US export laws relaxed

The US export laws were relaxed in 1999. Crypto software can exported with minimal restrictions now. So the t-shirt is at this time legal to export as is the perl-rsa signature.

The rest of this page is of historic value only. It may be i that the RSA sig played some small part in the eventual relaxation of the US crypto export laws.

Why crypto software is illegal to export from the US

Basically the reason that it is illegal to export strong crypto software from the US is that the US State Deparment sees fit to classify crypto software as munitions along with chemical and biological weapons, tanks, heavy artillery, and military aircraft. Export of crypto software is tightly controlled, there are heavy penalties ($1,000,000 fines and long prison terms) for violating the ITAR regulations.

The office dealing with ITAR queries is called the Office of Defense Trade Controls (they renamed it from it's previous name 'Office of Munitions Control' to make it less obviously bogus as applied to things like crypto).

Now attempting to restrict crypto software has a several major flaws:

It's impossible to enforce. Just look at PGP for an example of this, its popularity has fared well under ITAR, the intrigue has only served to increase interest in it. These days PGP is the de facto standard for secure internet mail and file encryption.
The technology behind the software is widely available worldwide.
There have been many, many publications of crypto algorithms in international scientific journals. The RSA public-key crypto-system was published in the CACM (an international journal) back in 1978. This is the full reference so you can check and see if you have a copy in your library. This paper is an important piece of history.
Some modern crypto systems were invented outside of the US (what they know about crypto too?) One example being IDEA (which is used by PGP, along with RSA), by Xuejia Lai & James Massey at ETH, Zurich. IDEA is believed to be stronger than DES and triple-DES the current standard encryption schemes used by US finanicial institutions.

The regulations

Click here for some references for more background info on ITAR, current court cases by the EFF (Electronic Frontier Foundation), the Dan Berstien case (on constitutional free speech grounds), the Phil Zimmermann investigation, legal costs, and Phil Karns on-going fun with the US state department making a laughing stock of them by getting them to write letters banning the export of the very same data on a floppy disk which they allow to be exported in book form (the book being Bruce Schneier's "Applied Cryptography"). MIT (MIT distributes PGP these days) has also gotten in on the fun with the PGP source code and internals book. This book has 800 pages of PGP source code (in a nice OCR friendly font), plus annotations, and guess what? MIT is going to ask for permission to export the book, a la Phil Karn. Will the NSA and US state department say yes or will they say no? Fun isn't it: if they say yes, people say hmm, why can we export the source code in a book, I mean people outside the US have scanners, and that nice specially selected OCR font should ensure it scans no problem. The presumption so far is that they will have to say yes to the book, there is both a precedent (the above Applied Crypto book), and a hugely strong 1st ammendment principle of freedom of the press. This is good, forcing them into untenable situations weakens their position as it points out the illogical, and inconsistent nature of the ITARs (it's also quite amusing).

Motives

The question one might be forgiven for asking is why does the NSA (US National Security Agency) seem so keen to restrict access to encryption software.

The official line, as you might expect, is "to protect national security interests". Of course given the widespread global availabilty of crypto expertise, and software described above, this does not actually add up.

Here are a few more likely (unofficial) reasons:

They are making a last ditch attempt to stop encryption being used, as it foils their routine scanning of messages crossing the US border (and inside the US border no-doubt). The "Big Brother" brigade gets very upset when they lose their illegal wire-tap capabilities.
You will no doubt have come across USENET posts where people are inserting interesting text snippets to trigger the scanning software used in the presumed automatic scanning of USENET.
" hello to my friends in domestic surviellance "
They want to introduce a mandatory "key escrow" scheme (this means the Government gets full access to all the master keys). This would mean they would have to ban other forms of encryption. It has recently been discovered by the EFF with FOIA requests that mandatory key escrow has been actively planned for, by the NSA, the FBI, and the DoJ. It appears that these elements of the government were actively planning what various government spokes persons were making categorical statements against. There were statements that key escrow would always be voluntary, and yet it transpires that these government officials were either not informed of these agendas, or were being somewhat economical with the truth.
Self preservation, organisations have self preservation mechanisms. If the NSA can't routinely scan messages to gather open source intelligence then what is the need for the NSA. So wide spread crypto deployment puts them out of business, and therefore the NSA as an organisation has an incentive to attempt to hinder crypto deployment.

Comments, html bugs to me (Adam Back) at <adam@cypherspace.org>