1995-07-26 - Crypto Law Survey

Header Data

From: E.J.Koops@kub.nl
To: cypherpunks@toad.com
Message Hash: eeffd73d4e3a2952f9004a3af7a92bdd23b86577e3c893ed173dc97cc665a0a5
Message ID: <MAILQUEUE-101.950726125335.448@frw3.kub.nl>
Reply To: N/A
UTC Datetime: 1995-07-26 10:54:47 UTC
Raw Date: Wed, 26 Jul 95 03:54:47 PDT

Raw message

From: E.J.Koops@kub.nl
Date: Wed, 26 Jul 95 03:54:47 PDT
To: cypherpunks@toad.com
Subject: Crypto Law Survey
Message-ID: <MAILQUEUE-101.950726125335.448@frw3.kub.nl>
MIME-Version: 1.0
Content-Type: text/plain


    CRYPTO LAW SURVEY
    Version July 1995
    Bert-Jaap Koops (koops@kub.nl)
    Please credit if quoting.
    
    This survey of cryptography laws is based on several reports and on
    replies to a posting on Internet discussion lists. Only for France, The
    Netherlands, and Russia have I consulted original texts of relevant
    regulations; for the other countries, the reports listed below served as the
    only source. These findings, therefore, do not pretend to be exhaustive
    or fully reliable.
    I thank all who have provided me with information for this survey.
    Please send comments, corrections, updates, additional information, and
    questions to E.J.Koops@kub.nl.
    
    SOURCES
    [1]   KPMG EDP Auditors, Rapport aan de Ministers van 
    Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake
    de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie
     (Amstelveen, 7 april 1994), pp. 27-38, 107-114
    [2]   Moret Ernst & Young EDP Audit Management Services,
    Eindrapport onderzoek ontwerp-regeling encryptie,
    (Amsterdam, 1 maart 1994), pp. 21-30
    [3]   James P. Chandler, Diana C. Arrington, Donna R.
    Berkelhammer, and William L. Gill, Identification and Analysis
    of Foreign Laws and Regulations Pertaining to the Use of 
    Commercial Encryption Products for Voice and Data 
    Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
    [4]   André Sylvain, Data Encryption and the Law(s) - Results, 
    posted on talk.politics.crypto, 15 December 1994
    [5]   various references; personal communications by Adam Back, 
    Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot.
    
    -----------------------------------------------------------------------------------
    SURVEY PER COUNTRY
    1. Export/ import regulations
    2. Other laws/regulations pertaining to encryption
    3. Threats/ intentions to regulate encryption
    4. Regulations stimulating encryption use
    -----------------------------------------------------------------------------------
    
    _COCOM_
    1. COCOM (Coordinating Committee for Multilateral Export Controls)
    is an international organization (Japan, Australia, and all NATO
    members, Ireland excluded) for the mutual control (and restriction) of
    strategic arms export. It maintains, among others, the International
    Industrial List and the International Munitions List. In 1991, COCOM
    decided to allow export of mass-market cryptographic software
    (including public domain software). Some member countries of COCOM
    follow its regulations, but others, such as Germany and the
    United States, maintain separate regulations.
    
    _Australia_ [1, 3]
    1. Written permission is needed for exporting cryptographic equipment
    designed to ensure the secrecy of communications or stored information.
    2. no
    3. no
    
    _Austria_ [1]
    2. no
    3. no
    
    _Belgium_ [1, 3]
    1. no
    2. no
    3. no
    
    _Brazil_ [3]
    1. no
    
    _Canada_ [1, 3, 4, 5]
    1. Canada follows COCOM regulations. The exportation of items from
    Canada may be subject to restriction if they are included on the Export
    Control List. All types of cryptography can be transported between
    Canada and the United States, but cryptography imported from the US
    remains under US ITAR rules and cannot be exported if the US does not
    allow export.
    2. no
    3. no (but Canada is monitoring the debate in the US)
    
    _People's Republic of China_ [3]
    1. China restricts the importation and exportation of voice-encoding
    devices.
    
