Porn out, encryption in

07.09.2006

I'm sure that back in the '60s, agents of the then-young National Security Agency would have had a collective aneurysm at the thought of commonplace digital watches with 16-bit processors and 32K of memory -- about the same computing power as the NASA guidance computer systems that managed Apollo missions to the Moon. But today's critical computing infrastructure and top-secret technology is tomorrow's disposable tchotchke, and it took a long time for the policy-makers to realize that they needed a comparative standard rather than an absolute one.

A similar situation arose in the U.S. around encryption technology, but with a different effect. The U.S. Department of State's Directorate of Defense Trade Controls (DDTC) is responsible for defining munitions, and for publishing the official United States Munitions List of weapons and information that we wouldn't want to end up in the hands of naughty people. The munitions list enumerates such specific cases as "Technical Data and Defense Services Not Otherwise Enumerated" and "Miscellaneous Articles." This leaves plenty of room for computer hardware and software that make governmental people nervous. The DDTC is also given the authority to regulate the export of anything defined as a munition under the Arms Export Control Act. AECA is in turn implemented as the International Traffic in Arms Regulations, or ITAR.

It's this ITAR that caused Phil Zimmermann, the author of Pretty Good Privacy, so much trouble. ITAR prohibited the export of any encryption using more than 40 bits for its key until 1996. When Zimmermann and RSA couldn't settle a dispute in 1993 regarding an early agreement, RSA complained to U.S. Customs that Zimmermann was exporting munitions-grade encryption. But a funny thing happened: Zimmermann was harassed and investigated about the export of 128-bit encryption but never prosecuted. By the time a thorough investigation had taken place in Zimmermann's case and others, it was pretty clear the effect of the law was to wash a lot of encryption research and product development away from U.S. shores.

The prohibition on the export of strong encryption technology led several commercial research organizations to relocate or outsource their encryption groups and projects to more friendly locales. Over the course of a half-dozen years, a significant chunk of state-of-the-art encryption research and development left the United States for Finland, Russia, Ireland, Australia, India and the like. Of course, not everyone left in the U.S. was hung out to dry. Major academic institutions and commercial powerhouses such as RSA still cranked out encryption tools, but the availability of top-notch commercial products from outside the U.S. (such as the Finnish-developed BestCrypt) made many portions of the U.S. export restrictions meaningless.

Subsequent relaxing of export controls over encryption didn't undo the spread of technology to other nations. For example, in late 1997, a year after the first major easing of encryption export controls, RSA acquired a Japanese company to form Nihon-RSA, a subsidiary not subject to U.S. encryption export rules. At the same time, Sun Microsystems announced it would begin selling a 128-bit VPN product developed by a Moscow firm called ElvisPlus Co. as part of its own SunScreen product line.