CRYPTO LAW SURVEY

Version July 1995

Bert-Jaap Koops (koops@kub.nl)

Please credit if quoting.


This survey of cryptography laws is based on several reports and on
replies to a posting on Internet discussion lists. Only for France, The
Netherlands, and Russia have I consulted original texts of relevant
regulations; for the other countries, the reports listed below served as the
only source. These findings, therefore, do not pretend to be exhaustive
or fully reliable.

I thank all who have provided me with information for this survey.
Please send comments, corrections, updates, additional information, and
questions to E.J.Koops@kub.nl.


SOURCES

[1] KPMG EDP Auditors, Rapport aan de Ministers van
Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake
de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie
(Amstelveen, 7 april 1994), pp. 27-38, 107-114
[2] Moret Ernst & Young EDP Audit Management Services,
Eindrapport onderzoek ontwerp-regeling encryptie,
(Amsterdam, 1 maart 1994), pp. 21-30
[3] James P. Chandler, Diana C. Arrington, Donna R.
Berkelhammer, and William L. Gill, Identification and Analysis
of Foreign Laws and Regulations Pertaining to the Use of
Commercial Encryption Products for Voice and Data
Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
[4] André Sylvain, Data Encryption and the Law(s) - Results,
posted on talk.politics.crypto, 15 December 1994
[5] various references; personal communications by Adam Back,
Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot.


-----------------------------------------------------------------------------------
SURVEY PER COUNTRY
1. Export/import regulations
2. Other laws/regulations pertaining to encryption
3. Threats/intentions to regulate encryption
4. Regulations stimulating encryption use
-----------------------------------------------------------------------------------


_COCOM_

1. COCOM (Coordinating Committee for Multilateral Export Controls)
is an international organization (Japan, Australia, and all NATO
members, Ireland excluded) for the mutual control (and restriction) of
strategic arms export. It maintains, among others, the International
Industrial List and the International Munitions List. In 1991, COCOM
decided to allow export of mass-market cryptographic software
(including public domain software). Some member countries of COCOM
follow its regulations, but others, such as Germany and the
United States, maintain separate regulations.


_Australia_ [1, 3]

1. Written permission is needed for exporting cryptographic equipment
designed to ensure the secrecy of communications or stored information.
2. no
3. no


_Austria_ [1]

2. no
3. no


_Belgium_ [1, 3]

1. no
2. no
3. no


_Brazil_ [3]

1. no


_Canada_ [1, 3, 4, 5]

1. Canada follows COCOM regulations. The exportation of items from
Canada may be subject to restriction if they are included on the Export
Control List. All types of cryptography can be transported between
Canada and the United States, but cryptography imported from the US
remains under US ITAR rules and cannot be exported if the US does not
allow export.
2. no
3. no (but Canada is monitoring the debate in the US)


_People's Republic of China_ [3]

1. China restricts the importation and exportation of voice-encoding
devices.


_Denmark_ [1, 4]

2. no
3. no
4. The Danish Teletrust Group has set up an Encryption Group to work
on the technical and legal concept of public-key certifying authorities. A
Centre Certifying Authority (CCA) would coordinate control and
certification of key centres to provide secure keys within
telecommunications. It would be necessary for such a CCA to have a
legal basis. The Danish government has not (yet) implemented the
initiative into law.


_European Union_ [5]

2. no
3. There are rumours that the EU is working on the establishment of a
key escrow system to counter the US Clipper initiative. The EU system
would allow member states to choose escrow agents where keys have to
be deposited. The European Community's Green Book on the Security
of Information Systems (Draft 4.0, 18 October 1993) makes a case for
the provision of "Public Confidentiality Services" (which offer some sort
of Government Access to Keys).


_Finland_ [4, 5]

2. no
3. no


_France_ [1, 3, 4]

1. a) For exporting authentication- or integrity-only cryptography, a
declaration dossier of export delivery must be deposited. A copy of the
receipt of declaration must be presented to customs at each exportation.
For temporary exportation, a user declaration will serve as export
declaration in the case of cryptography used exclusively for personal use
by an individual. A delivery declaration will serve as temporary-export
declaration for a sample.
b) For exporting any other kind of cryptography, apart from once
depositing administrative and technical details needed for user or
delivery authorisation, a license is needed for each exportation.
2. Delivery, exportation, and use of cryptography are subjected to:
a) prior declaration if the cryptography can have no other object than
authenticating communications or assuring the integrity of transmitted
messages;
b) prior authorisation by the Prime Minister in all other cases.
Simplified procedures exist for certain cryptography products or certain
user categories.
For both declaration and authorisation, a dossier containing technical
details and administrative data must be submitted. Authorisation can be
subjected to certain conditions in order to reserve the use of certain
types of cryptography to defined user or application categories.
It is unclear to what extent this regulation is being maintained in practice.
It seems impossible for individuals or enterprises to obtain authorisation
for "strong" cryptography, such as RSA. Moreover, the office dealing
with authorisation renders decisions without giving reasons.


_Germany_ [1, 3, 4, 5]

1. COCOM regulations, but Germany maintains export control of both
public domain and mass-market encryption software.
2. no
3. Some politicians have expressed a desire to regulate cryptography,
but, on the whole, there seems to be no threat that Germany will prepare
a law on cryptography.


_Hungary_ [5]

2. no
3. no
4. There is a law that provides an agency with the competence to assess
cryptography; the agency can declare that it satisfies a minimum security
level.


_Iceland_ [1]

2. no
3. no


_India_ [3]

1. no


_Ireland_ [1]

2. no
3. no


_Israel_ [3]

1. Israel imposes restrictions on encryption, but the scope of its
restrictions is not clear.


_Italy_ [1, 3]

1. COCOM regulations.
2. There is a law that demands accessibility of encrypted records for the
treasury.
3. no


_Japan_ [1, 3]

1. COCOM regulations.
2. no
3. no


_Latvia_ [4]

2. no
3. no


_Mexico_ [3]

1. no


_The Netherlands_ [3, 4, 5]

1. Public domain and mass-market software generally does not require a
validated license. Items capable of file encryption do require a validated
license.
2. no
3. In March 1994, a Dutch predraft law on cryptography leaked out, the
drift of which was a prohibition of having, using, or trading strong
cryptography. Those with a "legitimate concern" could apply for a user
license or a trade authorization. One condition for granting a license was
giving information to an administration agency; the text did not state
whether this information concerned only the algorithm or also all the
keys used.
After many protests from those who would be affected by the proposed
regulation, it was withdrawn. The Dutch authorities are currently
studying alternatives to handle the issue.
Although the draft regulation will not be continued in its present scope,
it shows how much the judicial authorities fear wide dissemination of
strong cryptography. It is to be expected that the Dutch government will
want to regulate encryption in some way.


_New Zealand_ [1]

2. no
3. no


_Norway_ [1]

2. no
4. A bill on information security has been proposed, which indicates that
cryptography can be used for the storage of passwords. It is not certain
whether and when this bill will come into force.
A bill has been proposed on central medical registries that would use
cryptographically pseudonymized entries.


_Russia_ [3, 5]

1. A license is required for the importation of encryption facilities
manufactured abroad.
2. On 3 April 1995, President Yeltsin issued a decree prohibiting
unauthorized encryption. State organizations and enterprises need a
license to use encryption (for both authentication and secrecy, for
storage as well as transmission). Other enterprises and organizations
using uncertified cryptography do not receive state orders. The Central
Bank shall take measures against commercial banks that do not use
certified cryptography when communicating with divisions of the Central
Bank. The development, production, implementation, or operation of
cryptography without a license is prohibited.


_Saudi Arabia_ [3]

1. no


_South Africa_ [1, 3]

1. no
2. The South African situation is unclear. There appears to be legislation
prohibiting the encryption of data on public telephone networks, but
many companies and banks seem to ignore the legislation and do encrypt
their data.


_Spain_ [1]

2. no
3. no


_Sweden_ [3, 4]

1. no
2. no
3. no


_Switzerland_ [1, 3]

1. no
2. no
3. no


_Turkey_ [1]

2. no
3. no


_United Kingdom_ [1, 3, 4, 5]

1. COCOM regulations.
2. no
3. In its policy on the information superhighway, Labour states it does
not approve of escrowed encryption, but it wishes authorities to have the
power to demand decryption under judicial warrant. It seems, then, that
Labour intends to penalize a refusal to comply with a demand to decrypt
under judicial warrant.


_United States of America_ [1, 2, 4]

1. The International Traffic in Arms Regulation restricts export of
"dual-use" cryptography (that is, cryptography that can serve both
civilian and military purposes) by placing it on the Munitions List. For
(relatively strong) products that can encipher information, an export
license is usually issued only for use by foreign branches of American
enterprises and for use by financial institutions. "Weak" cryptography
(e.g., with a certain maximum key-length) can also be exported.
Export of cryptography that serves only authentication or integrity
purposes is ruled by the Export Administration Regulations. Some types
of public domain software have been decontrolled and are now on the
Commerce Control List.
Several initiatives, as yet unsuccessful, have been taken, both in
Congress and by the public, to try to mitigate the cryptography export
restrictions.
2. no
3. In 1993, the Clinton Administration announced the Escrowed
Encryption Initiative (EEI), usually referred to as the Clipper Initiative,
after its first implementation in the Clipper chip. A classified, secret-key
algorithm, SKIPJACK, has been implemented in an Escrowed
Encryption Standard (EES). The reported basic idea of the EEI is to
provide citizens with a safe cryptosystem for securing their
communications without threatening law enforcement.
The EES procures law enforcement access by means of a Law
Enforcement Access Field (LEAF) that is transmitted along with each
encrypted message; the field contains information identifying the chip
used. Law enforcement agencies wire-tapping communications
encrypted with EES can decipher tapped messages by obtaining the two
parts of the chip's master key that are deposited with two escrow
agencies (National Institute of Standards and Technology
and the Treasury Department's Automated Systems Division), provided
they have a court order for the tapping.
The EES is a voluntary standard to be used in telephone
communications. Privacy advocates fear that the government may
declare escrowed encryption obligatory once it has captured a
sufficient portion of the market. It is doubtful that EES will be widely
accepted, though, given the scepticism with which the majority of US
citizens presently regard escrowed encryption or government access to
keys.
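As an added illustration, not part of the original survey, the following toy Python model shows the two-agency split-key escrow and LEAF mechanism described above: the chip's master key is held as two shares, a single share reveals nothing, and the session key in a LEAF can only be unwrapped once both shares are released. The key sizes, the XOR split, the 4-byte chip id and the HMAC-derived keystream are assumptions of this model, not details of the EES specification.

```python
import hashlib
import hmac
import secrets

# Toy model of the split-key escrow described above. The 80-bit unit key,
# the XOR split, the 4-byte chip id and the HMAC-derived keystream are
# assumptions of this model, not details of the real EES specification.
UNIT_KEY_LEN = 10   # 80-bit master (unit) key, assumed
UNIT_ID_LEN = 4     # chip identifier carried in the LEAF, assumed
NONCE_LEN = 8       # per-message nonce so keystreams never repeat

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_unit_key(unit_key):
    """Split the unit key into two shares, one per escrow agency. One share is
    random, the other is key XOR random, so either share alone is uniformly
    random and reveals nothing about the key."""
    share_a = secrets.token_bytes(len(unit_key))
    return share_a, xor_bytes(unit_key, share_a)

def recover_unit_key(share_a, share_b):
    """Both escrowed shares are needed to rebuild the unit key."""
    return xor_bytes(share_a, share_b)

def _keystream(unit_key, unit_id, nonce, n):
    # Keystream bound to this chip and message: a toy stand-in for the
    # wrapping cipher, since the escrow logic does not depend on the cipher.
    return hmac.new(unit_key, unit_id + nonce, hashlib.sha256).digest()[:n]

def make_leaf(unit_id, session_key, unit_key):
    """LEAF = chip id || nonce || session key wrapped under the unit key.
    The chip id is readable by any wiretap, so the agency knows whose escrowed
    shares to request; the session key stays hidden without the unit key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(unit_key, unit_id, nonce, len(session_key))
    return unit_id + nonce + xor_bytes(session_key, ks)

def leaf_unit_id(leaf):
    return leaf[:UNIT_ID_LEN]

def recover_session_key(leaf, share_a, share_b):
    """What the tapping agency can do only once both agencies release their
    shares: rebuild the unit key and unwrap the session key from the LEAF."""
    unit_id = leaf[:UNIT_ID_LEN]
    nonce = leaf[UNIT_ID_LEN:UNIT_ID_LEN + NONCE_LEN]
    wrapped = leaf[UNIT_ID_LEN + NONCE_LEN:]
    unit_key = recover_unit_key(share_a, share_b)
    return xor_bytes(wrapped, _keystream(unit_key, unit_id, nonce, len(wrapped)))
```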
On June 27, 1995, Senator Grassley introduced the Anti-Electronic
Racketeering Act (S.974), which, if enacted, would virtually ban
encryption. Only the use of escrow-like software would be an
affirmative defense for those prosecuted for using cryptography. The bill
doesn't seem to have much support at present.
4. The Utah Digital Signatures Act of 1995 provides a legal framework
for the use of cryptography for authentication and integrity purposes.