New Zealand's Crypto Controls - The Final Chapter
This is (hopefully) the final chapter in the saga of New Zealand's crypto
controls, and documents two final issues: The changes made to the Wassenaar
arrangement in 1999, and the real situation with our export controls. The
following text is taken from a post to assorted crypto mailing lists and
newsgroups in mid-1999.
What happened
I've finally (it took more than a month to get a response) managed to get hold
of the General Technology Note and General Software Note from NZ's version of
the Wassenaar control lists (the other parts took mere days to obtain). In
previous versions, NZ has followed the US lead and altered the text so that the
GSN, which provides a more or less blanket exception for mass-market and
freely-distributable (which Wassenaar calls "public domain") software, itself
had an exception for crypto software, which reversed the intent of the GSN
exception. In the 1999 version, this change hasn't been made, and NZ now has,
for the first time, the same version of Wassenaar as most of the rest of the
world.
Here's the current New Zealand GSN text, which is identical to
the text used by
Australia:
General Software Note
The Lists do not control "software" which is either:
1. Generally available to the public by being:
a. Sold from stock at retail selling points without restriction,
by means of:
1. Over-the-counter transactions;
2. Mail order transactions; or
3. Telephone call transactions; and
b. Designed for installation by the user without further
substantial support by the supplier; or
N.B. Entry 1 of the General Software Note does not release "software"
controlled by Category 5 - Part 2.
2. "In the public domain".
For comparison, here's the more traditional, doctored version:
GENERAL SOFTWARE NOTE (GSN)
(This note overrides any control within section D of Categories 0 to 9.)
With the exception of Category 5, Part 2 (Information Security) Categories 0
to 9 of this list do not control "software" which is either:
[...]
[Australia still had this change made at the time the message was originally
posted, but the text was later restored to its original form. Apparently the
change was "an editing error"]
Why the change (or non-change) was made
I doubt the real reason will ever be known, but I have a possible explanation.
As I've documented in
the past, NZ has, in theory, some of the strictest export controls of any
country. Since I believe the basis for these controls (a version of the
Wassenaar control lists altered by the Ministry of Foreign Affairs and Trade
(MFAT) to suit their own requirements) is completely bogus and has no hope of
surviving a court challenge, for about the past 1 1/2 years I've been
systematically violating the controls in an attempt to get MFAT to enforce
them. At every possible opportunity I've exported any kind of crypto I could
think of, and been fairly open about telling people about it (having a series
of letters from MFAT telling me everything I couldn't do made it a lot easier
to ensure I did, although that wasn't the original intent of writing to them).
For example, I was quite happy to tell journalists that I'd been exporting
crypto in violation of the controls, and this has appeared in print a number of
times (eg one national magazine carried an article which said I was exporting
hundreds of copies of my crypto software a week as a protest against MFAT). In
the most extreme case, I stood up in front of a roomful of people at an
overseas conference, waved all the crypto (one example of everything :-) which
I'd exported around while explaining what I'd done, and later collected the
business cards of people I'd distributed it to in order to make absolutely sure
there was no disputing what had happened. I'm still waiting to be prosecuted
for this.
Eventually it became evident that MFAT were never going to enforce the
controls, because they had everything to lose and nothing to gain by doing so.
On the other hand forcing them into an open confrontation (for example by
taking out an ad in the paper saying I'd exported crypto) didn't seem like a
good idea either. The result was a stalemate.
The 1999 version of Wassenaar gave them a way out. Given the choice of having
to enforce the controls (resulting in a practically suicidal court case and
publicity they couldn't afford) or moving the boundary markers back six inches
in the night and hoping noone would notice, it looks like they decided to do
the latter. The result is that I can keep doing what I've been doing already,
and they don't have to take any action over it.
Obviously this is pure speculation, but the fact that they've been adamant
about sticking to their policy in the past ("This is our policy and we're not
changing it") would indicate that this wasn't a change made voluntarily. It's
nice to at least think that civil disobedience in the face of unworkable
government restrictions can still work, and it saved me a small fortune in
legal costs (I'd had estimates of up to NZ$100K in court costs if MFAT decided
to drag things out for as long as possible in court).
Further thoughts
The fact that tactics like this worked show just how precarious the position of
those trying to enforce crypto controls is. Their position wasn't made any
easier by the fact that in NZ the controls were applied in an illogical fashion
(even more illogical than the US) by a combination of MFAT and a secretive
government agency with no apparent accountability to anybody (the Government
Communications Security Bureau (GCSB), the local NSA subsidiary), the fact that
some of the shenanigans they'd engaged in in the past meant they really
couldn't afford to go to court over this, and the fact that the controls, being
based on a doctored form of the Wassenaar lists, were of questionable
legitimacy to begin with. MFAT found it easier to alter the controls in order
to avoid having to enforce them, than to try to enforce them (which is a
pretty sad indictment of crypto export controls as a whole).
To quote the Ninth Circuit court's ruling in the Bernstein case, MFAT used a
routine update of the controls to "line edit the regulations in an attempt to
rescue them". The same trick has been used before, when the US used the ITAR
to EAR switch to add a minor change which specifically allowed the export of
crypto in printed form, eliminating the ambiguity which Phil Karn challenged
where a book was exportable but the same material on disk wasn't. Similarly,
by fiddling with the details of New Zealand's controls, MFAT have moved
themselves out of an absolutely impossible position into a merely unreasonable
position. At the same time they've retroactively legitimised all my export
control violations (if such a thing is possible) so they don't have to take any
action over them, and made it very difficult for me to repeat this exercise,
because while it's easy enough to distribute a continuous stream of
freely-available material, doing the same with copyrighted commercial products
would run into problems for reasons other than export control violations.
Still, it's nice to know that they blinked first :-).