Cryptography and Liberty

2000

An International Survey of Encryption Policy

Electronic Privacy Information Center

Washington, DC

About the Electronic Privacy Information Center

The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC is a project of the Fund for Constitutional Government. EPIC works in association with Privacy International, an international human rights group based in London, UK and is also a member of the Global Internet Liberty Campaign, the Internet Free Expression Alliance and the Internet Privacy Coalition.

The EPIC Bookstore provides a comprehensive selection of books and reports on computer security, cryptography, the First Amendment and free speech, open government, and privacy. Visit the EPIC Bookstore at https://www.wendangku.net/doc/7a3166371.html,/bookstore/.

Copyright © 2000 by the Electronic Privacy Information Center

First edition 2000

Printed in the United States of America

All Rights Reserved

ISBN: 1-893044-07-6

EPIC Staff

Marc Rotenberg, Executive Director

David L. Sobel, General Counsel

Andrew Shen, Policy Analyst

Sarah Andrews, Policy Analyst

Dori Kornfeld, Policy Fellow

David Banisar, Senior Fellow

Wayne Madsen, Senior Fellow

Acknowledgements

This report was written by Wayne Madsen and David Banisar, Senior Fellows at the Electronic Privacy Information Center.

The following individuals provided invaluable information and advice: Dr. Andrzej Adamski, Nicholas Copernicus University, Poland; Yaman Akdeniz, Cyber-Rights & Cyber-Liberties (UK); Ian Brown, University of London; Jos Dumortier, KU.Leuven, Belgium; Rishab Aiyer Ghosh, India; Brian Gladman, UK; Peter Gutmann, New Zealand; Austin Hill, ZKS, Canada; Gus Hosein, London School of Economics, UK; Bert-Jaap Koops, Tilburg University, NL; Meryem Marzouki, Imaginons un Réseau Internet Solidaire, France; Jose Luis Martin Mas, FREE, Spain; Ulrich Sandl, Bundesausfuhramt, Germany; Viktor-Mayer-Schoenberger, Harvard University; Erich Moechel, quintessenz, Austria; Andriy, Privacy Ukraine; Per Helge Sørensen, Denmark; Greg Taylor, EF Australia; Jerome Thorel, ZD France; Peter Wallstrom, Sweden; Rigo Wenning, FITUG, Germany; Maurice Wessling, BITS of Freedom, NL.

The Electronic Privacy Information Center gratefully acknowledges the support of the Open Society Institute, as well as the assistance of members of the EPIC Advisory Board and members of the Global Internet Liberty Campaign (GILC).

An electronic version of this report and updates is available online at https://www.wendangku.net/doc/7a3166371.html,/crypto/

Executive Summary

The international relaxation of regulations concerning encryption has largely succeeded. The rise of electronic commerce and the recognition of the need to protect privacy and increase the security of the Internet has resulted in the development of policies that favor the spread of strong encryption worldwide. Governments attempting to develop e-commerce are recognizing that encryption is an essential tool for transactions, and are reversing decades old restrictions based on national security concerns. An increasing number of countries have developed policies, based on the OECD guidelines.

Most countries in the world today impose no restrictions on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction. This is true for both leading industrial countries and for emerging economies.

There are a small number of countries where strong domestic controls on the use of cryptography exist. These are mostly countries where human rights command little respect, most notably Russia and China. Many of these countries place strict controls on the Internet, satellite dishes and other new communications devices.

There is little international support today for key escrow encryption. It has been abandoned by most countries and is no longer enforced in the few countries where laws requiring its use still remain.

A few countries impose “lawful access” requirements that could compel users to disclose keys or decrypted files to government agencies. Concerns over the right against self-incrimination found in many legal systems have led many countries to reject their adoption. Several other countries are considering bills that would require third parties to decrypt communications from suspects.

A number of governments are considering proposals that give intelligence and law enforcement agencies new powers to conduct surveillance, break into buildings or hack computers to obtain encryption keys and obtain information. Law enforcement and intelligence agencies are also demanding and receiving substantial increases in budgets. These new powers and budgets raise concerns about the expansion of government surveillance and the need for public accountability.

Export controls remain the most powerful obstacle to the development and free flow of encryption but they are steadily being relaxed because of the Internet and demands for secure electronic commerce. The decision by the United States to liberalize its own encryption export regulations in January 2000 has had the effect of weakening the position of those who favor strict controls on cryptography.

