Cryptome DVDs. Donate $25 for two DVDs of the Cryptome collection of 47,000 files from June 1996 to January 2009 (~6.9 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, cryptome.info, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,100 (updated) pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

11 July 1999. Thanks to Nick Ellsmore and Brian Gladman.

This document available in original Zip-compressed .DOC format: http://jya.com/crypto97-ne.zip (zipped 75K; unzipped .DOC 243K; hardcopy 108 pages).

Introduction - Some words to remember...

Before reading this paper, it is important to have a general understanding of some of the most important concepts in cryptology. The following is an explanation of the terminology which should be understood before reading the body of the paper:

There are two ways to conceal a message. The first, steganography, involves concealing the existence of the message. This could be implemented by the use of invisible ink, or by concealing a secret message in apparently normal text - the message can be made up of every ninth letter. The second concealment method is cryptography, which doesn't conceal the existence of the message, but rather transforms it into unintelligible text which is meaningless to outsiders. Strong cryptography refers to cryptography of 64-bit strength or more, and weak cryptography refers to cryptography of a weaker than 64-bit strength.

A code is a set of all the words that will be used in any given message and the words (or numbers) with which to replace them. For example, It's Raining on Wednesday may be code for a given fighter plane to start a bomb run. There is no systematic method for generating or breaking a code - the only way to break a code is to guess correctly or get a copy of the list of codes.

A cipher uses a given system for scrambling information. This may take one of two forms: transposition or substitution. A transposition cipher keeps the same letters as the original message but changes their order. For example, PIC LTO CIA SPE is a very simple transposition of "special topic" - reverse the order of the groups of letters to get to the plaintext. A substitution cipher actually changes the letters in the message. The most famous substitution cipher is the Caesar cipher, which is explained in the section on history.

While a code operates on entire words or even sentences, ciphers often operate at a smaller level - for example, operating on individual letters. If you communicate using a code, you can only say something if a codeword exists to say it. Using a cipher, you can say anything.

The information to be scrambled is the plaintext. The scrambled information is either ciphertext or codetext, depending on the method. The final message sent is a cryptogram. If a message is not enciphered at all, it is cleartext.

While cryptography is the encoding of information, cryptanalysis (sometimes also called codebreaking) is the study of breaking codes and ciphers.

Together, cryptography and cryptanalysis make up cryptology.

Part I: A Historical Perspective

"It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously - as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write. Cultural diffusion seems a less likely explanation for its occurrence in so many areas, many of them distant and isolated."

- David Kahn, The Codebreakers

Cryptology

Cryptology has played a very important part in the history of civilisation as we know it today. From the first uses in Ancient Egypt to the beheading of Mary Queen of Scots and the Enigma codes of WW II, the making and breaking of ciphers and codes has been very influential.

The following is a brief history of cryptology - how we got to where we are today. The source of most of this information is David Kahn's 1967 book The Codebreakers, which to date is the most comprehensive and readable book on the underrated history of pre-computer codes and ciphers.

* * *

The first known use of cryptography is circa 1900 BC, in Egypt. An Egyptian scribe uses unusual hieroglyphic symbols in place of the more ordinary and common ones. This deliberate transformation of the writing is the oldest text known to do so.⁽¹⁾This use is better described as protocryptography⁽²⁾, as there was no intention to keep the information secret.

In the Old Testament of the Bible, written circa 500-600 BC, a simple substitution cipher known as ATBASH appears in Jeremiah 25:26 and 51:41. In this cipher, the last letter of the Hebrew alphabet replaces the first, and vice versa. In two instances, "Babylon" is replaced with "Sheshach."⁽³⁾Once again, however, there is no intention to keep the enciphered words secret, and the use of cryptography is civil in nature.

The first military use of encryption occurred around 475 BC, and it was the Spartans who used a device called the "skytale" to implement a transposition cipher for rendering communications between Spartan leaders and their subordinates unreadable to interceptors. The skytale was a staff around which parchment or leather was wrapped, and the message was then written down the length of the staff. When the leather or parchment was unwound from the staff, the letters were unintelligible until wrapped around a staff of the same thickness by the receiver of the message.^(4),(5) The skytale is therefore an early example of a transposition cipher. It should be noted, however, that the historical accuracy of the skytale's use as a cryptographic device has been questioned by an article in Cryptologia in late 1998.⁽⁶⁾

The first military use of a substitution cipher occurred during Caesar's reign, around 50-60 BC, and was named after him. The Caesar cipher is the simplest of substitution ciphers, and involves replacing each plaintext character with the letter three ahead in the alphabet. The number three was Caesar's choice - any number can be used.

The two alphabets were written one above the other:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

The plaintext characters (top row) were replaced with the characters on the bottom row. Hence SPECIAL TOPIC would become VSHFLDO WRSLF. Another example of a Caesar cipher is the classic computer HAL in 2001: A Space Odyssey. A single letter shift right turns H-A-L into I-B-M.

Looking at such a cipher today, it is hard to believe that it kept anything concealed from anyone - all it takes is about 25 English characters for an able cryptanalyst to reconstruct the plaintext through the use of frequency tables⁽⁷⁾ - but in Caesar's day, when few people could read at all, it was good enough.⁽⁸⁾

Despite the ease with which a Caesar cipher can be decrypted, it lives on today in the ROT13 encryption program. The ROT13 program uses a Caesar cipher which replaces each letter with the letter 13 ahead (ie "A" with "N" etc.). A rotation of 13 characters is special because with 26 letters in the alphabet, running the encryption program over the ciphertext returns to the plaintext (as "N" becomes "A" etc.). This program is not, however, intended to be used for security!⁽⁹⁾ Bruce Schneier, the author of Applied Cryptography, talks of two kinds of encryption - one keeps your kid sister from reading your work, the other stops the NSA. ROT13 is most definitely the former.

Written somewhere between 0 and 400AD, the Kama Sutra of Vatsayana lists cryptography as the 44th and 45th of 64 arts men and women should know and practice.⁽¹⁰⁾ The 44th is "the art of understanding writing in cipher, and the writing of words in a peculiar way," and the 45th is "the art of speaking by changing the forms of words."

At roughly the same time all around the world, cryptography in its most basic forms was springing up. This was the time when the level of sophistication and competency with language that Kahn referred to as leading to the spontaneous appearance of cryptography had been reached.⁽¹¹⁾

During the Dark Ages in Europe, writing itself almost disappeared.⁽¹²⁾ For this reason, between 500AD and 1400AD, Western cryptography stagnated.⁽¹³⁾When cryptography appeared again, it was at the most basic level. Messages were being sent with words written backwards, or vertically. Dots were substituted for vowels, and foreign alphabets were used.⁽¹⁴⁾

Towards the end of this period, some famous names turned their hands to cryptography. Francis Bacon, (c. 1214-1294) the English philosopher listed five methods of secret writing in his Epistle on the Secret Works of Art and the Nullity of Magic.⁽¹⁵⁾ About 1390, Geoffrey Chaucer also contributed to the history of cryptography by using a substitution cipher of invented symbols in his book The Equatorie of the Planetis.⁽¹⁶⁾

As cryptography began to lean more towards the concealment of information - due to increased military and government use - it began to be considered a black art. The gaining of knowledge from unintelligible text was considered akin to reading entrails or tealeaves.⁽¹⁷⁾

Through all these hundreds of years when cryptography had been progressing, its partner cryptanalysis had not yet been developed. Cryptology, as the combination of cryptography and cryptanalysis, was born among the Arabs.

The role of cryptology in history is generally not well understood, and is easily understated. It is not widely known that the beheading of Mary, Queen of Scots, was a direct result of the cryptanalysis and decipherment of secret messages sent between Mary and her conspirators in France. The messages were intercepted and read by Thomas Phelippes, Queen Elizabeth's cryptographer.^(18),(19)

The title "father of western cryptology" is given to Leon Battista Alberti, an artist-scholar, who in the late fifteenth century became the first cryptologist to use a polyalphabetic substitution cipher⁽²⁰⁾ - a cipher that uses more than one alphabet for substitutions, and hence defeats the common methods of decrypting substitution ciphers, such as the Caesar cipher.

In Alberti's polyalphabetic cipher, the alphabet used for encipherment is changed every few words. Alberti also took the step of using a code and a cipher, and enciphering the code words.⁽²¹⁾ This depth of encryption made Alberti's cipher unbreakable during the Renaissance. In fact, this class of cipher was not broken until the 1800s.⁽²²⁾However, they were not often used as they took much time and effort, and a single error in decryption rendered the rest of the message unrecoverable. This was the danger with polyalphabetic encipherment. Alberti's encryption was not entirely academic, however - it was used by the Union army during the American Civil War.⁽²³⁾

In 1518, Johannes Trithemius took Alberti's cipher one step further and changed the alphabet used for encryption after every letter.⁽²⁴⁾ The first systems of cryptography using "keys" appeared around 1553. This key system, although infinitely more complex, remains the basis of encryption today.

The greatest single leap in the creation of military ciphers was the invention of the telegraph, and later that of the radio.⁽²⁵⁾ "During the eighteenth and nineteenth centuries, cryptology became an almost universal practice, and non-secret codes came into existence for the use of merchants, bankers and businessmen as the use of Morse telegraphy became vital to expanding business as well as diplomatic operations."⁽²⁶⁾

During the nineteenth century, those governments that had previously used codes made the transition to ciphers. Once there was the capability of virtually instantaneous communication, foreign armies were employing machines to try to cope with the flood of encrypted messages.⁽²⁷⁾ "During the period 1914-1918 German messages totalling over one hundred million words had been intercepted by the Allies."⁽²⁸⁾

With each new technology invented, a means of encrypting data sent using that technology was invented. This first telephone scrambler was invented by James H. Rogers in 1881. This was only five years after Bell invented the telephone itself.⁽²⁹⁾

Mechanical encryption devices started appearing around the early 1920s, which were designed to automate encryption. Many of these machines were based on "rotors," a system where a mechanical wheel, or multiple wheels, were used to perform the required substitution.⁽³⁰⁾ Each rotor was an arbitrary permutation of the alphabet, and replaced one letter with another. The trick to these machines was having multiple rotors, and having the rotors shift between letters.⁽³¹⁾ The best known rotor device is the Enigma, the machine used by the Germans during WW II. The Enigma had five rotors, a plugboard for entering the message, and a reflecting rotor that caused each rotor to operate on each letter twice.⁽³²⁾ As complicated as this system was, it was broken during WW II, first by a team of Polish cryptographers, then by the British as the Germans modified the machine as the war progressed.⁽³³⁾

In The Codebreakers, Kahn makes the observation that "[m]odern western cryptology emerged directly from the flowering of modern diplomacy."⁽³⁴⁾ This is agreed to by Bielewicz, in Secret Language: "It was the world of diplomacy and warfare of the early European states that developed the modern science."⁽³⁵⁾It is this history of military and diplomatic cryptography that has current intelligence and law enforcement agencies feeling threatened by strong cryptography in the hands of the masses, and more specifically the potential for strong cryptography to fall into the hands of criminals. This fear is present in a 1994 Report into telecommunications interception in Australia - The Barrett Report - which concluded that "[w]hile Australian agencies all report that encryption has not been a problem to date, it is likely to become one in the future."⁽³⁶⁾

A good response to this perceived threat is found in the 1998 book Privacy on the Line, in which Diffie and Landau make the timely observation that:

"[t]he availability of wiretaps - legal or otherwise - for more than a lifetime has given us generations of police who cannot imagine a world without them."⁽³⁷⁾

As cryptography crossed the line from art to science, mathematicians started investing their time in creating stronger ciphers. The invention of the computer aided their work no end, and it is now true that the personal computer can encipher information to the point where without the key, the information is unrecoverable within the lifetime of the storage medium. This rapid development of cryptographic power has left legislators and governments in its wake, especially given that until recently there was very little demand for non-government cryptographic capabilities.⁽³⁸⁾

Ciphers as used by computers have two main components: an algorithm and a "key". There are two types of key systems: asymmetric and symmetric. In asymmetric (also known as 'public key') encryption, one key is public but the other key is kept secret. A message is encrypted using the public key and can only be decrypted by using the private key.⁽³⁹⁾ The keys, while being a pair, are created such that it is impossible in practice to determine the private key from the public key.

In symmetric (also known as 'secret key') encryption, the same key is used to encrypt as to decrypt. The practical weakness of symmetric cryptography is the security needed when transferring the key. To ensure the security of the key, public key encryption is often used for the communication of the secret key to be used for symmetric encryption, which is preferable for both security and speed. In both asymmetric and symmetric encryption, the bigger the range of possible keys, the longer it will take to break the cipher. Even with the international defence community's most powerful computer technology, it is possible for any person to encrypt data so that it is not currently possible to decrypt the data without the secret key.

* * *

Arms Control: COCOM & The Wassenaar Arrangement

The power of an encryption system is expressed by the length (in bits) of the key. The most common encryption used today - the Data Encryption Standard (DES) - uses a 56-bit algorithm. This means that there are 2⁵⁶ different permutations - in other words, there are 72,057,594,037,927,936 possible keys. While this is a lot of keys, a code-cracking contest was won recently by a group of computer experts who cracked a 56-bit key in 22hrs and 15mins.⁽⁴⁰⁾ While this may seem a long time, it is without a large investment of money or specialised equipment - both things many national Departments of Defence have at their disposal. Even in the civilian domain, with a machine costing between US$1 million and US$1.5 million, the 56-bit DES system can be cracked in an average of 3.5 hours.⁽⁴¹⁾

However, the difficulty of cracking a symmetric cipher rises exponentially. For an n-bit key, there are 2ⁿ possible keys to cycle through in a brute force attack. Hence each bit added to the key length doubles the amount of time required to try every possible key. William Crowell, Deputy Director of the US National Security Agency (NSA) stated in a 1997 US House of Representatives' Committee on International Relations hearing that with current technology, a 64-bit algorithm would take 7,000 years to crack, and a 128-bit algorithm would take 8.6 trillion times the age of the universe.⁽⁴²⁾ While being a typical national security exaggeration, it is true that 128-bit encryption is for all intents and purposes currently "uncrackable," and is becoming more widespread by the day.⁽⁴³⁾ It has been estimated by senior cryptographers that to protect a message for 20 years will take a minimum of 90-bit encryption.⁽⁴⁴⁾

From this comes the conflict between law enforcement and national security on the one side, and personal privacy, confidentiality, and human rights on the other. As the Australian Information Industry Association stated in its Draft Policy on Encryption:

"[e]ssentially the argument is whether to put the demands of crime-fighting before those of protecting the privacy of businesses and individuals."⁽⁴⁵⁾

The conclusion of Gerard Walsh's Review of Policy Relating to Encryption Technologies ("The Walsh Report") - performed on invitation from the Attorney-General's Department with the task of offering a view on whether legislative or other actions are required to cater for national security and law enforcement interests while being conscious of privacy issues⁽⁴⁶⁾ - identifies the conflict thus:

"[S]trong cryptography, imminently available to the mass market, will offer significant enhancement of data security and personal and corporate privacy, but also provide a powerful shield behind which criminals and others may operate."⁽⁴⁷⁾

The control of encryption is presently achieved through the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (The Wassenaar Arrangement), a multilateral agreement intended to restrict the proliferation of products with potential military applications. Encryption is explicitly included in the section regarding "dual-use goods and technologies" - products which have a genuine use in the civilian realm, whilst remaining potentially dangerous if used in war.^(48),(49)

Prior to the Wassenaar Arrangement, a similar function was performed by the Coordinating Committee for Multilateral Export Controls (COCOM), which was established in 1949 to control strategic goods and technology. Unusually, COCOM did not ever have a treaty or executive agreement, instead it was based on informal agreement and a rule of unanimity. The secretariat was located in Paris and member countries had permanent delegates.⁽⁵⁰⁾ Australia was not a member of COCOM until April 11, 1989 following changes in Australia's export controls bringing them in line with those operated by the Committee.⁽⁵¹⁾

In the early 1990s, as part of the fallout of the Cold War, it was decided that COCOM's East-West focus was no long appropriate. In June 1992, COCOM members invited the former Soviet republics to participate in a COCOM Cooperation Forum on Export Controls. At the Forum's first meeting, in Paris in November 1992, representatives from all Eastern European democracies, the Baltic states, and all but three of the former Soviet republics attended.⁽⁵²⁾ It was this forum that laid the path for the removal of COCOM itself. A new agreement was needed to "deal with risks to regional and international security and stability."⁽⁵³⁾

On the 16th November 1993, a High Level Meeting (HLM) of the COCOM member states agreed to terminate COCOM and establish a new arrangement. This was confirmed at a further HLM in Wassenaar, Netherlands on 29-30 March 1994. COCOM ceased to exist the next day, 31 March 1994.

