Legal Framework Regulating Data Encryption

Export Policy

Here's the big one. Most people reading this will need to abide by these rules. In the US, encryption algorithms are viewed as munitions. They cannot be exported from the US unless approved by the Defense Trade Regulations (DTC). Strong cryptographic algorithms (such as DES) will not receive approval from the DTC. For illegally exporting encryption, the penalties can be up to $1,000,000 in fines or 10 years in jail, or both. Most European countries have already discarded similar laws.

In 1992, the SPA and the State Department reached an agreement that allows the export of programs containing the RSADSI RC2 and RC4 algorithms, but only when the key size is set to 40 bits or less. Those key sizes are not very secure (I use a 1024 bit key...).

Now there is one exception to the export rule. Cryptographic software can be exported to Canada as if it were the fifty-first state! Thanks to Canada's Rule #5100, Canada honors US export prohibitions on "all goods originating in the United States" unless they have been "further processed or manufactured outside the United States so as to result in substantial change in value, form, or use of the goods or in the production of new goods."

What about your friend in Russia, you say? He can use the international version of PGP, which is interoperable with the US version, fortunately.

In the recent past, an international traveller carrying a laptop out of the US may well have committed a crime by exporting potential war material. The US government considers encryption software to fall into the same area as munitions for export purposes. The US has a set of regulations, called the International Traffic in Arms Regulations (ITAR), that limits what is exportable. However, Martha Harris, Deputy Assistant Secretary of State for Political-Military Affairs, stated on Feb 4, 1994: "We will no longer require that US citizens obtain an export license prior to taking encryption products out of the US temporarily for their own personal use. In the past, this requirement caused delays and inconvenience for business travellers."

Today, US-made products may contain cryptographic capability, such as Netscape Navigator's built-in Secure Socket Layer (SSL). The limit set for the export of these products is a maximum key length of 40 bits. Thus a 'crippled' version of the cryptographic material is exportable.

Recently, the Electronic Frontier Foundation, which helped fund and coordinate a successful attempt at breaking DES, proved what computer scientists have argued for 20 years: that DES can be cracked quickly and inexpensively, in 56 hours using an array of computer circuit boards. This somewhat weakened the government's claim that common encryption technology is 'too strong to let fall into the hands of off-shore terrorists and criminals'. This success has prompted several libertarian groups to lobby for a change in the legislation.

Generally, with foreign partners, the government's policy tends towards allowing encryption for message authentication, but using it to keep information secret arouses suspicion.
Copyright ©1999 ThinkQuest Team 27158. Developed for ThinkQuest 1999.