Purpose and Methodology of the Survey

This is the third annual review of encryption policies around the world. This survey was undertaken by the Electronic Privacy Information Center (EPIC), with the assistance of members of the Global Internet Liberty Campaign and other experts on encryption policy, to provide a comprehensive review of the cryptography policies of national and territorial jurisdictions around the world.

To obtain information for the survey, we sent letters to the embassies, United Nations missions, government ministries, trade boards, and information offices of some 230 countries and territories with independent policy-making authority. These entities were contacted in the belief that governments themselves are best able to authoritatively explain their policies, especially on such a technical subject. We patterned our survey after one conducted in 1989 by the Computer Science and Law Research Group (GRID) of the University of Quebec, which analyzed the data protection policies and laws of over 150 countries on behalf of the government of Canada. In our second and third surveys, we expanded the contacts to include organizations and individuals in various countries with direct knowledge of encryption and telecommunications policies. We inquired about five major areas of cryptography policy:

• Controls maintained by the governments on the domestic use of cryptography in their countries;

• Legal requirements or pending proposals that require end users or communications companies to provide encryption keys or decrypted communications, or files to government officials when required for an investigation;

• Controls maintained by the governments on the importation to their countries of computer programs or equipment that permit cryptography;

• Controls maintained by the governments on the exportation of domestically developed computer programs or equipment that permit cryptography; and

• Identification of the agency or department of the governments responsible for setting policy on the use, importation, or exportation of cryptographic technology.

Between the issuance of our first report in February 1998 and our second report issued in May 1999, the Organization of Economic Cooperation and Development (OECD) conducted an inventory of the cryptography regulations of its member states. We have incorporated those findings in this report as they best represent current national policies within the OECD member countries.

We also referred to a report prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy, obtained by EPIC under the Freedom of Information Act. The report, dated July 1995, is titled “A Study of the International Market for Computer Software with Encryption.” The Commerce Department and NSA attempted to obtain and analyze copies of the laws and regulations from as many encryption-producing nations as possible. This document is mostly historical now.

A 100 per cent response was the goal of this and our previous surveys. For this survey we discovered that many more countries were familiar with the issue than had been during the first and second surveys. As a result, this is the most comprehensive survey to date of encryption policies.

Country Ratings

Reported countries have been grouped into three categories regarding controls on cryptography.

A “Green” designation signifies that the country imposes few controls on encryption in the country and promotes or has expressed support for a policy that allows for unhindered legal use of cryptography, such as adopting the OECD Guidelines. A “Yellow” designation signifies that the country has significant domestic controls such as requirements for lawful access, excessive export or import controls in law, or has proposed new domestic cryptography controls. A “Red” designation denotes countries that have instituted sweeping controls on cryptography, including domestic use controls. Many countries do not fit neatly into one of the three categories, but may share attributes from two of the categories. These countries are designated as “Green/Yellow” or “Yellow/Red” depending on the direction the policies appear to be heading.

Issues in Encryption Policy

The Importance of Cryptography

Emerging computer and communications technologies have radically altered the ways in which we communicate. Along with the speed, efficiency, and economy of the digital revolution come new challenges to the security and privacy of communications and information traversing the global communications infrastructure.

In response to these challenges, the security mechanisms of traditional paper-based communications media - envelopes and locked filing cabinets - are being replaced by cryptographic security techniques. Through the use of cryptography, communication and information stored and transmitted by computers can be protected against interception. Until recently, there was little non-governmental demand for encryption capabilities. Modern encryption technology - a mathematical process involving the use of formulas (or algorithms) - was traditionally deployed most widely to protect the confidentiality of military and diplomatic communications. With the advent of the computer revolution and recent innovations in the science of encryption, a new market for cryptographic products has developed. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever-increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic fund transfers require secure means of encryption and authentication – features that can only be provided if cryptographic know-how is widely available and unencumbered by government regulation.

Cryptography can also be used to allow for the anonymous dissemination of information, such as reports on human rights abuses, and to ensure that documents of human rights groups are not tampered with or altered after release.

Governmental regulation of cryptographic security techniques endangers personal privacy. Encryption ensures the confidentiality of personal records, such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of being stolen or misused.

