Crypto in New Zealand - an update

This is a continuation of the article I posted here a few weeks ago. You can find the whole thing at http://jya.com/nsazeal.htm.

Peter.

-- Snip --

On the 17th January significant parts of this story appeared on the front page of the National Business Review (NBR), a fairly influential paper read by (apparently) half the NZ business world. The GCSB declined to comment on anything except to acknowledge that there had been a meeting between a GCSB person and the manager of Orion Systems. The story also confirms (from talking to some of the people involved) the GCSB - MFAT and GCSB - DSD connections.

The following week Andrew Mayo wrote a letter to the editor of the NBR containing an eloquent defense of the use of encryption to protect personal privacy. MFAT replied to say that they were only following orders, and were required by the Wassenaar agreement to restrict crypto exports: "Export permits normally were required only if the encryption was 40-bit or stronger, so most commercial encryption would not be affected". I wonder where the 40-bit limit suddenly came from? Note also the phrasing "40-bit or stronger". This means that anything including 40 bits is restricted. If they're going to try to blindly parrot US policy then they should at least get their facts straight.

A few days later I found someone who knew what to ask for in order to get a copy of the NZ export regulations. I called MFAT and talked to a gentleman by the name of John Borrie, who had recently taken over responsibility for this affair from someone else who, to put it mildly, had been annoying to deal with. I suggested to him that the GCSB were feeding him just the information they wanted him to know and no more, and that perhaps he should avail himself of alternate sources of advice. He didn't see it quite that way.

The export regulations are identical to the Australian regulations, even down to the layout style. A few of the fonts differ, but that may be due to different systems/printers/whatever. There are several obvious holes in these regulations, but I won't mention them now because they'll probably be used in court fairly soon.

The following week the story was again on the front page of the NBR. This time the story covered the financial difficulties that Cyphercom had been plunged into. Because MFAT had stopped them from having any access to their product for nine months, the company was considering filing for bankruptcy. MFAT spokesperson Caroline Forsyth commented: "US controls on the export of strategic goods are at least as strict as those of New Zealand... an export permit would normally only be required for encryption if it was 40-bit or stronger. Most commercial encryption is well below 40-bit strength. Almost all New Zealand exporters of software are unaffected".

The confused and nonsensical nature of these statements presents a scary picture. MFAT are a government department who (in this area) have no idea what they're doing, but don't know that they have no idea. Combined with the sterling advice they seem to be getting from the GCSB, this could make them a tough nut to crack.

In anticipation of what MFAT would say, I wrote a letter to the NBR editor (which won the "Letter of the Week" award :-) which refuted their claims. The letter ended with:

It appears that MFAT's position is based on an antiquated outlook which regards software to secure electronic commerce as some form of special military technology, a position which might have been reasonable a few decades ago but is totally out of touch with the modern use of computers and electronic communications. In their October 1996 "Business File", MFAT claim that "New Zealand... is helping to limit the spread of increasingly sophisticated military technology and weapons of mass destruction". Whether mass-market commercial software which protects financial transactions and medical records counts as "sophisticated military technology" or "weapons of mass destruction" is unclear (I suppose it's possible to beat someone to death with a floppy disk if you were very determined, but that hardly qualifies as "mass destruction"). Finally, one of the goals of the Wassenaar agreement was to "not impede bona fide civil transactions", which MFAT have certainly done, and are continuing to do.

In the meantime anyone with a credit card and phone, or the ability to walk into a software store, can buy the same software overseas. Stopping New Zealand companies from exporting widely available mass-market computer software of this kind "because terrorists might use it" makes about as much sense as stopping farmers from exporting beef and lamb "because terrorists might eat it".

The issue of Management Technology Briefing included with last week's NBR reports on page 22 that there will be "a US$186 billion market in global transactions by the year 2000", along with a comment that securing these transactions - one of the goals cryptlib was designed for - remains a problem area. Within the next few years the push towards electronic commerce will become a veritable steamroller. By needlessly blocking the export of the technology required to secure this market, MFAT is helping ensure that New Zealand becomes part of the roadkill.

MFAT's parting shot was: "People trying to export encryption without clearance can be prosecuted under the Customs and Excise Act". I should certainly hope so! It's going to be difficult creating a test case to get this nonsense thrown out if they refuse to prosecute me.

Stay tuned, this is going to get entertaining...
pgut001@cs.auckland.ac.nz