Suppose that I was able to create a really strong cypher algorithm and then I decided to publish it on a website for anyone to implement. Bearing in mind some countries have restrictions on the strength of encryption that is allowed to be exported (I know the US does; does the UK?), could I get into trouble?
If not, what’s the point in the restrictions? It seems to me that any nation could employ virtually any computer science graduate to implement my strong cypher and be out of the reaches of the NSA, GCHQ et al.
From what I understand (I’m a little too pressed for time to look it up) you wouldn’t be able to export a program that does strong encryption but you can export the source code to such a program because that would be considered free speech.
I remember somebody put source code of DES on a t-shirt. The appeal of it was that you could wear it across the border and break the law, and there was virtually no chance of getting arrested for it.
No. Publishing an algorithm isn’t going to get you in trouble. Emailing a working program to someone in North Korea is much more likely to get you in trouble, as would shipping a secure telephone system to an enemy state. The law and regulations are primarily concerned about militarily useful hardware and software. One area that is treated differently is missile technology. Exporting technical data about missile technology can get you in a great deal of trouble.
The US export regulations have relaxed considerably from the old days when encryption was regulated by DoD as a munition. In the old days, source code was regulated and it would have been illegal, for instance, to email a non-US person the source code for PGP or the contents of the CD-ROM that accompanied the book “Applied Cryptography”.
Encryption export is now regulated by DoC with other technology exports. You can export almost anything these days, but some products require different levels of review and licensing. I am not an export expert, but it’s my understanding that source code is not restricted as long as it is “publicly available” but may require notification (not review or license). Export basics can be found here. A clarification of the rules for source code is here.
What’s the point of the restrictions? I don’t know. The old restrictions seemed to rely on the fact that only good loyal patriotic Americans can do math. The fact that plenty of non-Americans can do math and/or write software implementations of other people’s math was inconvenient and ignored. The US government was trying to limit the export of anything that could be used against it. This makes sense when talking about hardware like weapons, but makes no sense when talking about software. Luckily, they’ve realized that the export controls only hurt American business and don’t do anything to increase national security, so we’ve come a long way in approaching a more rational stance. /rant off.
Actually, it was RSA not DES, which may be why Google was no help. I haven’t seen a link to the shirts in a long time since the export rules changed. Having RSA in a few lines of Perl on a T-shirt was funny when encryption actually was classed as a munition, but now it’s just quaint.