Encryption and Human Rights

Government regulation of techniques such as encryption that help to protect individual privacy may also be contrary to the spirit of international laws and norms that recognize privacy and the freedom to communicate in confidence as fundamental human rights. Article 12 of the Universal Declaration of Human Rights, and Article 17 of the International Covenant on Civil and Political Rights, as well as other international agreements, and national laws, make clear the importance of privacy protection for human freedom and civil society.

In many countries in the world, human rights organizations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, reported widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries. In some countries, such as Honduras and Paraguay, the state-owned telecommunications companies were active participants in helping the security services monitor human rights advocates. These problems are not limited to developing countries. French counter-intelligence agents wiretapped the telephones of prominent journalists and opposition party leaders. The French Commission Nationale de Contrôle des Interceptions de Securité has estimated that there are some 100,000 illegal taps conducted each year in France. There have been numerous cases in the United Kingdom, which revealed that the British intelligence services monitor social activists, labor unions and civil liberties organizations. Even in countries that are considered to have open governments such as Sweden and Norway, national security agencies have been found to routinely invade the privacy of non-governmental organizations.[1]

The European Parliament issued a report in January 1998 alleging that the U.S. National Security Agency was conducting massive monitoring of European communications as part of a worldwide surveillance system named Echelon.[2] The report also said that the system was used to target human rights groups such as Amnesty International. A subsequent report released in May 1999 and presented before the European Parliament in February 2000 revealed more information on the system and its use for economic espionage and resulted in protests and anger from the EU.[3]

Many human rights groups currently use encryption to protect their files and communications from seizure and interception by the governments they monitor for abuses. These include China, Guatemala, Ethiopia, Haiti, Mexico, South Africa, Hong Kong and Turkey. Other groups such as Amnesty International USA and the Tibetan Government-in-exile also use cryptographic techniques to digitally sign messages that they send over the Internet to ensure that the messages are not altered in transmission.

Additional information on the use of encryption technology by international human rights organizations is contained in the briefing paper “Encryption in the Service of Human Rights,” produced by Human Rights Watch.[4]

National Controls on Cryptography

Only a few countries around the world restrict the domestic use of encryption by their citizens. Of the handful of countries around the world that do, most have strong authoritarian governments.

Most countries that have explicitly rejected controls have noted the importance of security of electronic information for electronic commerce, the threats of economic espionage, and the need to protect privacy online. The 1997 OECD Guidelines on Cryptography Policy and the 1998 European Commission report expressed strong support for the unrestricted development of encryption products and services. Following their promulgation, Canada, Germany, Ireland, and Finland announced national cryptography policies based on the OECD Guidelines, favoring the free use of encryption.

A number of countries explicitly reversed their positions on domestic controls based on the OECD Guidelines. Most notable of these is France, which had long restricted encryption, but reversed that policy in January 1999 and announced that people can use encryption without restrictions. In December 1997, Belgium amended its 1994 law to eliminate the provision restricting cryptography.

Most of the countries that do restrict encryption are either former republics of the Soviet Union, or are located in Asia, or the Middle East. The countries include Belarus, Burma, China, Kazakhstan, Pakistan, Russia, Tunisia, and Vietnam. We found no countries in North or South America or Western Europe that currently restrict domestic use. The United Kingdom is the only major western power that continues to advocate for controls.

Most of these countries also generally place strong restrictions – in some cases, such as Burma and Iraq, outright bans – on the use of the Internet. In many of the countries, the restrictions do not appear to be enforced. In China, a new regulation requires companies to disclose their security systems to the national government but few companies are complying.

The rapid growth of worldwide electronic commerce and the lack of international consensus on restrictions will further isolate these countries and make it difficult for them to continue these policies. The wide availability of encryption on the Internet will make it impossible for them to enforce the laws in any meaningful way without imposing massive surveillance and censorship.

Key Escrow/Key Recovery

Concurrent with the rejection of domestic controls by most countries is the rejection of key escrow/recovery policies by governments. We found that there is now no international support for key escrow or key recovery systems.

Key escrow/recovery was a concept promoted by the United States government whereby users would be able to use strong encryption in their systems. However, a third party such as a government agency or a specially authorized company (usually with government ties) would hold the keys and provide them to a government agency when requested. Escrow was first introduced in the U.S. in the Clipper Chip in 1993. It was adopted into law by France in 1996 and promoted by the UK government for several years.

