29

A Wikipedia page says that in the US

regulations were introduced as part of munitions controls which required licenses to export cryptographic methods (and even their description)

What concrete evidence is there that the US banned the export of e.g. books on cryptography or similar descriptions of encryption methods? Surely they could have kept some algorithms from becoming public even in the US (as state secrets), but that's not what I'm talking about, but rather something that was ok to circulate e.g. in book form in the US, but banned from export (as a book) e.g. to the USSR or Iran, etc. Are there such examples?

There's no evidence of this kind that I can see on that wiki page.

5
  • 2
    I remember a song circulating many years ago that claimed to be barred from being exported from the USA (someone had taken the relevant crypto code and set it (badly) to music).
    – Tim B
    Commented Apr 16, 2020 at 20:01
  • 2
    @TimB "Descramble" by Joe Wecker
    – fraxinus
    Commented Apr 17, 2020 at 8:56
  • 1
    The US did not ban the export of algorithm descriptions, ever. Despite it being a valuable resource, Wikipedia is not authoritative.
    Commented Apr 18, 2020 at 13:10
  • 1
    @PresidentJamesMoveonPolk An algorithm is a method for solving a problem by following a defined procedure. It is not possible to convey an algorithm without describing it in some manner. Basically an algorithm IS a description.
    – barbecue
    Commented Apr 18, 2020 at 15:39
  • There seems to be a discrepancy between the question title and the quoted text. The former specifies a "description of an [...] algorithm", e.g. "SHA256 is a cryptographic hashing function". The latter, and - contrary to @PresidentJamesMoveonPolk 's implicit assertion - being what Wikipedia actually says, is a "description of [...] methods", which is indeed usually "an algorithm" in the relevant context.
    – mikołak
    Commented Apr 18, 2020 at 19:46

3 Answers

36

Part 121

The United States Munitions List Enumeration of Articles

Sec. 121.1 General. The United States Munitions List.

...

Category XIII--Auxiliary Military Equipment ...

(b) Information Security Systems and equipment, cryptographic devices, software, and components specifically designed or modified therefore, including:

(1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems

...

f) "Software" includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test, operation, diagnosis and repair.

8
  • 8
    @Fizz page 164 of "Cryptography's Role in Securing the Information Society" says that Phillip Karn requested a ruling on the exportability of a book. books.google.com/…
    – DavePhD
    Commented Apr 15, 2020 at 16:12
  • 5
    @Fizz see also this law review: digitalcommons.law.scu.edu/cgi/…
    – DavePhD
    Commented Apr 15, 2020 at 16:13
  • 3
    @Fizz this is the case: law.justia.com/cases/federal/district-courts/FSupp/925/1/…
    – DavePhD
    Commented Apr 15, 2020 at 16:16
  • 17
    @Fizz, a criminal investigation was opened against Phil Zimmerman for exporting a book containing the PGP source code. The investigation was dropped after several years with no charges filed, presumably because the outcomes of Bernstein v. United States and Junger v. Daley indicated that a conviction was unlikely.
    – Mark
    Commented Apr 16, 2020 at 1:49
  • 11
    During the Bernstein case someone produced tee-shirts saying "This shirt is a munition". Underneath it had a simple crypto algorithm in Perl and a machine-readable version in a barcode.
    Commented Apr 16, 2020 at 7:28
19

Actually, it looks like books with crypto algorithms were excluded from such exporting licensing requirements; in the Karn case:

The ODTC [Office of Defense Trade Controls] determined that the book, which contained the algorithms in printed form, was not subject to its export jurisdiction because it was in the public domain. However, the information on the floppy disk (which was identical to that in printed form in the book) was nonetheless subject to its jurisdiction because it was in the form of source code and thus considered a functional commodity. Karn was therefore required to register as an arms dealer and obtain an export license for the material on the floppy, but he was able to freely export the book.

Even though it was the same information, the material on the floppy was considered technical information because it did not meet the definition for a public domain exception under ITAR.

And how the regs defined that:

Sec. 120.18 Public domain.

