26 January 1998: Link to Peter Gutmann's latest version

24 June 1997: Link to follow-up comments by Peter Gutmann

Link to NBR reports added 14 February 1997
Updated by the author 2 February 1997
20 January 1997

The NSA's Influence on
New Zealand Crypto Policy

Peter Gutmann

pgut001@cs.auckland.ac.nz

For nearly a year I've been involved in an ongoing battle with several government departments and the odd intelligence agency in an attempt to clarify NZ's position on the export of crypto software. The whole story has now got about as far as it can go, so I thought I'd share it with others. I've been trying to get the media to take an interest in this, but noone really seems to care... if anyone knows any journalists who might be interested in it, feel free to pass it on. I've got more details including names of contact people and phone numbers in case anyone needs to verify parts of the story.

The main players are:

• The Government Communications Security Bureau (GCSB), a New Zealand intelligence agency (for US readers, the GCSB is the NZ subsidiary of the NSA). The foremost authority on the GCSB is Nicky Hager, who recently published the book Secret Power which documents their activities.

• The Defence Signals Directorate (DSD), an Australian intelligence agency (the Australian version of the NSA).

• The Ministry of Foreign Affairs and Trade (MFAT), a New Zealand government department.

• New Zealand Customs.

• Cyphercom Solutions, a New York company which produces financial/online commerce systems.

• Kiss Audio Video, an Australian video production company.

• Orion Systems, a New Zealand company which produces medical information and communication systems for transmitting medical information.

• Myself (Peter Gutmann) and cryptlib, my free encryption library

In April 1996 I got a call from someone who worked for Cyphercom Solutions, a New York company who wanted to use my cryptlib encryption library in a project they were working on. Their lawyers wanted them to obtain an official, physically exported copy so that there wouldn't be any complications later on if the source of the software were ever called into question. The application involved financial transaction processing, and they had received indications from the NSA that it would be looked on favourably in terms of getting export permission. Somewhat strangely though, they were given the distinct impression that to get anywhere, they'd need to play ball with the NSA, even though it was NZ software being exported from NZ, where the NSA should have no jurisdiction.

At this point a brief explanation of the export law situation in NZ is in order. The Customs Act of 1996, Section 54, "Prohibited Exports", states that "The Governor-General may from time to time, by Order in Council, prohibit the exportation from New Zealand of any specified goods or goods of a specified class or classes" (followed by a list of specific conditions on prohibitions).

There's no further information in the Customs Act, but NZ Customs have a short publication "New Zealand Customs Fact Sheet: Export Prohibitions and Restrictions" which contains, among such curious items as cat skins and a large list of agricultural products which can't be exported without going via the appropriate government department, the item "Strategic goods such as computers, navigation and marine equipment, firearms, ammunition, explosives, military aircraft and vessels". The responsible government department is the Ministry of Foreign Affairs and Trade (MFAT, pronounced "em-fat"). Apparently computer software comes under the same classification as computers (MFAT extends the Customs definition of "Strategic goods" to cover "Computer technology, information security systems, and telecommunications equipment"). The entity within MFAT which handles this is the International Security and Arms Control Division, who are advised by the Government Communications Security Bureau (GCSB), the New Zealand NSA subsidiary.

Once you get past the part where NZ Customs are involved, the whole setup is run like the mafia. Nothing is ever written down, everything is done verbally. Although it took only a paragraph to describe how this works, it took more than two months of work to find out in practice. Unless you know exactly who to ask for information, noone has ever heard of these restrictions. A search of NZ legal databases found nothing. Several IP lawyers had never heard of these restrictions. Noone seemed to know anything about any restrictions. Finally in January 1997 I ran into someone who knew what to ask for and where, and got a copy of the regulations (this is covered further down).

An initial discussion with MFAT revealed that NZ Customs tend to apply restrictions based on the old COCOM rules, which have been superseded by the Wassenaar agreement (actually MFAT impose the restrictions, Customs only act as enforcers). For this reason export permits are required for shipments to certain eastern european countries, certain middle eastern countries, and the current UN politically-incorrect-country club. Export to countries other than that would be unlikely to require a permit.

In May, Cyphercom therefore decided to try to export the software to the US and Singapore. Initially MFAT said this was OK. Then at the last minute they changed their minds and imposed the following restrictions:

• No encryption algorithms except single DES.

• Keysize limited to 64 bits (this is peculiar, I assume it's to stop me from using tricks like key-dependant S-boxes and DESX, which I'd discussed in email with people in the US some time ago).

• Definitely no triple DES (this was specifically mentioned).

• Export limited to object code only (so the key size couldn't be changed).