The U.S. pressured many countries and international organizations including the OECD and Wassenaar to adopt key escrow. The U.S. Envoy for Encryption David Aaron traveled the world urging countries to adopt escrow policies. The OECD countries rejected the U.S. pressure and called for free use of cryptography and respect for privacy.

Security experts have been critical of the security of escrow systems, noting a number of problems created by having a central party holding users' keys. In October 1997, the European Commission issued a report that reviewed the problems with key escrow systems:[5]

(i) Key access schemes are considered by law enforcement agencies as a possible solution to cope with issues like encrypted messages. However these schemes and associated TTPs raise a number of critical questions that would need to be carefully addressed before introducing them. The ongoing discussion of different legislative initiatives in the US is an illustrative example of the implied controversy. The most critical points are vulnerability, privacy, costs and effectiveness:

• Inevitably, any key access scheme introduces additional ways to break into a cryptographic system. More people will know about "secret keys" and "system designs" leading to higher risks of insider abuse and the TTPs itself can become target for attacks. These new vulnerabilities are complex and need to be understood as substantial liability and privacy questions are implied.

• The costs associated with key access schemes can be very high. Until now, questions on costs and who would bear them have not been addressed by policy makers. Important cost factors would be the specific requirements put on TTPs, e.g. response time to deliver keys, storage time for session keys, authenticate requesting government agency, secure transfer of recovered keys, internal security safeguards, etc. Furthermore, substantial and unknown costs would occur through the need for scaleability of key access schemes, i.e. making it work in a multi-million user environment. Up to now, such systems have at best been developed for small scale use. The costs to make them work on an economy of even global wide scale need to be looked at carefully.

• Key access schemes can be easily circumvented - even if, hypothetically speaking, everyone would be forced to pass through these systems.

(ii) Any involvement of a third party in confidential communication increases its vulnerability. The main reason for involving a third party in the management of keys for confidentiality is to allow that party to make the keys available to other than the two communicating parties, for example, to law enforcement.

Users may therefore not see many advantages in using TTPs for confidential communication, and probably not even for stored information. Regulators would thus need to offer incentives to convince users to use licensed TTPs for confidentiality purposes, for instance through a "public security label" or even by introducing a "mandatory scheme". Such a mandatory scheme would make any publicly available offer of encryption services subject to a licence that inter alia would demand key escrow/recovery.

The acceptance of such a system remains to be seen, but given its implied overheads, can not be regarded as an incentive for electronic commerce. In any case, restrictions imposed by national licensing schemes, particularly those of a mandatory nature, could lead to Internal Market obstacles and reduce the competitiveness of the European Industry.

The final blow to key escrow was its rejection by the Wassenaar Arrangement group in December 1998. The U.S. attempted to gain favorable export rules for escrow/recovery products to encourage an international market. No consensus was reached and this plan was rejected. The German Ministry of Economics announced: “Certain states that had originally demanded special treatment for key recovery products were unsuccessful in their efforts. The export of encryption technology will therefore remain possible without the deposit of keys with the government.”[6]

These international policy developments had a significant impact on domestic policies in both countries that supported escrow and those that did not have encryption policies. The most dramatic turnaround was in France, where Prime Minister Jospin announced in January 1999 that France would scrap its key escrow system in favor of free use of cryptography and implemented new regulations relaxing controls in March 1999. Taiwan, which had stated in 1997 that it was planning a key escrow system, reported back in 1998 that it no longer plans to adopt such a system.

Only a few countries now officially endorse key escrow. Spain enacted a telecommunications bill in 1998 that endorsed escrow, but it was never implemented. For many years the UK was promoting a policy that would have coerced certificate authorities to obtain private keys as a condition of licensing. It is now using other means to try to gain keys (see section below). In the U.S., export control rules that once encouraged key escrow were somewhat relaxed in 1998 and eliminated in January 2000.

“Lawful Access” and Forced Disclosure of Encryption Keys

Following the rejection of key escrow, a new approach being considered by many governments is to demand “lawful access” to encryption keys or plain text. Under this approach individuals would be required to disclose keys to law enforcement agencies or face criminal penalties for failure to assist in a law enforcement investigation. So far, only a few countries have implemented such provisions.

The OECD Encryption Guidelines noted but did not endorse the lawful access principle. The Guidelines state:

National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.[7]

This was a very contentious issue in the OECD. The OECD considered and rejected support for the lawful access goal. As a result, this is the only principle that did not state that members “shall” adopt it as a policy.

