PGP (and all encryption schemes that offered key lengths greater than 40 bits) were banned under the State Department ITAR regulations.
These are the same regulations that prohibit the export of 3D model files over the internet if the model is a weapon or a part of a weapon.
The 3D models are banned because they are "technical documentation" (blueprints, manufacturing information). I would argue that the source code to encryption (a "weapon" according to the regulations) also counts as technical documentation. Therefore, I think that printing the source code was just as illegal as sending the source code (or compiled software) over the internet.
Try exporting the blueprints or software source for a Gen III+ night vision and see how quickly you are picked up by the FBI.
I can't help but think this whole book thing was more designed to shame the government into letting it be exported, or for a judge to declare that the regulations were unconstitutional, or the guys who did it were misinformed about the law.
The theory was that this was protected as free speech. There's a very strong precedent for the courts protecting arbitrary printed text.
It's difficult to say one way or the other whether it would have held up in the long run because the government backed out of prosecuting without further comment. There were similar issues with DeCSS, the various 'illegal primes', etc.
I had trouble finding this with Google-fu, but was there not discussion a while back of a format for stringifying file content and encrypting it for printing and dead-tree archiving in a safe or whatnot? I am having trouble finding any info about it. I found OllyDbg Paperback, but I am not sure that is what I was looking for. Anyone remember?
I am curious if someone could "paper up" something like PGP to be stored in a safe, if the format I vaguely recall did not go that far.
Is it naive of me to think that subsequent "book releases" of the software would be best encoded as patchsets against the original release? It seems wasteful to re-print and then re-OCR the entirety of the codebase.
While I was typing that, I thought of a second point: would it still be a munition if it were only diffs? E.g. Could one put the patchsets on a public server without legal woes, because it's only the full source that's problematic?
I guess you could say that this is the first copy of PGP that an American could legally use outside the country, or give to somebody outside the country?
Otherwise yeah, I agree that what they are saying is strange. The fact that prior to this any German using a copy of PGP was using a copy that an American broke the law to give him doesn't mean that the German was himself breaking the law.
Wouldn't it have been sufficient to scan only the crypto-code? I guess that the bulk of the code deals with UI, keyservers, file formats, etc., so why bother with exporting the non-crypto stuff in paper form?