Cryptology - I: Export Controls on Cryptologic Technology

Instructors: R.E. Newman-Wolfe and M.S. Schmalz


Legal Issues in the Export of Cryptologic Technology

Under United States law, it is a crime to export cryptologic technology from the USA without authorization. The prohibition rests on the fact that cryptographic and cryptanalytic technologies are officially classified as munitions (i.e., placed in the same legal category as guns and bombs). Cryptologic technologies therefore appear on several export-control lists, among them the United States Munitions List (USML) excerpted below.

Export is generally understood to include sending cryptologic algorithms, hardware, or software through the U.S. mail, across the Internet, or by any other means of transmission; what matters is that the material crosses the border, not the medium used.

However, if you move outside the borders of the USA, you are no longer subject to the U.S. Munitions List restrictions in the place where you reside. Unfortunately, many countries have similar laws, so it would be difficult to find a place from which one could export crypto technology safely.

How does this affect students taking this class? Simply put: do not e-mail or otherwise send cryptologic technology (including the class notes) to destinations outside the USA. Unpleasant consequences can follow if you are caught, as discussed near the end of this section.


What the Munitions List Law (ITAR) Says

The U.S. Department of State is responsible for and publishes the Munitions List as part of the International Traffic in Arms Regulations (ITAR). Here follows a salient excerpt from ITAR:
Part 121 -- The United States Munitions List

§ 121.1 General. The United States Munitions List

  Category XIII -- Auxiliary Military Equipment

  (1) Cryptographic (including key management) systems, equipment,
      assemblies, modules, integrated circuits, components or software
      with the capability of maintaining secrecy or confidentiality of
      information or information systems, except cryptographic equipment
      and software as follows:
      (i)    Restricted to decryption functions specifically designed
             to allow the execution of copy protected software,
             provided the decryption functions are not user-accessible.
      (ii)   Specially designed, developed or modified for use in
             machines for banking or money transactions, and
             restricted to use only in such transactions. Machines
             for banking or money transactions include automatic
             teller machines, self-service statement printers, point
             of sale terminals or equipment for the encryption of
             interbanking transactions.
      (iii)  Employing only analog techniques to provide the
             cryptographic processing that ensures information
             security in the following applications ....
      (iv)   Personalized smart cards using cryptography restricted
             for use only in equipment or systems exempted from the
             controls of the USML.
      (v)    Limited to access control, such as automatic teller
             machines, self-service statement printers or point of
             sale terminals, which protects password or personal
             identification numbers (PIN) or similar data to prevent
             unauthorized access to facilities but does not allow
             for encryption of files or text, except as directly
             related to the password of PIN protection.
      (vi)   Limited to data authentication which calculates a
             Message Authentication Code (MAC) or similar result to
             ensure no alteration of text has taken place, or to
             authenticate users, but does not allow for encryption
             of data, text or other media other than that needed
             for the authentication.
      (vii)  Restricted to fixed data compression or coding techniques.
      (viii) Limited to receiving for radio broadcast, pay television
             or similar restricted audience television of the consumer
             type, without digital encryption and where digital
             decryption is limited to the video, audio or management
             functions.
      (ix)   Software designed or modified to protect against
             malicious computer damage, (e.g., viruses).

  (2) Cryptographic (including key management) systems, equipment,
      assemblies, modules, integrated circuits, components or software
      which have the capability of generating spreading or hopping codes
      for spread spectrum systems or equipment.

  (3) Cryptanalytic systems, equipment, assemblies, modules, integrated
      circuits, components or software.

  (4) Systems, equipment, assemblies, modules, integrated circuits,
      components or software providing certified or certifiable multi-
      level security or user isolation exceeding class B2 of the Trusted
      Computer System Evaluation Criteria (TCSEC) and software to certify
      such systems, equipment or software.

If you want more information about the ITAR regulations, see ITAR in full (about 380 kB).


Penalties for Exporting Cryptologic Technology

It is wise not to run afoul of the Munitions List and its associated laws. Penalties for unauthorized export of munitions include, but are not limited to:

An example of the expense of defending oneself against charges of exporting munitions is the case of Philip Zimmermann. Although he was never prosecuted for the posting of the PGP software to the Internet in 1991 (the investigation was closed without charges after about three years), Mr. Zimmermann was harassed by government functionaries and incurred a significant legal bill. (The story behind the Zimmermann Legal Defense Fund, the ZLDF, is a must-read.)