Policy & Law

Why Some Encryption Apps Geofence Certain Countries

July 14, 2026 8 min read Haven Team

In 1993, US Customs opened a criminal investigation into a computer programmer for publishing source code. The code was a piece of encryption software called PGP, and under the law at the time, exporting it was legally equivalent to exporting a weapon.


That investigation into Phil Zimmermann, PGP's author, never resulted in charges, but it's the clearest illustration of a period now generally called the Crypto Wars, a decade-plus fight over whether strong encryption software counted as a munition subject to arms control law. The Crypto Wars mostly ended by the early 2000s. The regulatory apparatus built during them didn't disappear, and pieces of it are still why a privacy app you download today might refuse to work in a handful of countries.

When code was a weapon under US law

Until 1996, cryptographic software with a key length above a fairly short threshold was classified under the International Traffic in Arms Regulations, the same regime governing tanks and missiles, administered by the State Department. Exporting it, which under the regulation's broad definition included publishing source code where a non-US person might read it, required the same kind of license as exporting military hardware.

This produced some genuinely strange outcomes. T-shirts printed with a few lines of RSA encryption code became a small act of protest, since wearing the shirt abroad was, on paper, an unlicensed export of munitions. Zimmermann's PGP source code ended up published as a physical book, because the First Amendment's protection for printed text was clearer than its protection for a floppy disk, and the book was then legally exported and scanned back into digital form overseas.

Bernstein v. United States and the code-as-speech argument

The case that did the most to unwind this framework was brought by Daniel Bernstein, a graduate student who wanted to publish an encryption algorithm called Snuffle along with an academic paper explaining it, and was told he'd need State Department authorization first. Bernstein sued, represented by the Electronic Frontier Foundation, arguing that source code is a form of expression protected by the First Amendment, and that requiring a license to publish it was unconstitutional prior restraint.

The Ninth Circuit Court of Appeals agreed with the core of that argument in 1999, ruling that source code is speech for First Amendment purposes, a decision that reshaped how later export rules had to be written.

By the time the case fully resolved, the regulatory landscape had already shifted. In 1996, President Clinton moved jurisdiction over most encryption software from the State Department's arms list to the Commerce Department's Export Administration Regulations, a civilian framework with meaningfully lighter restrictions. Commerce rules were relaxed further in 2000, adding exemptions for mass-market software and publicly available source code, which is the exemption that let ordinary encrypted apps ship internationally without a case-by-case license.

Year Development
1991 Zimmermann releases PGP; investigation into export violations opens two years later.
1995 Bernstein files suit challenging export licensing for the Snuffle algorithm.
1996 Crypto jurisdiction moves from State Department munitions list to Commerce Department EAR.
1996 The Wassenaar Arrangement, a multilateral export control regime, adds cryptography to its dual-use list.
1999 Ninth Circuit rules source code is protected speech in Bernstein v. United States.
2000 Commerce rules add mass-market and public-source exemptions still in use today.

What's left today: Wassenaar and sanctions, not crypto law itself

The modern legal picture splits into two mostly separate things, and they get confused constantly. Wassenaar Arrangement, the multilateral export control framework 42 countries participate in, still lists cryptography as a dual-use technology, meaning it has both civilian and military applications. But the mass-market and publicly available exemptions carved out in 2000 mean nearly all consumer encryption software, anything sold off the shelf or published as open source, is exempt from case-by-case licensing under Wassenaar today. This is why the export-control side of the Crypto Wars is, practically speaking, over for the apps most people use.

What still causes real geofencing is a different body of law entirely: economic sanctions administered by the Treasury Department's Office of Foreign Assets Control, covering countries like Iran, North Korea, Cuba, and Syria, along with the Crimea, Donetsk, and Luhansk regions of Ukraine. OFAC sanctions restrict US companies from providing services, not just munitions-grade technology, to sanctioned jurisdictions, and that's the reason a lot of US-based apps, encrypted messaging included, block sign-ups from those countries. It has nothing to do with cryptography specifically; the same restriction applies to a US company offering cloud storage or payment processing there.

This split explains a pattern that otherwise looks inconsistent: a fully open-source, freely downloadable encrypted messaging app can be legal to use anywhere in the world under export law, while the company behind it is still barred from operating an account or processing payment for a user in a sanctioned country, for reasons that have nothing to do with the strength of the encryption. It also explains why the answer to "can I use strong encryption here" and "can this specific US company serve me here" are frequently two different questions with two different legal bases, even though users experience both as the same app simply not working.

The distinction that gets lost

"This app doesn't work in country X" is almost always a sanctions compliance decision, not an encryption export restriction. Conflating the two makes people think strong encryption is still legally exotic to distribute, when the actual live constraint is a much more ordinary one: which countries a company is allowed to do business with at all.

Why the history still matters

None of this is dead history. Governments have proposed reviving elements of the old debate more than once, usually framed around lawful access or backdoor requirements rather than export licensing (the same fight we cover in our piece on encryption backdoor proposals), but resting on the same underlying tension: whether strong, unbreakable encryption is a right the public gets to have, or a capability governments get to gatekeep. The Crypto Wars ended with code recognized as speech and mass-market encryption freed from arms-control licensing. That outcome wasn't inevitable. It came from a small number of people, Zimmermann, Bernstein, the EFF's lawyers, treating the fight as worth having, and the reason building and using strong encryption isn't legally exotic today is that they won it.

It's also part of why open protocols like PGP and modern successors matter beyond the technical details: they exist as publicly available, auditable software specifically because that status is what carries the lightest regulatory footprint, a legacy of a fight that was as much about the law as the math.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →