5 February 1997

Mr Peter Gutmann
24 Durness Place

Dear Mr Gutmann,

Thank you for your letter of 20 January 1997 with regard to exporting two sets of encryption software to recipients in various countries in Europe. In the abscence of a formal application for an export permit, this letter provides some general comments on the points you raise.

First, perhaps we should explain the major factors involved when considering applications for the export of strategic goods including "dual use" goods such as encryption software. As you know from the copy of New Zealands Controls on the Export of Strategic Goods we sent you, the rationale behind strategic export controls is not only to limit the proliferation of weapons but also to inhibit terrorist and criminal activities. In making decisions on application for export permits for limited items, the considerations include not only (i) the nature of the good to be exported by also (ii) the destination of the goods and (iii) where required, sufficient end user certification for the goods. The point of strategic export controls is not to restrict trade, though in rare cases the very nature of controls means that a few exporters cannot distribute their products quite as freely as they would wish.

The export of strong encryption software

Both the software encryption products on which you have sought our comments contain a general purpose "cryptlib" encryption library[1]. This sort of product is considered a "dual use" good in terms of the New Zealand Export Controls which means that they are able to be adapted for military, terrorist or criminal use [2].

Many of the library components in the products for which you have sought our comment implement strong encryption. This aspect, in itself, is not necessarily grounds for declining a permit application, but it does mean that we would require certain assurances to the end user. Strong encryption features "almost identical" to the products you have described here were part of a recent application to the United States. You will be aware that the "Paysafe" software package was finally approved for export to Netsafe in its entirety because acceptable end user certification could be and was provided [3]. Similarly, an export of a version of "Paysafe" was approved to Singapore without complication [4].

From the product descriptions you have given us and the fact that those receiving the software products in Finland, Germany, the Netherlands and Great Britain are only intermediate consignees and clearly intend to distribute the products to be "obtained by any individual or organisation and there would be no control over who the end users would be"[5], it is unlikely we would be satisfied that the products would not fall into terrorist or criminal hands [6].

Enclosed is an export of strategic goods application form for your use should you wish to make a formal application in the future [7].

I hope this helps with your enquiries.

Yours sincerely

John Borrie
for Secretary of Foreign Affairs and Trade

[1] Apparently anything which performs encryption is called a "cryptlib". At least I've got mindshare.

[2] As can just about any other item which New Zealand exports, although they forget to mention this in the letter.

[3] After a nine month delay which helped drive the company into bankruptcy. The export was only approved after the company had ceased to exist.

[4] Again, there was a nine month delay, as much as US$20,000 in legal costs incurred by the company, the threat of legal action, two front-page stories in the National Business Review, and the bankruptcy of the company which applied for the export permit. Apart from that though, there were no complications.

[5] I have no idea where they got this quote from.

[6] This means that MFAT don't trust the people who originally wrote the code with a copy of their own software. Wow.

[7] It wasn't enclosed.