That's an oversimplification and also inferring a completely incorrect situation.
It was perfectly fine for American citizens to use cryptography amongst each other or with outside nationals. It was also completely fine to download and use externally developed software.
What was illegal was developing and exporting cryptographic software. This is why, for the longest time, you would see warnings on web pages (PuTTY, for instance) saying the software was only intended for use in the United States.
I remember publishing some apps to the iOS App Store and was asked to “declare cryptography to the US government”. I’m not even American.
The form made it clear that using HTTPS is considered cryptography, so I’m fairly sure almost every app on the store has checked “yes” to that question.
To fully comply with this you would need as a library provider to fully KYC your clients so that there is a firewall between their US and non-US entities, and that travelling people don't bring out an encryption library at the same time.
Which part are you disagreeing with? I'm literally laymaning the law.
The law never covered using cryptography; it was always about exporting it. Mostly it was written around keeping military-specific cryptography from entering rival powers' hands, but was overbearing. So they amended it to allow commercially developed/homegrown cryptography (explicitly not developed for governmental/military use) to be distributed normally. In practice, it's still a little muddy as many of those use DoJ/DoS-funded cryptography patterns, but the government has chosen to take a fairly hands-off approach on those (RSA and DSA are key examples).
You're correct that it would also be almost impossible to enforce the original wording in today's world of globalization. They also have little power to enforce it on foreign nationals, which is why a warning was usually Good Enough(TM) for American software developers.
In the time period we're discussing, I was on a team shipping a commercial (shrink-wrap!) software project that extensively used cryptography, including an export version of same. It was not a big deal; it was not an operational nightmare; in the North American market, it wasn't a thing at all, you just did whatever you wanted.