[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The NSA's influence on New Zealand crypto policy



For nearly a year I've been involved in an ongoing battle with several
government departments and the odd intelligence agency in an attempt to clarify
NZ's position on the export of crypto software.  The whole story has now got
about as far as it can go, so I thought I'd share it with others.  I've been
trying to get the media to take an interest in this, but noone really seems to
care... if anyone knows any journalists who might be interested in it, feel
free to pass it on.  I've got more details including names of contact people
and phone numbers in case anyone needs to verify parts of the story.

The main players are:

The Government Communications Security Bureau (GCSB), a New Zealand
    intelligence agency (for US readers, the GCSB is the NZ subsidiary of the
    NSA).  The foremost authority on the GCSB is Nicky Hager, who recently
    published the book "Secret Power" which documents their activities.
The Defence Signals Directorate (DSD), an Australian intelligence agency (the
    Australian version of the NSA).
The Ministry of Foreign Affairs and Trade (MFAT), a New Zealand government
    department.
New Zealand Customs.
Cyphercom Solutions, a New York company which produces financial/online
    commerce systems.
Kiss Audio Video, an Australian video production company.
Orion Systems, a New Zealand company which produces medical information and
    communication systems for transmitting medical information.
Myself (Peter Gutmann) and cryptlib, my free encryption library
    http://www.cs.auckland.ac.nz/~pgut001/cryptlib.html

In April 1996 I got a call from someone who worked for Cyphercom Solutions, a
New York company who wanted to use my cryptlib encryption library in a project
they were working on.  Their lawyers wanted them to obtain an official,
physically exported copy so that there wouldn't be any complications later on
if the source of the software were ever called into question.  The application
involved financial transaction processing, and they had received indications
from the NSA that it would be looked on favourably in terms of getting export
permission.  Somewhat strangely though, they were given the distinct impression
that to get anywhere, they'd need to play ball with the NSA, even though it was
NZ software being exported from NZ, where the NSA should have no jurisdiction.

At this point a brief explanation of the export law situation in NZ is in
order.  The Customs Act of 1996, Section 54, "Prohibited Exports", states that
"The Governor-General may from time to time, by Order in Council, prohibit the
exportation from New Zealand of any specified goods or goods of a specified
class or classes" (followed by a list of specific conditions on prohibitions).
There's no further information in the Customs Act, but NZ Customs have a short
publication "New Zealand Customs Fact Sheet: Export Prohibitions and
Restrictions" which contains, among such curious items as cat skins and a large
list of agricultural products which can't be exported without going via the
appropriate government department, the item "Strategic goods such as computers,
navigation and marine equipment, firearms, ammunition, explosives, military
aircraft and vessels".  The responsible government department is the Ministry
of Foreign Affairs and Trade (MFAT, pronounced "em-fat").  Apparently computer
software comes under the same classification as computers (MFAT extends the
Customs definition of "Strategic goods" to cover "Computer technology,
information security systems, and telecommunications equipment").  The entity
within MFAT which handles this is the International Security and Arms Control
Division, who are advised by the Government Communications Security Bureau
(GCSB), the New Zealand NSA subsidiary.

Once you get past the part where NZ Customs are involved, the whole setup is
run like the mafia.  Nothing is ever written down, everything is done verbally.
Although it took only a paragraph to describe how this works, it took more than
two months of work to find out in practice.  Unless you know exactly who to ask
for information, noone has ever heard of these restrictions.  A search of NZ
legal databases found nothing.  Several IP lawyers had never heard of these
restrictions.  Noone seemed to know anything about any restrictions.  (In an
October newsletter, MFAT retroactively gave themselves jurisdiction over this
area, this is covered further down).

An initial discussion with MFAT revealed that NZ Customs tend to apply
restrictions based on the old COCOM rules, which have been superseded by the
Wassenaar agreement.  For this reason export permits are required for shipments
to certain eastern european countries, certain middle eastern countries, and
the current UN politically-incorrect-country club.  Export to countries other
than that would be unlikely to require a permit.

