v2.6 for the rest of us

[hughes@ah.com (Eric Hughes)]

   Versions 2.5 and 2.6 however are obviously illegal exports, and I
   think that it is the fact that people think of one as legal and the
   other as illegal that makes the difference, and therefore we who
   are outside the USA need our own version to be brought up to date.

Legality is always relative to some jurisdiction.  Let us stipulate
for discussion that export of PGP 2.6 from the USA was in violation of
the ITAR.

Is PGP 2.6 in Europe an "illegal export"?  To wit, it is in the USA,
but not in Europe, barring specific reciprocity agreements.  Under USA
law, it violates the ITAR (by stipulation--now may be the time to
reach for the dictionary).  So, if the USA could manage to extradite a
2.6-user from Europe, that person could be tried under USA law,
convicted, and jailed.

Think not?  One word: Noriega.

Noriega was tried under USA law for activities which never took place
in the USA.  You think that sucks?  Well, expect the tendrils of law
to extend past the nominal geographic borders more often.  If
individuals can become locationally ambiguous, there's no reason to
expect governments to remain locationally confined.

Now, is USA law a threat?  Now is the time to estimate the cost of
extradition, trial, incarceration, etc. relative to other law
enforcement priorities.  It's pretty unlikely, in the case of PGP-2.6.
No need to lose sleep.

So, is it illegal in Europe?  Well, not usually.  What law of any
European state has a 2.6-user broken?  The ITAR is a USA law, not,
say, a German one.  There may be other statutes, as in France, which
could restrict its use, but they're not the ITAR.  So if I were living
in England, using PGP 2.6, I'd have nothing to fear from local
authorities as such.  (Maybe from them acting as extradition officers,
but you can figure out that difference easily.)

And I haven't even addressed detection yet.

Eric