The text of the message (with a few names removed) is:

"The Secretary of Foreign Affairs and Trade has no objection to the export of the XXX financial package, as detailed in the following application from YYY, provided that the library of encryption algorithms is limited to DES (but not triple DES) and any required hash algorithms, dated 15 May 1996".

In the accompanying description of the library, every single algorithm except DES and the hash algorithms have been crossed out. Note that this is for export to the US, which has its own export restrictions anyway (the same thing was done for the Singapore export).

Inquiries by lawyers in the US indicated that there had been a flurry of communication between the NSA and the GCSB over this (as one person - not one of the lawyers BTW - I talked to put it, "When the NSA says 'Bend over', the GCSB says 'How far?'"). The NSA might as well have signed the export (non-)permit themselves. The story from the US lawyers was that there was "repeated intervention of the NSA" and that "NZ is out of its depth, it was terrified of offending the US".

From the information I've been able to gather the whole thing seems to have been initiated by the GCSB rather than the NSA, who were afraid to do anything without NSA approval. The GCSB went to the NSA and asked them what they should do, the result was the (non-)permit. A DSD person also later told a reporter that the GCSB had gone to the DSD and asked them "Would you allow the export under these conditions?". The DSD said "No".

Shortly before this, the Canadian government, which follows the same export guidelines as New Zealand (dual-use technology under the Wassenaar agreement), had ruled that cryptlib was exportable to anywhere except the previously mentioned restricted countries, with no permit necessary, and no need to apply for a permit:

"Application No.278466 covering cryptographic software proposed for export to England, this software is not controlled according to Canada's ECL. Therefore, provided the product noted in this application is not of US origin within the meaning of the ECL item 5400, these goods may be exported to any country, except Libya and Angola, without an export permit. Please note that most goods to Iraq are still prohibited at this time, as well".

The interesting thing about the Canadian decision was that I was contacted twice by Canadian export controls people who asked me a number of very detailed questions about the software, whereas MFAT managed to come to their decision without ever examining the encryption software or talking to its author. As far as I've been able to tell MFAT had very little to do with the decision: They have to follow the GCSB's advice, and the GCSB won't do anything without the NSA's permission.

The opinion from lawyers in NZ was that they were acting far outside their authority. In any case in late May two copies of the crippled version of the software on 3.5" disks were sent out by a large accounting firm acting for Cyphercom, one to the US and one to Singapore as provided for in the export permit.

At about the time the original export appeal was lodged, the GCSB had told another NZ company, Orion Systems, that they couldn't export a product with the encryption necessary to protect patient medical data, lab results, patient referrals, and so on, without obtaining an end user certificate for each user. To sell a copy to just one overseas site would have required obtaining two thousand certifications from all the end users. Larger sites with ten thousand users are not unknown. This meant that Orion would have had to somehow obtain 2000 signed declarations from users just to allow the exchange of medical records (this tactic has also been successfully used by the US government to effectively block certain software exports by US firms). Orion didn't even bother going to MFAT, because if the GCSB required these impossible-to-meet conditions then going to the next level down in the chain of command would make no difference.

After chasing my way around a number of government departments I talked to some people in the Ministry of Commerce who advised that the best way to resolve this craziness was to write to MFAT and inform them that the Canadian government had ruled that the library was freely exportable and that there was no reason for them blocking the export, and ask under what authority the export was being blocked. This letter was sent to MFAT in mid-September. Incidentally, the way government departments refer to the GCSB is weird. Noone ever says "the GCSB", it's always "another government department" or "an organisation which I won't name", as if there was some belief that using The Dreaded Name will cause evil to descend upon the person who utters it, much like the use of the work J*h*v* or Lovecraft's "He Who Is Not To Be Named".

Anyway, at this point, things started to get weird. At about the time I wrote the letter, I was FedEx'd an NDA sent from lawyers representing PGP Inc (a US encryption software vendor) to Orion Systems, sent in a standard FedEx letter envelope. It was intercepted by NZ Customs and opened, and the contents examined, before I got it. This wasn't the usual random (and quite rare) "Examined by Customs" spot check, the letter had a large red "Customs - Hold" sticker on it with an LAX flight number, so I assume they knew in advance what they were looking for. NZ Customs couldn't tell me why it was intercepted, but seemed a bit surprised that the letter had been opened. They said that they may have been "acting on information".

