Why crypto software is illegal to export from the US
Basically the reason that it is illegal to export strong crypto
software from the US is that the US State Deparment sees fit to
classify crypto software as munitions along with chemical and
biological weapons, tanks, heavy artillery, and military aircraft.
Export of crypto software is tightly controlled, there are heavy
penalties ($1,000,000 fines and long prison terms) for violating the
The office dealing with ITAR queries is called the Office of Defense
Trade Controls (they renamed it from it's previous name 'Office of
Munitions Control' to make it less obviously bogus as applied to
things like crypto).
Now attempting to restrict crypto software has a several major
- It's impossible to enforce. Just look at PGP for an example of
this, its popularity has fared well under ITAR, the intrigue has only
served to increase interest in it. These days PGP is the de facto
standard for secure internet mail and file encryption.
- The technology behind the software is widely available worldwide.
- There have been many, many publications of crypto algorithms in
international scientific journals. The RSA public-key
crypto-system was published in the CACM (an international journal)
back in 1978.
This is the full reference so you can check and
see if you have a copy in your library. This paper is an important
piece of history.
- Some modern crypto systems were invented outside of the US (what
they know about crypto too?) One example being IDEA (which is used by
PGP, along with RSA), by Xuejia Lai & James Massey at ETH, Zurich.
IDEA is believed to be stronger than DES and triple-DES the current
standard encryption schemes used by US finanicial institutions.
Click here for some references for more background info on ITAR, current court cases by the EFF (Electronic
Frontier Foundation), the Dan Berstien case (on constitutional free
speech grounds), the Phil Zimmermann investigation, legal costs, and Phil
Karns on-going fun with
the US state department making a laughing stock of them by getting
them to write letters banning the export of the very same
data on a floppy disk which they allow to be exported in book form
(the book being Bruce Schneier's "Applied Cryptography"). MIT (MIT distributes PGP
these days) has also gotten in on the fun with the
PGP source code and internals book. This book has 800 pages of
PGP source code (in a nice OCR friendly font), plus annotations, and
guess what? MIT is going to ask for permission to export the book, a
la Phil Karn. Will the NSA and US state department say yes or will
they say no? Fun isn't it: if they say yes, people say hmm, why can
we export the source code in a book, I mean people outside the US have
scanners, and that nice specially selected OCR font should ensure it
scans no problem. The presumption so far is that they will have to
say yes to the book, there is both a precedent (the above Applied
Crypto book), and a hugely strong 1st ammendment principle of freedom
of the press. This is good, forcing them into untenable situations
weakens their position as it points out the illogical, and
inconsistent nature of the ITARs (it's also quite amusing).
The question one might be forgiven for asking is why does the NSA (US
National Security Agency) seem so keen to restrict access to
The official line, as you might expect, is "to protect national
security interests". Of course given the widespread global
availabilty of crypto expertise, and software described above, this
does not actually add up.
Here are a few more likely (unofficial) reasons:
- They are making a last ditch attempt to stop encryption being
used, as it foils their routine scanning of messages crossing the US
border (and inside the US border no-doubt). The "Big Brother" brigade
gets very upset when they lose their illegal wire-tap capabilities.
You will no doubt have come across USENET posts where people are
inserting interesting text snippets to trigger the scanning software
used in the presumed automatic scanning of USENET.
" hello to my friends in domestic surviellance "
- They want to introduce a mandatory "key escrow" scheme (this
means the Government gets full access to all the master keys). This
would mean they would have to ban other forms of encryption. It has
recently been discovered by the EFF with FOIA requests that mandatory
key escrow has been actively planned for, by the NSA, the FBI, and the
DoJ. It appears that these elements of the government were actively
planning what various government spokes persons were making
categorical statements against. There were statements that key escrow
would always be voluntary, and yet it transpires that these government
officials were either not informed of these agendas, or were being
somewhat economical with the truth.
- Self preservation, organisations have self preservation
mechanisms. If the NSA can't routinely scan messages to gather open
source intelligence then what is the need for the NSA. So wide spread
crypto deployment puts them out of business, and therefore the NSA as
an organisation has an incentive to attempt to hinder crypto
Comments, html bugs to me
(Adam Back) at