"This decision shouldn't be interpreted as meaning anything. I caution people against concluding the Internet is now free for export."
PRZ's experience underscores the importance of support from large institutions like MIT and AT&T. It's a lot easier to push around an individual who doesn't have a lot of money or clout than it is to push around MIT. We need a large sponser who is willing to run a more ambitious crypto archive. If an institution like MIT hosted a more generalized site where people could distribute code, it would go a long way towards thawing out the chill the government's managed to create by harassing PRZ. I know it took a lot of negotiating for MIT to set up the PGP distribution site. But now that they've provided a home for PGP, how much more risk would they be taking on if they added other crypto software to the archive? Would exporting other crypto software violate ITAR more significantly than exporting PGP would? The government's policy doesn't prevent crypto from spreading around the world, but it does discourage a lot of people from distributing code they've written or modified. That's the point of the policy, and from their point of view it's probably a big success. It would be a big win if we could come up with a system that would allow anyone to contribute code in relative safety. It would be the difference between having a lot of hand waving discussions about protocols and developing real tools. The groundwork is already there -- good crypto libraries exit. There's a lot of interest. We'd probably see an explosion of ideas and code if people weren't being intimidated. Even though it's possible for almost anyone to set up an archive that imposes the same sorts of rules as the MIT archive on downloaders, it's not the same thing. If Alice puts code up in MIT's archive, it's hard for the government to come at Alice without taking on MIT at the same time. Alice didn't export the code; she gave it to MIT. If they come after MIT, they know it will lead to lots of press coverage. People pay attention to what MIT has to say about technology, and if MIT says that it's important for people to be able to work on crypto code, it's going to carry a lot of weight. If I put up an archive, they can grind me out with legal fees in no time at all; MIT isn't so vulnerable to that kind of an attack. The point of the government's policy is to create a chilling effect on development. That's what we ought to fight against. Our position is similar to that of a little kid in grade school who's getting beat up by a bully every day. We need to make friends with a big guy who can keep the bully off our back.