[Cryptography] Laws and cryptography

John Gilmore gnu at toad.com
Wed Sep 11 16:20:13 EDT 2013

> ... the Wassenaar Arrangement clearly says that
> material, software and technology need an authorization to be exported /
> published.
> What is actually the status of the law about cryptography and publishing
> new algorithms? Is the cryptographer that publishes a paper without
> governmental authorization an outlaw?

There is a tension between fundamental freedoms and crypto controls.
Often fundamental freedoms win (as they should).  The Wassenaar
Arrangement is a private agreement among a bunch of governments -- it
is not a treaty -- and has no legal force at all.  What matters are
the statutes in your own country, and how they are interpreted.

I don't know of any cryptographers who have been punished under crypto
export controls, anywhere in the world, for publishing papers about
encryption.  So invent your own cryptosystem if you want, write about
it, and publish!

Human-written software was considered to be different from
human-written papers for a while; in the US it took three court cases
(Bernstein v. US being the first winner) to sort this out.  In the
1990s, Europe did not control freely published ("mass-market and
public-domain") software, and by 2000 that was true in the US also.

Unless you want to find and pay a lawyer with relevant expertise, the
best way to get a more-or-less definitive answer for your particular
country is to look in Bert-Jaap Koops' "Crypto Law Survey".  He has
been maintaining it for decades, and actually did his PhD thesis on
global regulations about encryption.  See:


> The department of the ministry of defense that handles this regulation
> can't answer if publishing a cryptographic algorithm needs an
> authorization.

Can't answer, or won't?  In the United States, both the NSA and the
agencies responsible for the export controls (State Department and
Commerce Department) have been known to lie to the public,
unofficially, about what is actually allowed.  Their tendency is to
talk you into assuming that you have no rights, even if the law is
clear that you do.  Or they will tie you up in knots over how you
might be able to comply with finicky regulations, without ever telling
you that you are exempt from those regulations.  We even caught them
lying officially once or twice (e.g. refusing export of Kerberos
authentication software on the bogus theory that someone, someday,
might adapt it to do encryption).

