
Crypto in New Zealand - an update



This is a continuation of the article I posted here a few weeks ago.  You can
find the whole thing at http://jya.com/nsazeal.htm.
 
Peter.
 
-- Snip --
 
On the 17th January significant parts of this story appeared on the front page
of the National Business Review (NBR), a fairly influential paper read by
(apparently) half the NZ business world.  The GCSB declined to comment on
anything except to acknowledge that there had been a meeting between a GCSB
person and the manager of Orion Systems.  The story also confirms (from talking
to some of the people involved) the GCSB - MFAT and GCSB - DSD connections.
 
The following week Andrew Mayo wrote a letter to the editor of the NBR
containing an eloquent defense of the use of encryption to protect personal
privacy.  MFAT replied to say that they were only following orders, and were
required by the Wassenaar agreement to restrict crypto exports:
 
  "Export permits normally were required only if the encryption was 40-bit or
   stronger, so most commercial encryption would not be affected".
 
I wonder where the 40-bit limit suddenly came from?  Note also the phrasing
"40-bit or stronger".  This means that anything including 40 bits is
restricted.  If they're going to try to blindly parrot US policy then they
should at least get their facts straight.
 
A few days later I found someone who knew what to ask for in order to get a
copy of the NZ export regulations.  I called MFAT and talked to a gentleman by
the name of John Borrie, who had recently taken over responsibility for this
affair from someone else who, to put it mildly, had been annoying to deal with.
I suggested to him that the GCSB were feeding him just the information they
wanted him to know and no more, and that perhaps he should avail himself of
alternate sources of advice.  He didn't see it quite that way.
 
The export regulations are identical to the Australian regulations, even down
to the layout style.  A few of the fonts differ, but that may be due to
different systems/printers/whatever.  There are several obvious holes in these
regulations, but I won't mention them now because they'll probably be used in
court fairly soon.
 
The following week the story was again on the front page of the NBR.  This time
the story covered the financial difficulties that Cyphercom had been plunged
into.  Because MFAT had stopped them from having any access to their product
for nine months, the company was considering filing for bankruptcy.  MFAT
spokesperson Caroline Forsyth commented:
 
  "US controls on the export of strategic goods are at least as strict as those
   of New Zealand... an export permit would normally only be required for
   encryption if it was 40-bit or stronger.  Most commercial encryption is well
   below 40-bit strength.  Almost all New Zealand exporters of software are
   unaffected".
 
The confused and nonsensical nature of these statements presents a scary
picture.  MFAT are a government department who (in this area) have no idea what
they're doing, but don't know that they have no idea.  Combined with the
sterling advice they seem to be getting from the GCSB, this could make them a
tough nut to crack.
 
In anticipation of what MFAT would say, I wrote a letter to the NBR editor
(which won the "Letter of the Week" award :-) which refuted their claims.  The
letter ended with:
 
  It appears that MFAT's position is based on an antiquated outlook which
  regards software to secure electronic commerce as some form of special
  military technology, a position which might have been reasonable a few
  decades ago but is totally out of touch with the modern use of computers and
  electronic communications.  In their October 1996 "Business File", MFAT claim
  that "New Zealand... is helping to limit the spread of increasingly
  sophisticated military technology and weapons of mass destruction".  Whether
  mass-market commercial software which protects financial transactions and
  medical records counts as "sophisticated military technology" or "weapons of
  mass destruction" is unclear (I suppose it's possible to beat someone to
  death with a floppy disk if you were very determined, but that hardly
  qualifies as "mass destruction").
 
  Finally, one of the goals of the Wassenaar agreement was to "not impede bona
  fide civil transactions", which MFAT have certainly done, and are continuing
  to do.  In the meantime anyone with a credit card and phone, or the ability
  to walk into a software store, can buy the same software overseas.  Stopping
  New Zealand companies from exporting widely available mass-market computer
  software of this kind "because terrorists might use it" makes about as much
  sense as stopping farmers from exporting beef and lamb "because terrorists
  might eat it".
 
  The issue of Management Technology Briefing included with last week's NBR
  reports on page 22 that there will be "a US$186 billion market in global
  transactions by the year 2000", along with a comment that securing these
  transactions - one of the goals cryptlib was designed for - remains a problem
  area.  Within the next few years the push towards electronic commerce will
  become a veritable steamroller.  By needlessly blocking the export of the
  technology required to secure this market, MFAT is helping ensure that New
  Zealand becomes part of the roadkill.
 
MFAT's parting shot was:
 
  "People trying to export encryption without clearance can be prosecuted under
   the Customs and Excise Act".
 
I should certainly hope so!  It's going to be difficult creating a test case to
get this nonsense thrown out if they refuse to prosecute me.
 
Stay tuned, this is going to get entertaining...