13 February 1997

Mr Peter Gutmann
24 Durness Place
Orewa
Auckland

Dear Mr Gutmann,

Thank you for your letter of 2 February 1997 with regard to the possible restrictions on the export books[sic], magazines and journals containing encryption code.

As you will be aware from your copy of "New Zealand's Controls on the Export of Strategic Goods", "software" is defined as "... a collection of one or more "programmes" or "microprogrammes" fixed in any tangible medium of expression". This would appear to cover encryption code printed in books, magazines, and journals as well as data reproduced on a computer disk. Technically, the export of code in any form is regulated in New Zealand in terms of the guidelines below:

a. They contain encryption limited to
(i) 40-bit key lengths for symmetric algorithms;
(ii) 512 bits for asymmetric algorithms;
(iii) 56-bit DES for dedicated financial algorithms[1]

b. They are dedicated to specific applications and cannot be easily diverted to other uses;

c. Strict control is maintained over the distribution and ultimated[sic] end users of products.

We are unsure what your statement that your technical report "includes the right by recipients to disseminate it freely with no limitations on how it may be used" actually means [2]. It should be noted that at this time the New Zealand regulation does not include the General Software Note of the EU and Wassenaar Arrangement control lists. Therefore basic scientific research is not exempted from the requirement to obtain an export permit[3].

However, as we have said before, the intent of New Zealand's strategic export controls is towards ends such as reducing crime and fighting terrorism [4] - not to limit academic knowledge.

Accordingly, while we cannot make any commitment before receiving a permit application we would be inclined to consider favourably the physical export of your computer science report "Secure Online Electronic Commerce: The View from Outside the US" either in text, electronic or other storage format for academic purposes (for example, evaluation) provided that acceptable end user certification was produced in each case [5].

Yours sincerely

John Borrie
for Secretary of Foreign Affairs and Trade


[1] These requirements aren't recorded anywhere and have never been mentioned before they appeared in this letter. This is the NSA speaking (via the GCSB), not MFAT.

[2] I meant that libraries could put it on their shelves so people could read it, and even loan it out for people to read at home.

[3] In case there's any doubt about what this entails, each "end user" (ie anyone entering the library where the report was held) would have to fill out an end user certificate - a sworn statement certifying that the reader wasn't a terrorist or criminal - and return it to Foreign Affairs and wait for the 9 months it typically takes for them to grant approval to read the publication. What it means in practice (since it's completely impossible to meet these requirements) is that publication of academic research is prohibited.

[4] Their cunning plan to reduce crime is to halt the distribution of software tools specifically designed to safeguard data and stop criminals. Uh, yeah.

[5] Imagine that the code were published in Dr. Dobb's Journal or Communications of the ACM and then try and figure out how the publishers, distributors, and readers could comply with the MFAT requirements.