Secretary of Foreign Affairs and Trade
Ministry of Foreign Affairs and Trade
Private Bag 18 901
Wellington
New Zealand

Dear Sir/Madam,

In June of this year the International Security and Arms Control Division of your Ministry required that a software program designed to protect banking transactions have its security deliberately compromised in order for it to be exportable from New Zealand. As the author of the security portion of the software, I am very concerned at this decision, not only because it will seriously hurt New Zealand trade and the image of New Zealand as a potential provider of security software and expertise for electronic commerce, but also because of the unusual nature of the export requirements and the way in which they were imposed.

The security software offers users the following key features:

The software puts these features in a standardised bundle that is suitable for financial institutions and other organisations to easily implement and thus is eminently marketable worldwide.

Effects on Trade and Commerce

The initial concern is with the effects this decision will have on New Zealand trade. As you may be aware of from a number of media reports, a global Internet-based electronic commerce system will provide an extremely powerful magnet for all manner of hackers and criminals. The nature of the Internet enables a criminal to perform an attack over long distances with virtually no chance of detection, and to disseminate knowledge of the attack and the tools necessary to carry it out within a matter of hours. The ability to carry this out more or less anonymously, at low cost, and with little chance of being caught, encourages attacks on financial systems.

In the last few years the growth of the Internet has made the prospect of online electronic commerce very attractive for businesses. Because the Internet is fast becoming all-pervasive, it allows even smaller businesses easy access to previously inaccessible international markets and provides consumers with the ability to do business with companies which were unavailable to them.

The one thing standing in the way of a global electronic commerce system is the lack of security available on the Internet. The way to provide this security is through the use of encryption software, which scrambles data sent over the net so that only properly authorized persons will have access to it. This allows data for banking transactions and related commercial activities to be safely transmitted over an otherwise insecure network.

The reason why the necessary encryption software isn't used worldwide is because US software houses currently supply around 75% of all mass-market commercial software in the world, but are prohibited by an obscure US law (the ITAR, now DTR) passed in secret during World War II from exporting this kind of security technology. This restriction is proving a goldmine for non-US countries who are provided with a captive market for security technology, protected for them by the US government. One report has estimated that by the year 2000, US firms will be losing 30-60 billion US dollars each year in sales to overseas competitors if the current policy remains unchanged (Computer Systems Policy Project, "Perspectives on Security in the Information Age", January 1996). This figure itself pales into insignificance compared to the "collateral damage" when other software deals fall through because a crucial encryption component can't be provided. Reports in early 1996 estimated the electronic-commerce market to be worth hundreds of billions of US dollars per year by the year 2000. The software, in the form of an encryption "library" which provides a general-purpose toolkit for adding security functions to other programs, is just such a "crucial encryption component".

Effects on Personal Privacy

Another major use for the software is to protect sensitive personal information such as personal financial data, medical records, doctors prescriptions, tax records, and so on. For example without the use of this software, medical records which contain very sensitive information such as psychiatric histories, diseases, or medical conditions, which would be extremely damaging if disclosed, can be accessed by outsiders. Without this software, electronic drug prescriptions from doctors can be forged. Without this software, financial data such as credit card information can be gathered on a massive scale by anyone willing to tap into the flow of data over the Internet (and this is all too easy to do, just ask your local 14-year-old hacker). The only way to protect patient medical records, to protect drug prescriptions, to protect private financial data, is to use software tools such as the encryption library.

Finally, data such as business and private correspondence sent over the Internet is also very vulnerable to interception and monitoring. There have been many reports of businesses losing sales because of illicit interception of electronic mail, often by foreign competitors (W.Madsen, "Online Industrial Espionage", Network Security, November 1994), or even supposedly "friendly" governments (Reuter, "Clinton instructs CIA to focus on trade espionage", Los Angeles, 23 July 1995)

The use of the software for applications such as protecting medical records transmitted between doctors, medical labs, and hospitals, has attracted a considerable amount of attention overseas. Because the software can't be sourced from the US, New Zealand companies are in a position to become leading suppliers internationally of the technology required to protect this kind of information. The same goes for protection of business correspondence: a number of New Zealand companies are desperately in need of this kind of software to protect the details of dealings with overseas suppliers and customers. This, again, is the kind of service which the encryption library was designed to provide.

Implications of the ISAC decision

In the light of this, the ISAC decision seems very strange. It seems curious that a Ministry charged with fostering foreign trade is deliberately blocking the export of the software required to carry out this trade over computer networks. Although permission to export the software was granted, it was required that all but the weakest encryption present in the software be removed, and that the software only be exported in "object code" format which renders it unusable on a large number of computers. The software provides a variety of protection systems or "algorithms" which are tuned to provide various levels of service. A combination of two or three algorithms might be necessary to provide a full range of security services for an electronic banking transaction, for example. The other reason for including a choice of algorithms is that some countries prefer particular security methods: the RC2, RC4, and SHA algorithms are more popular (and therefore more marketable) in the US, the IDEA and RIPEMD-160 algorithms are more popular in Europe, the SAFER algorithm is more popular in Asia, and so on. Company policy or adherence to international security standards may also require the use of a certain type of algorithm.

