My experience is that government and gov't contractors have been turning their heads. The proliferation of E2E communication has been too fast to analyze and regulate with respect to WWII era regulations, similar to how cryptocurrency is to the financial market.
Interesting to note:
>Publicly available software under the EAR, as under the ITAR, is exempt from export control. However, before strong dual-use encryption code is made publicly available via the internet or otherwise placed electronically in the public domain, exporters must provide the US Government with either a copy of the strong dual-use encryption code or a one-time notification of the internet location (URL) of the code. This must be done before making the software publicly available. Notification after transmission or transfer of the software outside the US is an export control violation
Why do you think strong encryption will have an export problem now when it hasn't for decades? Keep in mind that Signal is already open source and the algorithm is already widely distributed. Any restriction on export at this time would be closing the barn doors after the horses have all escaped.
I hate these regulations but EAR and ITAR with respect to crypto seem to be concerned with the key length and algorithm. Over a certain strength the software using the encryption seems to be still treated as a munition!? I've heard of people who ignore this getting huge fines.
And any export to Cuba, N. Kora, Sudan, Syria, and Iran is banned by OFAC (Office of Foreign Assets Control). Yes, the very countries that need Signal the most are banned!
Hopefully I'm wrong and we are free of regulatory issues in the US so I'm asking a serious question here - how does Signal solve this problem?
I've tried reading the regulations (but IANAL) and am almost certain that over a key-length for given algorithms its a munition and an export license or similar is required with regular updates.
And then still there is the issue of the OFAC banned countries list.
I'm hoping Signal's compliance can show other hackers how to also comply without hassle or fear.
> You must submit a classification request or self-classification report to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 740.17(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.
If it's illegal and in a surveillance state, they can selectively prosecute or just coerce people any time they want. I tried to dig into the export regulations one night at this link:
My research suggested they did not change the status of encryption products in general: it was a narrow set of them like mass-market, downloadable stuff that got that designation. They kept high-assurance security, tools for building secure systems, customized secure software, and so on classified as munitions needing a license.
What I can't tell you is anything about that process since I never asked for an export license for any software. Maybe it's easy as some people told me with no restrictions. They weren't doing high-security stuff that irritates surveillance states, though. There could be pressure on big companies or providers of strong stuff. There could be nothing for now but something down the road. It's kind of a black box for me from this vantage point except the parts where it straight-up says specific things have old classification.
I'm really curious what experiences any of you have had that made strong security products on hardened OS's you requested permission to export.
I read in the CFR (Code of Federal Regulations) somewhere that 128-bit AES is under the threshold so can be self-classified (but IANAL!). Anything stronger and the legal constraints seemed to be more than onerous.
Cat is quantum undetermined in my book - maybe someone from Open Whisper Systems, Signal Foundation, or the Freedom of the Press Foundation will share some wisdom.
How do you address the EARs (Export Administration Regulations) and ITARs (International Traffic in Arms Regulations)?
These regulations look like a tar pit to me.