Section 7.7. Cryptographic Export Restrictions

7.7. Cryptographic Export Restrictions

The U.S. government closely regulates the sale and export of cryptographic products developed within the United States. Export regulations are intended to restrict the use of products that ultimately could make an enemy nation's communications more difficult for U.S. intelligence agencies to decipher.

Most cryptographic export restrictions were eased under the Clinton administration, nevertheless, it is imperative that you verify that there are no restrictions in place against each nation with which you use cryptography.

In general, licenses are issued only for the governments and government contractors of the NATO countries, plus certain "friendly" governments, such as Canada, Australia, and New Zealand. License applications are considered on a case-by-case basis. NSA sometimes requires a vendor to change its own encryption algorithm to qualify for an export license. Licenses are easier to get for internationally based financial institutions with recognized needs for encryption.

Often, once overseas customers have acquired a product stripped of its cryptographic capabilities, they'll insert a different, home-grown encryption algorithm in the product.

By the same token, there are countries whose governments do not wish their populace to have access to powerful encryption. This was in fact the case here in the United States, where the developer of the Pretty Good Privacy encryption system found himself in no end of trouble for a few years for developing a powerful and efficient method of encrypting documents and email.

Generally speaking, encryption control falls into the categories of input, export, and domestic use, with come countries denying all three. A useful table is maintained by RSA Laboratories at the following web address: http://www.rsasecurity.com/rsalabs/node.asp?id=2333.