At the Denver Summit in June 1997, the G-8 supported access. It recommended that every country adopt “Lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies.”

Only Singapore and Malaysia have enacted laws that would require users to disclose their keys or face criminal penalties. In both of those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police.

Similar bills are pending in the United Kingdom and India. In the United States, Belgium and the Netherlands, bills are pending that would require third parties to release encryption keys and other information but would not require a person to incriminate himself.

A number of countries including Ireland, Sweden, Finland, and Denmark suggested that the government would consider lawful access provisions following the release of the OECD Guidelines. Thus far, none have adopted it. In Ireland a draft Electronic Commerce Bill has recently been published which would force individuals to provide access to plaintext but recommends against forced disclosure of keys. In Canada, an interministerial committee headed by Justice Canada is examining possible legislation. Other countries such as Denmark have decided against adopting such policies.

The Right Against Self-incrimination

Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide. The privilege against self incrimination forbids a government official from compelling a person to testify against himself. It has a long history in law originally developing from Roman and Canon law and was subsequently adopted by the Common law.[8]

In the United States, this issue has not been directly addressed by any courts yet but many legal scholars believe that it would not be permissible under the 5th Amendment to the Constitution to force an individual to disclose an encryption key or passcode that was not written down anywhere.[9]

Many European legal scholars also believe that requiring disclosure violates the European Convention on Human Rights.[10] The European Court of Human Rights has stated that the right of any "person charged" to remain silent and the right not to incriminate himself are generally recognized international standards which lie at the heart of the notion of a fair procedure under Article 6 of the European Convention on Human Rights. The burden of proof cannot be reversed for the suspect to provide the requested evidence or prove his/her innocence.[11] Article 8 of the Convention, which protects the right to respect for private life and correspondence, also sets out limits on surveillance that would affect interception.

In other countries, this concern is also raised. The New Zealand Law Commission noted recently that on the issue of lawful access, it will be difficult to compel people to disclose encryption keys:

We note that the difficulty in compelling a person to disclose the means of decryption, or the plain text of the document itself, will need to be given considerable thought; as will the question of an appropriate sanction in the event that disclosure is not made. In that regard, the disclosure of something held in one’s head is somewhat different in kind to the provision of DNA samples. Ultimately, any view formed on this issue will need to recognise that a private key may be held in the memory of a human being, rather than located in an electronic or paper based record.[12]

In Australia the Walsh Report, written by the former director of the Australian intelligence agency, also recommended against the “lawful access” requirement stating:

1.2.27 Invocation of the principle of non self-incrimination is likely to prove an obstacle to efforts by law enforcement agencies to obtain encryption keys by search warrants or orders made by courts and tribunals.[13]

Another issue is the penalizing of individuals who may not have access to the keys issued in their name. In many circumstances, an individual may not be in possession of a key, either because they have lost the key, revoked it or never possessed it in the first place. Under several of these laws and pending bills, the users could face jail for being unable to provide the keys. A group in the United Kingdom illustrated this problem by sending an encrypted “incriminating” message to Home Secretary Jack Straw after creating a key in his name. They then destroyed the encryption key.[14]

Increase in Surveillance Budgets

As countries reject restrictions on encryption, they continue to face pressure from law enforcement and intelligence agencies which demand access to communications. There have been a variety of approaches taken to resolve this pressure.

One trend has been the increased funding of intelligence agencies to compensate for the perceived loss of intelligence from encryption. In the United States, a number of new “Net Centers” have been proposed. These Net Centers would provide technical assistance to law enforcement agents specifically to break codes and would not be subject to freedom of information laws.[15] President Clinton also recently has asked for $2 billion for network protections.

New Surveillance Powers

In the absence of key escrow, intelligence and law enforcement agencies in a number of countries have been demanding the ability to use formerly extralegal approaches to obtain information and encryption keys from targets. This includes breaking into homes to “bug” computers and legal authorization to “hack” computer systems to obtain encryption keys.