In early October, about a fortnight after I sent the letter to MFAT questioning the export refusal and asking for clarification on what law they were using to block the export (and many months after the export itself), the Australian parent of the US company who wanted the export got a call from the Australian Ministry of Defence (it was actually the DSD, but they generally identify themselves as Ministry of Defence just like NSA employees are always identified as Department of Defence rather than NSA). This company, Kiss Audio Visual, are a video production house who have nothing at all to do with encryption software (or, in fact, anything but video production and graphics design, which they are very good at). They were called by Alan Owen of the DSD who said that they had been informed that NZ Customs had intercepted a shipment containing a high-security encryption product which was being illegally exported from New Zealand. According to the story, when NZ Customs went back to the party who exported the software, they claimed it was on behalf of Kiss. The Managing Director of Kiss called the Ministry of Defence to make sure this was actually for real, and they confirmed that it was.

This story has several very large holes in it:

• NZ Customs never intercepted anything. The package containing the disks arrived in the US unopened, there was no "high-security encryption product" on the disks, and a Customs person has verified that NZ Customs have never intercepted any crypto software shipped overseas.

• There was no illegal export of any kind. All the necessary permissions had been obtained from MFAT before the disks were shipped.

• The export was performed by Cyphercom, not Kiss. Kiss happens to be the parent company, but (apart from a few business discussions carried out over international phone links), there was no other connection between Kiss and Cyphercom.

Alan said that this export had very serious consequences, and that they would be coming to Melbourne to talk to Kiss at 2pm the next day. The Kiss Director immediately called Cyphercom in the US, and they discussed having serious quantities of lawyers present at the meeting, and taking the whole story to the media.

The visit was cancelled without any explanation. Who says governments never listen to their citizens?

(The DSD side of the story was that they were rather busy that day and didn't have time to carry out their investigation).

The implications of this are interesting. Despite the fact that MFAT had already (in effect) denied permission for the export, someone with the ability to listen in to international phone conversations had used discussions about the export to fabricate a story about NZ Customs with which the Australian government could harass Kiss, who had done nothing wrong and in fact had nothing to do with the whole affair (unfortunately I don't have any proof of the phone-conversation monitoring, but I can't see how anyone could possibly have connected Kiss with Cyphercom except for the phone conversations - they simply have nothing else in common). Apparently whoever was pulling the strings saw it necessary to bypass MFAT entirely in an attempt to suppress the encryption software (this does not inspire confidence in the working relationship between MFAT and the unnamed agency. The identity of the unnamed agency was later revealed by the DSD - see below).

Also in October, an article "Trade in Strategic Goods - An Update" in MFAT's "Business File" publication, Vol. 3, No. 7 made specific mention that MFAT were in charge of controlling the export of encryption hardware and software. It's pretty certain that this special mention was motivated entirely by attempts to export cryptlib, because MFAT stated in a letter to me that they'd never encountered anything like this before, so the claim that:

"..the most commonly affected exports from New Zealand are of encryption hardware and software..."

is distinctly peculiar. The last time anyone checked (a KPMG report from mid-1994) NZ had no restrictions on the export of crypto. Some time between mid-94 and October 1996, official mention of export controls appeared, with MFAT having jurisdiction.

In any event the article contains some rather curious comments. "Run-of-the mill exports have usually been processed within 48 hours". MFAT have now taken 9 months without showing any results, causing considerable financial hardship for Cyphercom who are unable to ship a product or even obtain a sample copy for demonstration to customers. "New Zealand... is helping to limit the spread of increasingly sophisticated military technology and weapons of mass destruction". Whether software to protect financial transactions and medical records counts as "sophisticated military technology" or "weapons of mass destruction" is unclear.

In late October I called MFAT to see what the delay was in replying to my earlier letter, and received a reply the following week. In their reply, MFAT stated that the export (non-)permit was in fact not final, and was still under consideration, which was at odds with what they had told Cyphercom and with the wording of the permit itself (see above). The letter also states:

"We made it clear that it would take some time, as the application dealt with a relatively new area in terms of our export controls, and was in a rapidly changing and advancing field. We... are currently discussing it and other issues it raises with relevant government departments".

(the "relevant government department" is the GCSB, this has been confirmed by the DSD). I interpret this paragraph to mean "We're making up the rules as we go along". The Canadian government certainly didn't seem to have any of these problems when they covered the same issue.

MFAT declined to answer my question as to whether this portion of NZ's foreign trade policy was being controlled by US intelligence agencies.

In early January 1997, Kiss were informed by the same Ministry of Defence/DSD person (Alan Owen) that he and an associate would again be flying in from Canberra to talk to them, using as justification the same fictitious story about NZ Customs that they had used before. They spent about two hours at Kiss, saw that they were indeed a video production house (and nothing but a video production house), and left. Before they left, they told the Kiss people that the source of the story about NZ Customs was "their counterparts in NZ" (the GCSB). Kiss had a lawyer present to witness this.