On 30 March 1994, The White House issued a press release stating that:

"The members of COCOM have agreed to end the Cold War regime effective tomorrow. The end of the Cold War and the disintegration of the Soviet Union and the Warsaw Pact led us and our allies to the view that COCOM's strategic rationale was no longer tenable."⁽⁵⁴⁾

Agreement to establish the "Wassenaar Arrangement" was reached at the HLM on 19 December 1995.⁽⁵⁵⁾ The inaugural Plenary meeting of the Wassenaar Arrangement was held 2-3 April 1996 in Vienna, Austria, which is now where the office of the Wassenaar Arrangement Secretariat is located. Unlike COCOM, the member countries do not have permanent delegates, rather they send delegates to the meetings as they arise. Australian delegates to Wassenaar meetings have included representatives from the Department of Foreign Affairs and Trade and the Defence Signals Directorate. This meeting resumed on 11-12 July 1996, and final consensus on the "Initial Elements", the basic document of the Wassenaar Arrangement was reached. The new control lists came into effect 1 November 1996.⁽⁵⁶⁾

Whereas the COCOM regime consisted of 17 member states, The Wassenaar Arrangement expanded this to have 33 cofounding countries. The 33 cofounders were made up of the original 17 COCOM states (predominantly the member states of NATO): Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Netherlands, Norway, Portugal, Spain, Turkey, United Kingdom and United States; the six COCOM "cooperating countries": Austria, Finland, Ireland, New Zealand, Sweden and Switzerland; and new members Russian Federation, Czech Republic, Hungary, Poland, Slovak Republic, Argentina, Republic of Korea, Romania, Bulgaria and Ukraine.

In an explanatory document regarding the Wassenaar Agreement, the Secretariat stated that:

"[t]he Wassenaar Arrangement was designed to promote transparency, exchange of views and information and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations."⁽⁵⁷⁾

The Wassenaar Arrangement is implemented through the use of "control lists," which are lists negotiated at the Wassenaar Arrangement meetings, and contain sensitive goods and technologies which the parties to the Arrangement wish to control. These lists are intended to be incorporated into the domestic law of the signatories to the Arrangement. In Australia, these lists are incorporated into the Defence and Strategic Goods List which is referred to in the Customs Act.

Whether the Wassenaar Arrangement fosters transparency is very questionable, and as Dr Brian Gladman, Crypto Policy Co-ordinator for Cyber-Rights and Cyber-Liberties (UK) stated, via email, of the situation in the United Kingdom, "[The Wassenaar Arrangement] is an 'arrangement' and not a 'treaty' and this means that the UK government can agree to it without having to take its case through Parliament. Thus UK citizens cannot challenge it."

Analysts in the United States have estimated that existing export controls could cost the US software industry more than $30 billion in lost sales.⁽⁵⁸⁾ Despite this, the Wassenaar Arrangement Secretariat's explanatory document also claims that "[t]he Arrangement does not impede bona fide civil transactions."⁽⁵⁹⁾ Until the Wassenaar Arrangement meeting of December 1998, the Arrangement attempted to ensure this was so by including an exemption for mass market and public domain software from the controls of the Arrangement. This exemption, the General Software Note (GSN), stated that:

The Lists do not control "software" which is either:
1.   Generally available to the public by being:
     a.   Sold from stock at retail selling points
          without restriction, by means of:
          1.   Over-the-counter transactions;
	  2.   Mail order transactions; or
          3.   Telephone call transactions; and
     b.   Designed for installation by the user without
          further substantial support by the supplier; or


2.   "In the public domain".(60)

Australia, despite being a signatory of the Wassenaar Arrangement, did not allow this exemption. In the "Statements of Understanding" preceding the Defence and Strategic Goods List, the aforementioned General Software Note is prefaced with:

With the exception of Category 5, Part 2 (Information
Security) . . . this list does not control "software"
which is either: . . . [continued as above](61)

Along with Australia, four other countries also disallowed the GSN waiver: The USA, New Zealand, France and Russia.⁽⁶²⁾

At the December 1998 meeting of the Wassenaar Arrangement countries, it was decided to allow the export of sub-64 bit mass-market encryption products. This was essentially a concession to the reality that already existed, which was then traded off against the strengthening of restrictions placed on stronger encryption. Essentially, the US Government's doctrine of "if the Government can't easily crack it, you can't export it," has been adopted by the member countries.⁽⁶³⁾ In a public statement issued from Vienna on 3 December 1998, it was declared that the amendments:

"included . . . the modernisation of encryption controls to keep pace with developing technology and electronic commerce, while also being mindful of security interests."⁽⁶⁴⁾

The General Software Note has now been exempted for Category 5, Part 2 (Information Security) of the Dual-Use List. In its place is a new note which states:

"5.A.2 and 5.D.2 do not control items that meet all of
the following:
a.   Generally available to the public by being sold,
     without restriction, from stock at retail selling
     points by means of any of the following:
     1.  Over-the-counter transactions;
     2.  Mail order transactions;
     3.  Electronic transactions; or
     4.  Telephone call transactions;
b.   The cryptographic functionality cannot easily be
     changed by the user;
c.   Designed for installation by the user without
     further substantial support by the supplier;
d.   Does not contain a "symmetric algorithm" employing a
     key length exceeding 64 bits; and
e.   When necessary, details of the items are accessible
     and will be provided, upon request, to the
     appropriate authority in the exporter's country in
     order to ascertain compliance with conditions
     described in paragraphs a. to d. above."(65)

The similarities to the GSN are obvious, but the additions are striking and blatant attempts to keep the encryption genie in the box. While (d) restricts the strength of the encryption to 64 bits - a strength widely accepted as being inadequate, (e) ensures that national security agencies can get the code to the algorithms used for encryption to help them figure out how to break them.

The increased restrictions on cryptography came as a surprise given the recent outspokenness of many member states, including Canada, Ireland and Finland who have announced pro-cryptography policies.⁽⁶⁶⁾ In addition to these countries, many multinational corporations such as IBM, Sun, Microsoft and Netscape have lobbied against restrictions limiting the security they can include in the software sold on the international market.⁽⁶⁷⁾ Not surprisingly, the push for increasing restrictions was led by the United States, the international superpower of communications intelligence. David Aaron, the American special envoy on cryptography left the meeting claiming success, and claimed the new restrictions:

"enable[d] governments to review the dissemination of the strongest encryption products that might fall into the hands of rogue end-users."

Part II: The Current Situation

"Export controls and government-prescribed key recovery will not keep strong encryption out of the hands of criminals and terrorists, because the technology is readily available worldwide without key-recovery features . . . Recent calls for "balance" make enticing sound bites (who would be opposed to "balance?") but compromise the freedom to innovate and sacrifice vital civil liberties."

- Solveig Singleton, Director of Information Studies at the Cato Institute

The Requirement for Cryptography

Cryptography is needed because of the lack of transmission security in current electronic networks, especially the Internet. As the OECD Ad hoc Meeting of Experts on Cryptography Policy pointed out while discussing the proposed guidelines:

"in the emerging information and communications infrastructure neither open networks, nor many types of private networks, were designed with confidentiality of communications and storage of data in mind."⁽⁶⁸⁾

Cryptography's application in electronic commerce transactions is absolutely essential if the Global Information Infrastructure (GII) and business on the Internet are going to succeed. Electronic Frontiers Australia, in their Introduction to Cryptography, state that the major applications for encryption are:

"(1) To protect privacy and confidentiality.

(2) To transmit secure information (eg credit card details).

(3) To provide authentication of the sender of a message.

(4) To provide authentication of the time a message was sent."⁽⁶⁹⁾

* * *

Export Controls in Australian Domestic Law

The Wassenaar Arrangement control lists must be integrated into each signatory's domestic law before they become effective. In Austalia, this is achieved through the Customs Act 1901 and the Customs (Prohibited Exports) Regulations.

The Customs (Prohibited Exports) Regulations - Regulation 13E states that:

(2) The exportation from Australia of goods specified in 
the defence and strategic goods list is prohibited 
unless:
     (a)  a licence in writing to export such of those 
          goods as are specified in the licence has been 
          granted by the Minister for Defence Industry, 
          Science and Personnel or by an authorised 
          person, and the licence is produced to a 
          Collector; or
      (b) a permission to export such of those goods as 
          are specified in the permission has been 
          granted by the Minister for Defence Industry, 
          Science and Personnel or by an authorised 
          person, and the permission is produced to a 
          Collector; or
      (c) [material omitted] 

The Defence and Strategic Goods List as referred to in Reg 13E Sect 2 forms a part of the document entitled Australian Controls on the Export of Defence and Strategic Goods. The legislation that permits this reference is to be found in the Customs Act 1901, Section 112, which falls in Part VI (The Exportation of Goods), Division 1 (Prohibited Exports):

Section 112 Prohibited Exports 

(1) The Governor-General may, by regulation, prohibit 
the export of goods from Australia. 

(2) The power conferred by subsection (1) may be 
exercised:
     (a)  by prohibiting the exportation of goods 
          absolutely;
     (aa) by prohibiting the exportation of goods in 
          specified circumstances;
     (b)  by prohibiting the exportation of goods to a 
          specified place; or
     (c) by prohibiting the exportation of goods unless 
         specified conditions or restrictions are 
         complied with. 

(2A) Without limiting the generality of paragraph (2)(c), 
the regulations:
     (aa) may identify the goods to which the 
          regulations relate by reference to their 
          inclusion:
          (i)  in a list or other document formulated by 
               a Minister and published in the Gazette or 
               otherwise.
          (ii) in that list or document as amended by the 
               Minister and in force from time to time. 

(2AA) Where a Minister makes an amendment to a list or 
other document:
     (a) that is formulated and published by the 
         Minister; and
     (b) to which reference is made for the purposes of 
         paragraph (2)(c);
     the amendment is a disallowable instrument within 
the meaning of section 46A of the Acts Interpretation Act 
1901. 

(3) Goods the exportation of which is prohibited under 
this section are prohibited exports. 

The ability of the Minister to amend the list as required is a very powerful delegated legislation provision and puts the ability to legislate in this area squarely on the shoulders of the Executive, subverting many Parliamentary checks and balances and reducing the transparency of the process.

Prepared by the International Materiel Branch of the Industry Involvement and Contracting Division of the Department of Defence, the Australian Controls on the Export of Defence and Strategic Goods outlines all restrictions imposed on the export of conventional weapons as well as dual-use goods. These specific restrictions are found in the Defence and Strategic Goods List (DSGL).

According to the document, Australia's export controls on defence and strategic goods are "designed to ensure that such exports are consistent with broader Australian foreign, strategic and security policy objectives."⁽⁷⁰⁾

Part 3 of the DSGL deals with Dual-Use Goods. Category 5 is in regards to "Telecommunications and Information Security." Part 2 of Category 5 is entitled "Information Security", and deals with all forms of encryption, including hardware and software based systems.

Each of the dual-use categories are then broken down into five sub-categories:

A. Systems, Equipment and Components;

B. Test, Inspection and Production Equipment;

C. Materials;

D. Software; and

E. Technology.

Through these categories, the restrictions cover much more than simply cryptographic hardware and software. Also included is hardware and software used to test the effectiveness and security of such cryptographic equipment, and hardware and software used to break cryptographic systems.

The restrictions cover hardware which is:⁽⁷¹⁾

• Designed or modified to use 'cryptography' employing digital techniques to ensure 'information security' [5A002.a.1];

• Designed or modified to perform cryptanalytic functions [5A002.a.2];

• Designed of modified to use 'cryptography' employing analogue techniques to ensure 'information security' [5A002.a.3];

• Designed or modified to suppress the compromising emanations of information-bearing signals [5A002.a.4];

• Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion [5A002.a.7].

• Measuring equipment specially designed to evaluate and validate the 'information security' functions specified in 5A002 or 5D002. [5B002.b]

The restrictions also cover software which is:⁽⁷²⁾

• 'Software' having the characteristics, or performing or simulating the functions of the equipment specified in 5A002 or 5B002.

Both section 112 of the Customs Act and regulation 13E clearly state that they apply to "goods". In the Customs Act, "goods" is defined to "include (a) ships and aircraft; and (b) all kinds of movable personal property". The question regarding the application of the Customs laws to the making available of software for download over the Internet is discussed in Part IV of this paper.

The Australian Controls on the Export of Defence and Strategic Goods is very clear about the purpose of export controls. Although commonly referred to as 'prohibiting' the export of defence and strategic goods, the document is very clear that:

"[w]hile applications for the export of controlled items may occasionally be denied, the primary purpose of our export controls is not to prohibit exports but rather to facilitate scrutiny by the Government of all applications to ensure their export is consistent with Australia's broad interests."⁽⁷³⁾

In fact, the document goes as far as to say that:

"[t]he Government's policy is to encourage the export of defence and dual-use goods which are consistent with Australia's broad national interests."⁽⁷⁴⁾

Goods listed in the DSGL can only be exported from Australia if a licence or permit is obtained from the Minister for Defence Industry, Science and Personnel or an authorised person. The current authorised persons are:

• Deputy Secretary Acquisition Program;

• First Assistant Secretary Industry Involvement and Contracting Division;

• Assistant Secretary International Material Branch;

• Director, Strategic Trade Policy and Operations Section;

• Assistant Directors, Strategic Trade Policy and Operations Section.⁽⁷⁵⁾

There are a number of permits and licences available for the export of dual-use goods. However, many of them would have limited relevance to the export of cryptographic software by a medium such as the Internet.

The permits are:⁽⁷⁶⁾

DEC.IEP - Individual Export Permit: Issued to cover a single export of a specified quantity of goods to an identified consignee. Valid for 6 months from date of processing.

DEC.IEP - Temporary Individual Export Permit: Where goods are being exported temporarily for a specific reason. Conditions stating the use of the equipment will be noted on the permit. Valid for 6 months from date of processing.

And the licenses are:⁽⁷⁷⁾

DEC.GEL 1 - General Export Licence 1: Covers the export of a range of goods to unspecified consignees or end-users in listed countries. Exporters should specify countries they expect to export to during the license's validity. Valid for one year from the month of issue.

DEC.GEL 2 - General Export Licence 2: Covers the export of a range of industrial dual-use goods to countries participating in the Wassenaar Arrangement. Valid for two years.

DEC.GEL 3 - General Export Licence 3: Personal use provision as provided for in the Wassenaar Arrangement. Individuals may take cryptographic hardware or software with them overseas on the condition that (a) no transfer takes place; (b) the products remain under the control of and in the possession of the exporter; (c) the products are not copied; (d) they are returned to Australia when the exporter returns; and (e) the products are not used for demonstration or marketing of controlled products.⁽⁷⁸⁾

DEC.EDL - Export Distribution Licence: Available when an Australian Exporter wishes to export multiple shipments of goods which would normally require an Individual Export Permit. Covers the export of an approved range of goods to nominated, qualified consignees. Valid for two years.

DEC.MRR - Maintenance Repair and Return Licence: Where an Australian firm regularly requires to return goods for repair to an overseas supplier, or receives goods from overseas for repair and needs to return them. Covers the export of an approved range of goods to specified companies on the licence. Valid for two years.

DEC.SSL - Service Supply Licence: Where an Australian firm must send goods which would normally require an Individual Export Permit out of Australia at short notice to support a maintenance program where time is critical. Covers the export of nominated goods to specified companies on the licence. Valid for two years.

Partly, it is the lack of control over the Internet which has the export of encryption software in a bind. It is very difficult to make software available on the Internet and comply with the requirements of the above permits and licences. There is no way of ensuring that software exported over the Internet to 'friendly' countries such as the USA will not end up in one of the seven 'terrorist' states - Iran, Iraq, Libya, Syria, Sudan, North Korea, and Cuba. Hence export over the Internet makes it impossible to satisfy the requirements of all licenses and permits except DEC.GEL 1, which accepts "unspecified consignees or end-users". However, GEL 1 stops short of being an unrestricted green light for export, as it still requires a specified list of countries.