    _Denmark_ [1, 4]
    2. no
    3. no
    4. The Danish Teletrust Group has set up an Encryption Group to work
    on the technical and legal concept of public-key certifying authorities. A
    Centre Certifying Authority (CCA) would coordinate control and
    certification of key centres to provide secure keys within
    telecommunications. It would be necessary for such a CCA to have a
    legal basis. The Danish government has not (yet) implemented the
    initiative into law.
    
    _European Union_ [5]
    2. no
    3. There are rumours that the EU is working on the establishment of a
    key escrow system to counter the US Clipper initiative. The EU system
    would allow member states to choose escrow agents where keys have to
    be deposited. The European Community's Green Book on the Security
    of Information Systems (Draft 4.0, 18 October 1993) poses a case for
    the provision of "Public Confidentiality Services" (which offer some sort
    of Government Access to Keys).
    
    _Finland_ [4, 5]
    2. no
    3. no
    
    _France_ [1, 3, 4]
    1. a) For exporting authentication- or integrity-only cryptography, a
    declaration dossier of export delivery must be deposited. A copy of the
    receipt of declaration must be presented to customs at each exportation.
    For temporary exportation, a user declaration will serve as export
    declaration in the case of cryptography used exclusively for personal use
    by an individual. A delivery declaration will serve as temporary-export
    declaration for a sample.
    b) For exporting any other kind of cryptography, apart from once
    depositing administrative and technical details needed for user or
    delivery authorisation, a license is needed for each exportation.
    2. Delivery, exportation, and use of cryptography are subjected to:
    a) previous declaration if the cryptography can have no other object than
    authenticating communications or assuring the integrity of transmitted
    messages;
    b) previous authorisation by the Prime Minister in all other cases.
    Simplified procedures exist for certain cryptography products or certain
    user categories. 
    For both declaration and authorisation, a dossier containing technical
    details and administrative data must be submitted. Authorisation can be
    subjected to certain conditions in order to reserve the use of certain
    types of cryptography to defined user or application categories.
    It is unclear to what extent this regulation is being maintained in practice.
    It seems impossible for individuals or enterprises to obtain authorisation
    for "strong" cryptography, such as RSA. Moreover, the office dealing
    with authorisation renders decisions without motivation.
    
    _Germany_ [1, 3, 4, 5]
    1. COCOM regulations, but Germany maintains export control of both
    public domain and mass-market encryption software.
    2. no
    3. Some politicians have expressed a desire to regulate cryptography,
    but, on the whole, there seems to be no threat that Germany will prepare
    a law on cryptography.
    
    _Hungary_ [5]
    2. no
    3. no
    4. There is a law that provides an agency with the competence to assess
    cryptography; the agency can declare that it satisfies a minimum security
    level.
    
    _Iceland_ [1]
    2. no
    3. no
    
    _India_ [3]
    1. no
    
    _Ireland_ [1]
    2. no
    3. no
    
    _Israel_ [3]
    1. Israel imposes restrictions on encryption, but the scope of its
    restrictions is not clear.
    
    _Italy_ [1, 3]
    1. COCOM regulations.
    2. There is a law that demands accessibility of encrypted records for the
    treasury.
    3. no
    
    _Japan_ [1, 3]
    1. COCOM regulations.
    2. no
    3. no
    
    _Latvia_ [4]
    2. no
    3. no
    
    _Mexico_ [3]
    1. no
    
    _The Netherlands_ [3, 4, 5]
    1. Public domain and mass-market software generally does not require a
    validated license. Items capable of file encryption do require a validated
    license.
    2. no
    3. In March 1994, a Dutch predraft law on cryptography leaked out, the
    drift of which was a prohibition of having, using, or trading strong
    cryptography. Those with a "legitimate concern" could apply for a user
    license or a trade authorization. One condition for granting a license was
    giving information to an administration agency; the text did not state
    whether this information concerned only the algorithm or also all the
    keys used.
    After many protests from those who would be affected by the proposed
    regulation, it was withdrawn. The Dutch authorities are currently
    studying alternatives to handle the issue.
    Although the draft regulation will not be continued in its present scope,
    it shows how much the judicial authorities fear wide dissemination of
    strong cryptography. It is to be expected that the Dutch government will
    want to regulate encryption in some way.
    
