I may be able to contribute a little regarding the export issue. I am a
member of the Telecommunications Equipment Technical Advisory
Committee (TETAC), which is chartered to provide advice to the Department
of Commerce and the US Government regarding export issues. However,
I am neither a lawyer nor an export administration specialist, so take what
I say with a grain or two of salt.
Most of the TETAC's work over the last few years has focussed on the
COCOM agreements for export of so-called "dual use" technology to the
Soviets and various other unfriendly governments. The agreements in these
areas have the status almost equivalent to treaties, and the high level
negotiations are directed by senior staff within the administration, up to and
including the National Security Council. (Our role within TETAC is to provide
expert technical advice, not to make policy, so please don't shoot the
messenger!)
As a result of the collapse of the "evil empire," the various export
regulations are changing literally faster than Commerce staff can rewrite and
publish them. Whole broad sections of technology that used to be considered
strictly verboten are now eligible for export to the capitals of the former
Soviet states, with only a few restrictions. Although some of the other export
restrictions have not yet been relaxed, e.g., of certain telecommunications
equipment to Mexico, Thailand, and other countries that were heretofore
regarded as not having sufficiently strong controls regarding re-export, these
are up for review and changes will no doubt be forthcoming.
Unfortunately, despite a lot of clamor by industry and some members of
Congress, the situation with respect to encryption hasn't changed very much.
Because encryption equipment is listed as one of the categories under the
Munitions Act, the operating assumption to date is that it is _not_, repeat
_not_ dual use, but rather of primarily military use. It doesn't seem to
matter how much we in industry protest, NSA (and some of their counterparts
in other countries) want to maintain strong controls in this area. For that
reason, anyone wishing to export any kind of cryptography (DES or other) is
normally required to obtain a license from the Department of State, who bucks
it over to NSA for a ruling. These controls are imposed unilaterally by the US,
but many other countries impose almost equivalent controls for many of the same
reasons. (In France, for example, you can't even _import_ encryption
equipment.)
Unlike most of the COCOM dual-use technologies, commercial availability of
encryption technology in the target country does not matter much. Only exports
from the US to Canada are exempt from these restrictions, and only because the
Canadians impose similar export controls themselves.
(By the way, the export controls apply to technical data, as well as to hardware
or software, except when the technical data is protected by the First Amendment
as published "speech." Presumably that is why these pem-dev discussions
haven't landed us all in trouble.)
However, to finally come to the point, there are several potential "outs" for
people who want/need to export encryption in either hardware or software
form. First, the COCOM people have agreed to exempt "personalized" encryption
equipment. This means that if you have a smart card or a cellular telephone
that makes use of encryption, you can carry it back and forth across the border
without that constituting "export" (but see your lawyer if you have any
doubts.)
Second, it is possible to apply for a jurisdictional ruling as to the dual-use
nature of the encryption hardware or software. Someone who is selling a
shrink-wrapped word-processing program or spreadsheet can usually convince the
appropriate export specialist that in fact the encryption capability is _not_
militarily significant, and then the responsibility for licensing falls under
the Dept. of Commerce. This jurisdictional ruling is on a product-by-product
basis, but I am told that no one who has applied for one of these rulings has
been denied.
This is far from nirvana, still, but it does represent a reasonable compromise
between the unfettered export of cryptography to all of the "bad guys" (whoever
they might be at any particular moment) and the rights of our society and
others to enjoy a reasonable amount of privacy.