Versions 2.5 and 2.6 however are obviously illegal exports, and I think that it is the fact that people think of one as legal and the other as illegal that makes the difference, and therefore we who are outside the USA need our own version to be brought up to date. Legality is always relative to some jurisdiction. Let us stipulate for discussion that export of PGP 2.6 from the USA was in violation of the ITAR. Is PGP 2.6 in Europe an "illegal export"? To wit, it is in the USA, but not in Europe, barring specific reciprocity agreements. Under USA law, it violates the ITAR (by stipulation--now may be the time to reach for the dictionary). So, if the USA could manage to extradite a 2.6-user from Europe, that person could be tried under USA law, convicted, and jailed. Think not? One word: Noriega. Noriega was tried under USA law for activities which never took place in the USA. You think that sucks? Well, expect the tendrils of law to extend past the nominal geographic borders more often. If individuals can become locationally ambiguous, there's no reason to expect governments to remain locationally confined. Now, is USA law a threat? Now is the time to estimate the cost of extradition, trial, incarceration, etc. relative to other law enforcement priorities. It's pretty unlikely, in the case of PGP-2.6. No need to lose sleep. So, is it illegal in Europe? Well, not usually. What law of any European state has a 2.6-user broken? The ITAR is a USA law, not, say, a German one. There may be other statutes, as in France, which could restrict its use, but they're not the ITAR. So if I were living in England, using PGP 2.6, I'd have nothing to fear from local authorities as such. (Maybe from them acting as extradition officers, but you can figure out that difference easily.) And I haven't even addressed detection yet. Eric