The process for obtaining a permit or license to export a product listed in the Defence and Strategic Goods List is as follows: Firstly, an application must be made to the Strategic Trade Policy and Operations (STPO) section of the Department of Defence using the forms available from the Department of Defence, and also available online. This application must be lodged by mail or fax at least 37 days before the proposed date of export. Once STPO has the necessary paperwork, they determine whether the products to be exported fall within the control guidelines. Information technology applications are normally referred to the Defence Signals Directorate (DSD), which considers applications and conducts technical evaluation. ⁽⁷⁹⁾

It is common for DSD to seek more information from the applicant and may require declarations regarding the use of the products by the end user and confirmation that the receiving party will not retransfer the products to circumvent our export restrictions. DSD then makes a recommendation to the STPO Director - currently Robbie Costmeyer - who makes a decision as the ministerial delegate. The final stage is for the STPO Director formally grant or deny an export permit or licence.⁽⁸⁰⁾

When additional consultation is required by the government, it is done through the Standing Interdepartmental Committee on Defence Exports (SIDCDE) which comprises representatives from the Department of Defence, Foreign Affairs and Trade, Attorney-Generals, Prime Minister and Cabinet, Industry Science and Tourism, Austrade and the Australian Customs Service.⁽⁸¹⁾

However, only the Minister for Defence Industry, Science and Personnel may deny approval to export. It would seem that this is consistent with the objectives of export policy referred to above - that the policy is not about rejecting applications, rather that it is a means of ensuring national security objectives are met.

The assessment criteria are explained in section 4.4.3 "Industrial Dual-Use Goods" of the Australian Controls on the Export of Defence and Strategic Goods which states that "[t]here are no formal criteria for denial", but:

"the Australian government will seek to ensure that any transfers of these goods do not contribute to the development or enhancement of military capabilities which undermine international and regional security and stability, and are not diverted to support such capabilities."⁽⁸²⁾

In a guidance document for Australian industry, the Department of Defence clarifies the denial process by stating that:

"[p]roposed exports may be denied if they are:

• to countries against which the United Nations Security Council or United Nations General Assembly has imposed a mandatory arms embargo;

• to countries with policies or interests which are hostile to the strategic interests of Australia or its friends and allies, such as countries developing weapons of mass destruction or supporting terrorism;

• to governments that seriously violate their citizens' rights unless there is no reasonable risk that the goods might be used against those citizens in violation of their human rights;

• where foreign and strategic policy interests outweigh export benefits. If the goods would be used contrary to an international agreement, be used in conflict, either internal or external and if bilateral relations with regional countries could be damaged; or

• if the export would be reasonably judged to adversely affect Australian military capability."⁽⁸³⁾

When asked about the application of the restrictions taking into consideration the availability of similar products on the Internet, Steve Anderssen, a spokesperson for the Defence Signals Directorate stated that:

"All export applications are assessed on a case-by-case basis with relevant factors taken into account, including the availability of equivalent products."⁽⁸⁴⁾

The penalties for non compliance with the export controls are contained in s.233AB(2) of the Customs Act 1901. The relevant sections are:

Customs Act 1901 - Sect 233 

(1) A person shall not

   (a) smuggle any goods; or
   (b) import any prohibited imports; or
   (c) export any prohibited exports; or
   (d) unlawfully convey or have in his possession any 
       smuggled goods or prohibited imports or 
       prohibited exports. 

(1AA) A person who contravenes subsection(1) is guilty of 
an offence punishable upon conviction: 

     (a) in the case of an offence against paragraph 
         (1)(a) or an offence against paragraph (1)(d) 
         in relation to smuggled goods - as provided by 
         subsection 233AB(1); or
     (b) in any other case - as provided by subsection 
         233AB(2)

Customs Act 1901 - Sect 233AB 

(2) Where an offence is punishable as provided by this 
subsection, the penalty applicable to the offence is:

     (a) where the Court can determine the value of the 
         goods to which the offence relates, a penalty 
         not exceeding:
         (i) 3 times the value of the goods; or
         (ii) $50,000;
          which ever is the greater; or

     (b) Where the Court cannot determine the value of 
         the goods - a penalty not exceeding $50,000. 

According to the Australian Controls on the Export of Defence and Strategic Goods document:

"in addition the goods as well as a conveyance used for the unlawful export of the goods may be seized and forfeited to the Commonwealth.⁽⁸⁵⁾

One of the greatest grey areas in the export of cryptographic materials is the fundamental legal concept of 'export'. While exporting a book, disk or CD-ROM containing cryptography is a clear breach of the Australian export controls, export over the Internet is not so clear cut. In the Defence and Strategic Goods List Statements of Understanding, General Note 2 reads:

"The control of technology transfer in the Defence and Strategic Goods List is limited to tangible forms."

This is almost completely opposite to the position of the United States, where prosecutions occur for placing cryptographic software on the Internet, but an OCR-friendly printout of the source code can be openly exported and is not seen as a threat. This difference can be attributed to the Constitutional rights given to Americans. No vote-conscious American politician would dare challenge the freedom of speech exercised in publishing a book (albeit in largely unintelligible source code).

However, people attempting to export intangibles over the Internet from Australia may not be entirely free from another lesser-known and somewhat more vague law affecting cryptographic exports. This piece of legislation is The Weapons of Mass Destruction (Prevention of Proliferation) Act ("the WMD Act"), which came into force on 29 November 1995.

According to an explanatory document on the WMD Act written by the Department of Defence:

"in 1992. . .the Government became concerned that certain goods and technologies (and services) not covered by the export regulations could contribute to the development of WMD projects."⁽⁸⁶⁾

The document goes on to detail the scope of the Act as covering:

"the supply of goods or technologies both within and outside Australia, the export of goods and technologies which are not controlled under export regulations, the provision of services in Australia, and the provision of services external to Australia, where it is suspected that these goods or services will or may assist a WMD program."^(87),(88)

Essentially, the WMD Act is a flexible piece of legislation that can be used to stop almost anything not covered by other Acts. This broad power is due to the fact that:

"[t]he final decision as to whether an export or other dealing in goods, or the provision of a service would assist a WMD program rests with the Minister for Defence."⁽⁸⁹⁾

As the explanatory document issued by the Department of Defence states that:

"the onus is placed on you to make reasonable enquiries in relation to how your products, information and know-how will be used and by whom."^(90),(91)

It is possible that a library lending a foreign student Bruce Schneier's book Applied Cryptography could be considered a breach of the WMD Act. The information that is contained in that book could almost certainly be used to secure communications related to a WMD program.

Mr Aldo Borgu, an advisor to the Minister for Defence, has stated that the export of cryptographic software over the Internet could be a breach of the WMD Act, if it could be demonstrated that it assisted a WMD program. However, he went on to say that although the Minister for Defence has the final decision, that decision would be based on a submission prepared by Robbie Costmeyer, Director of the Strategic Trade Policy and Operations section of the Department of Defence.⁽⁹²⁾

The penalties for breaching the WMD Act are considerably more severe than those under the Customs Act. Criminal penalties, including an eight-year jail sentence or a maximum fine of $52,800 for an individual and $240,000 for a body corporate, are available for a breach. The Director of Strategic Trade Policy and Operations (STPO) at the Department of Defence (DoD), Robbie Costmeyer, stated in 1998 that because the customs provisions are uncertain, the DoD is contemplating a criminal prosecution under the WMD Act against Australians who make 128-bit encryption available for download on the Internet.⁽⁹³⁾

* * *

The Walsh Report

The Walsh Report was initiated by an invitation from the Secretary of the Attorney-General's Department on the heels of the Barrett Report which concluded that:

"[w]hile Australian agencies all report that encryption has not been a problem to date, it is likely to become one in the future."⁽⁹⁴⁾

The objective of the Walsh Report was:

"to present options for encryption policies and legislation which adequately address national security, law enforcement and privacy needs while taking account of policy options being developed to address commercial needs."⁽⁹⁵⁾

The Walsh Report, formally entitled Review of policy relating to encryption technologies, is the result of a study conducted in 1996 by Gerard Walsh, a former Deputy Director-General of ASIO.⁽⁹⁶⁾ The report was listed for sale by the Australian Government Publishing Service (AGPS) in January 1997, but was withdrawn three weeks later following an enquiry by Electronic Frontiers Australia as to why it was not actually for sale.⁽⁹⁷⁾ In March 1997, EFA applied for the report to be released under the Freedom of Information Act. The request was denied, but a review of the decision was requested by EFA and this was successful, resulting in an edited version of the report being released in June 1997.⁽⁹⁸⁾ The censoring of certain sections in the report was justified under paras 33, 36, and 37 of the Freedom of Information Act 1982. These sections are:

(i) "Documents affecting national security, defence or international relations" (s.33);

(ii) "Internal working documents" (s.36); and

(iii) "Documents affecting enforcement of law and protection of public safety" (s.37).

It seems strange that the document, clearly designed for public release - Walsh clearly stated that "there is an immediate need for broad public discussion of cryptography"⁽⁹⁹⁾ - needed to be censored, given the high-ranking intelligence position of its author. If the Deputy Director-General of ASIO doesn't know what's safe for public release, who does?

In December 1998, while researching this paper, the author came upon a copy of the report in the State Library of Tasmania. After noting the sections censored from the previously released copy, it was found that the copy in the library was in fact unedited. Electronic Frontiers Australia was alerted to the availability of the report, and the censored sections were added to the copy on the EFA's web site, this time highlighted in red. The release of the complete Walsh Report caused somewhat of a media frenzy. The issues involved were covered in The Australian, The Sydney Morning Herald, The Sun-Herald in Melbourne, a large number of Internet news sites, radio stations in Sydney and Perth, and The Mercury in Hobart.

In a procedural bungle, it appears the AGPS supplied all state and university libraries with a copy of the report which it neglected to recall after the report was deemed to be a threat to national security and international relations.

Conclusion 1.1.2 of The Walsh Report states that:

"Individuals living in community cede certain rights and privileges to ensure order, equity and good government, even if sometimes reluctantly. To this end, a lawful right to conduct intrusive investigations has been given to law enforcement and national security organisations."⁽¹⁰⁰⁾

The report does take a very strong stance on the action that is required to be taken. The main finding of the review, given in s. 1.2.1, was that:

"major legislative action is not advised at this time. . .though a range of minor legislative and other actions are indicated"⁽¹⁰¹⁾

In the edited version of The Walsh Report, the remainder of this section was removed, quoting s.37 of the Freedom of Information Act. The recently discovered complete version continues s. 1.2.1 thus:

"The 1994 judgement [from The Barrett Report], that encryption was a looming problem which warranted close monitoring, remains substantially valid. The problem, in a substantive sense, still lies ahead of law enforcement and national security agencies but the distance is shortening rapidly."⁽¹⁰²⁾

Additionally, the "minor legislative and other actions" alluded to in section 1.2.1 were also removed under sections 36 and 37 of the Freedom of Information Act. They are now available and are detailed later in this paper.

The Walsh Report states openly that the purpose and impact of the export controls is questionable.⁽¹⁰³⁾ Very few Australians know such controls exist, and trying to "watch" the Internet for illegal exports is very difficult and time consuming.

On their own, Australian export controls on cryptography would be fairly impotent, and certainly would not stop the proliferation of strong encryption technologies. The Hon. Justice Michael Kirby, giving a speech at the International Symposium on the Public Voice and the Development of International Cryptography Policy, commented that:

"attempts of individual member states to 'go it alone' are likely to prove ineffective, inefficient, such as will impair international trade and the development of the Global Information Infrastructure and the Global Information Society."⁽¹⁰⁴⁾

The fact that the USA has similar restrictions, whilst being the leading exporter of software in the world, assists the Australian effort greatly. In The Walsh Report, Gerard Walsh observes that:

"As the Review was enjoined to consider Australia's national security and defence interests as key factors, it may be argued Australia's export controls were effective, though American export controls may have had greater influence on the limited proliferation of 'strong' forms of encryption in the region."⁽¹⁰⁵⁾

Through the discovery of the unedited version of The Walsh Report, a revealing insight is gleaned into the psyche behind the current controls on cryptography.

It is interesting to see sections such as 1.2.16 censored under s. 37 of the Freedom of Information Act. This section is the simple acknowledgement that:

"[d]ata is being stored securely on computer systems or being sent over the telephone system beyond the reach or visibility of the investigative agencies."⁽¹⁰⁶⁾

The only possible purpose of censoring this section is what is affectionately known as 'security through obscurity' - what they don't tell us can't hurt them.

* * *

Global Surveillance

Governments around the world are now beginning to realise the problems that encryption can pose their surveillance systems. But what are these surveillance systems?

Towards the end of 1998, the International Police (Interpol) decided to implement a system known as ENFOPOL. This initiative is intended to provide European and International Police with access to any and all kinds of electronic transmissions - voice, fax, data, the Internet, and all other forms of communications. The recently launched Iridium global satellite phone system was singled out for surveillance.⁽¹⁰⁷⁾

A similar surveillance system, known as Echelon, run by the USA, Great Britain, Canada, Australia and New Zealand intelligence agencies, is a science-fiction story come to life. The Echelon system pulls data from satellites, the telephone system, and various other sources, searches the data for keywords, and extracts suspicious messages.⁽¹⁰⁸⁾ When the existence of such technology was challenged, a former NSA officer commented that:

"anyone can type a keyword into a Net search engine and get back tens of thousands of hits in a few seconds. Assume that people working on the outer edges have capabilities far in excess of what you do."⁽¹⁰⁹⁾

When the European Parliament found out about the Echelon surveillance system and the fact that they too had been watched, they began an investigation into the truth or otherwise of the information about this system. The report - Interception Capabilities 2000 (the IC 2000 Report) - was released in May 1999, and revealed that most of the information circulating about Echelon was true. The IC 2000 Report identified the UKUSA alliance made up of the United States, United Kingdom, Australia, Canada and New Zealand, and observed that these states run a hugely complex surveillance system consisting of at least 120 satellite based collection systems, submarine cable interception, and "sniffer" software at major Internet exchange points.⁽¹¹⁰⁾

This surveillance also extends to economic intelligence. According to the IC 2000 Report:

"In Australia, commercially relevant [communication intelligence] is passed by DSD to the Office of National Assessments, who consider whether, and if so where, to disseminate it. Staff there may pass information to Australian companies if they believe that an overseas nation has or seeks an unfair trade advantage. . . Similar systems operating in the other UKUSA nations."⁽¹¹¹⁾

This Government-sponsored corporate espionage shows that the information collected form the Echelon global surveillance system serves purposes other than catching international terrorists and criminals. The claims that encryption endangers the ability of law enforcement to perform their jobs is not in question here. As David Herson, head of the EU Senior Officers' Group on Information Security has stated in regards to the US "key recovery" project:

" 'Law Enforcement' is a protective shield for all the other governmental activities ... We're talking about foreign intelligence, that's what all this is about. There is no question [that] 'law enforcement' is a smoke screen."⁽¹¹²⁾

With the enormous value of information being pulled down from the Echelon surveillance system, the spectre of encryption is cause for concern for many national intelligence agencies. The head of staff of the US House of Representatives Permanent Select Committee on Intelligence, ex CIA officer John Millis explains that:

"signals intelligence is in a crisis ... In the past, technology has been the friend of NSA, but in the last four of five years technology has moved from being the friend to the enemy of [signals intelligence]."⁽¹¹³⁾

In Australia, the availability of strong encryption is acknowledged in the Review of Policy Relating to Encryption Technologies in section 1.2.15 which was censored from the original release:

"Strong encryption, which cannot be defeated by law enforcement and national security agencies, is already available commercially or in the public domain."⁽¹¹⁴⁾

The supposed "right" of law enforcement and intelligence agencies to access communications is clearly expressed in the US Government's defence of the Clipper Chip proposal, where they:

"flatly reject[ed] the civil-liberties position and maintain[ed] the view that the government has the right not only to intercept citizen's communications but also to ensure that it will be able to understand the intercepted material."⁽¹¹⁵⁾

It should not be thought that it is only the US that holds this position. The US Department of State's 1996 Country Reports on Human Rights Practices found that widespread illegal or uncontrolled use of wiretaps by both government and private groups was occurring in over 90 countries.⁽¹¹⁶⁾

Although the Australian Government has not yet openly taken such a hard-line approach to the issues, Stewart Baker, the acting chairman of the US President's Export Council's Subcommittee on Encryption, and a former NSA general counsel has said that:

"Australia is a traditional ally of the US on crypto policy, probably the result of cooperation on intelligence matters generally. This suggests that Australia is not likely to be a reliable haven for cryptoliberatarians."⁽¹¹⁷⁾

As the OECD Ad hoc Meeting of Experts on Cryptography Policy pointed out in December 1995, the:

"[l]ack of security or lack of confidence in security of these systems may hinder the development and use of new information and communication technologies."⁽¹¹⁸⁾

This was the core reason for the demise of the Clipper chip proposal.

