26 January 1998: Link to Peter Gutmann's latest version

24 June 1997
Source: Mail list cypherpunks@cyberpass.net

To: aba@dcs.ex.ac.uk, cypherpunks@cyberpass.net
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Wed, 25 Jun 1997 08:10:07 (NZST)
Subject: Re: spook pressure on crypto exports (was Re: cypherpunks coding challenge)

Adam Back <aba@dcs.ex.ac.uk> writes:
>Bill Stewart <stewarts@ix.netcom.com> writes:
>>(Though actually SSLeay has been very useful to a lot of the
>>world's free cryptography, and has prompted the US spooks
>>to pressure the Australian spooks into restricting crypto exports,
>>just as they've pressured the NZs into restricting them for
>>Peter Gutmann, and have been trying to work on the Irish...)

>Could you elaborate on these.  I caught Peter Gutmann's comments on the 
>hassles a company he did some work for were having with the NZ spooks.  (The 
>spooks intercepted their mailed disk, plus some other cloak and dagger 
>spookish stuff).

Nothing was intercepted.  They (the GCSB, NZ subsidiary of the NSA) came up
with some phony story about NZ customs intercepting a shipment of 
military-grade encryption (or something similar) which they fed to the 
Australian spooks (DSD).  NZ Customs knew nothing of this, and the DSD were 
apparently also considerably surprised by it.  As far as I can tell it was a 
very amateurish attempt to intimidate one of the companies involved 
(frighteningly amateurish in fact - a single phonecall was enough to confirm 
that they'd invented the whole incident themselves, the only real effect it 
had was to get them a front-page story in the National Business Review and 
(presumably) piss off the DSD for sending them on a wild goose chase and 
risking media exposure).

>Is this still going on, was it ever resolved?  Can the next version of
>cryptlib be exported legally?  Or are we relying on Peter's bravery?

It can be legally exported.  Although the people pulling the strings are the
GCSB, the group enforcing it is the Ministry of Foreign Affairs and Trade 
(MFAT)'s export control group, who are idiots (I can elaborate on this in 
great detail at some point, preferably over a beer).  I have several written 
statements from them that I can freely export it electronically (along with 
all sorts of bogosities such as a letter signed by the minister in which the 
first sentence of the second paragraph says exactly the opposite of the last 
sentence in the paragraph, and other, similar gems).  At one point I was 
firing off one letter after another to them just to see how silly they would 
get, but it got boring after a while.  I'll put these letters online at some
point for people to have a laugh at.

I should also clarify a point about the online writeup of my experiences,
which implies that the NSA was active in directing the GCSB over export
controls.  I'd had some feedback from a high-level US spook source that this 
wasn't quite the case, but the source has some rather unusual opinions on 
spooks and their activities (something along the lines of "Civilization would 
collapse tomorrow if it wasn't for the fine efforts of the CIA and NSA") which 
made me somewhat suspicious about the accuracy of the information.  Anyway, 
what this source said (and this bit I can believe) was that NZ was completely 
out of its depth with this (which was obvious from the way it was handled) and 
was terrified of offending the US.  According to the source, the NSA was 
exerting a *moderating* influence on the whole thing, and that any progress 
made was because the NSA told the GCSB to back off.  This would indicate an 
interesting case of the NSA exerting very strong indirect influence on 
determining crypto policy.  The GCSB knew the NSA didn't want crypto being 
distributed, and when they heard of the export they went into overdrive to 
show the NSA what good boys they could be and how keen they were to help the 
US by enforcing US policy for NZ crypto.

This interpretation is believable, NZ is very much a junior member of the
UKUSA alliance and really doesn't want to do anything which might offend the 
other partners.  They knew the US didn't want crypto being made available, so 
they went out of their way to try to show the NSA that they could be trusted 
to do their bit in restricting crypto (I'm certain that something as 
amateurish as the NZ Customs story didn't come from the NSA, even the DSD 
seemed unaware of it).

This means that it doesn't actually require any direct intervention from the
USG to control crypto policy, the mere knowledge that the NSA doesn't like 
something is enough to make the local spooks (who, in NZ's case, rely on the 
NSA for much of their hardware and training) do whatever they think will keep
the NSA happy.  It's perfect for the NSA I guess, because they get complete 
deniability (Just yell "Will no one rid me of this troublesome crypto" and sit
back and wait).