
When Cryptology is Outlawed, Only Outlaws Will Have Ciphers!

Am I Smuggling Munitions?
Here's my bid at being an international arms dealer:

Please load this munition, it's only 3K from a nice English site.

If you don't live in the U.S. (or Canada?) I've succeeded! (This is a short, if not readable, Perl program that implements the RSA cryptosystem. It is legally categorized as a munition here in the land of the free and the home of the brave.)

Actually, I lied here: the image is stored in England, so you have just imported a cryptosystem from England, which is (as far as I know) perfectly legal if your own national laws allow it. You could figure this out by examining the HTML source of this page. You couldn't figure it out from the output on a normal browser.

A Career Opportunity?
If you, too, live in the U.S. and want to become an international arms trafficker, here's a place to help you get started. It provides a form that will send the above Perl program to Anguilla.

Does this seem a bit silly to you? It does to me. Bear in mind that I can send this in text form legally, and that there are numerous better (not to mention more readable) freely available cipher systems. One very popular one is the PGP (Pretty Good Privacy) system. The older, freeware version can be found at M.I.T. I've seen reports of PGP source being placed on the University of Oslo's web site, but didn't find it in a ten-minute search (it might help if I knew some Norwegian).

Why is this illegal?
The United States thinks that its best interests are served by making sure the FBI and the NSA can read all encrypted messages. One reason is to spy on enemy countries. (After World War II, the British scooped up all of the German "Enigma" cipher machines they could find, and sold them to emerging nations cheap. They didn't bother to tell them that the British and Americans could break those ciphers.) Another reason is to monitor criminal activity internally. It is a lot easier to get strong evidence that somebody is a criminal than to get courtroom-quality evidence, and law enforcement people have found that tapping people's telephones works very well to bridge that gap. Such taps have caught terrorists, drug smugglers, and many other people you really don't want in your neighborhood.

I am not concerned to refute these arguments. There is always a question of how much individual privacy and liberty to give up in order to have an effective police force, but that's irrelevant. Suppose we agree, for the sake of argument, that it would be really good if the FBI and the NSA could read all encrypted messages. Would this mean that the legal regulations would be a good idea?

Why should ciphers be legal?
Fundamentally, cipher control doesn't work. Consider gun control, which has never been a great success in the U.S. Some of our states and cities have very strong laws against using guns in any way illicitly. Lots of criminals are carrying, and often using, guns in spite of the laws. Only rarely have the laws seriously impeded criminals from using guns.

Now, consider how relatively easy it is to control ciphers. Suppose I have an illegal gun and an illegal cipher system. If I want to use the gun, I have to carry it. If I am stopped, even a cursory search will show that I have a gun on my person. If I want my partner to be armed also, I have to acquire another gun, rather than just duplicate the one I've got. If I use the gun, I'm leaving rather obvious traces that a gun was used, as well as evidence that can link the shooting to my gun. Now, consider me carrying a cipher system. It is a program on a disk or whatever, and there's no obvious reason to suspect it of being a cipher, unless I have given it a revealing name. If I want my partner to use the cipher, I can copy it quickly and easily. If I use the cipher, I can do so very unobtrusively: Romana Machado has written a program to embed arbitrary information in picture files, so if I can come up with an excuse to transfer computerized pictures to my partner, I can send encrypted information easily and securely. If a message is discovered, there is no way to know from the message itself who it came from.

Consequently, the first rule is that the bad guys will use cipher systems that the government can't read. Any attempt on the government's part to restrict cipher systems will affect only the vast majority of us who are going about our lawful business: we will either use ineffective ciphers, or none at all, or we will be outlaws.

With export controls, we aren't denying cryptosystems to people in other countries. The PGP system is in widespread use all across the world, despite never having been openly exported. Furthermore, some people who aren't U.S. citizens and don't live in the U.S. are highly intelligent and write excellent computer programs. No laws that we make can restrict these people from writing their own cryptosystems. The struggle to keep effective ciphers out of the hands of international criminals, foreign governments, subversives, and other non-native undesirables has been lost, and it was never winnable.

What about domestic cryptography?
The other side of the U.S. government's position is the restriction on domestic encryption. Proposals keep coming up that would force U.S. citizens to use cipher systems with keys held in escrow. This would allow the government to use its own copies of keys to understand the enciphered messages of citizens.

There are cipher systems out there, freely available, that do not involve sharing a key with the government. Some of them will stop the NSA. Anybody who wants to use an illicit cipher system will do so, so there's no hope that such a system will slow down criminals. It will apply only to law-abiding citizens, and these should not be controlled and restricted.

What are ciphers useful for?
This is important regardless of whether you think people should be able to communicate in privacy or not. The future of commerce on the Internet depends on this. Messages on the Internet are not safe from prying eyes, any more than messages sent by radio. Nor is it possible to tell from a message where it originated. Ciphers make it possible to send messages that competitors cannot read, and also make it possible to digitally sign messages, so that it can be known that the sender of a message had a certain key.

If a businessman conducts transactions on the net, and his key is leaked, anybody can read his messages, past and present, and anybody can send messages that appear to come from him. If this key is available to government officials, who makes sure it is not leaked when the businessman falls out of favor with the current administration? It would be potentially much nastier than what President Nixon was able to order.
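As an added illustration of the two points above (a signature shows that the signer held a particular key, and a leaked key lets anyone sign in the owner's name), here is a toy textbook-RSA signing example written for this page in Python. It is not the Perl program linked above and not anyone else's library code. The two Mersenne primes, the sample message and the truncated SHA-256 hash are constructed for the demonstration; the scheme uses no padding, so it shows the idea only, not a deployable signature scheme.

```python
"""Toy textbook RSA signing and verification (constructed example).

Illustrates that a valid signature proves possession of the private
exponent d, and that whoever obtains d can produce signatures that a
verifier cannot tell apart from the owner's. The primes are Mersenne
primes chosen for convenience; they are far too small and too structured
for real use, and real schemes add padding such as RSA-PSS.
"""
import hashlib
from math import gcd

# Constructed toy key material: the Mersenne primes 2^61-1 and 2^89-1.
P = (1 << 61) - 1
Q = (1 << 89) - 1


def make_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)) for textbook RSA on primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """Hash the message to an integer below n.

    SHA-256 is truncated to 16 bytes (128 bits) so the value stays under
    the ~150-bit toy modulus; a real scheme would use a padding standard.
    """
    h = int.from_bytes(hashlib.sha256(message).digest()[:16], "big")
    return h % n


def sign(message: bytes, private_key) -> int:
    """Signature = hash^d mod n; only the holder of d can compute this."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Check signature^e mod n against the message hash using only (n, e)."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def demo():
    """Run the scenarios from the essay and return the outcomes by name."""
    pub, priv = make_keypair()
    msg = b"Ship 40 crates to Anguilla on Tuesday"  # constructed sample
    sig = sign(msg, priv)
    results = {
        # The owner's signature checks out against the public key.
        "genuine_verifies": verify(msg, sig, pub),
        # Any change to the signed text breaks the signature.
        "altered_message_rejected": not verify(msg + b"!", sig, pub),
        # A value produced without d does not verify.
        "random_value_rejected": not verify(msg, 12345, pub),
    }
    # The leaked-key scenario: a copy of the private key signs just as the
    # owner would, and the verifier has no way to tell the difference.
    leaked_copy = priv
    other = b"Transfer all funds"  # constructed sample
    results["leaked_key_signs_as_owner"] = verify(other, sign(other, leaked_copy), pub)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last result is the essay's point in miniature: a signature binds a message to a key, not to a person, so a key that is held by a third party (an escrow agent included) is a key that can speak for its owner.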

For these reasons, the proposed cryptographic laws do no good and have the potential to do much harm.

Copyright 1997 by David H. Thornley.