
Why do you think strong encryption will have an export problem now when it hasn't for decades? Keep in mind that Signal is already open source and the algorithm is already widely distributed. Any restriction on export at this time would be closing the barn doors after the horses have all escaped.



Quora article on issues in US export of products using strong encryption => https://www.quora.com/What-regulatory-issues-have-to-be-cons...

I hate these regulations but EAR and ITAR with respect to crypto seem to be concerned with the key length and algorithm. Over a certain strength the software using the encryption seems to be still treated as a munition!? I've heard of people who ignore this getting huge fines.

And any export to Cuba, N. Korea, Sudan, Syria, and Iran is banned by OFAC (Office of Foreign Assets Control). Yes, the very countries that need Signal the most are banned!

Hopefully I'm wrong and we are free of regulatory issues in the US so I'm asking a serious question here - how does Signal solve this problem?


I think the US still requires cryptography products to be registered with the Department of Commerce, but that's about it for non-military products.


I've tried reading the regulations (but IANAL) and am almost certain that over a certain key length for given algorithms it's a munition, and an export license or similar is required with regular updates.

And then still there is the issue of the OFAC banned countries list.

I'm hoping Signal's compliance can show other hackers how to also comply without hassle or fear.


I think this is the one: https://www.bis.doc.gov/index.php/documents/regulations-docs...

> You must submit a classification request or self-classification report to BIS for mass market encryption commodities and software eligible for the Cryptography Note employing a key length greater than 64 bits for the symmetric algorithm (or, for commodities and software not implementing any symmetric algorithms, employing a key length greater than 768 bits for asymmetric algorithms or greater than 128 bits for elliptic curve algorithms) in accordance with the requirements of § 740.17(b) of the EAR in order to be released from the “EI” and “NS” controls of ECCN 5A002 or 5D002.


If it's illegal and in a surveillance state, they can selectively prosecute or just coerce people any time they want. I tried to dig into the export regulations one night at this link:

https://www.schneier.com/blog/archives/2014/11/the_return_of...

My research suggested they did not change the status of encryption products in general: it was a narrow set of them like mass-market, downloadable stuff that got that designation. They kept high-assurance security, tools for building secure systems, customized secure software, and so on classified as munitions needing a license.

What I can't tell you is anything about that process, since I never asked for an export license for any software. Maybe it's as easy as some people told me, with no restrictions. They weren't doing high-security stuff that irritates surveillance states, though. There could be pressure on big companies or providers of strong stuff. There could be nothing for now but something down the road. It's kind of a black box for me from this vantage point, except the parts where it straight-up says specific things have the old classification.

I'm really curious what experiences any of you have had who made strong security products on hardened OSes and requested permission to export them.



