0

If I made a proprietary piece of software that provided AES-256 encryption for IM, voice chat, and file transfer, would this itself be illegal? The way it'd be set up is people would run the service entirely on their own. There would be no retention of data by a 3rd party or even on the person's machine. It would be stored in memory for the smallest time possible then dumped away. It would not be saved. There'd be no backdoor, master key, etc. The ONLY way to read the data would be to have a connection to the server with a valid key to read data sent from other people connected to it. It seems this is a project idea to keep on the shelves as in the US and all over the world something like this would be extremely illegal. The only way to obtain the key would be from the server operator him/herself, or if you knew someone who had a valid key that connects to that server and they shared it with you.

To clarify even more:

I want to know if it'd be illegal to create and release a software that effectively encrypts internet communication such as IM and voice chat, and any file transfer end to end, in a context where there is no way to read the data unless your client has the key to decrypt received data in the event you are connected to a server, or intercepting data sent from clients or server and trying to decrypt it yourself with brute force. Those are the only 2 ways. Otherwise you'd have to lift the key somehow from the server machine or client machine in the event the person has their USB still plugged in (unless it's on the hard drive of course) and you can somehow read from it from a remote location or acquire the hard drive/USB itself or have access to the physical client's or server machine itself. In other words, in the event of a police investigation regarding something that went on that was illegal during the use of the app... authorities would have to go to some pretty pretty great lengths to get anywhere. But they'd have to catch the crime happening live, as no text, voice, or file transfer data will EVER live on the server's hard drive or client's hard drive (just in memory as briefly as possible). The only other way would be screenshot. The only other way I can think of would be to catch the suspect using the app, get their computer that has the app on it with key in place to use with the server, and get the people connected to the server to somehow admit to crimes without them knowing the police are on the other side of this suspect's client and not that person. Once again, some extreme lengths. I wouldn't want to be responsible for any of that. If people took it and used it for bad that needs to be their problem, not mine. If there's a chance I could owe money, or serve jail time, there's no way it's worth it.

7
  • 5
    In other words, something like a web browser? Software like that is very common in the developed world. Why do you think it would be illegal in the US? Commented Oct 29, 2018 at 18:22
  • The USA is very particular about treating strong cryptographic systems as a weapon, and therefore applying export and sale controls to them. Whether this specific implementation goes under that, is the question at hand.
    – user4657
    Commented Oct 29, 2018 at 18:46
  • @David Thornley I clarified more up top. Commented Oct 29, 2018 at 19:21
  • How is what you want to do different than what's done with Signal? signal.org "Signal messages and calls are always end-to-end encrypted and painstakingly engineered to keep your communication safe. We can't read your messages or see your calls, and no one else can either." Or secushare.org/end2end or any other search results for "web browser end to end encryption." Commented Oct 29, 2018 at 21:08
  • @BlueDogRanch. Other instances where Signal may need to share your data: To meet any applicable law, regulation, legal process or enforceable governmental request. To enforce applicable Terms, including investigation of potential violations. To detect, prevent, or otherwise address fraud, security, or technical issues. To protect against harm to the rights, property, or safety of Signal, our users, or the public as required or permitted by law. Commented Oct 29, 2018 at 21:57

2 Answers

1

Is it illegal in the US to release software containing cryptography if there is no master key or backdoor or data retention?

No.

There are some kinds of technologies, including certain kinds of cryptography, which are subject to export controls under the Export Administration Act of 1979.

But, whether or not there is a master key, backdoor, or data retention is not the criterion for export control. Instead, the criterion is basically based upon how hard the cryptography is for foreign intelligence agencies to crack.

For example, a three digit numeric code with no master key, backdoor or data retention is not going to be controlled technology.

Many cryptography applications that are subject to export control are also classified by the NSA, and are not known of, or available to, private sector firms for use in proprietary applications, something that would have been made clear to the firm if it was permitted to use those applications under license from the federal government.

I don't have the technical expertise to know whether or not AES-256 encryption is export controlled technology. The U.S. Department of Commerce regularly updates a list which is disseminated via regulation. In this case, the relevant list is the Commerce Control List (CCL) in Category 5 part 2 (information security) and product group D (software). The full text of the relevant part of the CCL is here (although this actually just points you to more detailed sublists).

(The other two main lists are for nuclear materials and for munitions.)

-1

We have a subtle rule here, that you cannot ask for legal advice about your own affairs. That would be illegal and also a bad idea. Instead, we provide information to help people understand the law, including by reference to hypothetical scenarios. So I'm assuming your question is hypothetical. I had better not get a call from the FBI saying 'We arrested Keith and he said you said he could do xyz'!

No, it is not illegal. 'End-to-end encryption' products aim to do what you describe. They are not targeted at obstructing lawful government activities, but a side-effect of minimising exposure to unlawful surveillance is to reduce exposure to lawful surveillance.

Signal, for example, says in its terms of service that it will comply with a lawful requirement to hand over information, which is true, but Signal is designed to minimise the amount of information that exists to be handed over. If I understand correctly, as a trade-off between convenience and privacy, Signal and other third parties are exposed to information about the timing of your messages and various information about the parties such as account numbers and network addresses.

If your hypothetical service was likewise exposed to such information (as I understand it, it would try not to be), and your hypothetical self tried to prevent lawful access to that information, then that would be illegal. For example, hypothetically, the government might tell you that one of your users is under investigation and therefore any metadata related to them that flows through your system is material evidence; I don't know this area of the law very well but it might well become 'obstruction of justice' for you to delete that data. Of course, if you never have the data then you can't be expected to hand it over.

If, hypothetically, you were deliberately facilitating crime, rather than protecting privacy more generally, then you might commit a conspiracy offence like Ross Ulbricht did when he operated the 'Silk Road' online marketplace.

If I understand correctly you need to register cryptography products with the government; failure to do so might be illegal. Your hypothetical self would need a real lawyer.

There are various suggestions to change the law in the United States so that, if you implemented such a system, you would have to insert a surveillance capability at the government's request (perhaps with prior judicial authorisation etc). This might include key escrow, metadata retention or some other mechanism. Some of the issues are discussed at https://arstechnica.com/tech-policy/2017/11/as-doj-calls-for-responsible-encryption-expert-asks-responsible-to-whom/ and https://en.wikipedia.org/wiki/Crypto_Wars. As I understand it, these discussions are motivated by the fact that what you describe is not currently illegal.

In practice, police are very resourceful. When Ross Ulbricht was arrested, two police officers distracted him while another officer swiped his laptop and copied data from it before any countermeasures could take effect. In another case, the police proved that a suspect had undertaken certain activities under a pseudonym via Tor by correlating the pseudonym's activities with the timing and quantity of traffic on the suspect's home Internet connection, the suspect's sleeping times, etc; they disconnected his home Internet connection and watched the pseudonym disappear off IRC. If 'Death Note' has taught us anything, it is that even if someone is using magic they cannot outmanoeuvre the law forever.

1
  • What makes you think cryptography products need to be registered with the U.S. government? Commented Feb 21, 2022 at 3:38
