8

As a followup from Is the right to keep and bear crypto protected by the Second Amendment?, for export control purposes, United States has been classifying crypto as munition. In the old days, maybe late 1990s and very early 2000s, it was not uncommon for there to be two version of Netscape Navigator -- one with and one without "strong crypto".

Bernstein v. United States. http://export.cr.yp.to/

On what exact legal basis is crypto considered munition?

I mean, has anyone ever been killed with crypto? Is that even possible?

Kozuch
  • 440
  • 4
  • 14
cnst
  • 5,128
  • 4
  • 33
  • 58

3 Answers3

5

Encryption is not a weapon.

Encryption, or rather cryptographic technology and systems, is a munition. What makes it a munition is the International Traffic in Arms Regulations (ITAR) managed by the U.S. Department of State.

Weapons are a subset of munitions.

Many U.S. laws grant authority to the executive branch to promulgate regulations for enforcement of the law. ITAR is a set of regulations managed by the U.S. Department of State to implement 22 U.S.C 2778 of the Arms Export Control Act (AECA).

As part of the implementation, ITAR must define those items that are regulated by the AECA. Part 121 of those regulations defines "The United States Munitions List."

There are many items on that list that are not weapons, yet they are regulated under the authority of the Commerce Clause of the United States Constitution granting power to the U.S. government to regulate international commerce.

The extent of the definition of cryptography as a munition, for purposes of this discussion, is limited to the meaning created in the AECA and ITAR.

There has been a somewhat successful challenge to the ITAR definition as it relates to cryptography mounted by the Electronic Frontier Foundation.

Dave D
  • 5,654
  • 22
  • 39
3

I'll give the explanation for the thinking here. Since that is what you seem to be asking about. Please, don't take it to mean that I am endorsing this point of view.

In the sword/shield analogy, encryption is the shield.

No one has ever been killed with a bullet-proof vest, either. But a bullet-proof vest can be used to protect a criminal from being taken down while he is shooting at a police officer. So it would increase the deadliness of other weapons wielded by someone.

In the same way, encryption can be used to make deployment of sophisticated attack vectors more difficult to uncover. Ultimately, it can even make attacks more potent and deadlier. This is the function of any shield in the sword/shield analogy. The shield protects the wielder of the sword.

grovkin
  • 2,654
  • 2
  • 20
  • 41
2

I sense the classification of cryptography as a munition is a relic from the past.

Cryptography has historically been the domain of the military

Look at this NY Times article from 1996, for example. There it describes "boxes used to surf the World Wide Web" as weapons.

Cryptography has historically been a major deal in warfare. Sending messages to coordinate troop movements without the enemy being able to decode them in order to maintain the element of surprise is a huge strategic and tactical advantage in combat.

Historical Examples

Consider the following subjects of history:

Before the internet, the military (and banking and finance) was the primary domain for encryption technology. The NYT article suggests to me that when the internet became popular, it fueled military concern of superior encryption technology being used for its historical military purpose. They had no frame of reference in history to give them a sense of its peaceful, commercial applications. Most likely.

Courts haven't caught up yet

If encryption is still classified as a munition, it's probably because that issue has not had time to work its way through the legal system. And that might likely be because it hasn't been enforced in a way that would lead a company like, say Google or Amazon, to challenge it.

Alexanne Senger
  • 10,010
  • 3
  • 31
  • 61