DES export regulations. And what to do about it!

John Gilmore gnu at hoptoad.uucp
Fri Jan 4 06:41:39 AEST 1991


People can endlessly debate the small points of the rules; I want to
understand the big ones.  WHY SHOULD PRIVACY TECHNOLOGY BE ILLEGAL?
Why does the US government think that privacy is something neither its
subjects, nor the citizens of other countries, should have?

Back to details...

From: jfh at rpp386.cactus.org (John F Haugh II)
> Hopefully you will mention in your letter that DES should not be
> restricted by the Commerce Department either.  There is no reason
> to restrict DES software (or even hardware).

True.  Commerce Dept. rules are that software which is freely available
to the public is treated like documents, e.g. can be exported to any
destination under no-paperwork General Licence GTDA.  But this limits
commercial usage of encryption, which is a serious problem;
multinational companies are at a severe disadvantage in computer
security if they do their R&D in the US, because they can't export
the result.

DES is not the be-all and end-all of encryption either.  It's just
the "sticking point" where the Munitions people refuse to allow export.
There should be no controls on the import, export, or use of encryption.

From: bhoughto at hopi.intel.com (Blair P. Houghton)
>    . . . there's something to be said for prohibiting the
> export of sensitive technologies, regardless of the availability
> of related scientific information.

What exactly is "sensitive" about the availability of PRIVACY?

From: janm at dramba.neis.oz (Jan Mikkelsen)
>              It is considerably more difficult to design a piece of hardware
> with specific characteristics, for example, very high encryption speed,
> tamper resistance, small size, or the ability to operate in a hostile
> environment. . .  These should be sensitive, not the algorithm itself

What exactly is sensitive about the ability to produce a tamper resistant
package?  Do we not wish anyone who wants a tamper resistant package to
have one?  The only reason I can see for outlawing tamper resistance
is if the government wants to undetectably tamper with our things.

Small size?  What is sensitive about SMALL devices that provide
privacy?  If privacy itself is OK, why not portable privacy?

High speed encryption?  I presume the problem is high volume, not high
speed.  If privacy itself is OK, what business is it of the
government's how much data you choose to keep private?  I would think
that the government would encourage people with a lot of private data
(credit card companies, gun registration lists, payroll information for
large companies, etc) to have good means for keeping their information
private.

Hostile environments?  Hostile to what?  Certainly a privacy-assuring
device should operate in environments hostile to privacy :-).  High
temperatures, humidity, radiation, etc?  I don't think techniques for
heat-sinking, sealing, shielding, etc are export-controlled, though
there are some that are classified (and thus aren't even available to the
U.S. public).
-- 
John Gilmore      {sun,pacbell,uunet,pyramid}!hoptoad!gnu        gnu at toad.com
Just say no to thugs.  The ones who lock up innocent drug users come to mind.


