Dear Sir/Madam,
In June of this year the International Security and Arms Control Division of your Ministry required that a software program designed to protect banking transactions have its security deliberately compromised in order for it to be exportable from New Zealand. As the author of the security portion of the software, I am very concerned at this decision, not only because it will seriously hurt New Zealand trade and the image of New Zealand as a potential provider of security software and expertise for electronic commerce, but also because of the unusual nature of the export requirements and the way in which they were imposed.
The security software offers users the following key features:
In the last few years the growth of the Internet has made the prospect of online electronic commerce very attractive for businesses. Because the Internet is fast becoming all-pervasive, it allows even smaller businesses easy access to previously inaccessible international markets and provides consumers with the ability to do business with companies which were unavailable to them.
The one thing standing in the way of a global electronic commerce system is the lack of security available on the Internet. The way to provide this security is through the use of encryption software, which scrambles data sent over the net so that only properly authorized persons will have access to it. This allows data for banking transactions and related commercial activities to be safely transmitted over an otherwise insecure network.
The reason why the necessary encryption software isn't used worldwide is because US software houses currently supply around 75% of all mass-market commercial software in the world, but are prohibited by an obscure US law (the ITAR, now DTR) passed in secret during World War II from exporting this kind of security technology. This restriction is proving a goldmine for non-US countries who are provided with a captive market for security technology, protected for them by the US government. One report has estimated that by the year 2000, US firms will be losing 30-60 billion US dollars each year in sales to overseas competitors if the current policy remains unchanged (Computer Systems Policy Project, "Perspectives on Security in the Information Age", January 1996). This figure itself pales into insignificance compared to the "collateral damage" when other software deals fall through because a crucial encryption component can't be provided. Reports in early 1996 estimated the electronic-commerce market to be worth hundreds of billions of US dollars per year by the year 2000. The software, in the form of an encryption "library" which provides a general-purpose toolkit for adding security functions to other programs, is just such a "crucial encryption component".
Finally, data such as business and private correspondence sent over the Internet is also very vulnerable to interception and monitoring. There have been many reports of businesses losing sales because of illicit interception of electronic mail, often by foreign competitors (W. Madsen, "Online Industrial Espionage", Network Security, November 1994), or even supposedly "friendly" governments (Reuter, "Clinton instructs CIA to focus on trade espionage", Los Angeles, 23 July 1995).
The use of the software for applications such as protecting medical records transmitted between doctors, medical labs, and hospitals, has attracted a considerable amount of attention overseas. Because the software can't be sourced from the US, New Zealand companies are in a position to become leading suppliers internationally of the technology required to protect this kind of information. The same goes for protection of business correspondence: a number of New Zealand companies are desperately in need of this kind of software to protect the details of dealings with overseas suppliers and customers. This, again, is the kind of service which the encryption library was designed to provide.
The first problem with the ISAC decision is that it is unnecessary. Encryption software ceased to have any special status 20-25 years ago. Strong encryption software is available from virtually any country in the world (I could supply a list, but it would make this letter even longer than it already is), can be typed in from books available in bookstores (Whitcoulls and Dymocks in Auckland, for example), is taught in university mathematics and computer science courses (first-year maths lectures and second-year computer science at Auckland University), and includes algorithms so simple they can be implemented in about 10 minutes by anyone with the necessary typing skills (the algorithms used were RC4 and TEA, taken from a book available in Whitcoulls. The test subject was 12 years old). Any foreign competitor of a New Zealand company can walk into a bookstore, choose the algorithm they feel most comfortable with, type it in (using a 12-year-old child for the typing if they feel like it), and then sell it into a market which the ISAC has stopped New Zealand companies from competing in. Exactly the same software which was blocked from export can be downloaded from virtually anywhere over the Internet in a matter of seconds (if you have a world-wide web browser available, go to the http://www.altavista.digital.com (Altavista) site and type in "crypt" as the search string). This one index lists just under 45,000 locations worldwide for encryption information and software (it will only show the first 10,000 locations, which stretch on for around 1000 A4 pages which I won't include with this letter). I have included with this letter a sample of around half a dozen brochures from companies around the world who are selling the same encryption software internationally which the ISAC blocked from being exported.
This is merely a sample, taken from a stack of brochures around 20cm high, and represents products from Alwil Software (Czech Republic), Concord-Eracom (Germany and the Netherlands), uti-maco (Belgium), Crypto AG (Switzerland), LAN Crypto (Russia and eastern Europe, run by a division of the former KGB), Editel (Czech Republic), TeamWare (Finland and the UK), Algorithmic Research (Germany), and Ascom Tech (Switzerland). These products more or less cover every single function in the library which ISAC blocked, and this is not including the 45,000 Internet sites which contain the same information.
A problem related to this is that most of the software in the library comes from outside New Zealand anyway. The RC2 code comes from the Netherlands, the RC5 code comes from the proceedings of a UK conference published in a German journal, the DES and triple DES code comes from Australia, the Safer code comes from Switzerland and Singapore, the Blowfish code comes from Germany and Finland, and the IDEA code comes from Switzerland. The logic of prohibiting the export of, say, Swiss encryption code back to Switzerland is baffling, especially since foreign competitors are free to do the same thing.
Finally, the validity of the decision to disallow the export is questionable. Although ISAC never explained their decision, it is likely that they will claim that the software is covered by (originally) the old COCOM rules, now superseded by the Wassenaar agreement. However, a few months ago the Canadian government, which follows exactly the same regulations as New Zealand and other countries under the Wassenaar agreement, ruled that the entire library was freely exportable without any need for permits to any country except Libya, Angola and Iraq. I have attached the appropriate form and a covering letter from the Canadian Ministry of Foreign Affairs and International Trade which covers the library and another encryption program, showing that this is freely exportable.
In the light of this information - that New Zealand trade and the image of New Zealand as a potential provider of security software and expertise for electronic commerce are being damaged, and that the software which ISAC blocked from export is not subject to export controls - I would ask that you reconsider the decision and allow the full export of the encryption library as has been done by the Canadian government.
In addition, in order to help my understanding of the issue, I would appreciate it if you could provide answers to the following two questions:
Yours sincerely,
Peter Gutmann
Attachments:
ISAC fax of 11 June 1996 blocking export unless the security is deliberately compromised, making the product unmarketable.
Canadian Ministry of Foreign Affairs and Trade form and accompanying letter permitting unrestricted export (except to Libya, Angola, and Iraq) with no requirement for export permits.
Assorted brochures from overseas companies selling the same software which ISAC wouldn't allow the export of (I apologise for the quality of the copies, some of the coloured brochures didn't copy well).