Groups condemn Wassenaar crypto pact

Several privacy advocacy groups have condemned the recent revision of the Wassenaar Arrangement — a protocol designed to limit the export of strategic military weapons — which includes new controls on encryption software.

Electronic Frontiers Australia (EFA) condemned the new restrictions in a statement on its Web site, saying the changes mean “the threat of global surveillance,” by governments. And a U.S.-based group called Zero Knowledge Systems has called for Internet users to protest the Wassenaar arrangement.

The revision to the Wassenaar Arrangement — signed by 33 countries in Vienna in early December — calls for restrictions on the export of “mass market” encryption

software using keys greater than 64 bits, according to numerous sources who participated in the meeting.

However, provisions of the pact exclude restrictions on specific types of software including programs that are: considered generally available to the public; in the public domain; or designed for installation by the user without further substantial support by the supplier. Details of the agreement have been posted on the Wassenaar Web site (

But these new controls are enough to disturb privacy organizations such as EFA. In a statement posted on its Web site, EFA decried the restrictions, saying that Australia — among the signatories — had knuckled under to U.S. demands, thus depriving Australian citizens access to high-strength security products.

Encryption tools are needed to help human rights organizations such as Amnesty International to inform the world of atrocities committed by repressive governments, EFA said. The controls on exporting encryption software defy rational analysis, EFA added, “because high-quality strong crypto products are freely available in the public domain. The real reasons behind such controls can only be speculated upon,” EFA said.

Encryption software enables people to send electronic messages which are scrambled, so that they cannot be read by outside parties before its recipients see it. The U.S. has in the past restricted export of encryption technology software, fearing that criminals could get their hands on the technology.

But, until now, many countries have had no restrictions whatsoever on exporting encryption software. It is generally acknowledged that 128-bit software is more secure.

EFA plans to step up its public awareness campaign on the restrictions and Web sites are now

springing up around the world making available high-strength security products for downloading, EFA said.

“At a time when governments are preaching the benefits of electronic commerce, it is incredible that security tools should be restricted,” said EFA in its statement.

Another U.S.-based group, called Zero Knowledge Systems, has also called for Internet users to protest the new restrictions.

The group blames the U.S. Department of Commerce under secretary for “taking credit for convincing all other Wassenaar countries to imposed these added restrictions over cryptography designed for average citizens.”

It offers Internet users the chance to fill out a form on its Web site which will go straight to a government representative (

But several European sources who attended the Wassenaar meeting were at pains to stress their governments had not merely given in to U.S. demands for tighter controls.

The Wassenaar arrangement actually represents a loosening of export controls, a European diplomatic source, who declined to be identified, told IDG News Service last week, because it also lifts controls on mass market software under 64 bits.

“It is absurd to say that the group (of 33 countries) decided to increase controls,” he said.

Software deemed “publicly available” is completely free of restrictions, according to Joachim Wahren, spokesperson with Germany’s Auffuhramt, the government organization which signed the Wassenaar arrangement. Hardware regulations have also been loosened, he said. For example, companies no longer have to get approval to export hardware encryption devices, according to Wahren.

Lastly, the other signatories did not accept the U.S. proposal for instituting key recovery, Wahren said. A key recovery program gives the government the right to hold keys that unlock encrypted communications should they deem the content to be in violation of the law.

But he conceded that there is “a certain tightening” of the regulations for software not deemed public.

One IT security analyst sees the move as a definite step backwards. “On balance, this seems retrogressive,” said Ken Frasier, security analyst with Dataquest Corp. in London, England.

“The Clinton administration has been able to persuade 32 other countries to impose explicit restrictions, whereas before, it was a matter of discretion in each country.”

But it could be some countries hope that they can circumvent the restrictions, he said. “There is an indeterminate time before this can be implemented into local law. And even when countries do so, there may be loopholes or relaxations of the arrangement. This is not an instant cure,” Frasier said.

The current Wassenaar signatories are: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Kingdom and United States.