* * *

The OECD Proposal

In recent years there has been a rapidly increasing interest in the technology and policy issues relating to cryptography. The issue was raised at the G7 Summit meeting on anti-terrorism in July 1996, and the OECD has itself released a set of guidelines for cryptography policy.

The OECD guidelines were released on 27 March 1997. The main documents relating to this policy, including the Report on Background and Issues of Cryptography Policy, Guidelines for Cryptography Policy, and Recommendation of the Council Concerning Guidelines for Cryptography Policy, seem much more enlightened on the true issues involved than do those surrounding the Wassenaar Arrangement, which although no longer East-West focused, has clearly been formed with remnants of the US Cold War mindset in place.

This enlightenment is shown clearly in the suggestion that:

"[p]ublic education on the issues and technologies, including a full discussion of cryptography in the context of electronic commerce, could help raise consumer confidence."⁽¹¹⁹⁾

Such a doctrine has been shunned by the Australian Government, whose attempts to withhold The Walsh Report - a document written specifically for public comment - have shown without doubt the Government's unwillingness to bring the issues out into the public forum.

Making specific reference to the EU Directive [95/46/EC], on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the OECD recognise that some Governments are already requiring the use of cryptography of a minimum strength. In addition to the EU Directive, Europe has shown a recent tendency to lean towards releasing encryption from the current restrictions, including the October 1997 Communication adopted by the European Commission, entitled Towards a European Framework for Digital Signatures and Encryption, which remarks that:

"restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent totally criminals from using these technologies."⁽¹²⁰⁾

The OECD Guidelines have eight "principles" for cryptographic policy. The first is trust in cryptographic methods. The methods that are used must be trustworthy. This principle on its own invalidates the use of DES encryption, which is widely accepted as being inadequate. Choice of cryptographic methods is the second principle, and suggests that:

"Government controls on cryptographic methods should be no more than are essential to the discharge of government responsibilities and should respect user choice to the greatest extent possible."

The third principle is market driven development of cryptographic methods, and the fourth is standards for cryptographic methods - both of which suggest that the development and standardisation of cryptographic methods should be done in the open market, with communication between all those involved. The most important of the principles is the fifth, which is titled protection of privacy and personal data. The subtext of principle five reads:

"The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptographic policies and in the implementation and use of cryptographic methods."

Principle six is lawful access, which suggests that national policies may allow access to plaintext or cryptographic keys of encrypted data when required. Principle seven is liability, and recommends that the liability of all groups involved in cryptographic policy - certification authorities, escrowing agencies, authors, law enforcement and individuals - should be clearly stated.

The last principle is international cooperation, and includes the subtext "Governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade." It could definitely be suggested that the current export restrictions, as impotent as the Internet renders them, are such unjustified obstacles.

Part III: The Application of the Law

The issue of export restrictions on cryptography is a much more visible issue in the United States than it currently is in Australia. There have been a number of cases taken to court by both the US government and cryptolibertarians to try to get the restrictions confirmed or struck down.

Before examining these cases, a brief look at the differences between the US and Australian Constitutional guarantees is required.

* * *

American and Australian Constitutional Guarantees

In the United States, freedom of speech is protected by the First Amendment to the Constitution, which guarantees that:

"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."

This guarantee is broad-ranging and has been upheld in court in the United States many times (including the recent Bernstein v Department of State discussed below). Relevant to the current debate about cryptography, the American Civil Liberties Union (ACLU) explain that:

"while the Supreme Court has recognised the government's interest in keeping some information secret ... the Court has never actually upheld an injunction against speech on national security grounds."⁽¹²¹⁾

The ACLU have claimed that the United States is the most speech-protective country in the world.⁽¹²²⁾ In Australia, however, there is no Consitutional guarantee of the freedom of speech. The only freedom of speech present in Australia is an implied Constitutional freedom of expression in relation to public and political affairs.⁽¹²³⁾ The First Amendment protection given to the "publishers" of cryptographic material in some of the US decisions below, therefore, does not translate into Australian law.

Another important issue when looking at the cases below is the Government department with ownership of this area. In Australia, the controls are administered by the Department of Defence, which makes it very clear where the Government's affiliations lie. Until recently, this was also the case in the United States, where the controls on cryptography used to reside under the International Traffic in Arms Regulations (ITAR), which are administered by the State Department, but were moved completely in 1996 to the Export Administration Regulations (EAR) which are administered by the Bureau of Export Administration (BXA), in the US Department of Commerce.⁽¹²⁴⁾

This transfer of jurisdiction was completed on 15 November 1996 by an Executive Order and Memorandum from President Clinton, and was preceded by a gradual transfer of cryptographic items from the ITAR Munitions List to the BXA Commerce Control List.⁽¹²⁵⁾ The Commerce Department isssued regulations implementing the Executive Order on 30 December 1996.⁽¹²⁶⁾

The most important cases in establishing the current enforcement of export controls are explored here.

The United States of America

Philip Zimmermann and Pretty Good Privacy (PGP)

PGP is the most popular program that exists today for the encryption of email to ensure its security and privacy. It was written in 1990 by a US computer programmer, Philip Zimmermann. The same year, the program was made available for download over the Internet.⁽¹²⁷⁾ The issue of exporting PGP may not have come to light if not for Zimmermann offending RSA Data Security. PGP was a blatant infringement of the Rivest-Shamir-Adleman (RSA) patent, and the initial investigation into Zimmermann was in regards to the alleged theft and international shipment of stolen intellectual property - an allegation made by RSA Data Security.⁽¹²⁸⁾

A federal prosecutor began an investigation and a grand jury heard testimony for over a year. The court case did nothing to slow the spread of PGP over the Internet, and the program was improved and further developed by programmers around the world.⁽¹²⁹⁾

During the case, RSA Data Security changed a part of its licence, the effect of which permitted a "legal" US version of PGP. This rendered the patent-infringement aspect of the case moot, and the investigation ended when the Department of Justice decided not to prosecute.⁽¹³⁰⁾ The Department of Justice's reasoning behind dropping the case is unknown. An interesting aside to the case was the action of the MIT Press, which published the source code to PGP as a 600-page hardbound OCR-friendly book, and sold the book through worldwide channels of distribution.⁽¹³¹⁾ While the government let the case drop in regards to PGP, this dichotomy of publishing electronically and in conventional print was to make frequent appearances in the US courts [Karn v Department of State, Bernstein v Department of State].

Since the investigation ceased and the threat of prosecution dropped, Zimmermann has founded a company and expanded the PGP product line, with PGP becoming the most common form of cryptography used for protecting email because of its security and ease of use.⁽¹³²⁾

Karn v Department of State

Karn v Department of Commerce

(Civil Action No. 95-1812-LFO)

In early 1994, the "Applied Cryptography" case, so called because it revolved around a textbook on cryptography by that title, was very important in establishing the extent of protection given to cryptography under the First Amendment to the US Constitution (the freedom of speech discussed above). Applied Cryptography, by Bruce Schneier, included source code in 'C' for about a dozen popular encryption algorithms.⁽¹³³⁾ This source code was printed in the back part of the book. The book also came with a disk which contained the same source code as was printed in the book. Phil Karn first applied for an export permit for the book, and The State Department responded that no permit was necessary for the export of the book, based on First Amendment concerns. Karn then requested an export permit for a small part of the book (the source code) transcribed onto a floppy disk. The State Department refused export of the disk, which was deemed to be a munition.⁽¹³⁴⁾

In justifying the decision to refuse export of the disk, the State Department stated that

"[t]he text files on the subject disk are not an exact representation of what is found in Applied Cryptography. Each source code listing has been partitioned into its own file and has the capability of being easily compiled into an executable subroutine. This article is designated as a defence article under category XIII(b)(1) of the United States Munitions List."⁽¹³⁵⁾

It was not the code itself that was threatening, rather it was the fact that it was in a useful form on disk which made it a threat to national security. While the decision seemed too silly to be true to many observers, the decision is still used as precedent for justifying refusal to export.

Karn v Department of State was heard by Judge Richey in the US District Court for the District of Columbia, and the government filed a motion to dismiss which was successful, with Richey handing down a strongly-worded decision in favour of the export controls. This decision was then appealed to the United States Circuit Court of Appeals for the District of Columbia.⁽¹³⁶⁾

When Karn argued that cryptographic software was already readily available on the Internet, the Court of Appeal held that:

"the President's decision to regulate cryptographic software under the ITAR was a foreign policy decision not subject to judicial review."⁽¹³⁷⁾

A final decision in Karn v Department of State has not yet been reached, as just days before oral arguments were to begin in the case, the administration of the export restrictions on cryptography was shifted from the State Department to the Commerce Department. Applications for the export of the book and disk were refiled and Karn was again refused permission to export. Karn v Department of Commerce, the new suit was reassigned to District Judge Louis Oberdorfer after the death in March 1997 of Judge Richey and is still being fought.

Bernstein v. Department of State

Another critical case revolved around Daniel Bernstein, a graduate student at UC Berkeley, who invented an encryption system called Snuffle. Bernstein asked the State Department if he could publish a short paper describing the algorithm, and two pages of source code in 'C' that implement the system.⁽¹³⁸⁾ The State Department denied his request. To force the Department to clarify its decision, Bernstein sent in five different requests, asking for permission to publish:

(i) the paper;

(ii) the encryption source code;

(iii) the decryption source code;

(iv) an English description of how to encrypt; and

(v) an English description of how to decrypt.⁽¹³⁹⁾

The State Department consolidated and denied all five.

Bernstein, with the help and funding of the Electronic Frontier Foundation, filed suit against the State Department alleging that the export controls were unconstitutional due to protection of publishers under the First Amendment. The final decision was a crucial victory for cryptoliberatarians. In the decision handed down in the Federal District Court in San Francisco, Judge Marilyn Hall Patel declared that:

"the Export Administration Regulations . . . insofar as they apply to or require licensing for encryption and decryption software and related devices and technology, are in violation of the First Amendment on the grounds of prior restraint and are, therefore, unconstitutional as discussed above, and shall not be applied to plaintiff's publishing of such items, including scientific papers, algorithms or computer programs."⁽¹⁴⁰⁾

Judge Patel went on to comment that the government's:

"distinction between paper and electronic publication . . . makes little or no sense and is untenable."⁽¹⁴¹⁾

This statement has direct relevance to Karn v Department of State, in which export permission of source code in text form was permitted, but in a text-file on a disk was rejected.

Interestingly, the Judge also commented that:

"most important, and most lacking, are any standards for deciding an application. The [Export Administration Regulations] reviews applications for licenses "on a case-by-case basis" and appears to impose no limits on agency discretion."⁽¹⁴²⁾

This is also the case in Australia, where no formal criteria exist.⁽¹⁴³⁾ As in the United States, the lack of transparency in the review process is one of the greatest problems with Australian export restrictions on cryptography.

Despite the clear decision in this case, the court declined to issue a nationwide injunction declaring the regulations void.⁽¹⁴⁴⁾ The US Government's press release in regards to the Bernstein case attempts to dilute the significance of the decision through reference to Karn v Department of State, in which:

"the District Court ruled that export controls on encryption software are constitutional under the First Amendment and serve important interests of the United States."⁽¹⁴⁵⁾

The case was appealed by the US Government, and on 6 May 1999, the Ninth Circuit Court of Appeals found in favour of Bernstein and declared that the export restrictions, as far as they applied to the source code of a program - in human-readable form - were a breach of the First Amendment right to free speech. In an amusing twist of fate, the decision, as posted on the Internet, included the source code of Bernstein's encryption program. As such, the Ninth Circuit Court could itself have breached the export regulations as intended by the Clinton Government.⁽¹⁴⁶⁾

* * *

Australia

In Australia, no cases have appeared in court in relation to the unlicensed exportation of cryptographic software. This is despite the large number of Australian Internet sites which have strong encryption programs available.

The lack of US-style court cases should not be interpreted to suggest that the export restrictions are not being implemented. In 1998, the Defence Signals Directorate received about 280 applications, of which none were denied.⁽¹⁴⁷⁾

In addition to the formal applications received and processed by the DSD, there are some well known examples of companies who have been approached by the Defence Signals Directorate and denied approval to export before such approval was requested. One example of the DSD's approach is the case of Nexus Solutions, who were told they could not export their archiving software because it used extremely strong encryption.⁽¹⁴⁸⁾ As Dan Tebbutt reported in his investigation into the cryptographic controls in Australia, the Defence Signals Directorate told Nexus director Peter Pavlovic in November 1996 that Ntrust - the archiving product - would not receive export approval, despite the fact that neither Mr Pavlovic nor Nexus had applied for such export approval.⁽¹⁴⁹⁾

The economic risk factor felt by many companies operating on the fringe of this area is identified by a cryptographic software developer who wishes to remain anonymous, who recounts that:

"In 1986 Advance Bank poured millions of dollars into the development of its own strong cryptography helper application - reinventing the wheel [due to the export restrictions] - in order to launch its online banking facility. Thankfully the project succeeded, and they were for a long time a lonely pioneer in the Australian on-line scene. It was only when international banks were granted access to strong-crypto that any of Australia's "big four" banks launched on-line banking systems."⁽¹⁵⁰⁾

It would seem the Defence Signals Directorate pursues a policy of avoiding rejecting applications. Whether this is through denial before an application is lodged, as in the Nexus example, or by granting the applications with "restrictions," which essentially render the permit useless for the purpose intended, the statistics show a 100% approval rate for the past year, a statistic that would paint a picture of the DSD as a very reasonable and flexible body.

However, the "balance" and transparency suggested by the DSD's statistics is very misleading. A cryptographic software developer who wishes to remain anonymous explained the transparency thus:

"DSD represents power without accountability. They wield discretionary control. Their evaluation standards are not available. Their judgements, or the reasons behind them, are not recorded. They operate outside the scope of the Freedom of Information Act. They rarely go on the record. Their decisions cannot be appealed. Even something as simple as a register of the companies with whom they are dealing is not available."⁽¹⁵¹⁾

The effect of this lack of transparency is large. Due to the lack of accountability imposed upon the DSD, it has been suggested that getting on the wrong side of the DSD could have dire consequences. As such, very few software developers working with cryptographic technology are willing to speak out against the DSD for fear of jeopardising their chances of future approvals. In the presumed democratic and free nation we live in, where the government supposedly works for the people, such a situation is truly frightening.

Part IV: The Issues

We. . .concluded that many national intelligence and law enforcement agencies seem to have "hijacked" the cryptography issue for their own benefits, in many cases leaving foreign affairs and trade ministries unaware of what policies governments were following. Our own quizzical responses from some embassies in Washington, including those of large countries like Australia, support this argument.

- Wayne Madsen in the Global Internet Liberty Campaign's survey of International crypto policies.

The Push for Law Reform

The push for law reform in the area of cryptographic export controls is being led both domestically and internationally by Electronic Frontiers Australia. Many other international liberty groups have supported this campaign, including the Electronic Frontier Foundation, the Global Internet Liberty Campaign, the Cato Institute, and the Electronic Privacy Information Centre.

