
PGP released its source code as a book to get around US export law - WhiteDawn
http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation
======
rdl
I actually moved to Anguilla for the same reason -- outside the USA, I could
sit in a room next to a Dutch (non-US) citizen, and I could write/publish (to
the Internet, accessible to at least 50 people) an academic paper describing
an algorithm. He could download it, implement it in Java, publish it, and I
could look over it and give comments. Thus, complying with ITAR.

(This was for anonymous electronic cash, in a better system than bitcoin,
invented in the 1980s; there were _also_ RSA patent and Chaum patent
considerations at the time, which were also not valid outside the US, and
ML/etc. reasons why non-US providers were more likely to adopt it. We ended up
getting fucked when a different political party got elected on the island and
residence visas were pulled (we'd supported the other one), and then the
e-gold federal indictment/prosecution/etc. (they were an investor). Also,
living on a Caribbean island is not actually as much fun as you'd think.)

~~~
da02
Just out of curiosity, can you go more into detail about "Also, living on a
Caribbean island is not actually as much fun as you'd think."?

Is it the boredom and bureaucracy? Or something else?

~~~
rdl
Boredom when all the tourists are gone (they were only there a couple months
out of the year; the locals were either old retired expats, or locals who all
knew one another and were related since birth; the 3-5 of us who were western
hacker types were totally isolated). Beaches/etc. sucking. I was also not paid
enough in cash to eat anything but shitty "goat roti" or other stuff like
that, and I didn't really drink (I was 18) which was the main recreational
activity on the island. I didn't smoke mj, which was the other recreational
activity.

The Internet was maybe 200-300Kbps tops, and kind of unreliable, and sucked a
lot since I'd just been at MIT with a "huge" 3x45Mbps connection, working at
Media Lab with the SGI Onyxes for anyone, etc.

------
st3fan
Yeah, I helped verify the scanned and OCRed pages of code at the HIP97
conference in The Netherlands. A lot of cypherpunks got together there to
finalize the legally exported code on paper and turn it into a new digital
distribution that was put back online outside of the US.

Anyone else here who was at HIP97?

~~~
sopooneo
I am missing something here. It seems a restriction on exporting software is
like a regulation on which air molecules can flow out the door. It's
impossible to enforce in the internet age. So why all this workaround? Why not
just give it freely to people in the US with the full knowledge that one or
more of them would _email_ it to people in other countries, possibly
compressed or encrypted so that it wouldn't be recognizable if someone scanned
the files?

Was this all just so that there was a plausible legal explanation for the
code's existence outside the US, even though the means to make it happen
otherwise were already obvious and undetectable?

~~~
rdl
Yes -- the issue was the code was strongly associated with named US persons in
the US. If the code appeared outside the US, it would have been difficult or
impossible for any entity complying with US law to make use of that code, and
there might have been serious repercussions on the named US people (PRZ,
specifically).

The source code itself got posted anonymously before this point (I believe on
cypherpunks@toad.com list), but officially exporting it like this was still
helpful.

The goals were: staying out of jail but ALSO potentially making money through
commercial versions, support, etc. There have been at least 3 incarnations of
PGP as a commercial company.

------
michaelfeathers
Even more interesting - Richard White's tattoo of the RSA algorithm back in
the 1990s. It was an open question whether his arm could travel outside the
US.

[http://cypherpunks.venona.com/date/1995/12/msg00332.html](http://cypherpunks.venona.com/date/1995/12/msg00332.html)

~~~
martindale
Dammit, we need a better culture surrounding publishing on the web, and
specifically around maintaining links. All of the interesting hyperlinks there
are dead.

~~~
rdl
Sorry, that's my web archive of a mailing list. List traffic was supposed to
be ephemeral at the time, not some kind of list of record. (and running list
archives got some people in trouble, including me with the IRS CID, which was
less fun but also less dangerous than it could have been)

------
emillon
When Debian decided to incorporate crypto code in main (before, a "non-us"
section was dedicated to that), it became necessary to declare the export. So
they printed descriptions of the software and mailed it to the Department of
Commerce:

[https://ftp-master.debian.org/crypto-in-main/](https://ftp-master.debian.org/crypto-in-main/) (with pictures of course)

~~~
slashdotaccount
We no longer do this because they didn't like the volume of mail they were
getting :)

------
jackgavigan
The whole "publish the source code as a book" thing was really more of a
publicity stunt to demonstrate how absurd the regulations were. It was
inspired by an earlier case (brought by Phil Karn), in which the US government
ruled that Bruce Schneier's "Applied Cryptography" book did _not_ fall under
the export restrictions but a disk containing the source code that was printed
in the book _did_.

The absurdity reached its peak when some bright spark wrote a three-line
implementation of the RSA algorithm as a perl script (intended to be used as
an email signature) and submitted it to the appropriate US government
department for classification under the export controls, who promptly declared
that anyone who wanted to export it needed to obtain a licence.

So, people started putting it on t-shirts ("This t-shirt is a munition!"),
getting it tattooed on themselves (" _I_ am a munition!"), etc.

Of course, this was all beside the point because the source code for all this
stuff was widely available on the Internet.

The net effect of the export restrictions was that companies like Netscape and
Microsoft had to create "export" versions of their browsers that were limited
to a maximum key size of 56 bits. In '98 (I think), the US authorities
relented somewhat, by allowing a scheme whereby financial institutions could
get a special "Global ID" SSL certificate from Verisign that allowed the web
server to persuade export browsers to "step up" their encryption to 128 bits.

Even after the US government relaxed the restrictions (in early January 2000),
it took a long time for people to upgrade their browsers. I went to work at
Deutsche Bank in the summer of 2000, where I was responsible for setting up
the web servers for online trading systems and I can remember having to
carefully craft the SSLCipherSuite section of httpd.confs to force export
browsers to step up to a key length and encryption algorithm that satisfied
the regulatory requirements for protecting trading systems.

It wasn't just the US who had controls on crypto either. I can remember
learning far more than I ever wanted to know about the Wassenaar Agreement and
the UK's Open General Export Licence because somebody wanted to give Identrus
smartcards to clients who were located elsewhere in Europe.

And then, of course, the UK introduced RIPA, which allows the police to demand
that anyone who has access to an encryption key turn it over. If you refuse,
you can be sent to prison.

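The SSLCipherSuite tuning jackgavigan describes, as an added example that is not code from the thread, Apache or OpenSSL: a small, simplified model of how an OpenSSL-style cipher string is evaluated, showing that a permissive string still lets a 40-bit export browser negotiate an EXP suite while a stricter one leaves only 128-bit-plus suites. The suite table is constructed and abbreviated, and the parser covers only ALL, group aliases and the `!`, `-` and `+` prefixes, not OpenSSL's full cipher-string grammar.

```python
from collections import namedtuple

Cipher = namedtuple("Cipher", "name bits aliases")

# Constructed, abbreviated suite table; the alias groups are hand-assigned here.
TABLE = [
    Cipher("EXP-RC4-MD5",         40, {"EXPORT", "EXP", "RC4"}),
    Cipher("EXP-DES-CBC-SHA",     40, {"EXPORT", "EXP", "DES"}),
    Cipher("EXP1024-DES-CBC-SHA", 56, {"EXPORT", "EXP", "DES"}),
    Cipher("DES-CBC-SHA",         56, {"LOW", "DES"}),
    Cipher("RC4-MD5",            128, {"MEDIUM", "RC4"}),
    Cipher("DES-CBC3-SHA",       168, {"HIGH", "3DES"}),
    Cipher("AES128-SHA",         128, {"HIGH", "AES"}),
    Cipher("ADH-AES128-SHA",     128, {"HIGH", "AES", "aNULL"}),
]

def evaluate(cipher_string, table=TABLE):
    """Ordered suite names enabled by an OpenSSL-style cipher string.
    Handles ':' tokens, aliases, ALL, and the '!' (kill for good),
    '-' (remove, may be re-added) and '+' (move to end) prefixes."""
    enabled, killed = [], set()
    for tok in filter(None, cipher_string.split(":")):
        op, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hit = {c.name for c in table
               if name in ("ALL", c.name) or name in c.aliases}
        if op == "!":
            killed |= hit                      # can never be re-added
        if op in ("!", "-"):
            enabled = [n for n in enabled if n not in hit]
        elif op == "+":
            enabled = ([n for n in enabled if n not in hit]
                       + [n for n in enabled if n in hit])
        else:
            enabled += [c.name for c in table if c.name in hit
                        and c.name not in killed and c.name not in enabled]
    return enabled

def min_key_bits(cipher_string, table=TABLE):
    """Weakest symmetric key size the string still lets a client negotiate."""
    names = evaluate(cipher_string, table)
    return min(c.bits for c in table if c.name in names) if names else None

# "ALL" lets a 40-bit export browser settle for EXP-RC4-MD5; the stricter
# string drops export, LOW and anonymous suites, so an export client must
# step up to 128 bits or fail rather than negotiate a weak suite.
PERMISSIVE = "ALL"
STRICT = "HIGH:MEDIUM:!EXPORT:!LOW:!aNULL"

if __name__ == "__main__":
    print({s: min_key_bits(s) for s in (PERMISSIVE, STRICT)})
```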
------
Perseids
Something I was always curious about since I first found out about this trick:
Why did the book not contain some error correcting codes at the bottom of each
page to simplify the scanning process? Would it have somehow lessened the
legal protection of Zimmermann's free speech?

~~~
rdl
I think later versions did.

~~~
cyber
Yes, the first book set was to test the "bandsaw" protocol and getting it back
into electronic format.

IIRC, they also tweaked the font for better OCR.

------
taftster
The preface from the author is a great read, better than the Wikipedia
article:

[http://www.mit.edu/~prz/EN/essays/BookPreface.html](http://www.mit.edu/~prz/EN/essays/BookPreface.html)

------
gioele
Please note that the "war on cryptography" is not over. There are still export
controls in most of the world (including USA and EU).

For an up-to-date reference see [http://www.cryptolaw.org/cls-sum.htm](http://www.cryptolaw.org/cls-sum.htm)

------
bostik
Heh, I remember when PGP 2.6i became available. I ended up using it very early
on, to the point where I actually came up with a (really sketchy) translation
for it.

This would have been late 1992 or early 1993.

------
yeukhon
Is there a list of cryptographic algorithms I cannot export / share / write
for clients outside of the U.S.? My guess is they are things hidden from us but
I could be wrong.

~~~
sgdread
Anything with 64b+ encryption must be reported [1]. Strong encryption is still
subject to export restrictions. For example, Java needs a special unlock to
enable 128-bit+ encryption.

[1]
[https://www.federalregister.gov/articles/2010/06/25/2010-150...](https://www.federalregister.gov/articles/2010/06/25/2010-15072/encryption-export-controls-revision-of-license-exception-enc-and-mass-market-eligibility-submission)

