CRYPTO LAW SURVEY
Version July 1995
Bert-Jaap Koops (koops@kub.nl)
Please credit if quoting.
This survey of cryptography laws is based on several reports and on
replies to a posting on Internet discussion lists. Only for France, The
Netherlands, and Russia have I consulted original texts of relevant
regulations; for the other countries, the reports listed below served as the
only source. These findings, therefore, do not pretend to be exhaustive
or fully reliable.
I thank all who have provided me with information for this survey.
Please send comments, corrections, updates, additional information, and
questions to E.J.Koops@kub.nl.
SOURCES
[1] KPMG EDP Auditors, Rapport aan de Ministers van
Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake
de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie
(Amstelveen, 7 april 1994), pp. 27-38, 107-114
[2] Moret Ernst & Young EDP Audit Management Services,
Eindrapport onderzoek ontwerp-regeling encryptie,
(Amsterdam, 1 maart 1994), pp. 21-30
[3] James P. Chandler, Diana C. Arrington, Donna R.
Berkelhammer, and William L. Gill, Identification and Analysis
of Foreign Laws and Regulations Pertaining to the Use of
Commercial Encryption Products for Voice and Data
Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
[4] André Sylvain, Data Encryption and the Law(s) - Results,
posted on talk.politics.crypto, 15 December 1994
[5] various references; personal communications by Adam Back,
Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot.
-----------------------------------------------------------------------------------
SURVEY PER COUNTRY
1. Export/import regulations
2. Other laws/regulations pertaining to encryption
3. Threats/intentions to regulate encryption
4. Regulations stimulating encryption use
-----------------------------------------------------------------------------------
_COCOM_
1. COCOM (Coordinating Committee for Multilateral Export Controls)
is an international organization (Japan, Australia, and all NATO
members, Ireland excluded) for the mutual control (and restriction) of
strategic arms export. It maintains, among others, the International
Industrial List and the International Munitions List. In 1991, COCOM
decided to allow export of mass-market cryptographic software
(including public domain software). Some member countries of COCOM
follow its regulations, but others, such as Germany and the
United States, maintain separate regulations.
_Australia_ [1, 3]
1. Written permission is needed for exporting cryptographic equipment
designed to ensure the secrecy of communications or stored information.
2. no
3. no
_Austria_ [1]
2. no
3. no
_Belgium_ [1, 3]
1. no
2. no
3. no
_Brazil_ [3]
1. no
_Canada_ [1, 3, 4, 5]
1. Canada follows COCOM regulations. The exportation of items from
Canada may be subject to restriction if they are included on the Export
Control List. All types of cryptography can be transported between
Canada and the United States, but cryptography imported from the US
remains under US ITAR rules and cannot be exported if the US does not
allow export.
2. no
3. no (but Canada is monitoring the debate in the US)
_People's Republic of China_ [3]
1. China restricts the importation and exportation of voice-encoding
devices.
_Denmark_ [1, 4]
2. no
3. no
4. The Danish Teletrust Group has set up an Encryption Group to work
on the technical and legal concept of public-key certifying authorities. A
Centre Certifying Authority (CCA) would coordinate control and
certification of key centres to provide secure keys within
telecommunications. It would be necessary for such a CCA to have a
legal basis. The Danish government has not (yet) implemented the
initiative into law.
_European Union_ [5]
2. no
3. There are rumours that the EU is working on the establishment of a
key escrow system to counter the US Clipper initiative. The EU system
would allow member states to choose escrow agents where keys have to
be deposited. The European Community's Green Book on the Security
of Information Systems (Draft 4.0, 18 October 1993) poses a case for
the provision of "Public Confidentiality Services" (which offer some sort
of Government Access to Keys).
_Finland_ [4, 5]
2. no
3. no
_France_ [1, 3, 4]
1. a) For exporting authentication- or integrity-only cryptography, a
declaration dossier of export delivery must be deposited. A copy of the
receipt of declaration must be presented to customs at each exportation.
For temporary exportation, a user declaration will serve as export
declaration in the case of cryptography used exclusively for personal use
by an individual. A delivery declaration will serve as temporary-export
declaration for a sample.
b) For exporting any other kind of cryptography, apart from once
depositing administrative and technical details needed for user or
delivery authorisation, a license is needed for each exportation.
2. Delivery, exportation, and use of cryptography are subjected to:
a) previous declaration if the cryptography can have no other object than
authenticating communications or assuring the integrity of transmitted
messages;
b) previous authorisation by the Prime Minister in all other cases.
Simplified procedures exist for certain cryptography products or certain
user categories.
For both declaration and authorisation, a dossier containing technical
details and administrative data must be submitted. Authorisation can be
subjected to certain conditions in order to reserve the use of certain
types of cryptography to defined user or application categories.
It is unclear to what extent this regulation is being maintained in practice.
It seems impossible for individuals or enterprises to obtain authorisation
for "strong" cryptography, such as RSA. Moreover, the office dealing
with authorisation renders decisions without motivation.
_Germany_ [1, 3, 4, 5]
1. COCOM regulations, but Germany maintains export control of both
public domain and mass-market encryption software.
2. no
3. Some politicians have expressed a desire to regulate cryptography,
but, on the whole, there seems to be no threat that Germany will prepare
a law on cryptography.
_Hungary_ [5]
2. no
3. no
4. There is a law that provides an agency with the competence to assess
cryptography; the agency can declare that the assessed cryptography
satisfies a minimum security level.
_Iceland_ [1]
2. no
3. no
_India_ [3]
1. no
_Ireland_ [1]
2. no
3. no
_Israel_ [3]
1. Israel imposes restrictions on encryption, but the scope of its
restrictions is not clear.
_Italy_ [1, 3]
1. COCOM regulations.
2. There is a law that demands accessibility of encrypted records for the
treasury.
3. no
_Japan_ [1, 3]
1. COCOM regulations.
2. no
3. no
_Latvia_ [4]
2. no
3. no
_Mexico_ [3]
1. no
_The Netherlands_ [3, 4, 5]
1. Public domain and mass-market software generally does not require a
validated license. Items capable of file encryption do require a validated
license.
2. no
3. In March 1994, a Dutch predraft law on cryptography leaked out, the
drift of which was a prohibition of having, using, or trading strong
cryptography. Those with a "legitimate concern" could apply for a user
license or a trade authorization. One condition for granting a license was
giving information to an administration agency; the text did not state
whether this information concerned only the algorithm or also all the
keys used.
After many protests from those who would be affected by the proposed
regulation, it was withdrawn. The Dutch authorities are currently
studying alternatives to handle the issue.
Although the draft regulation will not be continued in its present scope,
it shows how much the judicial authorities fear wide dissemination of
strong cryptography. It is to be expected that the Dutch government will
want to regulate encryption in some way.
_New Zealand_ [1]
2. no
3. no
_Norway_ [1]
2. no
4. A bill on information security has been proposed, which indicates that
cryptography can be used for the storage of passwords. It is not certain if
and when this bill will come into force.
A bill has been proposed on central medical registries that would use
cryptographically pseudonymized entries.
_Russia_ [3, 5]
1. A license is required for the importation of encryption facilities
manufactured abroad.
2. On 3 April 1995, president Yeltsin issued a decree prohibiting
unauthorized encryption. State organizations and enterprises need a
license to use encryption (for both authentication and secrecy, for
storage as well as transmission). Other enterprises and organizations
using uncertified cryptography do not receive state orders. The Central
Bank shall take measures against commercial banks that do not use
certified cryptography when communicating with divisions of the Central
Bank. The development, production, implementation, or operation of
cryptography without a license is prohibited.
_Saudi Arabia_ [3]
1. no
_South Africa_ [1, 3]
1. no
2. The South African situation is unclear. There appears to be legislation
prohibiting the encryption of data on public telephone networks, but
many companies and banks seem to ignore the legislation and do encrypt
their data.
_Spain_ [1]
2. no
3. no
_Sweden_ [3, 4]
1. no
2. no
3. no
_Switzerland_ [1, 3]
1. no
2. no
3. no
_Turkey_ [1]
2. no
3. no
_United Kingdom_ [1, 3, 4, 5]
1. COCOM regulations.
2. no
3. In its policy on the information superhighway, Labour states it does
not approve of escrowed encryption, but it wishes authorities to have the
power to demand decryption under judicial warrant. It seems, then, that
Labour intends to penalize a refusal to comply with a demand to decrypt
under judicial warrant.
_United States of America_ [1, 2, 4]
1. The International Traffic in Arms Regulation restricts export of
"dual-use" cryptography (that is, cryptography that can serve both
civilian and military purposes) by placing it on the Munitions List. For
(relatively strong) products that can encipher information, an export
license is usually issued only for use by foreign branches of American
enterprises and for use by financial institutions. "Weak" cryptography
(e.g., with a certain maximum key-length) can also be exported.
Export of cryptography that serves only authentication or integrity
purposes is ruled by the Export Administration Regulations. Some types
of public domain software have been decontrolled and are now on the
Commerce Control List.
Several initiatives, as yet unsuccessful, have been taken, both in
Congress and by the public, to try to mitigate the cryptography export
restrictions.
2. no
3. In 1993, the Clinton Administration announced the Escrowed
Encryption Initiative (EEI), usually referred to as the Clipper Initiative,
after its first implementation in the Clipper chip. A classified, secret-key
algorithm, SKIPJACK, has been implemented in an Escrowed
Encryption Standard (EES). The reported basic idea of the EEI is to
provide citizens with a safe cryptosystem for securing their
communications without threatening law enforcement.
The EES procures law enforcement access by means of a Law
Enforcement Access Field (LEAF) that is transmitted along with each
encrypted message; the field contains information identifying the chip
used. Law enforcement agencies wire-tapping communications
encrypted with EES can decipher tapped messages by obtaining the two
parts of the chip's master key that are deposited with two escrow
agencies (National Institute of Standards and Technology
and the Treasury Department's Automated Systems Division), provided
they have a court order for the tapping.
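The two-part deposit described above can be illustrated with a small model of split-key escrow. This is an added example written for this survey's readers, not code from the survey or from the EES itself: it does not implement SKIPJACK or the real LEAF format, and the chip identifier, the CourtOrder object, and the two agency objects are constructed placeholders. It shows the property the scheme relies on: each agency's share alone is consistent with every possible key, and only the combination of both shares, released against an order naming the chip, recovers the key.

```python
"""Simplified two-agency key escrow model (illustrative; not the EES/Clipper implementation)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class CourtOrder:
    """Hypothetical authorisation: the chip identifiers the order covers."""
    chip_ids: FrozenSet[str]


@dataclass
class EscrowAgency:
    """One of the two escrow holders; stores a single XOR share per chip."""
    name: str
    shares: Dict[str, bytes] = field(default_factory=dict)

    def deposit(self, chip_id: str, share: bytes) -> None:
        self.shares[chip_id] = share

    def release(self, chip_id: str, order: Optional[CourtOrder]) -> bytes:
        # A share is handed out only for a chip that the order explicitly names.
        if order is None or chip_id not in order.chip_ids:
            raise PermissionError(f"{self.name}: no valid order for {chip_id}")
        return self.shares[chip_id]


def split_key(key: bytes, randomness: Callable[[int], bytes] = secrets.token_bytes):
    """Split key into two XOR shares. share_a is uniformly random, so on its own
    it carries no information about key; share_b = key XOR share_a."""
    share_a = randomness(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def reconstruct_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; either share alone is useless."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def enroll_chip(chip_id: str, unit_key: bytes, agency_a: EscrowAgency,
                agency_b: EscrowAgency,
                randomness: Callable[[int], bytes] = secrets.token_bytes) -> None:
    """At manufacture time: split the chip's key and deposit one share with each agency."""
    share_a, share_b = split_key(unit_key, randomness)
    agency_a.deposit(chip_id, share_a)
    agency_b.deposit(chip_id, share_b)


def recover_unit_key(chip_id: str, order: Optional[CourtOrder],
                     agency_a: EscrowAgency, agency_b: EscrowAgency) -> bytes:
    """Law-enforcement path: present the order to both agencies, then recombine."""
    return reconstruct_key(agency_a.release(chip_id, order),
                           agency_b.release(chip_id, order))


def candidate_keys_for_share(share: bytes) -> set:
    """For a one-byte share, enumerate every key consistent with it: all 256 values,
    which is why a single escrow agency learns nothing from its share."""
    return {bytes([share[0] ^ k]) for k in range(256)}


if __name__ == "__main__":
    nist, treasury = EscrowAgency("agency-A"), EscrowAgency("agency-B")
    chip, unit_key = "chip-0001", secrets.token_bytes(10)  # constructed sample values
    enroll_chip(chip, unit_key, nist, treasury)
    order = CourtOrder(frozenset({chip}))
    assert recover_unit_key(chip, order, nist, treasury) == unit_key
    print("one-byte share consistent with", len(candidate_keys_for_share(b"\x42")), "keys")
```

The `randomness` parameter exists only so the split can be made reproducible in a test; in use it should stay at its default. The model deliberately stops at key recovery: once the chip's key is known, decrypting a tapped message is a property of the cipher and the LEAF, which the survey describes but this example does not reproduce.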
The EES is a voluntary standard to be used in telephone
communications. Privacy advocates fear that the government may
declare escrowed encryption obligatory once it has captured a
sufficient portion of the market. It is doubtful that EES will be widely
accepted, though, given the scepticism with which the majority of US
citizens presently regard escrowed encryption or government access to
keys.
On June 27, 1995, Senator Grassley introduced the Anti-Electronic
Racketeering Act (S.974), which, if enacted, would virtually ban
encryption. Only the use of escrow-like software would be an
affirmative defense for those prosecuted for using cryptography. The bill
doesn't seem to have much support at present.
4. The Utah Digital Signatures Act of 1995 provides a legal framework
for the use of cryptography for authentication and integrity purposes.