Maths are munitions, you know

Posted on by

It’s a little known fact (amongst normal people) that encryption algorithms are considered to be munitions in law. Thus those little equations are governed by the same laws as exports of fighter jets, etc. Why should you care? Well, if you use a laptop for QUB work, you should be encrypting its storage to protect any sensitive content on it – and given that ‘sensitive’ is a loose term it’s best to encrypt under all circumstances. If, however, you go travelling then suddenly you have a dangerous item under your control.

While most jurisdictions permit the personal use of encryption, some forbid it without explicit permission. While unlikely, it’s possible that a border guard could insist on the machine being decrypted, and it could be seized. Thus the sensible approach is to *not* bring your laptop to one of these countries, but to bring a spare system which is unencrypted but contains nothing but the bare essentials for your trip.

The university is not aware of any staff being affected by this as yet, but it is best to be aware of the possibilities. I had a conversation about this last week with senior folks in IS.

You can find a list of the “difficult” destinations at http://www.cryptolaw.org/cls-sum.htm

The destinations which some of you may go to, which do require care, are:

  • China – a permit issued by the Beijing Office of State Encryption Administrative Bureau is required.
  • Hungary – an International Import Certificate is required.
  • Israel – a license from the Director-General of the Ministry of Defense is required.
  • Russia – licenses issued by both the Federal Security Service and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia.
  • Saudi Arabia  – it has been reported that the use of encryption is generally banned, but inconsistent information exists.
  • Ukraine – a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

Especially in the case of Russia and China, given the known risks of state-sponsored (highly competent) hacking, it would be prudent to adopt maximum paranoia, use a loaner laptop which is erased on return, and change all passwords. Indeed, one might well set up a ‘burner’ email address to use for the trip, and not touch normal accounts in the meantime.

As Snowden has shown, you can’t be too paranoid these days.