Comment by jackgavigan

11 years ago

The whole "publish the source code as a book" thing was really more of a publicity stunt to demonstrate how absurd the regulations were. It was inspired by an earlier case (brought by Phil Karn), in which the US government ruled that Bruce Schneier's "Applied Cryptography" book did not fall under the export restrictions but a disk containing the source code that was printed in the book did.

The absurdity reached its peak when some bright spark wrote a three-line implementation of the RSA algorithm as a Perl script (intended to be used as an email signature) and submitted it to the appropriate US government department for classification under the export controls, which promptly declared that anyone who wanted to export it needed to obtain a licence.

So, people started putting it on t-shirts ("This t-shirt is a munition!"), getting it tattooed on themselves ("I am a munition!"), etc.

Of course, this was all beside the point because the source code for all this stuff was widely available on the Internet.

The net effect of the export restrictions was that companies like Netscape and Microsoft had to create "export" versions of their browsers that were limited to a maximum key size of 56 bits. In '98 (I think), the US authorities relented somewhat, by allowing a scheme whereby financial institutions could get a special "Global ID" SSL certificate from Verisign that allowed the web server to persuade export browsers to "step up" their encryption to 128 bits.

Even after the US government relaxed the restrictions (in early January 2000), it took a long time for people to upgrade their browsers. I went to work at Deutsche Bank in the summer of 2000, where I was responsible for setting up the web servers for online trading systems, and I can remember having to carefully craft the SSLCipherSuite section of httpd.confs to force export browsers to step up to a key length and encryption algorithm that satisfied the regulatory requirements for protecting trading systems.

It wasn't just the US that had controls on crypto either. I can remember learning far more than I ever wanted to know about the Wassenaar Agreement and the UK's Open General Export Licence because somebody wanted to give Identrus smartcards to clients who were located elsewhere in Europe.

And then, of course, the UK introduced RIPA, which allows the police to demand that anyone who has access to an encryption key turn it over. If you refuse, you can be sent to prison.