In May, Cyphercom therefore decided to try to export the software to the US and
Singapore.  Initially MFAT said this was OK.  Then at the last minute they
changed their minds and imposed the following restrictions:

 - No encryption algorithms except single DES.
 - Keysize limited to 64 bits (this is peculiar, I assume it's to stop me from
   using tricks like key-dependant S-boxes and DESX, which I'd discussed in
   email with people in the US some time ago).
 - Definitely no triple DES (this was specifically mentioned).
 - Export limited to object code only (so the key size couldn't be changed).

The text of the message (with a few names removed) is:

  "The Secretary of Foreign Affairs and Trade has no objection to the export of
   the XXX financial package, as detailed in the following application from
   YYY, *provided that* the library of encryption algorithms is limited to DES
   (but not triple DES) and any required hash algorithms, dated 15 May 1996".

In the accompanying description of the library, every single algorithm except
DES and the hash algorithms have been crossed out.  Note that this is for
export to the US, which has its own export restrictions anyway (the same thing
was done for the Singapore export).

Inquiries by lawyers in the US indicated that there had been a flurry of
communication between the NSA and the GCSB over this (as one person - not one
of the lawyers BTW - I talked to put it, "When the NSA says 'Bend over', the
GCSB says 'How far?'").  The NSA might as well have signed the export
(non-)permit themselves.  The story from the US lawyers was that there was
"repeated intervention of the NSA" and that "NZ is out of its depth, it was
terrified of offending the US".

>From the information I've been able to gather the whole thing seems to have
been initiated by the GCSB rather than the NSA, who were afraid to do anything
without NSA approval.  The GCSB went to the NSA and asked them what they should
do, the result was the (non-)permit.  A DSD person also later told a reporter
that the GCSB had gone to the DSD and asked them "Would you allow the export
under these conditions?".  The DSD said "No".

Shortly before this, the Canadian government, which follows the same export
guidelines as New Zealand (dual-use technology under the Wassenaar agreement),
had ruled that cryptlib was exportable to anywhere except the previously
mentioned restricted countries, with no permit necessary, and no need to apply
for a permit:

  "Application No.278466 covering cryptographic software proposed for export to
   England, this software is not controlled according to Canada's ECL.
   Therefore, provided the product noted in this application is not of US
   origin within the meaning of the ECL item 5400, these goods may be exported
   to any country, except Libya and Angola, without an export permit.  Please
   note that most goods to Iraq are still prohibited at this time, as well".

The interesting thing about the Canadian decision was that I was contacted
twice by Canadian export controls people who asked me a number of very detailed
questions about the software, whereas MFAT managed to come to their decision
without ever examining the encryption software or talking to its author.  As
far as I've been able to tell MFAT had very little to do with the decision:
They have to follow the GCSB's advice, and the GCSB won't do anything without
the NSA's permission.

The opinion from lawyers in NZ was that they were acting far outside their
authority.  In any case in late May two copies of the software on 3.5" disks
were sent out by a large accounting firm acting for Cyphercom, one to the US
and one to Singapore as provided for in the export permit.

At about the time the original export appeal was lodged, the GCSB had told
another NZ company, Orion Systems, that they couldn't export a product with the
encryption necessary to protect patient medical data, lab results, patient
referrals, and so on, without obtaining an end user certitificate for each
user.  To sell a copy to just the one overseas site which the inquiry was about
would have required otaining two thousand certifications from all the end
users.  Larger sites with ten thousand users are not unknown.  This meant that
Orion would have had to somehow obtain 2000 signed declarations from users just
to allow the exchange of medical records (this tactic has also been
successfully used by the US government to effectively block certain software
exports by US firms).  Orion didn't even bother going to MFAT, because if the
GCSB required these impossible-to-meet conditions then going to the next level
down in the chain of command would make no difference.

After chasing my way around a number of government departments I talked to some
people in the Ministry of Commerce who advised that the best way to resolve
this craziness was to write to MFAT and inform them that the Canadian
government had ruled that the library was freely exportable and that there was
no reason for them blocking the export, and ask under what authority the export
was being blocked.  This letter was sent to MFAT in mid-September
(incidentally, the way government departments refer to the GCSB is wierd. Noone
ever says "the GCSB", it's always "another government department" or "an
organisation which I won't name", as if there was some belief that using The
Dreaded Name will cause evil to descend upon the person who utters it, much
like the use of the work J*h*v* or Lovecraft's "He Who Is Not To Be Named").

