`Germany Frees Crypto' - do you believe it?

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Mon, 07 Jun 1999 11:34:51 +0100 

Some people are under the impression that France and Germany have
freed crypto. However, export controls look like being tightened. 
Guess who organised that? As Brian eloquently puts it:

> Moreover within Europe, the Senior Officials Group on Informaton
> Security and the EU Cryptography Working Group are attended by the UK.
> The UK has been heavily involved in continuing discussions with the US
> (Aaron et al) on the topic of encryption controls.  And the GCHQ/NSA
> axis continues to discuss in detail the issues involved in trying to
> limit the spread of cryptography.  Moreover a number of nations
> co-operate 'behind the scenes' in such bodies as ETSI to limit the
> strength of the encryption technologies deployed within
> telecommunications systems.

After last year's DTI white paper on export controls proposed to
control `intangible exports' as in the USA (but worse), there was an
explosion of outrage; a report from the Trade and Industry Select
Committee trashed the idea. Officials said that we shouldn't worry as
there was no parliamentary time for a bill this century.

However the relationships to which Brian refers above seem to have
been exploited to cause the EU to issue a draft regulation in much the
same terms as the bill (see http://www.cl.cam.ac.uk/users/rja14/#Lib
for details). When speaking to the relevant DTI wallahs, I detect a
distinct note of gloating to the effect that `we outsmarted you by
doing this through Europe - you can't stop us now'.

GCHQ's agenda is obviously to stop people like Brian and me having
crypto source code on our web pages. They don't seem to have 
understood that:

(a) the public domain exemption will apply to the Serpent home page
    which will still be there. If the exemption is removed, the Serpent 
    home page will still be available in Norway, Israel, Taiwan ...;

(b) there will be enormous harm done to industrial R&D and to
    university teaching <http://www.cl.cam.ac.uk/~rja14/export.html>.
    Essentially everything we do in the School of Technology, and 
    much of what's done in the School of Medicine, will fall under the 
    net, so we'll have to get personal export licences for an awful 
    lot of foreign students. The system may just collapse unless we
    take our courses fully public domain (I have done this: check out
    http://www.cl.cam.ac.uk/Teaching/1998/Security/). But fully
    public domain research would undermine the DTI's efforts to make 
    us do all our research in collaboration with industry;

(c) the absurdity and chaos will bring the arms control regime into
    disrepute. At present, judges confronted with an arms smuggler
    throw away the key; but given a couple of years of confrontation
    with RSA T-shirts and newspaper stories of ludicrous official
    decisions, the DTI will be laughed out of court;

(d) even with an EU regulation, they can't create a new criminal 
    offence - of unlicensed talking to a foreigner - without primary
    legislation. However, with an EU regulation in place, the UK
    government will find itself compelled to introduce this.

Those clever people at the DTI clearly hoped that, in going via Europe
rather than sponsoring UK legislation directly, they could avoid a
confrontation that might embarrass ministers. But they have merely
ensured that the confrontation will happen on the worst possible
terms. Once the regulation is passed, the government will have been
painted into a corner by Brussels; they will have to legislate; they
won't be able to delay and obfuscate, as with crypto policy, in the
hope that the problem will go away somehow; the apparent `European'
source of the stupidity will ensure that the Tories savage it; its
intrusive and disproportionate nature will get the Lib Dems up in
arms; the DTI's finesse of the select committee will upset Labour back
benchers (who are divided anyway because the hard left want all arms
exports banned); and the furore will be even worse than with crypto
policy as it will affect many more people.

For example, the metallurgy people next door to us use a focussed ion
beam machine to prepare samples for electron microscopy. This is an
export controlled device (you can also use it to break smartcards);
until now all that meant was filling a form when you bought it and
another when you put it in a skip seven years later. But under the new
regime, every foreigner with access to the software will need a
personal export licence - that's most of the research students and
some of the undergrads. Also, the current practice of swapping
programs with metallurgists in other countries will be choked off.
Stand by for some very unhappy materials scientists (and engineers
and chemists and physicists and medics and botanists and ...).

Nigel, you used to be at export control before you moved to crypto
policy. I bet you're glad you escaped in time!

Ross