26 January 1998: Link to Peter Gutmann's latest version
24 June 1997
Source: Mail list email@example.com
To: firstname.lastname@example.org, email@example.com From: firstname.lastname@example.org (Peter Gutmann) Date: Wed, 25 Jun 1997 08:10:07 (NZST) Subject: Re: spook pressure on crypto exports (was Re: cypherpunks coding challenge) Adam Back <email@example.com> writes: >Bill Stewart <firstname.lastname@example.org> writes: >>(Though actually SSLeay has been very useful to a lot of the >>world's free cryptography, and has prompted the US spooks >>to pressure the Australian spooks into restricting crypto exports, >>just as they've pressured the NZs into restricting them for >>Peter Gutman, and have been trying to work on the Irish...) >Could you elaborate on these. I caught Peter Gutmann's comments on the >hassles a company he did some work for were having with the NZ spooks. (The >spooks intercepted their mailed disk, plus some other cloak and dagger >spookish stuff). Nothing was intercepted. They (the GCSB, NZ subsidiary of the NSA) came up with some phony story about NZ customs intercepting a shipment of military-grade encryption (or something similar) which they fed to the Australian spooks (DSD). NZ Customs knew nothing of this, and the DSD were apparently also considerably surprised by it. As far as I can tell it was a very amateurish attempt to intimidate one of the companies involved (frighteningly amateurish in fact - a single phonecall was enough to confirm that they'd invented the whole incident themselves, the only real effect it had was to get them a front-page story in the National Business Review and (presumably) piss off the DSD for sending them on a wild goose chase and risking media exposure). >Is this still going on, was it ever resolved? Can the next version of >cryptlib be exported legally? Or are we relying on Peters bravery? It can be legally exported. Although the people pulling the strings are the GCSB, the group enforcing it is the Ministry of Foreign Affairs and Trade (MFAT)'s export control group, who are idiots (I can elaborate on this in great detail at some point, preferably over a beer). I have several written statements from them that I can freely export it electronically (along with all sorts of bogosities such as a letter signed by the minister in which the first sentence of the second paragraph says exactly the opposite of the last sentence in the paragraph, and other, similar gems). At one point I was firing off one letter after another to them just to see how silly they would get, but it got boring after awhile. I'll put these letters online at some point for people to have a laugh at. I should also clarify a point about the online writeup of my experiences, which imply that the NSA was active in directing the GCSB over export controls. I'd had some feedback from a high-level US spook source that this wasn't quite the case, but the source has some rather unusual opinions on spooks and their activities (something along the lines of "Civilization would collapse tomorrow if it wasn't for the fine efforts of the CIA and NSA") which made me somewhat suspicious about the accuracy of the information. Anyway, what this source said (and this bit I can believe) was that NZ was completely out of its depth with this (which was obvious from the way it was handled) and was terrified of offending the US. According to the source, the NSA was exerting a *moderating* influence on the whole thing, and that any progress made was because the NSA told the GCSB to back off. This would indicate an interesting case of the NSA exerting very strong indirect influence on determining crypto policy. The GCSB knew the NSA didn't want crypto being distributed, and when they heard of the export they went into overdrive to show the NSA what good boys they could be and how keen they were to help the US by enforcing US policy for NZ crypto. This interpretation is believable, NZ is very much a junior member of the UKUSA alliance and really doesn't want to do anything which might offend the other partners. They knew the US didn't want crypto being made available, so they went out of their way to try to show the NSA that they could be trusted to do their bit in restricting crypto (I'm certain that something as amateurish as the NZ Customs story didn't come from the NSA, even the DSD seemed unaware of it). This means that it doesn't actually require any direct intervention from the USG to control crypto policy, the mere knowledge that the NSA doesn't like something is enough to make the local spooks (who, in NZ's case, rely on the NSA for much of their hardware and training) do whatever they think will keep the NSA happy. It's perfect for the NSA I guess, because they get complete deniability (Just yell "Will noone rid me of this troublesome crypto" and sit back and wait). Peter.