Anyway, at this point, things started to get weird.  At about the time I wrote
the letter, I was FedEx'd an NDA sent from lawyers representing PGP Inc (a US
encryption software vendor) to Orion Systems, sent in a standard FedEx letter
envelope.  It was intercepted by NZ Customs and opened, and the contents
examined, before I got it.  This wasn't the usual random (and quite rare)
"Examined by Customs" spot check, the letter had a large red "Customs - Hold"
sticker on it with an LAX flight number, so I assume they knew in advance what
they were looking for.  NZ Customs couldn't tell me why it was intercepted, but
seemed a bit surprised that the letter had been opened.  They said that they
may have been "acting on information".

In early October, about a fortnight after I sent the letter to MFAT questioning
the export refusal and asking for clarification on what law they were using to
block the export (and many months after the export itself), the Australian
parent of the US company who wanted the export got a call from the Australian
Ministry of Defence (it was actually the DSD, but they generally identify
themselves as Ministry of Defence just like NSA employess are always identified
as Department of Defence rather than NSA).  This company, Kiss Audio Visual,
are a video production house who have nothing at all to do with encryption
software (or, in fact, anything but video production and graphics design, which
they are very good at).  They were called by Alan Owen of the DSD who said that
they had been informed that NZ Customs had intercepted a shipment containing a
high-security encryption product which was being illegally exported from New
Zealand.  According to the story, when NZ Customs went back to the party who
exported the software, they claimed it was on behalf of Kiss.  The Managing
Director of Kiss called the Ministry of Defence to make sure this was actually
for real, and they confirmed that it was.

This story has several very large holes in it:

- NZ Customs never intercepted anything.  The package containing the disks
  arrived in the US unopened, there was no "high-security encryption product"
  on the disks, and a Customs person has verified that NZ Customs have never
  intercepted any crypto software shipped overseas.

- There was no illegal export of any kind.  All the necessary permissions had
  been obtained from MFAT before the disks were shipped.

- The export was performed by Cyphercom, not Kiss.  Kiss happens to be the
  parent company, but (apart from a few business discussions carried out over
  international phone links), there was no other connection between Kiss and
  Cyphercom.

Alan said that this export had very serious consequences, and that they would
be coming to Melbourne to talk to Kiss at 2pm the next day.  The Kiss Director
immediately called Cyphercom in the US, and they discussed having serious
quantities of lawyers present at the meeting, and taking the whole story to the
media.

The visit was cancelled without any explanation.  Who says governments never
listen to their citizens?

(The DSD side of the story is that they were rather busy that day and didn't
have time to carry out their investigation).

The implications of this are interesting.  Despite the fact that MFAT had
already (in effect) denied permission for the export, someone with the ability
to listen in to international phone conversations had used discussions about
the export to fabricate a story about NZ Customs with which the Australian
government could harass Kiss, who had done nothing wrong and in fact had
nothing to do with the whole affair (unfortunately I don't have any proof of
the phone-conversation monitoring, but I can't see how anyone could possibly
have connected Kiss with Cyphercom except for the phone conversations - they
simply have nothing else in common).  Apparently whoever was pulling the
strings saw it necessary to bypass MFAT entirely in an attempt to suppress the
encryption software (this does not inspire confidence in the working
relationship between MFAT and the unnamed agency.  The identity of the unnamed
agency was later revealed by the DSD - see below).

Also in October, an article "Trade in Strategic Goods - An Update" in MFAT's
"Business File" publication, Vol.3, No.7 made specific mention that MFAT were
in charge of controlling the export of encryption hardware and software.  It's
pretty certain that this special mention was motivated entirely by attempts to
export cryptlib, because MFAT stated in a letter to me that they'd never
encountered anything like this before, so the claim that:

  "..the most commonly affected exports from New Zealand are of encryption
   hardware and software..."

is distinctly peculiar.  The last time anyone checked (a KPMG report from
mid-1994) NZ had no restrictions on the export of crypto.  Some time between
mid-94 and October 1996, export controls (or at least some vague mention of
controls) appeared, with MFAT having jurisdiction.  I suspect this was in
October 1996, *after* the whole export/non-export fiasco took place.

