Applied
Crypto book), and a hugely strong 1st Amendment principle of freedom
of the press. This is good: forcing them into untenable situations
weakens their position as it points out the illogical and
inconsistent nature of the ITARs (it's also quite amusing).

<H2>Motives</H2>

The question one might be forgiven for asking is why does the NSA (US
National Security Agency) seem so keen to restrict access to
encryption software?

<P>

The official line, as you might expect, is "to protect national
security interests". Of course, given the widespread global
availability of crypto expertise and software described above, this
does not actually add up.

<P>
Here are a few more likely (unofficial) reasons:

<UL>

<LI> They are making a last-ditch attempt to stop encryption being
used, as it foils their routine scanning of messages crossing the US
border (and inside the US border no doubt). The "Big Brother" brigade
gets very upset when they lose their illegal wire-tap capabilities.

<P> You will no doubt have come across USENET posts where people are
inserting interesting text snippets to trigger the scanning software
used in the presumed automatic scanning of USENET.

<P>

"<a href="spook.html"> hello to my friends in domestic surveillance </A>"

<P>

<LI> They want to introduce a mandatory "key escrow" scheme (this
means the Government gets full access to all the master keys). This
would mean they would have to ban other forms of encryption. It has
recently been discovered by the EFF with FOIA requests that mandatory
key escrow has been actively planned for, by the NSA, the FBI, and the
DoJ. It appears that these elements of the government were actively
planning what various government spokespersons were making
categorical statements against. There were statements that key escrow
would always be voluntary, and yet it transpires that these government
officials were either not informed of these agendas, or were being
somewhat economical with the truth.

<P>

<LI> Self-preservation: organisations have self-preservation
mechanisms. If the NSA can't routinely scan messages to gather open
source intelligence then what is the need for the NSA? So widespread
crypto deployment puts them out of business, and therefore the NSA as
an organisation has an incentive to attempt to hinder crypto
deployment.

</UL>
<HR>
<EM>
Comments, html bugs to me
(<A HREF="http://www.dcs.ex.ac.uk/~aba/">Adam Back</A>) at
<A HREF="mailto:aba@dcs.ex.ac.uk">&lt;aba@dcs.ex.ac.uk&gt;</A>
</EM>

</BODY>
</HTML>