Public domain means information which is published and which is generally accessible or available to the public:

(a) Through sales at newsstands and bookstores;

(b) Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;

(c) Through second class mailing privileges granted by the U.S. Government; or,

(d) At libraries open to the public.

[...]

PART 125

LICENSES FOR THE EXPORT OF TECHNICAL DATA AND CLASSIFIED DEFENSE ARTICLES

Sec. 125.1 Exports subject to this part.

(a) The export controls of this part apply to the export of technical data and the export of classified defense articles. Information which is in the "public domain" (see Sec. 120.18) is not subject to the controls of this subchapter.

6
  • 2
    footnote 17 of the Karn case says "The Court will not address whether the defendants can regulate the book pursuant to the AECA and the ITAR because that issue is not properly before this Court" law.justia.com/cases/federal/district-courts/FSupp/925/1/…
    – DavePhD
    Commented Apr 15, 2020 at 16:30
  • 1
    @DavePhD: yeah, but the ODTC decided not to try to even claim that.
    Commented Apr 15, 2020 at 16:31
  • I think that 37 CFR § 5.11 could also be an issue: law.cornell.edu/cfr/text/37/5.11
    – DavePhD
    Commented Apr 15, 2020 at 16:38
  • 1
    @Harper-ReinstateMonica Most likely registering as an arms dealer is the requisite for filing the paperwork for each specific export.
    – Nobody
    Commented Apr 16, 2020 at 17:51
  • 1
    @Harper-ReinstateMonica registration as a merchant of death means your company can apply to the State or Commerce Department (depending on the situation) for an export license. Some products sold to some close allies might not require a license, but in any case there is a lot of responsibility on the company. Even a disclosure to a foreign national at the neighborhood Starbucks or putting certain information on a website accessible internationally can be deemed an export.
    Commented Apr 17, 2020 at 8:18
13

Have a look at the case Bernstein v. United States.

In the early 1990s, Daniel J. Bernstein created the Snuffle encryption system. He wanted to publish it in an international conference. However, after asking the appropriate US department, he was told by the Office of Defense Trade Controls:

the information known as Snuffle 5.0 has been determined, under the Commodity Jurisdiction (CJ) determination process, to be a defense article

requiring him to register as an arms manufacturer. After much back and forth, he ended up suing in February 1995 (the basis being that the export-control laws were unconstitutional). Government lawyers claimed that his claim [that he was restrained from exporting it] was unfounded, “the product of his own misinterpretation of the facts and the ITAR.”

In its decision, the District Court stated that

plaintiff had every reason to believe his paper had been determined to be a defense article

So we can conclude from the District Court ruling that the US did prohibit the export, even though the ITAR later backed out and claimed they didn't.

There was a lot of requesting information, not receiving an answer, or hardly applicable ones. One of the funny pieces of the Court decision was:

Defendants also conclude summarily that both the definition of cryptographic software and the exemptions from this definition are clear to a person of ordinary intelligence. This seems to be a bit of dissimulation, unless it is a confession, since the ODTC itself mistakenly classified Bernstein's academic paper as a defense article under Category XIII.

The ruling in the case declared that software was protected speech under the First Amendment. Note that export rules changed, and it is now allowed to export a cryptographic algorithm, even in digital form.

You can read the documents of the case at Daniel Bernstein's page https://cr.yp.to/export.html including the multiple documentation involved.

3
  • 4
    I see, so the gov't was (probably) relying, at least for a while, on the uncertainty in interpreting the intricate regulations as an additional control mechanism (which only the very determined [to sue]) could probably get over. An interesting perspective/addition. (Someone might even call that "government legal FUD".)
    Commented Apr 16, 2020 at 23:04
  • 5
    A couple of examples of working around it: The PGP software was exported as a printed book. Niels Provos traveled to Canada for openssh coding so he wouldn't export crypto from the US. You may consider things like the Munitions T-Shirt as a way to protest the regulation...
    – Ángel
    Commented Apr 16, 2020 at 23:16
  • 5
    Export restrictions were stated very broadly, and they intended to enforce them. For instance Zimmermann was investigated. It was when facing an unconstitutionality claim that they changed their position.
    – Ángel
    Commented Apr 16, 2020 at 23:17