In any event the article contains some rather curious comments.  "Run-of-the
mill exports have usually been processed within 48 hours".  MFAT have now taken
9 months without showing any results, causing considerable financial hardship
for Cyphercom who are unable to ship a product or even obtain a sample copy for
demonstration to customers.  "New Zealand... is helping to limit the spread of
increasingly sophisticated military technology and weapons of mass
destruction".  Whether software to protect financial transactions and medical
records counts as "sophisticated military technology" or "weapons of mass
destruction" is unclear.

In late October I called MFAT to see what the delay was in replying to my
earlier letter, and received a reply the following week.  In their reply, MFAT
stated that the export (non-)permit was in fact not final, and was still under
consideration, which was at odds with what they had told Cyphercom and with the
wording of the permit itself (see above).  The letter also states:

  "We made it clear that it would take some time, as the application dealt with
   a relatively new area in terms of our export controls, and was in a rapidly
   changing and advancing field.  We... are currently discussing it and other
   issues it raises with relevant government departments".

(the "relevant government department" is the GCSB, this has been confirmed by
the DSD).  I interpret this paragraph to mean "We're making up the rules as we
go along".  The Canadian government certainly didn't seem to have any of these
problems when they covered the same issue.

MFAT declined to answer my question as to whether this portion of NZ's foreign
trade policy was being controlled by US intelligence agencies.

In early January 1997, Kiss were informed by the same Ministry of Defence/DSD
person (Alan Owen) that he and an associate would again be flying in from
Canberra to talk to them, using as justification the same fictitious story
about NZ Customs that they had used before.  They spent about two hours at
Kiss, saw that they were indeed a video production house (and nothing but a
video production house), and left.  Before they left, they told the Kiss people
that the source of the story about NZ Customs was "their counterparts in NZ"
(the GCSB).  Kiss had a lawyer present to witness this.

The implications of this are pretty scary.  The GCSB first used their position
to impose impossible-to-meet conditions on Orion and influence MFAT to
indefinitely delay export of software which isn't export-restricted anyway (or
at least not by any known NZ law) and which the Canadian government had already
ruled wasn't export restricted.  However, not content with this, they then fed
a fictitious story to the Australian government to convince them to begin an
investigation into a company which had done nothing wrong, and had very little
to do with the whole issue.

Foreign competitors of NZ companies will ship their encryption products within
15 minutes of a credit card order being received.  The GCSB, by employing all
sorts of devious measures, has managed to suppress distribution of the same
software by NZ individuals and companies.  Under their influence, MFAT have now
spent nine solid months brooding over the export of one single copy of
equivalent encryption software without showing any results.  This has had the
effect of protecting overseas markets for exploitation by foreign
competitors... by a ministry supposed to be in charge of promoting NZ trade.

To summarise, the situation is as follows:

1.There is absolutely no way that anyone could reasonably be expected to find
  out about what to do with crypto software in New Zealand.  NZ Customs have
  been extremely helpful throughout this affair, but had to keep deferring to
  MFAT, where everything stops.  Even the people charged with enforcing export
  conditions don't know what it is they're supposed to be enforcing.  If it
  wasn't for a number of lucky coincidences and occasionally knowing or running
  into the right people, I still wouldn't know any more about the situation.

2.Anyone trying to follow the vaguely-defined, possibly nonexistant rules, at
  least in New Zealand, is opening themselves up to government harassment, no
  matter how hard they try to follow whatever rules and regulations someone in
  the government comes up with.  The only safe way to distribute crypto
  software seems to be to either distribute it over the Internet, or to make
  sure you have enough media and political contacts to raise hell over any
  ensuing mail interception, possible phone tapping, government investigations,
  bogus stories about crimes being committed, and other niceties which may crop
  up.