Is strong cryptography legal across the internet?

Question

In many countries strong cryptography is outlawed. That means you must store the data of your users in such a way, that government of that country can always decrypt it. And if you don't, you are a criminal.

Suppose, someone is an author of some security software (instant messenger, disk encryption, whatever), that utilizes strong security without any loopholes for governments and where encryption keys really belong to client only so author can provide no way of decrypting anything without changing the whole system's architecture. This software is sold or otherwise distributed on the net and it's legal to do that in the country of author's residence. Suppose also, that this software became so popular, that even Ben Laden decided to use it.

As I understand, the author can be arrested as soon as he crosses the boundary of any country where strong cryptography is illegal, being accused in helping terrorists, if for example, a legal case against Ben Laden is in process there and your cryptographic product is protecting the terrorist's data. Is that correct?

So, technically, if you invent a knife and some knife is used both to cut bread and to kill people, you are ok. But if you invent cryptography, that can serve the privacy of both good and bad people, you are in trouble?

Answer 1

Realistically, although there are a couple of countries who may arrest you for authoring a product which is illegal in that jurisdiction, they do this in breach of international law. caveat: I am not a lawyer, but deal a lot with international regulations around security works, and the real situation is as follows:

I could happily write an encryption product (well, it may not be very good, as I'm not a cryptographer, but anyway) which I pop onto the Internet - perfectly legal in my country.

(This wasn't the case in the US not so long ago - it was the exporting that was the issue, as the US government thought they could control strong crypto. This was nonsense as others around the globe were developing strong crypto as well, and the eventual relaxing of the rules was forced by people like Zimmerman exporting books with the algorithms in - which were protected under 'free speech' in the US. Some strong crypto still counts as munitions there though...)

But in any case, unless your particular country has export restrictions, you can pop crypto code up on the web. (Some draconian countries, such as the US, can put pressure on their residents to enforce access controls on some types of data to try and prevent it being accessible from prohibited countries, but realistically, if something is on a bit of the Internet, it is on The Internet)

The countries which may arrest you for providing code onto the Internet which is legal in your own country could only do it if you were on their own soil, and against all international guidance. I'm thinking of the countries that can arrest you for saying the wrong thing about someone in power, for example - which goes against most human rights legislation anyway.

Answer 2

"This software is sold or otherwise distributed on the net and it's legal to do that in the country of author's residence. Suppose also, that this software became so popular, that even Ben Laden decided to use it."

This depends on the license you have for your software. What I am aware of, is that you are not allowed to ship a product to Iraq (around 2003), for instance, with strong encryption and indeed you can be jailed for that. I never had a software for free and so popular that it was used in forbidden countries, but I would highly recommend you not to make that possible.

........