Restrictive US Internet Policies Backfire

Posted Sunday, November 22, 2015 in Online, Mobile & IT by Peter Horne

Can you believe that it's over 20 years since the release of the Mosaic Internet Browser in 1993?  I remember 1993 very well; it was the year our first child was born and I moved from working in research to the finance industry.  The two events were highly related as there is nothing that gets you more focused on the financial practicalities of life than the responsibility of helping your children grow and reach their full potential.

So when I was invited to join a US investment bank to research the application of new technology in their business, and even though I didn’t really know what that meant, I jumped.

The original project was a flop, but I landed on my feet pretty solidly. In 1994, after the release of the Netscape browser, my knowledge of the internet from being a hacker and having access to internet systems at the university helped a lot. It meant I was able to come out of the blocks at full speed to start work on the transition from internal, disconnected financial systems to the unbelievably-connected world of finance that we live in today.

Encryption was considered “a Munition” in 1994

But while I was able to come out of the blocks at full speed, Australian eCommerce could not. We take our strongly encrypted SSL (secure socket layer) links to our banks and other online providers for granted, but in 1994 the technology that enabled strong SSL encryption was locked up in the US and unavailable outside of the US. The reason for this was that the US government was absolutely paranoid about the use of encryption by their “enemies.”  In fact, they controlled encryption technology by classifying it as a “munition,” which meant that its export was regulated and subject to arms traffic controls.

The US government was also ruthless in pursuing anyone who disagreed with this point of view; especially those involved in the cypherpunk movement. This was basically a group of hippie technologists who saw encryption as a tool for social change. They believed that encryption could blind the prying eyes of the state, and, in so doing, increase individual freedom.

Cypherpunk T-Shirt

Both sides of the debate were almost comical, except for its seriousness. On the one side you had bearded hippies creating T-shirts with math formulas printed on them to make a point that no one could understand, and on the other side were government officials charging them for breaching export controls for publishing on T-shirts the algorithms that were deemed to be munitions.

Cypherpunk T-Shirt

Banks Registered as Arms Dealers to Provide Encrypted Communications. American businesses had found their own way around these restrictions, and so, when I started working for the American investment bank, the bank was both a bank and a registered arms dealer, for the purposes of exporting the encryption technology that it needed in order to communicate securely from Sydney Australia back to the head office in New York. 

This approach was a serious matter; as part of the banking license audit conducted by “the feds” that occurred every two years at the branch office in Sydney, some strange people that looked like Mr. Smith from the Matrix would also audit the compliance with munitions export controls.

So when the internet started to take off in 1994, the world outside the US found itself in a bit of a bind. You see, the US government used these same export powers to restrict Netscape Corporation, and soon after, Microsoft Corporation, from exporting versions of their browsers that had production strength SSL keys in them. That meant that in the US, a normal citizen, good or bad, could get access to full strength encryption. Outside the US, anyone else, including Australian citizens, could only have limited encryption from US suppliers. The US would only let US suppliers export a key strength that the US government, or your local bank thief, could comfortably crack, should they feel the need to do so.

This ban also impacted web server software and the encryption libraries in programming environments such as the Java programming language released in 1995.

1996: US Lifted Encryption Ban

The policy continued until 1996 when Bill Clinton signed an executive order allowing the export of encryption technology by US-controlled entities. Nevertheless, the NSA continued to fight against this change, and even tried to make the use of an encryption chip called “Clipper” mandatory so that the US government could have a process that allowed them to continue to intercept communications and access data.  Those efforts ultimately failed, and encryption ceased to be an issue for the growing internet.

Negative Consequences of Refusing to Allow Encryption Outside the US

Delayed Global ecommerce. This process was not free of consequences. In Australia, it meant that we could not start full-scale internet projects for over 2 years from when we could have started them, and it significantly slowed the realisation of the economic advantages of the internet.

Put US Companies at Competitive Risk. The attitude of the US intelligence communities not only disadvantaged the rest of the world; the intelligence community was putting US companies at serious risk of losing their place in the new technology race.

Stimulated Innovative Work-Arounds Outside the US. The US does not have the monopoly on knowledgeable, smart, and motivated technologists; people outside the US started to solve the problem for themselves. During the period of restrictions on the use of SSL outside of the US, an enterprising pair of Australians--Eric Young and Tim Hudson--created an SSL library called SSLeay, which became the de facto global standard implementation of the SSL protocol, to the point where it is also now used as a default around the world in the OpenSSL package.

The rather strangely named “Legion of the Bouncy Castle” is also a not-for-profit organisation domiciled in Australia that hosts the development of the benchmark SSL library for the Java and Microsoft C# environment.

What was starting to happen was that the open source movement and smart people outside the US were working their way around restrictive US policies. I have no doubt that had the restrictions continued, both Netscape and Microsoft would have been toppled by a foreign- developed web browser.

FREAK Exploit. Another serious consequence of this policy was that the weak keys caused the “FREAK” exploit.  This was discovered in early 2015, and showed that more than a third of servers expose their clients to the risk of what is known as a “man in the middle” attack.  This attack allows an attacker to get between the client browser and web server and collect client-submitted data, such as user names, passwords, and credit card details. It also could enable States to monitor communications.

Europeans Don’t Accept US Govt. Surveillance

Now wind forward to today, and there is a renewed push by US agencies and law-makers to weaken the encryption systems that are used to protect data transmission and storage on cell phones and any other connected device.

The US is also pushing US companies with overseas data centers to provide the US government with access to data regardless of where the data is stored, for example, in the case of Microsoft vs US over emails in Dublin. Now Europe is pushing back. The European Court of Justice annulled the EU-US “Safe Harbor” agreement, on the grounds that US mass surveillance put the personal data of Europeans at risk. Despite efforts to find a new solution, an entirely possible result could be that EU citizen data will no longer be transferred to and stored in US territory. The US is now assumed, and proven, to be hostile to the privacy rights of non-US citizens.

I hope someone with some ounce of wisdom is thinking about this in the US government. History shows that if they keep going, they are going to find that those outside the US actually have the technology smarts, economic power, and regulator willingness, to hit you where it hurts most – in the US tech industry. Innovation will slow down, tempers will go up, industry will get hurt, not a lot will be achieved, and you will increase risk, rather than reduce it.

Encryption is math, and US law cannot hobble the laws of math; US law can only hobble US companies and US citizens.  You don’t have to go through this lesson again, do you? It’s only been 20 years since the last time. 

0 comments


Be the first one to comment.

You must be a member to comment. Sign in or create a free account.