DTI to ban electronic export of crypto from the UK!
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Thu, 02 Jul 1998 14:04:45 +0100

In a white paper at <http://www.dti.gov.uk/export.control/stratex/>,
President Beckett proposes to extend the export control regime from
physical goods to the `transfer of technology by intangible means'.

`The Government therefore proposes that new legislation should provide
it with the power to control the transfer of technology, whatever the
means of transfer. This power would be used to introduce secondary
legislation, which it is proposed should do the following:

`* Given the ever increasing ease with which information can be
transferred across national boundaries by electronic means, i.e.
by fax or e-mail, the Government proposes to provide that
documents transferred abroad containing controlled technology
should be subject to export licensing requirements, whether
exported physically or in electronic form.

`* Information can also be passed on in non-documentary form
(e.g. orally or through personal demonstration)...'

Beckett says she will limit this latter control initially to the
`areas of greatest concern' - weapons of mass destruction and
long-range missiles... because `there are sensitivities in relation to
free speech and academic freedom.'

Jolly sweet of her. But she just doesn't get it, does she?

It's all very well to grant me the favour that I won't have to get an
export permit to give my talk on Serpent at the Advanced Encryption
Standard conference in Ventura this August (at least, until she
decides to tighten up the regulations). I will just have to remove the
source code of Serpent from my home page, or go to jail.

The real killer is that, if these regulations had already existed, it
wouldn't have been possible to develop Serpent in the first place.
As Serpent evolved, many hundreds of emails were exchanged between
Cambridge, Bergen and Haifa, many of them containing fragments of
code. All of the emails leaving the UK would have had to be
licenced. I wonder what favours GCHQ would have demanded in return for
granting a licence?

It's not just Serpent that would have been impossible. All the other
stuff I've done with Eli, such as Lion, Bear and Tiger, would also
have been caught, and the bitslice work on DES he did here in
September 95 (and which led to the code that did the DES keysearch)
would at least have had to be redone when he went back to Israel.

In the future, we may have a much harder time getting research grants
from companies like Intel, which are currently funding us to develop
copyright marking and steganographic tools which they want to see
eventually on their US developers' web site.

The impact on major industrial players in the UK computer science
community, such as Microsoft Research and the Olivetti-Oracle Research
Labs, could also be severe. At present all these guys can develop
security code and ship it home by email. If shipping becomes licence
dependent, and licences depend on the goodwill of GCHQ, and everyone
knows that this depends on products being Trojanned, then no-one will
want to buy any UK security code ever again.

Ross

*Get Serpent now from <http://www.cl.cam.ac.uk/~rja14/#Cryptanalysis>*