Why crypto software is illegal to export from the US

Basically the reason that it is illegal to export strong crypto software from the US is that the US State Department sees fit to classify crypto software as munitions, along with chemical and biological weapons, tanks, heavy artillery, and military aircraft. Export of crypto software is tightly controlled, and there are heavy penalties ($1,000,000 fines and long prison terms) for violating the ITAR regulations.

The office dealing with ITAR queries is called the Office of Defense Trade Controls (they renamed it from its previous name, 'Office of Munitions Control', to make it less obviously bogus as applied to things like crypto).

Now attempting to restrict crypto software has several major flaws:

The regulations

Click here for some references for more background info on ITAR, current court cases by the EFF (Electronic Frontier Foundation), the Dan Bernstein case (on constitutional free speech grounds), the Phil Zimmermann investigation, legal costs, and Phil Karn's ongoing fun with the US State Department, making a laughing stock of them by getting them to write letters banning the export of the very same data on a floppy disk which they allow to be exported in book form (the book being Bruce Schneier's "Applied Cryptography").

MIT (which distributes PGP these days) has also gotten in on the fun with the PGP source code and internals book. This book has 800 pages of PGP source code (in a nice OCR-friendly font), plus annotations, and guess what? MIT is going to ask for permission to export the book, a la Phil Karn. Will the NSA and US State Department say yes or will they say no? Fun, isn't it: if they say yes, people say "hmm, why can we export the source code in a book? I mean, people outside the US have scanners, and that nice specially selected OCR font should ensure it scans no problem." The presumption so far is that they will have to say yes to the book: there is both a precedent (the above Applied Crypto book) and a hugely strong 1st Amendment principle of freedom of the press. This is good: forcing them into untenable situations weakens their position, as it points out the illogical and inconsistent nature of the ITARs (it's also quite amusing).


The question one might be forgiven for asking is: why does the NSA (US National Security Agency) seem so keen to restrict access to encryption software?

The official line, as you might expect, is "to protect national security interests". Of course, given the widespread global availability of crypto expertise and software described above, this does not actually add up.

Here are a few more likely (unofficial) reasons:

Comments, html bugs to me (Adam Back) at <aba@dcs.ex.ac.uk>