80

I was reading up on the history of the PGP encryption software when I realised its creator was under criminal charges for munitions export without a license for releasing the source code of PGP.

What was so dangerous about PGP at that point in time that it was an offence under the law? I mean, PGP is just an encryption and decryption algorithm; what am I missing here?

TRiG
  • 609
  • 5
  • 14
Computernerd
  • 2,391
  • 9
  • 23
  • 30
  • 10
    afaik PRZ's records were subpoenaed in an investigation but he was never charged. the relevant law is the ["ITAR"](http://en.wikipedia.org/wiki/International_Traffic_in_Arms_Regulations) which is international arms regulation law that even regulates strong cryptography [rationalized as that it has "military applications"]. note the ITAR never seems to much restrict massive US "defense" corps from exporting _billions of dollars of highly lethal weaponry_ to "borderline" allies over many decades... – vzn Apr 07 '14 at 16:09
  • 2
    fyi some of the early history of PGP is also closely tied with [Hal Finney](http://www.forbes.com/sites/andygreenberg/2014/03/25/satoshi-nakamotos-neighbor-the-bitcoin-ghostwriter-who-wasnt/). more historical context: [Clipper chip](http://en.wikipedia.org/wiki/Clipper_chip) announced by presidential order/ghostbuilt by [NSA](http://en.wikipedia.org/wiki/Nsa) in 1993. note over the years ITAR sometimes restricts supercomputing technology also. – vzn Apr 07 '14 at 16:30
  • 20
    This question was more interesting when I misread it as 'PHP'. – AShelly Apr 08 '14 at 14:13

5 Answers5

104

PGP was considered dangerous because it could have allowed Soviet spies and military officers to plan the nuclear annihilation of the western world without the CIA realizing what's happening before it's too late.

Time for some history.

During World War II, the importance of cryptography for military use became apparent. Being able to crack enemy cryptography while also having cryptography systems for oneself which can not be cracked, proved to be an important military factor which could result in victory or defeat.

During the subsequent universal arms-race during the cold war, all sides were aware of this. Having the upper hand in cryptographic technology over the other side was considered a strategical factor which could turn the tide in another world-war. That meant that any knowledge-transfer of cryptography know-how from the Western to the Eastern world had to be prevented.

As a result of this doctrine, cryptographic technology was considered of military value and thus filed under Category XIII in the United States Munitions List. That meant any data storage medium which contained cryptographic software was legally considered like live ammunition when it came to moving it across borders.

From today's point of view it might seem absurd to try to contain knowledge through export restrictions designed for physical goods, but it fitted into the isolationist viewpoint of the military strategists of the cold war era. Also remember that this was the 70s, long before the internet age. This was decades before the time where you were able to obtain any software in the world via the internet through your favorite piracy website. Getting a piece of software from computer A to computer B usually meant to put it on a physical medium like a floppy disk, magnetic tape or (even earlier) punch-cards, and the movement of such physical media across borders seemed controllable (at least in theory).

Technology marched on. In the 80s, the first international computer networks emerged, and the hacker community began to flourish. The world became increasingly interconnected and soon it became apparent that containing knowledge within geographical borders was an exercise in futility. But as usual, politics and laws didn't keep up with technical innovation, so when PGP emerged in the 90s, it was still subject to cold war era laws regarding cryptography exporting. The algorithms it used were open secrets, available to anyone in the world capable of buying a modem and making long-distance phone calls. Hackers were tattooing them on their bodies to ridicule the cryptography export restrictions. But as a commercial company, PGP had to play along and find a loophole in the form of exporting their source code in printed form and re-transcribe it.

Although the restrictions on cryptographic technology have been relaxed in the past decades, some of them are still in place.

WΑF
  • 107
  • 5
Philipp
  • 48,867
  • 8
  • 127
  • 157
  • 19
    Not exactly before the internet, but before the widespread use of it (1991). To complete this history lesson it should be noted that around 1995 the source code was printed in a book, and thus suddenly it became legal to export it. And due to the effort of some typewriter monkeys, the PGPi version was born. – PlasmaHH Apr 07 '14 at 16:10
  • 1
    The criminal investigation didn't happen until 1993, after the Soviet Union was gone. In addition, the same argument regarding prevention of its use by the Soviet Union could equally be applied to its use by Al Qaeda. Restricting its export wasn't any more reasonable back then than it is now. – Warren Dew Apr 08 '14 at 05:58
  • 7
    @WarrenDew It took politicians a *long* time to stop being stupid about the internet. Arguably they still haven't stopped completely, for that matter... – Shadur Apr 08 '14 at 08:34
  • 4
    @Shadur I don't think they've stopped t all. – Warren Dew Apr 08 '14 at 08:35
  • 16
    That horrible, dark time in the 90s where we had no Soviet Union anymore but no Al Quaeda yet and the US government had no bogeyman to excuse their civil rights violations. – Philipp Apr 08 '14 at 09:45
  • 5
    Minor detail quibble that doesn't affect the your otherwise excellent post: militaries were aware of the importance of cryptography since before the Romans. Perhaps you meant the *US* military became of the importance of cryptography during WWII? – JS. Apr 08 '14 at 18:12
  • My favourite loop hole was the "International Edition" of Netscape, which was exported out of the US in the form of a book, then OCRed and compiled out of the US, then distributed normally. The only difference was the "International Edition" had been printed then OCRed. – Aron Apr 09 '14 at 03:58
  • @Aron Given today's state of the art OCR techniques, I have a few doubts about that story. – Mr Lister Apr 09 '14 at 07:08
  • @MrLister Apologies, it was actually PGP, not netscape (misremembered) http://www.pgpi.org/pgpi/project/scanning/ At the time a book was "freedom of speech", hence exempt from export restrictions. The effort required was non-trivial and highly manual, but never the less it did occur. – Aron Apr 09 '14 at 07:14
  • @Philipp The WTC was bombed in 1993, and i think _The Anarchist's Cookbook_, porn, and copyright were issues back then. [Don't Copy That Floppy!](https://www.youtube.com/watch?v=up863eQKGUI) – Cees Timmerman Apr 09 '14 at 08:42
  • @CeesTimmerman None of these issues were really frightening the us public enough to justify measures like the patriot act. There simply was no single, tangible force of evil in the 90s which appeared to be a serious threat to the "American way of life". – Philipp Apr 09 '14 at 22:23
  • 1
    "From today's point of view it might seem absurd to try to contain knowledge through export restrictions designed for physical goods" You mean, like, everything subject to copyright ? – Autar Apr 10 '14 at 14:46
  • FYI, it was in 1992 that the infamous 40-bit key length limit for the RC2 and RC4 algorithms was set (by a deal between the NSA and the SPA). You used a Commodity Jurisdiction in which they added special fast track processes for encryption review. – Yuhong Bao Jan 22 '15 at 05:06
23

