Export controls, crypto as a munition
OK – this blog post may be 20 years too late, but it’s interesting that
this nonsense is still going on.
We just completed an internal review of our corporate export
controls. Despite the fact that “cryptography is a munition” is idiotic,
the fines that companies can face if they are caught exporting it without
a license are nothing to sneeze at.
In the process, we learned that the US – and a variety of other countries
– still have strong export and import controls over cryptographic
technology. The biggest offenders are the US, France, Israel and Hong Kong
(oddly enough). China is also threatening to require that all crypto
in their country be “Chinese-origin” (and presumably Chinese-back-door).
Now of course this is nonsense. Algorithms don’t explode, so classifying
cryptography as a “munition” only makes sense to the mentally
challenged. Moreover, if a criminal/terrorist/bad guy really wants to
protect their communication, of course they will do so – SSH, PGP and
other tools all support strong encryption and are all free and easy to
download. The Windows OS and even Blackberry phones also incorporate
strong crypto – world-wide.
This means that “we want to keep crypto out of the hands of bad guys”
is a completely nonsense argument. Nobody buys it.
And if keeping crypto out of the hands of bad guys is not the objective,
then the only remaining possibility is that export controls are intended
to keep cryptography out of the hands of law-abiding citizens.
Think about that for a minute. The US government wants to make it
more difficult for the citizens of other countries to communicate
securely. Since bad guys will presumably use crypto anyways, this
means that they what they really want is to violate citizens’ privacy –
domestically and abroad.
With that in mind, consider what happened in Iran recently – popular
unrest and a violent government crack-down. One would think that what the
US government really wants is exactly the opposite of that: to empower
citizens everywhere to communicate freely and safely, without fearing
government interception. That wouldn’t endanger benign government (like
the US?) but it would definitely cause headaches for dictatorships like
those in Iran and China.
Maybe the protesters in Iran would have had an easier time organizing
if they all had mail clients that embedded PGP. That would surely be in
the US national interest!
So export controls on cryptography are backwards! If US foreign policy
interests are really the motivation, then the US should *promote* strong
cryptography for citizens everywhere. That wouldn’t cause real harm to
US law enforcement or intelligence services, since the objects of their
surveillance already have strong crypto. On the other hand, it would
cause harm to those governments where the US (and the West in general)
would like to see regime change.
So what’s wrong with this picture? When will this old, cold-war thinking
finally give way to a pragmatic realization that crypto-for-all is good
for the US?