DTI to ban electronic export of crypto from the UK!
Brian Gladman
gladman at seven77.demon.co.uk
Sun, 5 Jul 1998 20:23:12 +0100
Once the EU 'Dual Use' Directive had been published it was inevitable that
the UK government would move on the intangible goods issue. The problem
here is that all sorts of nasty things (weapons of mass destruction etc) are
being bundled up with cryptographic products under the heading 'dual use'.
This probably serves GCHQ interests well but there is no longer any logical
basis for this and we need to get it changed.
The fact is that defence now depends on commercial technologies to a huge
extent and this means that nearly all modern electronic and computer
products could in principle be classified as 'dual use'. Of course this
would not be sensible and this makes it necessary to look for technologies
that are fairly unique to 'weapons of mass destruction' in order to operate
a sensible control regime. It is thus important that any controls that are
used to limit the proliferation of the 'technologies of mass destruction' are
carefully designed to limit the spread of those technologies that have
primary use in these areas rather than those technologies that happen to be
used in defence but which are designed for primarily commercial purposes. To
attempt to limit mass market electronic and computer products would be
disastrous.
Looking in particular at cryptography, it is a long established UK
government policy that published algorithms and commercial products will
***NEVER*** be used in defence. I know this policy well as I tried to get
it changed while I was in MOD because it was forcing the defence use of very
inferior products whilst also forcing the abortive expenditure of
unbelievably large sums of UK taxpayers' money to build 'secure' systems that
were indeed secure, but only because their performance was so poor that
no-one ever bothered to switch them on!
For a number of rather complex and obscure reasons that I won't repeat here,
pretty well all other governments will not use published cryptographic
algorithms or commercial cryptographic products either - they all believe
that their own 'home grown' cryptographic algorithms and products offer them
better protection. Since, therefore, published cryptographic algorithms and
commercial cryptographic products are never used in defence or weapons
programmes these cannot, by definition, be 'dual use'.
Given this situation it should hence be possible when the dual use
legislation is implemented to achieve changes in our existing cryptographic
export controls to limit their scope to products designed specifically for
defence and closely related purposes. This matches the need to target dual
use controls at technologies that are specific to 'weapons of mass
destruction' and avoids trying to control technologies that are designed for
commercial use. For those of us interested in the commercial world it is
not unreasonable to maintain controls on products designed specifically for
such uses; nor will this matter since no-one who is serious about
cryptographic information security is going to use such products (and their
secret algorithms) anyway!
So, Nigel, can we get the DTI to use this opportunity to amend cryptographic
export controls so that they apply only to activities, services and products
specifically associated with defence and weapons applications? Given the
DTI role in promoting commerce this is surely something to which you should
be able to give your strong support?
Brian
-----Original Message-----
From: nigel hickson <nigelhickson@compuserve.com>
To: INTERNET:ukcrypto@maillist.ox.ac.uk <ukcrypto@maillist.ox.ac.uk>
Date: 05 July 1998 09:39
Subject: Re: DTI to ban electronic export of crypto from the UK!
Colleagues
Given the level of concern generated (a mixture of some real problems and
just speculation) I will try and get my colleagues in DTI to host some
meeting or something. In the meantime I suggest you write in as directed
in White Paper. I am fairly sure that the "research" which Ross is
concerned about would be excluded from control under other parts in Control
List. I will try and provide more on this.
Nigel
PS This stuff about "encrypting messages to yourself under UK law" is -
of course - not correct.