Mr Peter Gutmann
24 Durness Place
Orewa
Auckland
Dear Mr Gutmann,
Thank you for your letter of 2 February 1997 with regard to the possible restrictions on the export books[sic], magazines and journals containing encryption code.
As you will be aware from your copy of "New Zealand's Controls on the Export of Strategic Goods", "software" is defined as "... a collection of one or more "programmes" or "microprogrammes" fixed in any tangible medium of expression". This would appear to cover encryption code printed in books, magazines, and journals as well as data reproduced on a computer disk. Technically, the export of code in any form is regulated in New Zealand in terms of the guidelines below:
a. They contain encryption limited toWe are unsure what your statement that your technical report "includes the right by recipients to disseminate it freely with no limitations on how it may be used" actually means [2]. It should be noted that at this time the New Zealand regulation does not include the General Software Note of the EU and Wassenaar Arrangement control lists. Therefore basic scientific research is not exempted from the requirement to obtain an export permit[3].
(i) 40-bit key lengths for symmetric algorithms;
(ii) 512 bits for asymmetric algorithms;
(iii) 56-bit DES for dedicated financial algorithms[1]b. They are dedicated to specific applications and cannot be easily diverted to other uses;
c. Strict control is maitained over the distribution and ultimated[sic] end users of products.
However, as we have said before, the intent of New Zealand's strategic export controls is towards ends such as reducing crime and fighting terrorism [4] - not to limit academic knowledge.
Accordingly, while we cannot make any commitment before receiving a permit application we would be inclined to consider favourably the physical export of your computer science report "Secure Online Electronic Commerce: The View from Outside the US" either in text, electronic or other storage format for academic purposes (for example, evaluation) provided that acceptable end user certification was produced in each case [5].
Yours sincerely
John Borrie
for Secretary of Foreign Affairs and Trade
[2] I meant that libraries could put it on their shelves so people could read
it, and even loan it out for people to read at home.
[3] In case there's any doubt about what this entails, each "end user" (ie
anyone entering the library where the report was held) would have to fill out
an end user certificate - a sworn statement certifying that the reader wasn't a
terrorist or criminal - and return it to Foreign Affairs and wait for the 9
months it typically takes for them to grant approval to read the publication.
What it means in practice (since it's completely impossible to meet these
requirements) is that publication of academic research is prohibited.