news

Remember that Cryptography was on the US Munitions List until roughly the year 2000.

Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing the Executive Order 13026 transferring the commercial encryption from the Munition List to the Commerce Control List. Furthermore, the order stated that, "the software shall not be considered or treated as 'technology'" in the sense of Export Administration Regulations. The Commodity Jurisdiction process was replaced with a Commodity Classification process, and a provision was added to allow export of 56-bit encryption if the exporter promised to add "key recovery" backdoors by the end of 1998. In 1999, the EAR was changed to allow 56-bit encryption (based on RC2, RC4, RC5, DES or CAST) and 1024-bit RSA to be exported without any backdoors, and new SSL cipher suites were introduced to support this (RSA_EXPORT1024 with 56-bit RC4 or DES). In 2000, the Department of Commerce implemented rules that greatly simplified the export of commercial and open source software containing cryptography, including allowing the key length restrictions to be removed after going through the Commodity Classification process (to classify the software as "retail") and adding an exception for publicly available encryption source code.

Current Status
As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security.[6] Some restrictions still exist, even for mass market products; particularly with regards to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license.[6]: 6–7  Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). For elliptic curves algorithms and asymmetric algorithms, the requirements for key length are 128 bit and 768 bits, respectively.[7] In addition, other items require a one-time review by, or notification to, BIS prior to export to most countries.[6] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[8] Export regulations have been relaxed from pre-1996 standards, but are still complex.[6] Other countries, notably those participating in the Wassenaar Arrangement,[9] have similar restrictions.[10] On March 29, 2021, the Implementation of Wassenaar Arrangement 2019 Plenary Decisions[11] was published in the Federal Register. This rule included changes to license exception ENC Section 740.17 of the EAR[12][13]

So they could be trying to nab them for exporting cryptography to China under some vague enemy nation, "rouge state" designation or whatever. They can cook the books on that however they want.