The Global Internet Liberty Campaign (GILC), was established in June 1996 "to protect civil liberties and human rights in the online world."⁽¹⁵²⁾ One of the key principles adopted by GILC at its original meetings was that users of the Internet should have the right to "encrypt their communication and information without restriction."⁽¹⁵³⁾

Such electronic civil-rights groups are playing a crucial role in the new wired world, but the fight is made much more difficult by the anti-Government stance many of these groups have been forced to take. The Hon. Justice Michael Kirby makes a very important point when he states that:

"The voices of national security and law enforcement agencies will generally be close to the ear of government. It is important that there be voices of equal strength to speak for human rights, the rule of law and protecting the privacy of citizens from the technologically enhanced capacity of the State to monitor their communications."⁽¹⁵⁴⁾

* * *

Human & Civil Rights

Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights both state that:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The current regime of controls on cryptographic software treads a fine line on the boundary of being a human rights abuse under both these Articles. While governments will justify acts such as wiretapping and the collection of information through interception of communications as being necessary for the common good, these activities are not in question. What is being challenged is the global Arrangement and local legislation which effectively forces individuals to make themselves available for surveillance by prohibiting the wide dissemination of communication-securing items such as encryption software.

The Global Internet Liberty Campaign released a statement on the 50th anniversary of the Universal Declaration of Human Rights which stated that:

"it is essential that the international community reassert its commitment to respect and promote human rights regardless of physical borders."⁽¹⁵⁵⁾

This is a fight which will continue into the forseeable future, as Governments attempt to deal with the "wild west" of the Internet through legislation they will find hard to enforce.

The International Survey of Encryption Policy, carried out by the Global Internet Liberty Campaign, concludes that:

"[a]ttempts by the United States to influence the development of restrictive national and international regimes on the use of cryptography should be raised as a political and civil rights issue by sympathetic political parties and organisations."⁽¹⁵⁶⁾

It would seem that Australian political parties would prefer to stand by the US Government's directions on cyber-policy than break away from these and support the human rights of its citizens.

It is interesting that one of the reasons given by the Department of Defence for denying approval to export is if that export is going:

"to governments that seriously violate their citizens' rights unless there is no reasonable risk that the goods might be used against those citizens in violation of their human rights."⁽¹⁵⁷⁾

Although there is no specific mention of cryptography in this context, the association of proliferation of cryptographic products with human rights abuses is ironic, when the restrictions placed on such products could be a human rights abuse in their own right. In countries where human rights abuses take place, encryption can be the only way for political activists and others to communicate with the outside world without persecution.

As Diffie & Landau point out:

"[t]he fact that if cryptography has the potential to interfere with police investigations it also has the potential to prevent crimes and thus make society more secure has often been overlooked."⁽¹⁵⁸⁾

The individual privacy and security, and hence society's added security, offered by cryptography has been largely ignored by the government through its blinkered, Defence-oriented view.

This point is reiterated by Dr Brian Gladman, Crypto Policy Co-ordinator of Cyber-Rights and Cyber-Liberties (UK), and a 35 year employee of Defence in the UK, who stated via email that "cryptography can be used for both good and bad in society and it makes no sense to restrict the good uses in order to stop the bad unless we can show that we obtain an overwhelming benefit for society by doing this. And this case has not been made."

In retaliation for the most recent strengthening of restrictions placed on encryption technologies under the Wassenaar Arrangement, John Gilmore, cofounder of the EFF has started a people-power movement to undermine the restrictions. The idea is simple: If someone in each country under the Wassenaar Arrangement builds a database of the software likely to be banned under the new provisions of the Arrangement, that software can be provided to domestic users even if the new amendments are made.⁽¹⁵⁹⁾

* * *

Proposed Amendments to Australian Domestic Legislation

While much of the debate in the area of cryptography takes place at an International level, it is domestic law which must be changed to effect the Australian people. The Walsh Report, an objective of which was to recommend legislative initiatives to "adequately address national security, law enforcement and privacy needs while taking account of policy options being developed to address commercial needs,"⁽¹⁶⁰⁾ included a number of such recommendations for amendments to the Australian Federal Police Act 1979, The Telecommunications Act, and the Crimes Act 1914. These amendments included:

Australian Federal Police Act 1979

- "the authority to alter proprietary software so that it may provide additional and unspecified features. . . the introduction of other commands, such as diversion, copy, send, dump memory to a specified site. . ." (Walsh Report s. 6.2.20)

This would allow law enforcement agencies to modify software such as Microsoft Windows, or any other proprietary software, to perform "unspecified features," which could include storing passwords, copying encryption keys, keeping access records, or any other required information.

- "the creation of a statutory exemption from any order or direction by a court or process of discovery by an officer of the court or any other person from disclosing information concerning sensitive operational matters. . . the fact and category of those matters authorised by magistrate or judicial warrant not to be included in any unclassified and unprotected forms of reporting and be exempt from discovery under 0the Freedom of Information Act 1982." (s. 6.2.20)

This provision ensures that there is absolutely no transparency in the actions of law enforcement and national security agencies. This wall of silence in regards to process is a grave threat to the judicial review process in place to keep the Executive honest. The ability to challenge the legality of the process followed in obtatining evidence used in a prosecution is eroded greatly by this provision.

Telecommunications Act

- "maintain the licence requirement for carriers who wish to market a service which is not susceptible to interception to first obtain the explicit approval of the Minister for Communications and the Arts who shall be required to consult with the Attorney-General." (s. 6.2.21)

Just as the export restrictions are attempting to prevent citizens from securing their communications, this provision ensures that avenues for secure communications are closed off where possible.

Crimes Act 1914

- "establish an additional and more serious category of offence where encryption is used to obstruct investigation by law enforcement agencies into the preparation for or commission of a criminal offence." (s. 6.2.22)

- "the authority to 'hack', under warrant, into a nominated computer system as a necessary search power and to secure electronic evidence of an attack on a computer system." (s. 6.2.22)

- "the authority be created for the Commissioner of the AFP to require persons to answer questions, notwithstanding the principle of non self-incrimination, concerning passwords or codes relating to material seized in the course of investigation of serious criminal offences and found to be encrypted or to produce materials relating to the cryptographic processes employed." (s. 6.2.22)

A number of these provisions, along with other complimentary provisions, were introduced into the House of Representative on 25 March 1999, as the Australian Security Intelligence Organisation Legislation Amendment Bill 1999, a section of which is reproduced below:

Australian Security Intelligence Organisation Legislation Amendment Bill
1999 

25A Computer access warrant 

    Issue of computer access warrant
   (1) If the Director-General requests the Minister to do 
       so, and the Minister is satisfied as mentioned 
       in subsection (2), the Minister may issue a 
       warrant in accordance with this section. 

    Test for issue of warrant
   (2) The Minister is only to issue the warrant if he 
       or she is satisfied that there are reasonable 
       grounds for believing that access by the 
       Organisation to data held in a particular 
       computer (the target computer) will substantially 
       assist the collection of intelligence in 
       accordance with this Act in respect of a matter 
       (the security matter) that is important in 
       relation to security.


    Authorisation in warrant
   (3) The warrant must be signed by the Minister and 
       must authorise the Organisation to do specified 
       things, subject to any restrictions or conditions
       specified in the warrant, in relation to the 
       target computer, which must also be specified in 
       the warrant. 

    Things that may be authorised in warrant
   (4) The things that may be specified are any of the 
       following that the Minister considers appropriate 
       in the circumstances:
       (a)  using:
           (i)   a computer; or
           (ii)  a telecommunications facility 
               operated or provided by the Commonwealth or 
               a carrier; or
           (iii) any other electronic equipment;
           for the purpose of obtaining access to data that 
           is relevant to the security matter and is stored 
           in the target computer and, to assist in that 
           purpose, adding, deleting or altering data in the 
           target computer;


       (b) copying any data to which access has been 
           obtained, that appears to be relevant to the 
           collection of intelligence by the 
           Organisation in accordance with this Act;
       (c) any thing reasonably necessary to conceal the 
           fact that any thing has been done under the 
           warrant;
       (d) any other thing reasonably incidental to any 
           of the above.


       Note: As a result of the warrant, an ASIO 
       officer who, by means of a telecommunications 
       facility, obtains access to data stored in the 
       target computer etc. will not commit an offence 
       under section 76D or 76E of the Crimes Act 1914 
       or equivalent State or Territory laws (provided 
       that the ASIO officer acts within the authority 
       of the warrant).


    Certain acts not authorised
   (5) Subsection (4) does not authorise the addition, 
       deletion or alteration of data, or the doing of 
       any thing, that interferes with, interrupts or 
       obstructs the lawful use of the target computer 
       by other persons, or that causes any loss or 
       damage to other persons lawfully using the target 
       computer.

The Parliamentary Joint Committee on the Australian Security Intelligence Organisation released an Advisory Report on the ASIO Legislation Amendment Bill, having received submissions from the Australian Council for Civil Liberties, the Australian Information Industry Association, the Australian Privacy Charter Council, Electronic Frontiers Australia, and other concerned parties.⁽¹⁶¹⁾

The concerns of the privacy and civil liberties groups are clear, as the Bill extends the powers of ASIO far beyond those currently exercised. One of the most concerning parts of the Bill is the proposal that the Attorney-General be given the power to issue search warrants. In the current process, it is the Courts who have the power to issue search warrants, and hence the judiciary can watch over the actions of the Executive.

As the Australian Council for Civil Liberties argued in their submission to the Parliamentary Joint Committee on ASIO:

"For a mainstream law enforcement agency ... the justification for the issue of search warrants can and frequently is challenged in the courts as a means of maintaining the balance between police powers and the civil liberties of individuals."⁽¹⁶²⁾

Once again, the Government is attempting to subvert this process by squeezing the judiciary out, along with the checks and balances the independent judiciary bring to the process. When this is looked at alongside the ability of the Minister to amend the Defence and Strategic Goods List, and the lack of accountability of the DSD, a clear trend becomes apparent, which is the subversion of the checks and balances inherent in the Westminster system by transferring roles traditionally held by the Legislature and Judiciary to the Executive.

Section 25A(4)(a) as recommended in the ASIO Legislation Amendment Bill contains a provision allowing ASIO to add, delete or alter data for the purpose of gaining access to data in a target computer. The explanatory memorandum explicitly states that this would include the modification of encryption systems. Such an amendment could render the debate about the necessity for cryptography to be publicly available moot, as the Government could alter encryption systems, resulting in a huge loss of data integrity. As Chris Connolly of the Financial Services Consumer Policy Centre suggests, the debate about government access to cryptographic keys should be played out in full, rather than being resolved by a little-publicised amendment which renders encryption systems vulnerable to government modification.⁽¹⁶³⁾ The Government's ability to use this power to alter encryption systems is shown by the Director-General of ASIO's comments that:

"[ASIO] would be allowed to interfere with a computer in so far as it enables us to compromise the protection mechanisms that may surround the information in the computer."⁽¹⁶⁴⁾

It seems that the Australian Government is going to continue extending the powers of its law enforcement and national security bodies into the foreseeable future with no end in sight. While the law must be able to be enforced effectively, the cost-benefit analysis of the ever-increasing surveillance regime is swinging close to the point where additional capabilities will have a greater social cost than benefit. It is groups like Electronic Frontiers Australia who are watching the Government edge ever closer to this point. The Government's apparent decision to move these increased powers through by stealth poses some strong questions about their justification.

That said, the Government is entering a difficult period for law enforcement. In addition to lacking the ability to decrypt intercepted communications, law enforcement agencies have also had difficulties in forcing individuals to give up the cryptographic key with which their data is encrypted. While it would seem that this is a natural extension of a search warrant, courts have held that a cryptographic key need not be produced if the information that key is concealing would be self-incriminating.

* * *

Self Incrimination and The Right to Silence

The protection against self-incimination referred to above is based on the Fifth Amendment to the United States Consitution, which reads:

"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation." (emphasis added)

While Australia does not have such a Constitutional guarantee of the right to silence, such a right is recognised in all Australian jurisdictions and all Common Law countries.⁽¹⁶⁵⁾ The Australian right to silence has been clearly stated by the High Court in Petty v The Queen (1991) 173 CLR 95, which states that:

"A person who believes on reasonable grounds that he or she is suspected of having been a party to an offence is entitled to remain silent when questioned or asked to supply information by any person in authority about the occurrence of an offence, the identity of participants and the roles which they played ... An incident of that right of silence is that no adverse inference can be drawn against an accused person by reason of his or her failure to answer such questions or to provide such information."⁽¹⁶⁶⁾

In the United States, as Greg Sergienko states in his article Self Incrimination and Cryptographic Keys:

"The [US] Court's precedents suggest that it can be expected to hold that the documents produced from a cryptographic key cannot be used against the producer of the key, because a cryptographic key authenticates and confers testimonial content on documents that are otherwise unauthenticated and meaningless."⁽¹⁶⁷⁾

Whether the Australian precedent would result in a similar ruling is unclear.

* * *

Departmental Responsibility for Cryptographic Export Controls

A major issue in the cryptography debate is which government department should have the responsibility in this area. With the US having transferred ownership from the State Department to the Department of Commerce, there is pressure on the Australian Government to do the same. In regard to cryptographic policy falling under the Department of Defence's jurisdiction in Australia, Senator Alston, Minister for Communications, the Information Economy and the Arts, has stated that:

"The Government's cryptography policy is developed through consultation with all relevant portfolios, including Communications, Information Technology and the Arts; Industry, Science and Resources; Foreign Affairs and Trade; and Defence."

As a consequence of this widespread consultation, he continues to say that "wherever [the responsibility for cryptographic policy] was located within government, those agencies would still be involved."⁽¹⁶⁸⁾ And hence Senator Alston proposes that the jurisdiction need not be moved.

Mr Martyn Evans MP, Shadow Minister for Science and Resources, disagrees, claiming that while "Defence has a legitimate interest in crypto policy," the overriding control of this area "should move to the Attorney-General or Industry and Science. [Cryptography] is now a mainstream commercial tool and it needs to be regulated accordingly."⁽¹⁶⁹⁾

At the least, a move to Industry and Science, the Information Economy or a similar portfolio would signal the Government's acceptance of cryptography as a mainstream tool. As long as software developers must deal first-hand with the secretive DSD, an open working relationship between industry and Government will not exist.

* * *

The need for "balance"

While governments have been calling for "balance" and showing their commitment to this ideal by removing restrictions on the export of cryptographic software with a given maximum key length (currently 56-bit under the new Wassenaar changes), in effect this may as well be a total restriction on exports, as the demand for weak cryptographic products is very small.⁽¹⁷⁰⁾

The Australian government has been fairly quiet on the issues involved in the debate surrounding the restrictions on cryptography, however prior to the March 1996 election, the Liberal/National Coalition released a statement which acknowledged that:

"[h]eavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile."⁽¹⁷¹⁾

Given the current Coalition Government's policy, this can only be seen as political rhetoric. Any action to suggest a true belief in such a policy is sadly lacking.

A cryptographic software developer, who wishes to remain anonymous, has commented that:

"From the inside of the U.S. 'fence', companies rightly see the export controls as a trading disadvantage in an international marketplace. But on the outside of the 'fence', in Australia, the controls act more as a brake on the construction and deployment of truly useful networked services, such as electronic commerce systems."⁽¹⁷²⁾

It is hard to see who is intended to benefit from a fence which keeps in that which is already out.

Martyn Evans, MP, then Shadow Minister for Science and IT, commented in parliament that:

"It would seem. . .that the government has not yet recognised, unfortunately, the importance of encryption. . .to the development of a sound information based economy."⁽¹⁷³⁾

Senator Alston, Minister for Communications, the Information Economy and the Arts, challenges this, stating that:

"The Government is committed to facilitating the development and use of software that will enhance business and consumer confidence in electronic commerce, and the development of a strong domestic and export industry, while honouring our international commitments."⁽¹⁷⁴⁾

* * *

Transparency of Government

Despite Senator Alston's claims, there is an undeniable lack of transparency in both the government's legislative and executive actions in this area. As Martyn Evans MP, has said about encryption policy, the government "is progressing the legislation in a subtle, almost quiet fashion, avoiding the public debate on this issue which we should reasonably have."⁽¹⁷⁵⁾

Mr Evans has also stated that:

"The debate has been far from open and inclusive as there is as yet little widespread public interest in this field and the Government has not sought to ensure that the issues are placed before the public."⁽¹⁷⁶⁾

A key example of the legislative secrecy was the Australian Security Intelligence Organisation Legislation Amendment Bill 1999, introduced into the House of Representatives on 25 March 1999. This bill proposed to extend the surveillance powers of ASIO as recommended in the Walsh Report, sections 1.2.28, 1.2.33, 6.2.3, 6.2.10-11, 6.2.20, and 6.2.22, all of which were censored by the government in the copy of the Walsh Report released under the Freedom of Information Act. The government's willingness to deal with this legislation after having eliminated any opportunity for public debate is a dangerous sign for the future.

