Export of cryptography from the United States

In the early days of the Cold War, the U.S. and its allies developed an elaborate series of export control regulations designed to prevent a wide range of Western technology from falling into the hands of others, particularly the Eastern bloc.

Since in the immediate post WWII period the market for cryptography was almost entirely military, the encryption technology (techniques as well as equipment and, after computers began to play a larger role in modern life, crypto software) was included as "Category XI - Miscellaneous Articles" and later "Category XIII - Auxiliary Military Equipment" item into the United States Munitions List on November 17, 1954.

By the 1960s, however, financial organizations were beginning to require strong commercial encryption on the rapidly growing field of wired money transfer.

Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.

Phil Zimmermann's PGP encryption software and its distribution on the Internet in 1991 was the first major 'individual level' challenge to controls on export of cryptography.

[1] In 1992, an exception was formally added in the USML for non-encryption use of cryptography (and satellite TV descramblers) and a deal between NSA and the Software Publishers Association made 40-bit RC2 and RC4 encryption easily exportable using a Commodity Jurisdiction with special "7-day" and "15-day" review processes (which transferred control from the State Department to the Commerce Department).

Shortly afterward, Netscape's SSL technology was widely adopted as a method for protecting credit card transactions using public key cryptography.

In 2000, the Department of Commerce implemented rules that greatly simplified the export of commercial and open source software containing cryptography, including allowing the key length restrictions to be removed after going through the Commodity Classification process (to classify the software as "retail") and adding an exception for publicly available encryption source code.

[6] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.

This rule included changes to license exception ENC Section 740.17 of the EAR[12][13] U.S. non-military exports are controlled by Export Administration Regulations (EAR), a short name for the U.S. Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C. Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the Department of State on the United States Munitions List.

Export-restricted RSA encryption source code printed on a T-shirt made the T-shirt an export-restricted munition, as a freedom of speech protest against U.S. encryption export restrictions ( Back side ). [ 1 ] Changes in the export law means that it is no longer illegal to export this T-shirt from the U.S., or for U.S. citizens to show it to foreigners.
Netscape Navigator Install Disk stating "Not For export"