Cautionary Tales of Restrictive U.S. Internet Policies

Posted Saturday, August 10, 2013 in Online, Mobile & IT by Peter Horne

Can you believe that it is 20 years this year since the release of the Mosaic Internet Browser in 1993?  I remember 1993 very well; it was the year our first child was born and I moved from working in research to the finance industry. The two events were highly related as there is nothing that gets you more focused on the financial practicalities of life than the arrival of a pooing and gooing bundle of future potential that is dependent on you to realise their potential. So when I was invited to join a U.S. investment bank to research the application of new technology in their business, and even though I didn't really know what that meant, I jumped.

The original project was a flop but I landed on my feet pretty solidly when in 1994, after the release of the Netscape browser, my knowledge of the internet from being a hacker and having access to internet systems at the university meant I was able to come out of the blocks at full speed to start work on the transition from internal, disconnected financial systems to the unbelievably connected world of finance that we live in today.

But while I was able to come out of the blocks at full speed, Australian eCommerce could not. We take our strongly encrypted SSL (secure socket layer) links to our banks and other online providers for granted, but in 1994 the technology that enabled strong SSL encryption was locked up in the U.S. and unavailable outside of the U.S. The reason for this was that the U.S. government was absolutely paranoid about the use of encryption by their "enemies". In fact they controlled encryption technology by classifying it as a "munition" which meant that its export was regulated and subject to arms traffic controls.

They were also ruthless in pursuing anyone who disagreed with this point of view; in particular, those involved in the cypherpunk movement. This was basically a group of hippie technologists who saw encryption as being a tool for social change by increasing the freedom of the individual by keeping away the prying eyes of the state. Both sides of the debate were comical except for its seriousness - hippies creating T-shirts with math formulas printed on them to make a point that no one could understand, and government officials arresting them for breaching export controls for publishing on T-shirts the algorithms that were deemed to be munitions.

And so when I started in finance in an American investment bank, the bank I worked for was actually a registered arms dealer for the purposes of exporting the encryption technology that it needed in order to communicate from Sydney Australia, back to the head office. And as part of the Federal audit that occurred every two years in Sydney, some strange people that looked like Mr Smith from the Matrix would also audit our compliance with munitions export controls.

So when the internet started to take off in 1994, the world outside the U.S. found itself in a bit of a bind. You see the American government used its powers to restrict Netscape Corporation, and soon after, Microsoft Corporation, from exporting versions of their browsers that had production strength SSL keys in them. That meant that in the U.S. a normal citizen, good or bad, could get access to 128bit encryption, while outside the U.S. anyone else, including good Australian citizens could only have 40Bit keys; a key strength that the U.S. government, or your local bank thief, could comfortable crack should they feel the need to do so. This ban also went to web server software and the encryption libraries in programming environments such as the Java programming language released in 1995.

This went on until 1996 when Bill Clinton signed an executive order allowing 128bit keys to be used, however the NSA continued to fight against it and even tried to make the use of an encryption chip called "Clipper" mandatory so that the U.S. government could intercept foreign communications. Those efforts failed, but the delays meant that we could not start full scale eCommerce projects in Australia for over 2 years from when we could have started them, and it meant that we were at a competitive disadvantage to U.S. companies.

But these shenanigans by the zealots of the U.S. intelligence communities not only disadvantaged non-U.S. companies; they were in serious danger of putting U.S. companies at serious risk of losing their place in the new race. The U.S. does not have the monopoly on knowledgeable, smart, and motivated technologists, and so people started to solve the problem for themselves.  In fact during the period of restrictions on the use of SSL outside of the U.S., an enterprising pair of Australians called Eric Young and Tim Hudson created an SSL library called SSLeay which became the defacto global standard implementation of the SSL protocol to the point where it is also now used as a default around the world in the OpenSSL package (every Mac has it). The rather strangely named "legion of the bouncy castle" is also a website domiciled in Australia that hosts the development of the benchmark SSL library for the Java environment. What was starting to happen was that the open source movement and smart people outside the U.S. were working their way around restrictive U.S. policies, and I have no doubt that had the restrictions continued both Netscape and Microsoft would have been toppled by a foreign developed web browser.

Now wind forward 20 years, and this weekend we are hearing of cloud based web email services from LavaBit and Silent Circle closing their doors because (and it is illegal for them to give any specific detail) they would rather close their doors than allow U.S. intelligence agencies to demand access to their networks and databases. We also know that while Google and Microsoft were willing participants in the NSA data collection processes revealed by the whistle blower Edward Snowden, the NSA was able to coerce Yahoo and Apple against their will to do the same.

I hope someone with some ounce of wisdom is thinking about this in the U.S. government. The drums are banging, the technologists are activating, and the cypherpunks are printing new t-shirts.  History tells us that if you keep going you are going to find that those outside the U.S. actually have the smarts and economic power to hit you where it hurts - in your tech industry. Things will slow down, tempers will go up, industry will get hurt, not a lot will be achieved, and you'll have to change because if there is one thing America likes more than chasing boogie men, it is its industries making money and it's people in jobs.

We don't have to go through this lesson again, do we? It's only been 20 years since the last time.


Be the first one to comment.

You must be a member to comment. Sign in or create a free account.