The implications of this are pretty scary. The GCSB first used their position to impose impossible-to-meet conditions on Orion and influence MFAT to indefinitely delay export of software which the Canadian government had already ruled wasn't export restricted. However, not content with this, they then fed a fictitious story to the Australian government to convince them to begin an investigation into a company which had done nothing wrong, and had very little to do with the whole issue.

On the 17th January significant parts of this story appeared on the front page of the National Business Review (NBR), a fairly influential paper read by (apparently) half the NZ business world. The GCSB declined to comment on anything except to acknowledge that there had been a meeting between a GCSB person and the manager of Orion Systems. The story also confirms (from talking to some of the people involved) the GCSB - MFAT and GCSB - DSD connections.

The following week Andrew Mayo wrote a letter to the editor of the NBR containing an eloquent defense of the use of encryption to protect personal privacy. MFAT replied to say that they were only following orders, and were required by the Wassenaar agreement to restrict crypto exports:

"Export permits normally were required only if the encryption was 40-bit or stronger, so most commercial encryption would not be affected".

I wonder where the 40-bit limit suddenly came from? Note also the phrasing "40-bit or stronger". This means that anything including 40 bits is restricted. If they're going to try to blindly parrot US policy then they should at least get their facts straight.

A few days later I found someone who knew what to ask for in order to get a copy of the NZ export regulations. I called MFAT and talked to a gentleman by the name of John Borrie, who had recently taken over responsibility for this affair from someone else who, to put it mildly, had been annoying to deal with. I suggested to him that the GCSB were feeding him just the information they wanted him to know and no more, and that perhaps he should avail himself of alternate sources of advice. He didn't see it quite that way.

The export regulations are identical to the Australian regulations, even down to the layout style. A few of the fonts differ, but that may be due to different systems/printers/whatever. There are several obvious holes in these regulations, but I won't mention them now because they'll probably be used in court fairly soon.

The following week the story was again on the front page of the NBR. This time the story covered the financial difficulties that Cyphercom had been plunged into. Because MFAT had stopped them from having any access to their product for nine months, the company was considering filing for bankruptcy. MFAT spokesperson Caroline Forsyth commented:

"US controls on the export of strategic goods are at least as strict as those of New Zealand... an export permit would normally only be required for encryption if it was 40-bit or stronger. Most commercial encryption is well below 40-bit strength. Almost all New Zealand exporters of software are unaffected".

The confused and nonsensical nature of these statements presents a scary picture. MFAT are a government department who (in this area) have no idea what they're doing, but don't know that they have no idea. Combined with the sterling advice they seem to be getting from the GCSB, this could make them a tough nut to crack.

In anticipation of what MFAT would say, I wrote a letter to the NBR editor (which won the "Letter of the Week" award :-) which refuted their claims. The letter ended with:

It appears that MFAT's position is based on an antiquated outlook which regards software to secure electronic commerce as some form of special military technology, a position which might have been reasonable a few decades ago but is totally out of touch with the modern use of computers and electronic communications. In their October 1996 "Business File", MFAT claim that "New Zealand... is helping to limit the spread of increasingly sophisticated military technology and weapons of mass destruction". Whether mass-market commercial software which protects financial transactions and medical records counts as "sophisticated military technology" or "weapons of mass destruction" is unclear (I suppose it's possible to beat someone to death with a floppy disk if you were very determined, but that hardly qualifies as "mass destruction").

Finally, one of the goals of the Wassenaar agreement was to "not impede bona fide civil transactions", which MFAT have certainly done, and are continuing to do. In the meantime anyone with a credit card and phone, or the ability to walk into a software store, can buy the same software overseas. Stopping New Zealand companies from exporting widely available mass-market computer software of this kind "because terrorists might use it" makes about as much sense as stopping farmers from exporting beef and lamb "because terrorists might eat it".

The issue of Management Technology Briefing included with last week's NBR reports on page 22 that there will be "a US$186 billion market in global transactions by the year 2000", along with a comment that securing these transactions - one of the goals cryptlib was designed for - remains a problem area. Within the next few years the push towards electronic commerce will become a veritable steamroller. By needlessly blocking the export of the technology required to secure this market, MFAT is helping ensure that New Zealand becomes part of the roadkill.

MFAT's parting shot was:

"People trying to export encryption without clearance can be prosecuted under the Customs and Excise Act".

I should certainly hope so! It's going to be difficult creating a test case to get this nonsense thrown out if they refuse to prosecute me.

Stay tuned, this is going to get entertaining...

Added 14 February 1997 by JYA:

National Business Review reports (use search feature):

1997-02-07 Letters

1997-02-07 Mfat defends delay in export a Stephen Ward

1997-01-31 Letters

1997-01-31 Software delays hit hard Stephen Ward

1997-01-24 Letters

1997-01-17 Encryption exporters say state Stephen Ward

HTML by JYA