From: pgut001@cs.auckland.ac.nz
To: cypherpunks@toad.com
Message Hash: 8e4d3811db1882e22ba9912dd47263a73e54ad08ce9010565f609415e68d99de
Message ID: <85481663218919@cs26.cs.auckland.ac.nz>
Reply To: N/A
UTC Datetime: 1997-02-01 17:05:18 UTC
Raw Date: Sat, 1 Feb 1997 09:05:18 -0800 (PST)
From: pgut001@cs.auckland.ac.nz
Date: Sat, 1 Feb 1997 09:05:18 -0800 (PST)
To: cypherpunks@toad.com
Subject: Crypto in New Zealand - an update
Message-ID: <85481663218919@cs26.cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain
This is a continuation of the article I posted here a few weeks ago. You can
find the whole thing at http://jya.com/nsazeal.htm.
Peter.
-- Snip --
On the 17th January significant parts of this story appeared on the front page
of the National Business Review (NBR), a fairly influential paper read by
(apparently) half the NZ business world. The GCSB declined to comment on
anything except to acknowledge that there had been a meeting between a GCSB
person and the manager of Orion Systems. The story also confirms (from talking
to some of the people involved) the GCSB - MFAT and GCSB - DSD connections.
The following week Andrew Mayo wrote a letter to the editor of the NBR
containing an eloquent defense of the use of encryption to protect personal
privacy. MFAT replied to say that they were only following orders, and were
required by the Wassenaar agreement to restrict crypto exports:
"Export permits normally were required only if the encryption was 40-bit or
stronger, so most commercial encryption would not be affected".
I wonder where the 40-bit limit suddenly came from? Note also the phrasing
"40-bit or stronger". This means that anything including 40 bits is
restricted. If they're going to try to blindly parrot US policy then they
should at least get their facts straight.
A few days later I found someone who knew what to ask for in order to get a
copy of the NZ export regulations. I called MFAT and talked to a gentleman by
the name of John Borrie, who had recently taken over responsibility for this
affair from someone else who, to put it mildly, had been annoying to deal with.
I suggested to him that the GCSB were feeding him just the information they
wanted him to know and no more, and that perhaps he should avail himself of
alternate sources of advice. He didn't see it quite that way.
The export regulations are identical to the Australian regulations, even down
to the layout style. A few of the fonts differ, but that may be due to
different systems/printers/whatever. There are several obvious holes in these
regulations, but I won't mention them now because they'll probably be used in
court fairly soon.
The following week the story was again on the front page of the NBR. This time
the story covered the financial difficulties that Cyphercom had been plunged
into. Because MFAT had stopped them from having any access to their product
for nine months, the company was considering filing for bankruptcy. MFAT
spokesperson Caroline Forsyth commented:
"US controls on the export of strategic goods are at least as strict as those
of New Zealand... an export permit would normally only be required for
encryption if it was 40-bit or stronger. Most commercial encryption is well
below 40-bit strength. Almost all New Zealand exporters of software are
unaffected".
The confused and nonsensical nature of these statements presents a scary
picture. MFAT are a government department who (in this area) have no idea what
they're doing, but don't know that they have no idea. Combined with the
sterling advice they seem to be getting from the GCSB, this could make them a
tough nut to crack.
In anticipation of what MFAT would say, I wrote a letter to the NBR editor
(which won the "Letter of the Week" award :-) which refuted their claims. The
letter ended with:
It appears that MFAT's position is based on an antiquated outlook which
regards software to secure electronic commerce as some form of special
military technology, a position which might have been reasonable a few
decades ago but is totally out of touch with the modern use of computers and
electronic communications. In their October 1996 "Business File", MFAT claim
that "New Zealand... is helping to limit the spread of increasingly
sophisticated military technology and weapons of mass destruction". Whether
mass-market commercial software which protects financial transactions and
medical records counts as "sophisticated military technology" or "weapons of
mass destruction" is unclear (I suppose it's possible to beat someone to
death with a floppy disk if you were very determined, but that hardly
qualifies as "mass destruction").
Finally, one of the goals of the Wassenaar agreement was to "not impede bona
fide civil transactions", which MFAT have certainly done, and are continuing
to do. In the meantime anyone with a credit card and phone, or the ability
to walk into a software store, can buy the same software overseas. Stopping
New Zealand companies from exporting widely available mass-market computer
software of this kind "because terrorists might use it" makes about as much
sense as stopping farmers from exporting beef and lamb "because terrorists
might eat it".
The issue of Management Technology Briefing included with last weeks NBR
reports on page 22 that there will be "a US$186 billion market in global
transactions by the year 2000", along with a comment that securing these
transactions - one of the goals cryptlib was designed for - remains a problem
area. Within the next few years the push towards electronic commerce will
become a veritable steamroller. By needlessly blocking the export of the
technology required to secure this market, MFAT is helping ensure that New
Zealand becomes part of the roadkill.
MFAT's parting shot was:
"People trying to export encryption without clearance can be prosecuted under
the Customs and Excise Act".
I should certainly hope so! It's going to be difficult creating a test case to
get this nonsense thrown out if they refuse to prosecute me.
Stay tuned, this is going to get entertaining...
Return to February 1997
Return to “pgut001@cs.auckland.ac.nz”
1997-02-01 (Sat, 1 Feb 1997 09:05:18 -0800 (PST)) - Crypto in New Zealand - an update - pgut001@cs.auckland.ac.nz