In December 1999, the Australian Parliament approved a bill authorizing the Australian Security Organization (ASIO) to obtain warrants to access computers and telecommunications services “for the purpose of obtaining access to data that is relevant to the security matter and is stored in the target computer and, if necessary to achieve that purpose, adding, deleting or altering other data in the target computer, (b) copying any data to which access has been obtained, that appears to be relevant to the collection of intelligence by the Organisation in accordance with this Act; (c) any thing reasonably necessary to conceal the fact that any thing has been done under the warrant.” The bill does not mention encryption.[16]

In the Netherlands a law to allow the use of bugging devices in computers as a means to obtain clear text (Wet Bijzondere Opsporingsbevoegdheden) was approved in 1999 and went into effect in February 2000. Another bill that would allow the secret service to use hacking techniques to remotely access computer systems (Wet op de Inlichtingen- en Veiligheidsdiensten) is also pending. These powers were specifically given to combat cryptography during investigations.

In the United States the White House proposed the Cyberspace Electronic Security Act (CESA) in September 1999. Under the bill, law enforcement and intelligence agencies would be able to compel third parties to release encryption keys and other information. Technical methods used to obtain keys can be kept secret from disclosure in court. In addition, the FBI would be given $80 million in additional funding for its “Technical Support Center.” Previous versions allowed for secret searches.

Other countries are still developing policies that will give more powers to intelligence agencies. In France, Prime Minister Jospin announced in 1999 that as part of France's relaxation of controls, “the technical capacities of the authorities will be significantly reinforced.” Similarly, the 1999 German encryption policy states that “the federal government will, to the extent that it can, support an improvement of the technical capabilities of the criminal prosecution and security authorities.”

At the urging of the U.S. Department of Justice, the Council of Europe is also developing a new Convention on Computer Crime that will reportedly expand surveillance powers and centers for network monitoring. The convention will require countries to adopt legislation to facilitate wiretapping of computer networks and compel manufacturers to build in surveillance capabilities.

These proposals for new investigative powers raise troubling questions about surveillance and accountability. Will the agencies granted these powers be fully accountable to democratic institutions and subject to meaningful public oversight?

The Role of Export Controls

Internationally, export controls have been the strongest tool used by governments to limit development of encryption products. However, in the past several years, there has been a gradual relaxation of export controls, especially for software products.

Export controls reduce the availability of encryption in common programs such as operating systems, electronic mail and word processors, especially from American companies. The restrictions make it difficult to develop international standards for encryption and interoperability of different programs. Countries must develop their own local programs, which do not interoperate well (if at all) with programs developed independently in other countries. These programs may not be as secure because of a lack of peer review. Because markets are smaller and potential profits lower, companies and individuals are less interested in developing programs.

Some countries have taken advantage of the situation by promoting the lack of controls in their countries. As Switzerland noted in response to our 1999 inquiry, “Switzerland will keep its efficient export permit process for cryptographic goods in order to encourage Swiss exports to increase their sales and share worldwide while being mindful of national security interests.” One result of this has been the emergence of small companies in many countries without restrictions, which produce encryption products. Another result has been companies, especially American companies, moving their encryption production divisions overseas to countries with fewer controls, such as Switzerland.

The Internet significantly changed the effectiveness of export controls. Strong, unbreakable encryption programs can now be delivered in seconds to anywhere in the world with a network connection. It has been increasingly difficult for countries to limit dissemination, and once a program is released, it is nearly impossible to stop its redissemination, especially if it is in one of the many countries around the world with no export controls. In the United States, export controls were used as a justification to limit the availability of encryption on domestic Internet sites and thus serve as indirect domestic controls on encryption.

Many countries have relaxed their export controls on encryption products, especially software. The United States Government announced in January 2000 that it now allows companies to export most products. It is now likely that other countries will follow suit.

The Wassenaar Arrangement

The Wassenaar Arrangement (WA) is an agreement by a group of 33 industrialized countries to restrict the export of conventional weapons and “dual use” technology to certain other countries considered pariah states or, in some cases, those that are at war. Certain cryptographic products, along with other technology such as supercomputers and high-level computer security access software, are considered to be “dual use” in that they can be used for both commercial and military purposes. The WA replaced the former Cold War-era Coordinating Committee on Multilateral Export Controls (COCOM), a group of 17 countries that placed restrictions on the export of certain technology to countries of the former Warsaw Pact and other communist states. After the fall of the Warsaw Pact and Soviet Union, COCOM became an anachronism, and on November 16, 1993, in The Hague, COCOM agreed to dissolve itself and to establish a grouping called the “New Forum.”