As Downing (1996) observes, there has been much criticism regarding the perceived lack of public or parliamentary scrutiny of International agreements. This criticism is highlighted by the situation resulting from the December 1998 amendments, which have not yet been formally implemented. Despite this fact, the Defence Signals Directorate (DSD) has stated that:

"in the meantime [before the amendments are officially made] Defence will administer the controls in the spirit of the new regulations."⁽¹⁷⁷⁾

The ability of the DSD to enforce not-yet-existing export controls on Australian businesses and individuals undermines the democratic process and is yet another example of the Executive arm of Government taking ever more control of this area.

* * *

The "export" of software over the Internet

The issue of whether making cryptographic software available on the Internet is exportation or publishing is one of the most important and far-reaching questions that needs to be answered in the near future. The issue lies at the heart of the Internet, and is still unclear despite a number of cases appearing in court involving Internet Service Providers (ISPs) and the determination of liability for the content displayed which depends to a large part on whether they are considered publishers (like newspapers) or carriers (like the postal system).

In the most recent decision, handed down in the United Kingdom in late March 1999, the London High Court ruled that an ISP, Demon Internet, could not claim to bear no responsibility for an allegedly libelous newsgroup posting hosted on its servers. The posting had originated from an unknown user in the United States, who was not a Demon Internet customer. Demon Internet had attempted to use an "innocent dissemination" defense under Great Britain's 1996 Defamation Act, which allows an ISP to claim that it is not liable for messages traveling through its system,⁽¹⁷⁸⁾ however, the judge rejected this defence. Demon Internet have appealed the decision.

Simon Davies, director of Privacy International has commented on the decision, saying that:

"[ISPs] have some very unfortunate black holes in terms of protection. The 'common carrier' argument, the whole question of store-and-forward, is hotly contested here."⁽¹⁷⁹⁾

A decision such as the UK decision in Demon Internet clearly makes ISPs publishers. As this decision was made in the UK, it has no binding effect on a similar case in Australia. However, the global nature of the Internet, and the lack of law in this area, has resulted in many countries looking at the decisions of foreign courts to get some indication of how to deal with the issues.

While in the US the issue of common-carrier versus publisher is crucial due to the protection given to publishers under the First and Fifth Amendments, in Australia, the decision may not be as important as freedom of speech is currently limited to the implied Constitutional guarantee of freedom of political speech. Regardless of whether placing software on the Internet is publishing or export, there is no inherent protection given by the Australian Consitution.

However the whole debate about freedom of speech and Constitutional protection is also currently of questionable relevance in reference to cryptographic software exports over the Internet from Australia, as the Defence and Strategic Goods List Statements of Understanding specifically limits the control of export to "tangible forms." It is questionable whether a string of zeros and ones, communicated using electric pulses, could be considered tangible. A spokesperson for the Defence Signals Directorate, Steve Anderssen, stated in relation to the issue of tangibility that "the application of export restrictions is unclear."

In the United States the issue was clearly defined by President Clinton in the 1996 Executive Order and Memorandum moving jurisdiction from the State Department to the Commerce Department. This Order stated that it would consitute an export of encryption software:

"for a person to make such software available for transfer outside the United States, including transfer from electronic bulletin boards and Internet file transfer protocol sites, unless the party making the software available takes precautions adequate to prevent the unauthorized transfer of such [software] outside the United States."⁽¹⁸⁰⁾

As Patrick Gunning, a solicitor at the legal firm Mallesons Stephen Jaques, Sydney, points out in his article Distributing encryption software by the Internet: loopholes in Australian export controls, for the current Australian export laws to cover making encryption software available for download over the Internet, two conditions would need to be met:

1.) Software must fall within the definition of "goods"; and

2.) The transmission of data from a server in Australia to a person outside Australia must constitute an "exportation".⁽¹⁸¹⁾

In regards to the first point, that software must be considered "goods," Gunning refers to Vickers v Young (1982) 65 FLR 260, in which Mr Vickers had $8,000 in cash and $15,000 credit in a bank account seized by Customs officers who had the power to seize "goods." Mr Vickers challenged the decision to seize the cash and credit, and Morling J held that "goods," within the context of the Customs Act, was ordinarily a reference to tangible things that are physically movable. As a result of this definition, the cash, in the form of banknotes, was clearly "goods," but the bank credit - in electronic form only - was not. Morling J held that it was "inappropriate to treat intangible things ... as 'movables' for any purpose other than the conflict of laws."⁽¹⁸²⁾ Gunning argues that using this precedent:

"It is unlikely that software made available for download (clearly an intangible) would be found to be "goods" for the purposes of the Customs Act."⁽¹⁸³⁾

In considering the issue of whether software can be considered "goods," it is useful to look at three cases which have dealt with the issue under the auspices of Sale of Goods or Trade Practices legislation. Firstly, in Toby Constructions Products Pty Ltd v Computa Bar (Sales) Pty Ltd [1983] 2 NSWLR 48, Rogers J concluded that hardware and software which are bundled together are goods for the purposes of the Sale of Goods Act. However, he continued on to comment that it is debatable as to whether the mere licensing of software (without the supply of any tangible products) also constituted a sale of goods.^(184),(185)

Secondly, in ASX Operations Pty Ltd v Pont Data Australia Pty Ltd (1990) 27 FCR 460, it was decided that although goods is defined in the Trade Practices Act to include "electricity," this does not stretch to include encoded electrical signals.⁽¹⁸⁶⁾ Finally, in St Albans City and District Council v International Computers Ltd (1996) 4 All ER 481, in the England Court of Appeal, Sir Iain Glidewell made the important distinction between the software program and the physical medium on which it was encoded. The physical medium was clearly "goods," but the program was not "goods" if it was independent of the physical medium.⁽¹⁸⁷⁾ Sir Iain Glidewell also made the important point that the intellectual property involved in the software program had remained with the author at all times. St Albans had merely received a licence to use the software.⁽¹⁸⁸⁾

From these three cases, it can be seen that there is a substantial precedent which suggests software on its own, without a physical medium, cannot be considered "goods." Such a precedent would suggest the Customs Act as it currently stands does not cover the exportation of software via the Internet, or any other electronic medium. Additionally, Gunning argues that "if this is correct, those parts of the defence and strategic goods list that refer to software per se are ultra vires and of no effect."⁽¹⁸⁹⁾

On the second of the above conditions, that "the transmission of data from a server in Australia to a person outside Australia must constitute an "exportation," there are also several relevant cases. Unlike "goods," however, neither "export" nor "exportation" are defined in the Customs Act.⁽¹⁹⁰⁾

The first case to consider is Wesley-Smith v Balzary (1977) 14 ALR 681, which involved charges under the Customs Act of exporting prohibited goods (firearms). It was held that the relevant definition of "export" for this offence was:

"knowingly to take goods out of Australia with the intention of landing them at some place out of Australia and actually landing them there or trans-shipping them so that they eventually land there."⁽¹⁹¹⁾

It is questionable as to whether placing software on an Australian server available for download from anywhere in the world would qualify as "knowlingly taking goods out of Australia," and the intention required by the above judgement would also be hard to establish in Court.

The second relevant case in this area is Australian Trade Commission v Film Funding and Management Pty Ltd (1989) 24 FLR 595. This case dealt with a claim under the Export Market Development Grants Act 1974 ("the Grants Act") as amended by Part VI of the Australian Trade Commission (Transitional Provisions and Consequential Amendments) Act 1985. The dispute was in regard to the claimed "export earnings" of the respondent which effected the amount of the grant they were eligible to receive under the Grants Act. These "export earnings" were claimed to arise from the disposal of eligible industrial property rights in the US, UK, and Europe, in relation to certain films.

Sub-section 3A (1) (d) of the Grants Act states that:

3A (1) A reference in this Act to the export earnings 
of a person, in relation to a grant year, shall be read, 
subject to the operation of this section, as a reference 
to the sum of -

       (d) the amount or value of the consideration 
           received by that person during that grant 
           year for the disposal by that person at any 
           time to persons resident outside Australia, 
           for use and enjoyment outside Australia, of 
           eligible industrial property rights or of 
           eligible know-how;

Under this section, it seems that the concept of export can apply to intangibles. As Gummow J states in Australian Trade Commission v Film Funding and Management:

"A dealing by an exclusive licensee of copyright, for example, by granting a sub-licence, may be disposal of an eligible industrial property right within the meaning of the Grants Act."⁽¹⁹²⁾

However, Gummow J also states that:

"A person who pays money for use and enjoyment outside Australia of rights which arise under Australian law is not paying for rights which are only protected in Australia."⁽¹⁹³⁾

In this statement, Gummow J is referring the international conventions on intellectual property protection, such as the Berne convention, which results in copyright protection in foreign countries. As Gunning points out, copyright is territorial in nature, and a person in a foreign country paying for the right to use a software program is paying for the right granted by the Berne convention under that foreign country's law, not the law of the place of origin of the software.⁽¹⁹⁴⁾ Using this line of thinking, it could be suggested that no export of intellectual property rights is taking place, rather the rights are being granted in the destination country.

Judging from the above decisions, it seems unlikely a prosecution for exporting encryption software over the Internet would be successful in Australia. As Gunning concludes from examining these cases:

"Based on the present state of the Customs Act, there are strong grounds to suggest that Australian cryptographers would prevail in a test case if they were to make software containing strong encryption available for download from an Australian server."⁽¹⁹⁵⁾

While the Department of Defence have used the threat of prosecution to scare people away from putting strong encryption on Australian servers, the Government is yet to bring an action in Court. Perhaps the apparent unwillingness of the Government to act on its threats is due to the fact that a defeat in Court would render the export restrictions impotent and would be an embarrassment for Australia in the eyes of fellow Wassenaar countries.

While the Strategic Trade Policy and Operations (STPO) Section of the Department of Defence is responsible for administering the export controls, "barrier control rests with the Australian Customs Service."⁽¹⁹⁶⁾ While this is understandable given the export of tangible items, it is hard to see the Customs Service performing "barrier control" on the Internet. For the foreseeable future, the Internet will remain largely uncontrolled, and the speed and ease of the dissemination of information ensures that attempts by the government to restrict information flow are doomed.

* * *

Key Escrow

Many governments, especially that of the United States, have proposed key escrow arrangements as an alternative to the current restrictions on cryptographic exports. Under this system, cryptographic keys would be lodged with a third party which would then be able to provide law enforcement with the means to decrypt communications when provided with a legal warrant for communications interception.

The effectiveness of such a system has been challenged for many reasons, the most compelling of which is the behaviour of criminals. Criminals are not likely to use such an escrowing arrangement, and it is unlikely that they would be swayed by legislation that criminalises the unlicenced use of cryptographic technologies.⁽¹⁹⁷⁾ The consequence of such logic is that the government will gain access to communications they don't need, while criminals will continue to communicate securely.

It has also been pointed out that an intelligent criminal would simply encrypt their communication with a non-escrowed key then encrypt the resulting cryptogram with an escrowed key, making the communication look legitimately encrypted to eavesdroppers. However, peeling off the escrowed-key layer would reveal a further layer of much more sophisticated protection.

The United Kingdom have recently dealt with the issue of key escrow, and a report by the House of Commons Trade & Industry Select Committee into the Electronic Commerce Bill, concluded that:

"UK electronic commerce policy was for so long entrapped in the blind alley of key escrow that fears have been expressed that the UK's reputation ... for electronic commerce is now severely damaged."⁽¹⁹⁸⁾

Key escrow is a fight that is largely yet to be waged in Australia, but statements in the Advisory Report on the Australian Security Intelligence Organisation Legislation Amendment Bill 1999 suggest that key escrow is by no means being overlooked:

"Norman Reaburn (from the Attorney-General's Department) argued that the debate about whether governments would, at some point in the future, only permit the use of encryption devices to which law enforcement and intelligence agencies have a key is not relevant to this Bill."⁽¹⁹⁹⁾

* * *

Defence or Offence?

The Initial Elements of the Wassenaar Arrangement clearly state that the Arrangement "will [not] interfere with the rights of states to acquire legitimate means with which to defend themselves."⁽²⁰⁰⁾

There has been no attempt by defence organisations to claim that cryptographic products have an offensive military capability. It is widely accepted that the only purpose of cryptographic products is "to defend and protect information assets from an aggressor who, for their own reasons, is seeking to gain access to them."⁽²⁰¹⁾ Given that cryptography is purely defensive in nature, it is a tenuous assertion that the export controls in place are due to international agreement.

As Dr Brian Gladman observes in his report Wassenaar Controls, Cyber-Crime and Information Terrorism for the civil liberties organisation Cyber-Rights and Cyber-Liberties (UK):

"[i]t appears, therefore, that this arrangement is being used by some nations to sustain controls on cryptography that are in no way justified by its aims."⁽²⁰²⁾

This proposition is echoed by Ed Black, president of the US Computer and Communications Industry Association, who has stated that:

"Some of the hard-core export control people have never adjusted to the undeniable reality of technological availability ... This gives them a chance to raise the emotional fever pitch to a point where they hope it will cloud rational thinking."⁽²⁰³⁾

* * *

Our Choice

The Wassenaar Arrangement is not binding on its member states. In Germany, also a signature to the Wassenaar Arrangement, the Federal Minister of Economic Affairs and Technology recently released a report stating that:

"[Germany] considers the application of secure encryption to be a crucial requirement for citizens' privacy, for the development of electronic commerce, and for the protection of business secrets."⁽²⁰⁴⁾

In fact, the document goes on to state that:

"For reasons of national security, and the security of business and society, the federal government considers the ability of German manufacturers to develop and manufacture secure and efficient encryption products indispensable."⁽²⁰⁵⁾

As Germany has clearly accepted, the widespread dissemination of strong encryption systems is an aid to national security, not a hindrance.

Conclusions & Recommendations

As Dr Brian Gladman, Crypto Policy Co-ordinator, Cyber-Rights and Cyber-Liberties (UK) has stated:

"I don't think there is any middle ground - we must sweep away all restrictions on crypto and, if we need to do so, introduce laws that control the bad uses of this technology. It is not illegal to own a kitchen knife but it is illegal to use one for murder. This is the only logical way forward."⁽²⁰⁶⁾

This is what Gerard Walsh foresaw in the Walsh Report, which recommended that the Crimes Act be modified to:

"establish an additional and more serious category of offence where encryption is used to obstruct investigation by law enforcement agencies into the preparation for or commission of a criminal offence." (s. 6.2.22)

While the Australian Government does not seem to be responsive to the public's calls for reform, it is possible that reform in this area may come sooner than it at first seems. In the United States, over 200 Members of the House of Representatives re-introduced the Security and Freedom through Encryption (SAFE) bill, HR 850 on 25 February 1999. This bill proposes the lifting of export controls on encryption, and also:

"Affirms the right of all Americans to use whatever form of encryption they choose and prohibits the government from imposing domestic controls on encryption through mandatory "key-escrow" or "backdoor" systems."⁽²⁰⁷⁾

As The Center for Democracy and Technology points out, the large number of original co-sponsors signing onto the bill at the outset demonstrates bipartisan, widespread support for promoting the availability and use of strong encryption. The 200-plus member long co-sponsor list includes the entire House Republican leadership (with the exception of the Speaker who, by tradition, does not co-sponsor bills), as well as Democrat leaders. Additionally, members of the US Senate have stated an intention of putting forward a similar bill to remove the export controls.⁽²⁰⁸⁾

It is likely that any change made to US export restrictions would quickly filter through the Wassenaar Arrangement to other countries such as Australia. However, regardless of the strong support for the SAFE Bill, the likelihood of any significant relaxation of controls in the US is unlikely, as US Department of Justice and FBI officials are still pushing for a complete ban on non-approved encryption products.⁽²⁰⁹⁾

In Australia, it is the lack of the Constitutional protection of civil rights, which can be contrasted with that of the United States, which has resulted in the Wassenaar restrictions potentially having a profoundly larger impact in this country than in the US.