For a long time, cryptography was something used by spies and armies, and was weak, and a lot of the weakness was tentatively fixed by keeping algorithms and methods as secret as can be. That's security through obscurity, which is BAD, but, to be honest, algorithms from the pre-computer era were so weak that they needed secrecy; security through obscurity was about the best that could be hoped for.

From this followed a strict system for controlling who could get access to cryptographic technology. Since USA have these nifty things called "constitutional rights", including "free speech", the best the US government could do was tightening things at the boundary, i.e. export regulations.

The field of cryptography changed quite a lot with the advent of computers and public research, specifically in the 1970s and 1980s. The regulations, though, were lagging, and military people were firmly clinging to strict rules because if there is something that armies know how to do, it is to maintain immobility at all costs.

Therefore, when Zimmerman tried to push PGP and export it, they all fell on his skin, by pure conservatism. The case was compounded by Phil Zimmerman's stance, who was overtly hostile to the Federal government, the military, the NSA, and just about everybody who exhibits the slightest bit of organization. He went for a fight; he got it.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 2
    Those things called "constitutional rights", including "free speech" weren't really appreciated much in the US at the time. Just ask gays or "communists". – Davor Apr 08 '14 at 07:39
  • Maybe not exactly the same time. PGP is from the early 1990s, not the 1960s. Yet the legal details mattered: Zimmerman managed to _legally_ export his code by printing it as a book (I have seen it: source code in a big, clear monospace font, and a big "scan this book" banner on the cover). – Tom Leek Apr 08 '14 at 12:45
6

It is illegal to export 128 bit symmetric encryption or certain levels of asymmetric. PGP exceeded these limits. These export control laws are why some security firms have clean room teams that build strong encryption without any US educated employees working on the team.

Technically, if you learned about high strength encryption in the US, you are not allowed to export or use that knowledge in certain countries.

It is considered munitions because it can be used for protecting information during a war.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • Things used to be more strict than they are today, which is actually why server-gated cryptography (SGC) exists; the laws allowed financial institutions to use 128-bit encryption, while restricting everyone else to 40- or 56-bit. An SGC SSL certificate on the server showed the browser you were 'allowed' to use 128-bit encryption, and the browser would 'step-up' the security for that connection. Now, it's mostly redundant as most everything supports 128-bit (or higher!) anyway. – Calrion Apr 08 '14 at 03:32
2

According to Wikipedia the Arms Export Control Acts permitted (at the 1990's) only weak crypto to be exported outside the U.S.

Dr.Ü
  • 1,029
  • 8
  • 16
0

Well back in the day even some commercial personal-level computers had export restrictions due to the cold war and the fear of illegal technology transfer to the enemy, but the reality is that the Soviets had an incredibly elaborated network used to procure foreign technology, let alone protect theirs.

From going straight to the source and bribing technicians and executives in nearly every industry to just sending someone to a store and smuggling it outside the country, like they did with the first Macs (the size helped a lot!)

It's know for example that the USSR created a network of fake banks and companies to acquire startups in Silicon Valley so they could have total and direct access to all data.

What happened with PGP was the dumb bureaucrat's idea of preventing a disaster, by the time they realized the problem with PGP the KGP most likely had already sent all materials home for analysis.

Ghost
  • 17
  • 1
  • 11
    Can you provide any sort of evidence to back up your claims about the USSR acquiring Silicon Valley startups? – Jonathan Leffler Apr 08 '14 at 02:20
  • Here is one case http://www.nytimes.com/1983/10/23/us/some-losers-in-silicon-valley-said-to-find-wealth-in-spying.html – Ghost Apr 10 '14 at 22:48
  • As I read it, the article describes a case of espionage, but does not describe a Russian-backed bank or other company taking over a Silicon Valley company. – Jonathan Leffler Apr 10 '14 at 23:15