Defence Trade Control Act

"Teaching Encryption Soon to be Illegal in Australia"


Disclaimer: I am not a lawyer and this post should not be considered legal advice. It may contain errors in both the interpretation and explanation of the new legislation.

Restrictions on the Trade of Cryptography

This week a news article resurfaced, courtesy of a friend. "Teaching Encryption Soon to Be Illegal in Australia" it proclaimed! What a terrible idea! How could the government think this was a good idea? Of course, the devil is in the details. The article claims that one could spend up to 10 years in gaol for teaching encryption without a permit, thanks to amendments to the Defence Trade Control Act (DTCA). The DTCA exists to control the transfer of military and other strategic technologies. It works hand in hand with the Defence and Strategic Goods List (DSGL), a list that identifies what these military and strategic technologies are.

Luckily, the DSGL is rather easy to navigate and one can soon locate the section that covers encryption technologies. Section 5A002 covers "Information Security systems, equipment and components", which includes cryptographic primitives. For example: "A symmetric algorithm employing a key length in excess of 56 bits" or "An asymmetric algorithm where the security of the algorithm is based on any of the following: Factorisation of integers in excess of 512 bits (e.g., RSA);". The first thing to note about this list is that the bit sizes are trivially low. They are in fact referred to as "export grade encryption" and have bit sizes that are low enough to be brute forced. This may have been chosen in order to allow a government to ensure that any cryptography using these ciphers could be easily broken. The result of this is that almost all modern cryptography falls under the DSGL as a controlled technology.

The Australian government has provided a paper that explains the new changes, making it relatively easy to understand the changes to legislation. There are two sections within the DTCA that are relevant to us, the first being publication. Publication is defined as making the details of a technology public. For example, this blog is considered a publication (as would most websites). The second section is supply. Supply is defined as the communication of DSGL technology to a person outside Australia. It generally would take the form of providing a person with instructions or access to instructions on how to reproduce a particular technology. Verbal communication is excluded from supply due to difficulty of enforcement. For websites or systems that require membership, determining whether their use is supply or publication is more complicated. If the only requirement for access to a particular website or system is payment, then that website or system would be deemed a publication. Any other system that would require selection by the operating organisation would be deemed supply.

Cryptographic technologies are regarded as dual-use technologies under the DSGL (as opposed to military technologies), which results in fewer restrictions on their trade. According to the DTCA, dual-purpose technologies require a permit for their supply, but not for their publication. There are two notable exceptions. The first is that the Defence Minister may override the standard DTCA and restrict a dual-purpose technology from publication if they consider its publication to have a negative impact on Australia's defence and strategic capabilities. The second is that public domain technologies are excluded and may be supplied or published without restriction.

Scenarios

The first set of scenarios we will consider is the main headline of the article: teaching encryption. Firstly, we must consider if the teaching is supply or publication. If students must attend physical classes, then the teaching would be considered supply. If recordings of the lecture are placed online, but you must be a registered student that meets certain requirements (entry exams etc.), then this would still be considered supply. If, however, the lecture recordings were made available to anyone (even if behind a paywall), then it would be considered a publication. Thus it is very likely that traditional teaching of encryption within universities would be considered supply. Secondly, we must consider what is being taught. If the technologies being taught are new and are covered by the DSGL (e.g. a new symmetric cipher that exceeds 56 bits), then this would require a permit to teach. However, the far more likely case is that existing public domain technologies are being taught. These are excluded from supply restrictions, and thus teaching (supply) could occur without a permit.

Continuing on from the teaching of encryption is the development of new forms of cryptography within academia. The first test for this would be to establish whether it comes under the DSGL or not; given current trends in cryptography, it is highly likely that it would. As a result, we must now consider how this new technology is communicated. If the technology is to be fully published, then this would not require a permit, unless the Defence Minister deems that it would threaten the defence capabilities and strategic effectiveness of Australia, in which case its publication could be suppressed. Other situations will be similar to that of teaching encryption above and will depend on the specific circumstances surrounding communication methods. However, unlike the teaching of encryption, these newly developed technologies will not be public domain and thus their supply will require a permit.

Finally, we have bitcoin software. Much of this software is open source, making algorithms and implementations public. As such, despite most of the cryptographic functions within the software being covered by the DSGL, they are exempt from requiring a permit due to their public domain availability. Again, the exception to this is the Defence Minister deeming that the supply of bitcoin software is likely to threaten Australia's defence and strategic capabilities. I would suggest that this is unlikely and that bitcoin software would easily be developed and distributed without a permit.