11 February 2003

Noticed the following on your 'Website:

"Encryption export controls protect U.S. national security, foreign policy, and law enforcement interests. Encryption products can, for example, be used to conceal the communications of terrorists, drug smugglers, and others intent on harming U.S. interests. Cryptographic products and software also have military and intelligence applications that, in the hands of hostile nations, could pose a threat to U.S. national security.

The Secretary has determined the United States has the ability to effectively enforce these controls. Detection of some encryption transactions is difficult since encryption components are often incorporated into other products and encryption software can be transferred over the Internet. However, the importance and value ascribed to commercial encryption products does lead to transfers and distributions that leave a trail that can be followed. In FY 2002, the Department of Commerce fined companies a total of $230,000 for export violations that involved controlled encryption items. It is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it is to restrict free distributions of "open source" encryption.

-- Bureau of Industry and Security, 2003 Foreign Policy Report, January 29, 2003"

Please see the attached letter dated February 6, 2003.  If Hacktivismo / Cult of the Dead Cow can export 256-bit AES all over the world from US-based servers (and Hacktivismo can do so as official U.S. policy now), I will respectfully suggest that the quotation, "It is easier to enforce controls on proprietary encryption technology and commercial encryption commodities and software than it is to restrict free distributions of 'open source' encryption," somewhat understates the reality that robust, ubiquitous, anonymous Internet use is about to become a reality for anyone who wants it -- *for free*.

Eric Grimm

http://cryptome.org/DOC_BIS.pdf