5

I've always heard someone justify the means for export restrictions with "it's for governmental control/spying". In most reasonable countries, the justice system asks people to adhere to the "spirit of the law".

What is "spirit of the law" regarding cryptography I should be aware of?

Are there any themes that are common, outside a country's borders?

Possible answers may be

  • the protection of Intellectual Property
  • the desire to protect corporate assets in a given country (as these businesses pay taxes)
  • to protect the online identity of their citizens (in the case of certificates issued to individuals).

For those people doing business in unreasonable countries, I'll bet they have more worries than just the cryptographic security of your data.... so I don't think there is any "spirit of the law" to be concerned about.

2

3 Answers

5

Export regulations are the offspring of international treaties, in particular the Wassenaar Arrangement. The idea is that once countries decide that strong cryptography must be regulated within their borders, these countries make deals with other countries so that those other countries do not recklessly export strong cryptographic products, neither to them, nor to third parties who are deemed "not trustworthy enough" to receive them (e.g. the arrangement restricts export from USA to France and also from USA to North Korea, but not for the same reasons!).

Cryptography is here treated as if it was a kind of assault rifle. Indeed, until about a dozen years ago, cryptography was officially classified by the USA as ammunition. This implies the same kind of controls as those for importing or exporting weapons.

We can thank (or curse) the Web, and especially the whole let's-buy-things-on-the-Web business, for the normalization of cryptography: most crypto-related regulations which have been passed in the last decade have been designed so that it became legal to provide, export and import Web browsers with SSL support, for non-joke key lengths. Legislative bodies around the world are slowly coming to the realization that cryptography is not necessarily a bad guy tool; individuals and corporations may be entitled to use it for their own protection, too, especially in areas where more classical law enforcement agencies do not have the technical means to ensure the safety of everybody. SSL is legal because there is no practical way to proactively prevent eavesdropping.

6
  • 5
    For those that don't know, one of the key milestones was the effective release of PGP to the world not by the Internet, but by publication in books - en.wikipedia.org/wiki/Pretty_Good_Privacy#History
    – Rory Alsop
    Commented Sep 29, 2011 at 21:13
  • Your first paragraph looks like the US forbids exporting Crypto products to Syria, North Korea etc. because these countries do not want them there. The second paragraph (and the Wikipedia article) is clearer, but you might want to clarify the first one. Commented Sep 30, 2011 at 0:23
  • @Paulo: done. Actually I meant both reasons. Commented Sep 30, 2011 at 1:16
  • With the disclaimer that none of us are lawyers per se, should I interpret that "spirit of the law" as being acceptable use, for the purpose of self-protection from eavesdroppers? If so, what kind of eavesdroppers: Criminals or government-funded eavesdroppers? Does that imply that a certain technology (or bit-level) defines who we're protecting ourselves from... and therefore may be observed as hiding from a particular state? Are cryptographic control laws in this regard subjective or objective? Commented Sep 30, 2011 at 1:53
  • @ThomasPornin - O.T. I went to your website and downloaded some of your software/code out of similar curiosity. Also clicked a bunch of links. Can you share more info about your experience with France and what crypto can't be exported from US? Commented Sep 30, 2011 at 1:59
2

The answer to the question is because the government mandates it.

There was a time here in the US when the government was hobbled by "gentlemen don't read each other's mail", but the lessons of millions dead due to global war in the last century followed by thermonuclear brinksmanship nullified that quaint idiom. Thus we find ourselves living in a time when cryptographic technology is seen at the state level as potentially enhancing the abilities of the state's enemies.

It is not a simple task to quarantine a scientific idea or computer algorithm, but that is the only tool the state has at its disposal. Ideas tend to escape such controls, but whether it is nuclear weapons design or the crypto used to transmit that design, they fall under state control. As those details escape, the world becomes a more complicated place for the state.

-1

I think the reason why the US export controls for crypto were created in the first place was that it was most commonly used in the military, and part of why the early computers were created in the first place was to break crypto. Hence why it was classified as munitions in the ITAR.

Trivia: the infamous 40-bit limit was set as part of a deal between SPA and NSA in 1992 to make export of crypto easier than before.

1
  • If you read the existing answers, you will see that the reasons are all actually very well understood and published.
    – Rory Alsop
    Commented Dec 28, 2014 at 12:49