The first problem with the ISAC decision is that it is unnecessary. Encryption software ceased to have any special status 20-25 years ago. Strong encryption software is available from virtually any country in the world (I could supply a list, but it would make this letter even longer than it already is), can be typed in from books available in bookstores (Whitcoulls and Dymocks in Auckland, for example), is taught in university mathematics and computer science courses (first-year maths lectures and second-year computer science at Auckland university), and includes algorithms so simple they can be implemented in about 10 minutes by anyone with the necessary typing skills (the algorithms used were RC4 and TEA, taken from a book available in Whitcoulls. The test subject was 12 years old). Any foreign competitor of a New Zealand company can walk into a bookstore, choose the algorithm they feel most comfortable with, type it in (using a 12-year-old child for the typing if they feel like it), and then sell it into a market which the ISAC has stopped New Zealand companies from competing in. Exactly the same software which was blocked from export can be downloaded from virtually anywhere over the Internet in a matter of seconds (if you have a world-wide web browser available, go to the http://www.altavista.digital.com (Altavista) site and type in "crypt" as the search string. This one index lists just under 45,000 locations worldwide for encryption information and software (it will only show the first 10,000 locations, which stretch on for around 1000 A4 pages which I won't include with this letter). I have included with this letter a sample of around half a dozen brochures from companies around the world who are selling the same encryption software internationally which the ISAC blocked from being exported. This is merely a sample, taken from a stack of brochures around 20cm high, and represents products from Alwil Software (Czech republic), Concord-Eracom (Germany and the Netherlands), uti-maco (Belgium), Crypto AG (Switzerland), LAN Crypto (Russia and eastern Europe, run by a division of the former KGB), Editel (Czech republic), TeamWare (Finland and the UK), Algorithmic Research (Germany), and Ascom Tech (Switzerland). These products more or less cover every single function in the library which ISAC blocked, and this is not including the 45,000 Internet sites which contain the same information.

A problem related to this is that most of the software in the library comes from outside New Zealand anyway. The RC2 code comes from the Netherlands, the RC5 code comes from the proceedings of a UK conference published in a German journal, the DES and triple DES code comes from Australia, the Safer code comes from Switzerland and Singapore, the Blowfish code comes from Germany and Finland, and the IDEA code comes from Switzerland. The logic of prohibiting the export of, say, Swiss encryption code back to Switzerland is baffling, especially since foreign competitors are free to do the same thing.

Finally, the validity of the decision to disallow the export is questionable. Although ISAC never explained their decision, it is likely that they will claim that the software is covered by (originally) the old COCOM rules, now superseded by the Wassenaar agreement. However a few months ago the Canadian government, which follows exactly the same regulations as New Zealand and other countries under the Wassenaar agreement, ruled that the entire library was freely exportable without any need for permits to any country except Libya, Angola and Iraq. I have attached the appropriate form and a covering letter from the Canadian Ministry of Foreign Affairs and International Trade which covers the library and another encryption program, showing that this is freely exportable.

In the light of this information - that New Zealand trade and the image of New Zealand as a potential provider of security software and expertise for electronic commerce are being damaged, and that the software which ISAC blocked from export is not subject to export controls - I would ask that you reconsider the decision and allow the full export of the encryption library as has been done by the Canadian government.

In addition, in order to help my understanding of the issue, I would appreciate it if you could provide answers to the following two questions:

  • Under which New Zealand law is the ISAC decision to limit the export of the encryption library provided for? An extensive search of legal databases and consultation with lawyers could find no reference to restrictions on encryption software.

  • Given that there appears to be no New Zealand law covering the export of encryption software, and that the terms of the Wassenaar agreement allow the free export of the library (as the Canadian government has acknowledged), there is no reason to apply the export conditions which ISAC applied. The only country which requires exactly these conditions for export of financial software is the US under the ITAR/DTR, a situation which is completely out of line with the rest of the world. Does this mean that a part of New Zealand's trade policy is being dictated by arcane US regulations?

    I would appreciate it if you could treat this matter with some urgency as a number of sales depend on the availability of the library, and the inability to supply it to customers will result in lost business for New Zealand companies. In addition, there are three bills currently before the US Congress which would allow unrestricted export of US encryption software. Furthermore a US attempt to prosecute a programmer for export of the PGP encryption software was recently abandoned on the grounds that there was no case to answer. There are also two other cases working their way towards the Supreme Court to have the ITAR/DTR struck down as being unconstitutional. It is only a matter of time before any one of these will result in the US flooding the international market with encryption software. This makes it essential that New Zealand companies exploit the gap in the market to the maximum possible extent and generate a good customer base before US companies step in and dominate the field.

    Yours sincerely,

    Peter Gutmann

    Attachments:

    ISAC fax of 11 June 1996 blocking export unless the security is deliberately compromised, making the product unmarketable.

    Canadian Ministry of Foreign Affairs and Trade form and accompanying letter permitting unrestricted export (except to Libya, Angola, and Iraq) with no requirement for export permits.

    Assorted brochures from overseas companies selling the same software which ISAC wouldn't allow the export of (I apologise for the quality of the copies, some of the coloured brochures didn't copy well).