    _New Zealand_ [1]
    2. no
    3. no
    
    _Norway_ [1]
    2. no.
    4. A bill on information security has been proposed, which indicates that
    cryptography can be used for the storage of passwords. It is not sure if
    and when this bill will come into force.
    A bill has been proposed on central medical registries that would use
    cryptographically pseudonymized entries.
    
    _Russia_ [3, 5]
    1. A license is required for the importation of encryption facilities
    manufactured abroad.
    2. On 3 April 1995, president Jeltsin issued a decree prohibiting
    unauthorized encryption. State organizations and enterprises need a
    license to use encryption (for both authentication and secrecy, for
    storage as well as transmission). Other enterprises and organizations
    using uncertified cryptography do not receive state orders. The Central
    Bank shall take measures against commercial banks that do not use
    certified cryptography when communicating with divisions of the Central
    Bank. The development, production, implementation, or operation of 
    cryptography without a license is prohibited.
    
    _Saudi Arabia_ [3]
    1. no
    
    _South Africa_ [1, 3]
    1. no
    2. The South African situation is unclear. There appears to be legislation
    prohibiting the encryption of data on public telephone networks, but
    many companies and banks seem to ignore the legislation and do encrypt
    their data.
    
    _Spain_ [1]
    2. no
    3. no
    
    _Sweden_ [3, 4]
    1. no
    2. no
    3. no
    
    _Switzerland_ [1, 3]
    1. no
    2. no
    3. no
    
    _Turkey_ [1]
    2. no.
    3. no
    
    _United Kingdom_ [1, 3, 4, 5]
    1. COCOM regulations.
    2. no
    3. In its policy on the information superhighway, Labour states it does
    not approve of escrowed encryption, but it wishes authorities to have the
    power to demand decryption under judicial warrant.  It seems, then, that
    Labour intends to penalize a refusal to comply with a demand to decrypt
    under judicial warrant.
    
    _United States of America_ [1, 2, 4]
    1. The International Traffic in Arms Regulation restricts export of
    "dual-use" cryptography (that is, cryptography that can serve both
    civilian and military purposes) by placing it on the Munitions List. For
    (relatively strong) products that can encipher information, an export
    license is usually issued only for use by foreign branches of American
    enterprises and for use by financial institutions. "Weak" cryptography
    (e.g., with a certain maximum key-length) can also be exported.
    Export of cryptography that serves only authentication or integrity
    purposes is ruled by the Export Administration Regulations. Some types
    of public domain software have been decontrolled and are now on the
    Commerce Control List.
    Several initiatives, as yet unsuccessful, have been taken, both in
    Congress and by the public, to try to mitigate the cryptography export
    restrictions.
    2. no
    3. In 1993, the Clinton Administration announced the Escrowed
    Encryption Initiative (EEI), usually referred to as the Clipper Initiative,
    after its first implementation in the Clipper chip. A classified, secret-key
    algorithm, SKIPJACK, has been implemented in an Escrowed
    Encryption Standard (EES). The reported basic idea of the EEI is to
    provide citizens with a safe cryptosystem for securing their
    communications without threatening law enforcement.
    The EES procures law enforcement access by means of a Law
    Enforcement Access Field (LEAF) that is transmitted along with each
    encrypted message; the field contains information identifying the chip
    used. Law enforcement agencies wire-tapping communications
    encrypted with EES can decipher tapped messages by obtaining the two
    parts of the chip's master key that are deposited with two escrow
    agencies (National Institute of Standards and Technology
    and the Treasury Department's Automated Systems Division), provided
    they have a court order for the tapping.
    The EES is a voluntary standard to be used in telephone
    communications. Privacy advocates fear that the government may
    declare escrowed encryption obligatory once it has captured a
    sufficient portion of the market. It is doubtful that EES will be widely
    accepted, though, given the scepticism with which the majority of US
    citizens presently regard escrowed encryption or government access to
    keys.
    On June 27, 1995, Senator Grassley introduced the Anti-Electronic
    Racketeering Act (S.974), which, if enacted, would virtually ban
    encryption. Only the use of escrow-like software would be an
    affirmative defense for those prosecuted for using cryptography. The bill
    doesn't seem to have much support at present.
    4. The Utah Digital Signatures Act of 1995 provides a legal framework
    for the use of cryptography for authentication and integrity purposes.




