New Zealand's Crypto Controls - The Final Chapter

This is (hopefully) the final chapter in the saga of New Zealand's crypto controls, and documents two final issues: The changes made to the Wassenaar arrangement in 1999, and the real situation with our export controls. The following text is taken from a post to assorted crypto mailing lists and newsgroups in mid-1999.

What happened

I've finally (it took more than a month to get a response) managed to get hold of the General Technology Note and General Software Note from NZ's version of the Wassenaar control lists (the other parts took mere days to obtain). In previous versions, NZ has followed the US lead and altered the text so that the GSN, which provides a more or less blanket exception for mass-market and freely-distributable (which Wassenaar calls "public domain") software, itself had an exception for crypto software, which reversed the intent of the GSN exception. In the 1999 version, this change hasn't been made, and NZ now has, for the first time, the same version of Wassenaar as most of the rest of the world.

Here's the current New Zealand GSN text, which is identical to the text used by Australia:

  General Software Note

  The Lists do not control "software" which is either:
     1.   Generally available to the public by being:
          a.  Sold from stock at retail selling points without restriction,
              by means of:
              1.   Over-the-counter transactions;
              2.   Mail order transactions; or
              3.   Telephone call transactions; and
          b.  Designed for installation by the user without further
              substantial support by the supplier; or

     N.B.  Entry 1 of the General Software Note does not release "software"
           controlled by Category 5 - Part 2.

     2.   "In the public domain".
For comparison, here's the more traditional, doctored version:

  GENERAL SOFTWARE NOTE (GSN)

  (This note overrides any control within section D of Categories 0 to 9.)

  With the exception of Category 5, Part 2 (Information Security) Categories 0
  to 9 of this list do not control "software" which is either:

  [...]
[Australia still had this change made at the time the message was originally posted, but the text was later restored to its original form. Apparently the change was "an editing error"]

Why the change (or non-change) was made

I doubt the real reason will ever be known, but I have a possible explanation. As I've documented in the past, NZ has, in theory, some of the strictest export controls of any country. Since I believe the basis for these controls (a version of the Wassenaar control lists altered by the Ministry of Foreign Affairs and Trade (MFAT) to suit their own requirements) is completely bogus and has no hope of surviving a court challenge, for about the past 1 1/2 years I've been systematically violating the controls in an attempt to get MFAT to enforce them. At every possible opportunity I've exported any kind of crypto I could think of, and been fairly open about telling people about it (having a series of letters from MFAT telling me everything I couldn't do made it a lot easier to ensure I did, although that wasn't the original intent of writing to them). For example, I was quite happy to tell journalists that I'd been exporting crypto in violation of the controls, and this has appeared in print a number of times (eg one national magazine carried an article which said I was exporting hundreds of copies of my crypto software a week as a protest against MFAT). In the most extreme case, I stood up in front of a roomful of people at an overseas conference, waved all the crypto (one example of everything :-) which I'd exported around while explaining what I'd done, and later collected the business cards of people I'd distributed it to in order to make absolutely sure there was no disputing what had happened. I'm still waiting to be prosecuted for this.

Eventually it became evident that MFAT were never going to enforce the controls, because they had everything to lose and nothing to gain by doing so. On the other hand forcing them into an open confrontation (for example by taking out an ad in the paper saying I'd exported crypto) didn't seem like a good idea either. The result was a stalemate.

The 1999 version of Wassenaar gave them a way out. Given the choice of having to enforce the controls (resulting in a practically suicidal court case and publicity they couldn't afford) or moving the boundary markers back six inches in the night and hoping noone would notice, it looks like they decided to do the latter. The result is that I can keep doing what I've been doing already, and they don't have to take any action over it.

Obviously this is pure speculation, but the fact that they've been adamant about sticking to their policy in the past ("This is our policy and we're not changing it") would indicate that this wasn't a change made voluntarily. It's nice to at least think that civil disobedience in the face of unworkable government restrictions can still work, and it saved me a small fortune in legal costs (I'd had estimates of up to NZ$100K in court costs if MFAT decided to drag things out for as long as possible in court).

Further thoughts

The fact that tactics like this worked show just how precarious the position of those trying to enforce crypto controls is. Their position wasn't made any easier by the fact that in NZ the controls were applied in an illogical fashion (even more illogical than the US) by a combination of MFAT and a secretive government agency with no apparent accountability to anybody (the Government Communications Security Bureau (GCSB), the local NSA subsidiary), the fact that some of the shenanigans they'd engaged in in the past meant they really couldn't afford to go to court over this, and the fact that the controls, being based on a doctored form of the Wassenaar lists, were of questionable legitimacy to begin with. MFAT found it easier to alter the controls in order to avoid having to enforce them, than to try to enforce them (which is a pretty sad indictment of crypto export controls as a whole).

To quote the Ninth Circuit court's ruling in the Bernstein case, MFAT used a routine update of the controls to "line edit the regulations in an attempt to rescue them". The same trick has been used before, when the US used the ITAR to EAR switch to add a minor change which specifically allowed the export of crypto in printed form, eliminating the ambiguity which Phil Karn challenged where a book was exportable but the same material on disk wasn't. Similarly, by fiddling with the details of New Zealand's controls, MFAT have moved themselves out of an absolutely impossible position into a merely unreasonable position. At the same time they've retroactively legitimised all my export control violations (if such a thing is possible) so they don't have to take any action over them, and made it very difficult for me to repeat this exercise, because while it's easy enough to distribute a continuous stream of freely-available material, doing the same with copyrighted commercial products would run into problems for reasons other than export control violations.

Still, it's nice to know that they blinked first :-).