Without protected freedom of speech, Australians cannot communicate information about cryptography, or cryptographic processes without running the risk of prosecution.

Without the constitutional protection of the right to silence, it is not clear as to whether law enforcement agencies can force defendents to disclose cryptographic keys resulting in self-incrimination.

And the accountability of Government in this area of law is dwindling through:

- The ASIO Legislation Amendment Bill 1999 allowing the Attorney-General to grant search warrants, removing judicial review of their necessity;

- The "untouchable" DSD working outside the scope of the Freedom of Information Act and judicial review;

- The Wassenaar Arrangement not being a treaty and hence cutting out any review by the legislature;

- The Weapons of Mass Destruction Act having the effect of a driftnet, catching anything slipping through the Customs Act;

- The suppression of reports aimed at bringing the issues surrounding cryptography into the public domain;

- The enforcement of the export controls by stealth - not prosecuting 'offenders' so as to avoid judicial interpretation of the provisions; and

- Putting up a wall of silence in front of anyone who starts asking questions, the author of this paper included.

The law in this area is posing a massive threat to the civil liberties of all Australians. Public awareness of the issues surrounding cryptography is extremely low, and publicity and debate are well overdue. If the Australian Government wants the trust of the people in the digital age, it must dramatically increase transparency and must take these issues to the public, rather than waiting until the public find them on dusty library shelves.

Opinions

"In my view the use of the WA to restrict crypto is a shameful abuse of democratic principles and a shameful misuse of power by the US, the UK and a few other coutries (Australia included)."

- Dr Brian Gladman, Crypto Policy Co-ordinator, Cyber-Rights and Cyber-Liberties (UK).

"We cannot allow law enforcement issues - for a small percentage of the community who undertake criminal activity - to hold back the 98 per cent of the community who are honest and law abiding and who wish to advance Australia's commercial interests in the world."

- Mr Martyn Evans MP, Shadow Minister for Science and Resources.

"There is an immediate need for broad public discussion of cryptography."

- Gerard Walsh, Foreword of the Review of policy relating to encryption technologies.

"The right to privacy should not depend on the ability to encrypt the message - that almost assumes that your privacy will be subject to arbitrary interference."

- Mr Martyn Evans MP, Shadow Minister for Science and Resources.

"It appears to me that the points you're putting forth are reminiscent of the Maginot Line from World War One. It's a finger in the dike."

- Rep. William Delahunt, D-Mass, speaking to the NSA and Justice Department's points for restricting strong encryption.

"Neither I nor any of my staff are prepared to discuss the subject to which you refer."

- Dr AJ (Tony) Bedford, Chief, Communications Division, DSTO, answering a request for information on cryptographic policy.

Appendix A: Bibliography

Australian WWW Sources

Australian Computer Society (ACS), "ACS Welcomes IFIP Position on Cryptography" (Media Release), <http://www.acs.org.au/news/caelli.htm>, 23 May 1997.

Australian Information Industry Association (AIIA), "AIIA Draft Policy on Encryption", Version 2, <http://www.aiia.com.au/4AIIApubencry9806.html>, 24 July 1998.

Australian Information Industry Association (AIIA), "AIIA's directions for Information Industry Strategy for Australia", <http://www.aiia.com.au/4influgovt.position.html>, 4 August 1998.

AUSTRAC (Australian Transaction Reports and Analysis Centre), "RGEC (Research Group into the Law Enforcement Implications of Electronic Commerce) Issues Paper Series No. 1," online at <http://www.austrac.gov.au/publications/RGEC/RGEC_Papers.html>.

Department of Defence, "Australian Export Controls - a general information guide for the general public," March 1998, online at <http://www.defence.gov.au/dao/exportcontrols/br/genb.htm>.

Department of Defence, "Australian Export Controls - a general information guide for Australian Industry," March 1998, online at <http://www.defence.gov.au/dao/exportcontrols/br/indb.htm>.

Department of Defence, "Australian Export Controls - an information guide for Industry, Universities and the General Public - The Weapons of Mass Destruction (Prevention of Proliferation) Act 1995 (WMD Act)", September 1998, online at <http://www.defence.gov.au/dao/exportcontrols/br/wmd.htm>.

Davidson J, "E-commerce under threat from encryption deal", The Australian Financial Review, 11 December 1998, online at <http://www.afr.com.au/content/981211/inform/inform6.html>.

DSD (Australian Defence Signals Directorate), "Australian Cryptographic Export Controls," A presentation to the IT&T Security Forum, Canberra, 22nd February 1999, online at <http://www.dsd.gov.au/exportcontrol/>

Electronic Frontiers Australia (EFA), "The Australian Crypto FAQ", <http://www.efa.org.au/Issues/Crypto/cryptfaq.html>, 1 August 1998.

Electronic Frontiers Australia (EFA), "Introduction to Cryptography", <http://www.efa.org.au/Issues/Crypto/crypto1.html>, 1997.

Electronic Frontiers Australia (EFA), "The Walsh Report", <http://www.efa.org.au/Issues/Crypto/Walsh/>, 1998.

Gunning P, "Distributing encryption software by the Internet: loopholes in Australian export controls," January 1998, online at <http://www2.austlii.edu.au/itlaw/articles/Gunning_Encryption.html>.

Tebbutt D, "Leaders back US limits on encryption", The Australian, online at <http://www.theaustralian.com.au/techno/4278505.htm>, 8 December 1998.

Tebbutt D, "Cryptography: Brute Force Attack - Strong Medicine", LAN Magazine, 1 June 1998, online at <http://203.18.241.26/4a2565590015021d/c77369c769fd0d0b4a25653c004282b2/c70aa77fd4cf080a4a25662e002e811a?OpenDocument>.

Walsh G, Review of policy relating to encryption technologies, <http://www.efa.org.au/Issues/Crypto/Walsh/walsh1.htm>, February 1997.

International WWW Sources

Acey M, "Key Escrow Bill Slammed by Parliament Inquiry," 19 May 1999, online at <http://www.techweb.com/wire/story/TWB19990519S0001>

Acey M, "US Uses Key Escrow to Steal Secrets," 18 May 1999, online at <http://www.techweb.com/wire/story/TWB19990518S0004>

ACLU (American Civil Liberties Union), "ACLU Briefing Paper No. 10 - Freedom of Expression," online at <http://www.aclu.org/library/pbp10.html>.

Department of Justice, "Justice Department Still Reviewing District Court Decision on Export Controls On Encryption Software", August 26 1997, online at <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoJ/19970826_govt.pressrel>.

EFF, "Legal Cases - Crypto - Karn v. US Dept. of State Archive", online at <http://www.eff.org/pub/Legal/Cases/Crypto_export/Karn_v_DoS_and_DoC/>

EFF, "Crypto Export Restrictions Are Unconstitutional: Professor Bernstein is free to publish his software", August 26 1997, online at <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoJ/19970826.pressrel>.

Ellison C, "Cryptography Timeline", <http://mediafilter.org/CAQ/caq63/caq63madsen.html>, 2 June 1996.

Gilmore J, "Cryptography Export Control Archives", <ftp://ftp.crygnus.com/pub/export/export.html>, 18 January 1996.

Gladman Dr B for Cyber-Rights & Cyber-Liberties (UK), "Wassenaar Controls, Cyber-Crime and Information Terrorism", <http://www.cyber-rights.org/crypto/wassenaar.htm>, September 1998.

Global Internet Liberty Campaign (GILC), "Cryptography and Liberty - An International Survey of Encryption Policy", <http://www.gilc.org/crypto/crypto-survey.html>.

International Federation for Information Processing (IFIP), "The IFIP TC11 Position on Cryptopolicies", <http://www.ifip.tu-graz.ac.at/TC11/TC11.crypto/index.html>, 20 October 1996.

"International Covenant on Civil and Political Rights", online at <http://www.pch.gc.ca/ddp-hrd/english/iccpr/cn_5.htm>.

Karn P, "The Applied Cryptography Case - Detailed History", online at <http://people.qualcomm.com/karn/export/history.html> (last modified 28 April 1998).

Hon. Justice Michael Kirby AC CMG, "OECD Cryptography Guidelines in Context", presented at the International Symposium on the Public Voice and the Development of International Cryptography Policy, 25 September 1996, <http://www.epic.org/events/crypto_paris/speech_kirby.html>.

McCullagh D, "Spy Report Imperils Crypto Bills," 25 May 1999, online at <http://www.wired.com/news/news/email/member/politics/story/19864.html>

McCullagh D, "McCain Offers Crypto Compromise," 1 April 1999, online at <http://www.wired.com/news/news/email/member/politics/story/18903.html>.

Moechel E, "Wassenaar on the Danube", <http://www.telepolis.de/tp/english/inhalt/te/1535/1.html>, 21 August 1998.

Organisation for Economic Co-operation and Development (OECD), "Report on Background Issues of Cryptography Policy", <http://www.oecd.org/dsti/sti/it/secur/prod/crypto3.htm>, 19 December 1997.

Organisation for Economic Co-operation and Development (OECD), "Guidelines for Cryptography Policy", <http://www.oecd.org/dsti/sti/it/secur/prod/crypto2.htm>, 19 December 1997.

Organisation for Economic Co-operation and Development (OECD), "Recommendation of the Council Concerning Guidelines for Cryptography Policy", <http://www.oecd.org/dsti/sti/it/secur/prod/crypto1.htm>, 27 March 1997.

Oram A, "Double blow dealt to privacy by international negotiations", American Reporter, 9 December 1998, <http://www.american-reporter.com/957/2.html>.

Oram A, "Little-Known International Agreement May Determine Internet Privacy", <http://www.oreilly.com/people/staff/andyo/ar/cypto_wassenaar.html>, 11 August 1998.

Reuters, "Step Two for Encryption Bill," online at <http://www.wired.com/news/news/email/member/politics/story/18708.html>

Sergienko G, "Self Incrimination and Cryptographic Keys", 2 RICH. J.L. & TECH. 1 (1996), online at <http://www.urich.edu/~jolt/v2i1/sergienko.html>.

Singleton S, "Policy Analysis: Encryption policy for the 21st Century - A Future without Government-Prescribed Key Recovery", <http://www.cato.org/pubs/pas/pa-325es.html>, 19 November 1998.

United Nations, "Universal Declaration of Human Rights", online at <http://www.unhcr.ch/udhr/lang/eng.htm>.

US Department of State, "COCOM - An End and A Beginning", Defense Trade News, Volume 5 Number 2, April 1994, online at <http://jya.com/dtn0494.htm>.

Vest J, "US 'Echelon' Spy Network Monitoring Email-Fax-Cell Phones Worldwide", 19 September 1998, <http://politicaltexan.com/wwwboard/messages/58.html>.

The Wassenaar Arrangement Secretariat, "The Wassenaar Arrangement", <http://www.wassenaar.org/docs/talkpts.html>.

The Wassenaar Arrangement Secretariat, "History of the Wassenaar Arrangement", <http://www.wassenaar.org/docs/History.html>.

The Wassenaar Arrangement Secretariat, "Wassenaar Arrangement Public Statement", Vienna, December 3, 1998, <http://www.wassenaar.org/docs/press_4.html>.

Wired News, "Germany Endorses Strong Crypto," 3 June 1999, online at <http://www.wired.com/news/news/email/member/politics/story/20023.html>.

Australian Other Sources

Bielewicz JA, Secret Language: Communicating in Codes and Ciphers, Sydney, Hold Rinehart and Winston, 1976.

Blair T, "Online and Out of Reach", TIME Magazine, 1 February 1999.

Department of Defence - Industry Involvement and Contracting Division - International Material Branch, Australian Controls on the Export of Defence and Strategic Goods - A Guide for Exporters and Importers, Australia, November 1996. Copy downloaded from <http://iic.spirit.net.au/imat/publications/excontrl/excohome.htm>.

Department of Defence - Industry Involvement and Contracting Division - International Material Branch, Defence and Strategic Goods List, Australia, November 1996. Copy downloaded from <http://iic.spirit.net.au/imat/publications/excontrl/excohome.htm>.

Downing S, 1996, "Treaty-Making Options for Australia", Current Issues Brief No. 17 1995-96, Department of the Parliamentary Library, Canberra.

Electronic Frontiers Australia (EFA), "Cryptography is Not a Weapon" (Media Release), Australia, 15 September 1998.

Parliamentary Joint Committee on the Australian Security Intelligence Organisation, "An Advisory Report on the Australian Security Intelligence Organisation Legislation Amendment Bill 1999," May 1999. Online at <http://www.aph.gov.au/house/committee/pjcasio/report.pdf>

Terry A & Giugni D, 1997, Business, Society and the Law, 2nd Ed., Harcourt Brace, Sydney.

Walsh G, "The Right to Silence - A sanctuary for sophisticated offenders, or central to the presumption of innocence?," Law Society Journal, April 1999, pp 40-45.

International Other Sources

Becker S, "US Restrictions on Exports of Cryptographic Equipment and Software", Journal of World Trade, Vol. 32 No. 1 Feb 1998, pp. 5-18.

The Center for Democracy and Technology, "Bill Lifting Encryption Controls Re-Introduced in Congress", CDT Policy Post, Volume 5 Number 4, February 25, 1999.

Deavours CA, Kahn D, Kruh L, Mellen G & Winkel B, Cryptology: Yesterday, Today, and Tomorrow, Norwood MA, Artech House Inc., 1987.

Diffie W & Landau S, Privacy on the Line: The Politics of Wiretapping and Encryption, Cambride MA, The MIT Press, 1998.

Directorate General for Research, "Development of Surveillance Technology and Risk of Abuse of Economic Information (an appraisal of technologies for political control) - Part 4/4 The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition - Interception Capabilities 2000," May 1999. Online at <http://www.iptvreports.mcmail.com/stoa_cover.htm>

Electronic Frontier Foundation (EFF), Cracking DES - Secrets of Encryption Research, Wiretap Politics & Chip Design, USA, Electronic Frontier Foundation, May 1998. [http://cryptome.org/cracking-des.htm]

Hingenbottam F, Codes and Ciphers, London, The English Universities Press Ltd., 1973.

Kahn D, The Codebreakers: The Story of Secret Writing, USA, The New American Library Inc., February 1973.

Rengger N (Ed.), 1990, Treaties and Alliances of the World, 5th Ed., Longman Group UK Ltd, Essex UK.

Schneier B, Applied Cryptography, 2nd Edition: Protocols, Algorithms, and Source Code in C, New York, John Wiley & Sons Inc., 1996.

Szafran E, "Regulatory issues raised by cryptography on the Internet", Tolley's Communications Law, Vol. 3 No. 2 1998, pp.38-50.

Thompson JW & Padover SK, Secret Diplomacy: Espionage and Cryptography 1500-1815, New York, Frederick Ungar Publishing Co., 1963.

United States District Court for the District of Columbia, Philip R. Karn, Jr v. United States Department of State etc and United States Department of Commerce and William A. Reinsch Undersecretary Bureau of Export Administration U.S. Department of Commerce, Amended Complaint, Civil Action No. 95-1812-LFO, January 16, 1998. Online at <http://people.qualcomm.com/karn/export/amended_complaint.html>.

Vesely R, "Securing a Crypto Standard", WIRED Magazine 6.06, June 1998.

The White House - Office of the Press Secretary, "Statement by the Press Secretary - Administration Updates Encryption Policy" (Media Release), USA, 16 September 1998.

The Wassenaar Secretariat, WA LIST (98) 1, 3 December 1998, online at <http://www.wassenaar.org/>

Notes

1. Kahn, The Codebreakers, (Abridged version 1973 The New American Library Inc.) at p.69

2. Ibid, at p.72

3. Ibid, at p.72.

4. Ibid, at p.75

5. Ellison C, "Cryptography Timeline", <http://www.clark.net/pub/cme/html/timeline.html> (last modified June 2 1996), at p. 2

6. Ibid, at p. 2.

7. Schneier, Applied Cryptography, p. 11, originally from C.E. Shannon, "Predication and Entropy in Printed English," Bell System Technical Journal, v.30, n. 1, 1951, pp. 50-64.

8. Supra n 5, at p.2.

9. Supra n 7, at p.11

10. Supra n 5, at p.3

11. Supra n 1, at p.79

12. Higenbottam, Codes and Ciphers (1973 The English Universities Press Ltd), at p.7

13. Supra n 1, at p.79

14. Supra n 12, at p.7

15. Supra n 12, at p.9

16. Supra n 12, at p.8

17. Supra n 1, at p.79

18. Supra n 1, at p.89

19. Supra n 12, at p.11

20. Supra n 1, at p.90

21. Supra n 1, at p.94

22. Supra n 5, at p.4

23. Supra n 7, at p.11

24. Supra n 1, at p.95

25. Supra n 12, at p.13

26. Bielewicz J, Secret Language: Communicating in Codes and Ciphers (1976 Holt, Rinehart and Winston), at p.10

27. Supra n 12, at p.13

28. Supra n 12, at p.13

29. Supra n 12, at p.13

30. Supra n 7, at p.12

31. Supra n 7, at p.13

32. Supra n 7, at p.13

33. Supra n 7, at p.13

34. Supra n 1, at p.83

35. Supra n 26, at p.7

36. Barrett P, Review of the Long Term Cost Effectiveness of Telecommunications Interception, March 1994, sect 5.3.19. Quoted in Walsh G, Review of Policy relating to Encryption Technologies, sect 2.1.2.

37. Diffie & Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (1998 The MIT Press), at p.7

38. Madsen W (for GILC), "Cryptography and Liberty: An International Survey of Encryption Policy" at <http://www.gilc.org/crypto/crypto-survey.html>, at p.2

39. EFA, "The Australian Crypto FAQ" at <http://www.efa.org.au/Issues/Crypto/cryptfaq.html> (last modified 1 August 1998), p.7.

40. Blair T, "Online and out of reach", TIME Magazine, 1 February 1999, at p.49

41. EFF, Cracking DES, p 1-8.

42. EFF, Cracking DES p 1-2.

43. No encryption is truly "uncrackable", but the time required to crack encryption of 128-bit or higher strength is so long as to make the data useless once decoded.

44. EFF, Cracking DES, p 1-5. Original source: Blaze M, Diffie W, Rivest R, Schneier B, Shimomura T, Thompson E, Wiener M, "Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security: A Report By An Ad Hoc Group Of Cryptographers And Computer Scientists", January 1996.

45. AIIA, "AIIA Draft Policy on Encryption", p 1.

46. Walsh G, Review of Policies relating to Encryption Technologies, Annex A - Frames of Reference.

47. Ibid, Foreword.

48. Moechel E, "Wassenaar on the Danube" at http://www.telepolis.de/tp/english/inhalt/te/1535/1.html (last modified 21 August 1998), at p.1.

49. Oram A, "Little-Known International Agreement May Determine Internet Privacy" at http://www.oreilly.com/people/staff/andyo/ar/cypto_wassenaar.html (last modified 11 August 1998), at p.1.

50. US Department of State, "COCOM - An End and A Beginning" at <http://jya.com/dtn0494.htm>.

51. Rengger N (Ed.), 1990, Treaties and Alliances of the World, 5th Ed., Longman Group UK Ltd, Essex UK, p 197.

52. Supra n 50.

53. The Wassenaar Arrangement Secretariat, "History of the Wassenaar Arrangement" at <http://www.wassenaar.org/docs/History.html>, at p.1.

54. Supra n 50.

55. Supra n 53, at p.1.

56. Supra n 53, at p.1.

57. Supra n 53, at p.1.

58. Reuters, "Step Two for Encryption Bill," online at <http://www.wired.com/news/news/email/member/politics/story/18708.html>

59. The Wassenaar Arrangement Secretariat, "The Wassenaar Arrangement" at <http://www.wassenaar.org/docs/talkpts.html>, at p.1.

60. Quoted from Electronic Frontiers Australia, "The Australian Crypto FAQ", pp 6-7.

61. Department of Defence - Industry Involvement and Contracting Division - International Material Branch, Defence and Strategic Goods List (1996). Copy downloaded from <http://iic.spirit.net.au/imat/publications/excontrl/excohome.htm>. Statement of Understanding at p.2.

62. Supra n 39, at p.7.

63. Davidson J, "E-commerce under threat from encryption deal" (The Australian Financial Review, 11 December 1998), online at <http://www.afr.com.au/content/981211/inform/inform6.html>, at p.1

64. Wassenaar Arrangement Secretariat, "Wassenaar Arrangement Public Statement", Vienna, December 3, 1998, at <http://www.wassenaar.org/docs/press_4.html>, at p.2

65. The Wassenaar Secretariat, WA LIST (98) 1, 3 December 1998, at p.74

66. Tebbutt D, "Leaders back US limits on encryption" at <http://www.theaustralian.com.au/techno/4278505.htm>, 8 December 1998, at p.2

67. Supra n 66, at p.2

68. OECD, "Report on Background and Issues of Cryptography Policy", p. 6

69. EFA, "Introduction to Cryptography", p 1.

70. Department of Defence - Industry Involvement and Contracting Division - International Materiel Branch, Australian Controls on the Export of Defence and Strategic Goods - A Guide for Exporters and Importers, Australia, November 1996, p 2.

71. Department of Defence - Industry Involvement and Contracting Division - International Materiel Branch, Defence and Strategic Goods List, Australia, November 1996, at Cat 5 - Page 7. Copy downloaded from <http://iic.spirit.net.au/imat/publications/excontrl/excohome.htm>.

72. Supra n 71, p 8.

73. Ibid.

74. Ibid, p 7.

75. Ibid, p 8.

76. Supra n 70, at Annex A - p 2.

77. Ibid, at Annex A - pp 2-3.

78. Department of Defence, "Australian Export Controls - a general information guide for Australian Industry," March 1998, online at <http://www.defence.gov.au/dao/exportcontrols/br/indb.htm>.

79. Tebbutt D, "Cryptography: Brute Force Attack - Strong Medicine".

80. Ibid.

81. Supra n 78.

82. Supra n 70, at pp 16-17.

83. Supra n 78.

84. Anderssen S, pers. comm., 24 Feb 1999.

85. Supra n 70, at pp 16-17.

86. Department of Defence, "Australian Export Controls - an information guide for Industry, Universities and the General Public - The Weapons of Mass Destruction (Prevention of Proliferation) Act 1995 (WMD Act)", September 1998, online at <http://www.defence.gov.au/dao/exportcontrols/br/wmd.htm>.

87. Ibid.

88. Emphasis added.

89. Supra n 70, p. 31

90. Supra n 86.

91. Emphasis added.

92. Borgu A, pers. comm., 2 March 1999.

93. Supra n 79.

94. Supra n 36.

95. Supra n 46, Annex A - Terms of Reference.

96. EFA, "The Walsh Report", p 1.

97. Ibid.

98. Ibid.

99. Supra n 46, Foreword.

100. Ibid, sect 1.1.2.

101. Ibid, sect 1.2.1.

102. Ibid.

103. Ibid, sect 1.2.61.

104. The Hon. Justice Michael Kirby, "OECD Cryptography Guidelines in Context", p 2.

105. Supra n 46, sect 1.2.59.

106. Ibid, sect 1.2.16

107. Oram A, "Double blow dealt to privacy by international negotiations", p. 1

108. Ibid, p. 2

109. Vest J, "US 'Echelon' Spy Network Monitoring Email-Fax-Cell Phones Worldwide", p. 4

110. Directorate General for Research, 1999, "Development of Surveillance Technology and Risk of Abuse of Economic Information (an appraisal of technologies for political control) - Part 4/4 The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition - Interception Capabilities 2000," at pp 10-14.

111. Supra n 110, p 19.

112. Interview with David Herson, Head of Senior Officers' Group on Information Security, EU, by staff of Engineering Weekly (Denmark), 25 September 1996. Online at <http://www.ing.dk/arkiv/herson.htm>. Quoted in Supra n 110, p 17.

113. Supra n 110, p 21.

114. Supra n 46.

115. Supra n 37, p. 8

116. Madsen W (for GILC), "Cryptography and Liberty: An International Survey of Encryption Policy", p. 2

117. Blair T, "Online and out of reach", p. 49

118. OECD, "Report on Background and Issues of Cryptography Policy", p.5.

119. Ibid.

120. Szafran E, "Regulatory issues raised by cryptography on the Internet", Tolley's Communications Law, Vol. 3 No. 2 1998, at p.47.

121. ACLU, "ACLU Briefing Paper No. 10 - Freedom of Expression," online at <http://www.aclu.org/library/pbp10.html>, at p 3.

122. ACLU, "ACLU Briefing Paper No. 10 - Freedom of Expression," online at <http://www.aclu.org/library/pbp10.html>, at p 1.

123. Terry A & Giugni D, 1997, Business, Society and the Law, 2nd Ed., Harcourt Brace, Sydney, at p 301.

124. Karn P, "The Applied Cryptography Case - Detailed History", online at <http://people.qualcomm.com/karn/export/history.html> (last modified 28 April 1998).

125. Becker S, "US Restrictions on Exports of Cryptographic Equipment and Software", Journal of World Trade, Vol. 32 No. 1 Feb 1998, pp. 9-10.

126. Becker S, "US Restrictions on Exports of Cryptographic Equipment and Software", Journal of World Trade, Vol. 32 No. 1 Feb 1998, pp. 10.

127. Supra n 37, at p. 205.

128. Ibid.

129. Ibid, at p. 206.

130. Ibid.

131. Ibid.

132. Ibid.

133. Gilmore J, "Cryptography Export Controls Archives", p. 5

134. Ibid.

135. EFF, "Legal Cases - Crypto - Karn v. US Dept. of State Archive", online at <http://www.eff.org/pub/Legal/Cases/Crypto_export/Karn_v_DoS_and_DoC/>

136. Karn P, "The Applied Cryptography Case - Detailed History", online at <http://people.qualcomm.com/karn/export/history.html> (last modified 28 April 1998).

137. Becker S, "US Restrictions on Exports of Cryptographic Equipment and Software", Journal of World Trade, Vol. 32 No. 1 Feb 1998, pp. 14.

138. Supra n 133, p. 3

139. Ibid.

140. EFF, "Crypto Export Restrictions are Unconstitutional", online at <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoJ/19970826.pressrel>.

141. Ibid.

142. Ibid.

143. Supra n 70, at p. 16-17.

144. Supra n 157, pp. 15.

145. Department of Justice, "Justice Department Still Reviewing District Court Decision on Export Controls On Encryption Software", online at <http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoJ/19970826_govt.pressrel>

146. Pressman A, "Scientist gets court relief from encryption limits," Reuters, 6 May 1999 (received via e-mail). The decision can be found at <http://jya.com/bernstein-9th.htm>

147. Anderssen S, pers. comm., February 1999.

148. Supra n 79.

149. Ibid.

150. Anonymous, pers. comm., March 1999.

151. Anonymous, pers. comm., March 1999.

152. Supra n 116, at p. 3

153. Ibid, p. 3

154. Supra n 104, at p 6.

155. GILC, "GILC Statement on the 50th Anniversary of the Universal Declaration of Human Rights", at p 1.

156. Supra n 116, at p 7.

157. Supra n 78.

158. Supra n 37, at p 8.

159. Supra n 63, at p 3.

160. Supra n 46, Annex A - Terms of Reference.

161. Parliamentary Joint Committee on the Australian Security Intelligence Organisation, "An Advisory Report on the Australian Security Intelligence Organisation Legislation Amendment Bill 1999," May 1999.

162. Australian Council for Civil Liberties, Submission to the Parliamentary Joint Committee on the Australian Security Intelligence Organisation, quoted in Supra n 161, at p 10.

163. Connolly C, Transcript of Parliamentary Joint Committee on the Australian Security Intelligence Organisation hearing, 27 April 1999, at p 40, in Supra n 161, at p 19.

164. Richardson D (ASIO Director-General), Transcript of Parliamentary Joint Committee on the Australian Security Intelligence Organisation hearing, 27 April 1999, at p 13, in Supra n 161, at p 20.

165. Walsh G, "The Right to Silence," Law Society Journal, April 1999, p 40.

166. (1991) 173 CLR 95 at 99.

167. Sergienko G, "Self Incrimination and Cryptographic Keys", 2 RICH. J.L. & TECH. 1 (1996), online at http://www.urich.edu/~jolt/v2i1/sergienko.html.

168. Senator Richard Alston, pers. comm. (e-mail), 22 March 1999.

169. Mr Martyn Evans MP, pers. comm. (e-mail), 30 March 1999.

170. Szafran E, "Regulatory issues raised by cryptography on the Internet", Tolley's Communications Law, Vol. 3 No. 2 1998, at p.44.

171. Gunning P, "Distributing encryption software by the Internet: loopholes in Australian export controls," January 1998, online at <http://www2.austlii.edu.au/itlaw/articles/Gunning_Encryption.html>, originally from <http://www.liberal.org.au/ARCHIVES/ONLINE/online.htm>.

172. Anonymous, pers. comm., March 1999.

173. Evans M, MP, Australian House of Representatives Hansard for 19th November 1997, Telecommunications Legislation Amendment Bill 1997, online at <http://demos.anu.edu.au:7007/cgi-bin/pastimepub/article.pl?dir=years/1997/nov/19/hansard/reps&art=86>

174. Senator Richard Alston, pers. comm. (e-mail), 22 March 1999.

175. Mr Martyn Evans MP, Australian House of Representatives Hansard for 19th November 1997, Telecommunications Legislation Amendment Bill 1997, online at <http://demos.anu.edu.au:7007/cgi-bin/pastimepub/article.pl?dir=years/1997/nov/19/hansard/reps&art=86>

176. Evans M, MP, pers. comm., 30 March 1999.

177. DSD, "Australian Cryptographic Export Controls," A presentation to the IT&T Security Forum, Canberra, 22nd February 1999, online at <http://www.dsd.gov.au/exportcontrol/>

178. Glave J, "Sweeping UK Net Libel Decision," Wired News, <http://www.wired.com/news/news/email/member/politics/story/18764.html>, 26 March 1999.

179. Ibid.

180. Memorandum of the President on Encryption Export Policy (15 November 1996), reprinted in BNA Daily Rep. Execs., 18 November 1996 at M-1; Executive Order No. 13026 of 15 November 1996, 61 Fed. Reg. 58767 (19 November 1996), quoted in supra n 137, p 10.

181. Supra n 171.

182. (1982) 65 FLR 260 at 276, quoted in Supra n 171.

183. Supra n 171.

184. Gordon B, "Computers and the Law", presented at 1997 Annual Referees' Conference of the Consumer Claims and Building Disputes Tribuals, 1997.

185. Supra n 171.

186. Supra n 184.

187. Ibid.

188. Ibid.

189. Supra n 171.

190. Ibid.

191. (1977) 14 ALR 681 at 688, sourced from Supra n 171.

192. (1989) 24 FCR 595 at para 54.

193. (1989) 24 FCR 595 at para 44.

194. Supra n 171.

195. Ibid.

196. Supra n 78.

197. Supra n 170, at p.48.

198. Acey M, "Key Escrow Bill Slammed by Parliament Inquiry," 19 May 1999, online at <http://www.techweb.com/wire/story/TWB19990519S0001>

199. Supra n 161, p 20.

200. Gladman B, "Wassenaar Controls, Cyber-Crime and Information Terrorism", Cyber-Rights and Cyber-Liberties (UK), September 1998, online at <http://www.cyber-rights.org/crypto/wassenaar.htm>.

201. Ibid.

202. Ibid.

203. McCullagh D, "Spy Report Imperils Crypto Bills," 25 May 1999, online at <http://www.wired.com/news/news/email/member/politics/story/19864.html>

204. Translated from German in Wired News, "Germany Endorses Strong Crypto," 3 June 1999, online at <http://www.wired.com/news/news/email/member/politics/story/20023.html>

205. Ibid.

206. Gladman Dr B, pers. comm., February 1999.

207. The Center for Democracy and Technology, "Bill Lifting Encryption Controls Re-Introduced in Congress", CDT Policy Post, Volume 5 Number 4, February 25, 1999.

208. Ibid.

209. McCullagh D, "McCain Offers Crypto Compromise," 1 April 1999, online at <http://www.wired.com/news/news/email/member/politics/story/18903.html>.

[End]

Conversion to HTML by JYA/Urban Deadline.