From: Julian Assange <proff@suburbia.net>
Date: Tue, 28 May 1996 22:19:04 +0800
To: cypherpunks@toad.com
Subject: France's proposed telecoms law
Message-ID: <199605280918.TAA17579@suburbia.net>
MIME-Version: 1.0
Content-Type: text/plain



   Paris, May 23, 1996: There is an EC regulation called which applies to
all EC countries.
This restricts the use of cryptography in the context of weapons of
mass destruction, but not for any other purpose. The UK also has an
export licensing requirement which is similar in scope. France, on
the other hand, has much wider restrictions.  The EC regulation is
"Dual-Use and Related Goods (Export Control) Regulations" and the UK
is "Export of Goods (Control) Order".

   Attached is a message containing the pending French legislation,
followed by some comments. I hope this is helpful to readers on both
sides of the pond.

[Tuesday, 07 May 96 08:30:54 EST, "jean-bernard condat" <condat@atelier.fr>
writte:]
---------------
      Art. 12

      Article  28  of  the  Law No. 90-1170 dated December 29, 1990, on
      telecommunications regulation is hereby amended as follows:

      I - Section I is hereby amended as follows:

      1)  The  first  paragraph  shall  be  completed  by the following
      phrase: "Secret coding method denotes all materials  or  programs
      conceived or modified for the same purpose."

      2)  The  second  and  third paragraphs are hereby replaced by the
      following provisions:

      "To  preserve  the interests of national defense and the internal
      or  external  security  of  the  State,  while   permitting   the
      protection   of   information   and  the  development  of  secure
      communications and transactions,

      1) the use of a secret coding method or service shall be:

      a) allowed freely:

      -  if  the  secret  coding  method  or service does not allow the
      assurance of confidentiality, particularly when it  can  only  be
      used  to  authenticate a communication or ensure the integrity of
      the transmitted message;

      -  or  if  the  method or the service assures confidentiality and
      uses only coding conventions managed according to the  procedures
      and  by  an organization approved under the conditions defined in
      Section II;

      b)  subject  to  the authorization of the Prime Minister in other
      cases.

      2)  the  supply,  importation from countries not belonging to the
      European Community, and exportation of secret coding  methods  as
      well as services:

      a)  shall  require  the prior authorization of the Prime Minister
      when they assure confidentiality; the authorization  may  require
      the supplier to reveal the identity of the purchaser;

      b) shall require declaration in other cases."

      3)  A decree sets the conditions under which the declarations are
      signed and the authorizations  approved.   This  decree  provides
      for:

      a)  a  simplified  system  of  declaration  or  authorization for
      certain types of methods or services or for certain categories of
      users;

      b) the substitution of the declaration for the authorization, for
      transactions concerning secret coding methods or  services  whose
      technical  characteristics or conditions of use, while justifying
      a certain attention being paid with regard to the  aforementioned
      interests,  do  not  require  the  prior  authorization  of these
      transactions;

      c)   the   waiver  of  all  prior  formalities  for  transactions
      concerning secret coding  methods  or  services  whose  technical
      characteristics   or   conditions   of  use  are  such  that  the
      transactions are not capable of damaging the interests  mentioned
      at the beginning of this paragraph.

      II - Section II is hereby replaced by the following provisions:

      "II  -  Organizations  responsible  for  managing,  on  behalf of
      others, the coding  conventions  for  secret  coding  methods  or
      services  that  allow  the  assurance  of confidentiality must be
      approved in advance by the Prime Minister.

      They  are  obligated  to maintain professional confidentiality in
      the exercise of their approved activities.

      The approval shall specify the methods and services that they may
      use or supply.

      They shall be responsible to preserve the coding conventions that
      they manage. Within the framework of application of the  Law  No.
      91-646  dated  July  10,  1991, concerning the confidentiality of
      correspondence  sent  via  telecommunications,  and  within   the
      framework  of investigations made under the rubric of Articles 53
      et seq. and 75 et seq. of the Code of  Criminal  Procedure,  they
      must  release  them  to  judicial  authorities  or  to  qualified
      authorities, or implement them according to their request.

      They must exercise their activities on domestic soil.

      A  decree in the Council of State sets the conditions under which
      these organizations shall be approved, as well as the  guarantees
      which the approval shall require; it specifies the procedures and
      the  technical  provisions  allowing  the  enforcement   of   the
      obligations indicated above.

      III  -  a)  Without  prejudice  to the application of the Customs
      Code, the  fact  of  supplying,  importing  from  a  country  not
      belonging  to  the  European  Community,  or  exporting, a secret
      coding method or  service,  without  having  obtained  the  prior
      authorization mentioned in I or in violation of the conditions of
      the  granted  approval,  shall  be  punishable  by   six   months
      imprisonment and a fine of FF 200,000.

      The fact of managing, on behalf of others, the coding conventions
      for secret coding methods or services that allow the assurance of
      confidentiality,  without  having obtained the approval mentioned
      in II or in violation of the conditions of this approval,  shall
      be punishable by two years imprisonment and a fine of FF 300,000.

      The  fact of supplying, importing from a country not belonging to
      the European Community, or exporting, a secret coding  method  or
      service,  in order to facilitate the preparation or commission of
      a felony or misdemeanor,  shall  be  punishable  by  three  years
      imprisonment and a fine of FF 500,000.

      The  attempt to commit the infractions mentioned in the preceding
      paragraphs shall be punishable by the same penalties.

      b)  The natural persons guilty of the infractions mentioned under
      a) shall  incur  the  complementary  penalties  provided  for  in
      Articles   131-19,   131-21,  and  131-27,  as  well  as,  either
      indefinitely or for  a  period  of  five  years  or  longer,  the
      penalties  provided  for  in  Articles  131-33  and 131-34 of the
      Criminal Code.

      c)  Judicial  persons  may be declared criminally responsible for
      the  infractions  defined  in  the  first  paragraph  under   the
      conditions  provided  for  in Article 121-2 of the Criminal Code.
      The penalties incurred by judicial persons are:

      1)  the  fine according to the modalities provided for by Article
      131-38 of the Criminal Code;

      2)  the penalties mentioned in the Article L.  131-39 of the same
      code. The prohibition mentioned in 2) of this article  L.  131-39
      concerns  activities,  during  the  exercise  of which, or on the
      occasion of the exercise of which, the infraction was committed."

      III - Section III becomes IV.

      Its   last   paragraph   is  hereby  replaced  by  the  following
      provisions:

      "The  fact  of refusing to supply information or documents, or of
      obstructing the progress of the investigations mentioned in  this
      section  IV, shall be punishable by six months imprisonment and a
      fine of FF 200,000."

      IV - Section IV becomes V.

      After the word "authorizations," the words "and declarations" are
      hereby inserted.

      V - A section VI is hereby added, formulated as follows:

      "VI  -  The  provisions  of  this  article  shall  not hinder the
      application of the Decree dated April 18, 1939, establishing  the
      regulation of war materials, arms, and munitions, to those secret
      coding methods which are specially conceived or modified to allow
      or facilitate the use or manufacture of arms."

      VI  -  This  article is applicable to overseas territories and to
      the territorial commonwealth of Mayotte.

                    Copyright 1996 Steptoe & Johnson LLP

      Steptoe  & Johnson LLP grants permission for the contents of this
      publication to be reproduced and  distributed  in  full  free  of
      charge,  provided that: (i) such reproduction and distribution is
      limited to educational and professional non-profit use only  (and
      not  for  advertising  or  other  use); (ii) the reproductions or
      distributions make no edits or changes in this  publication;  and
      (iii) all reproductions and distributions include the name of the
      author(s) and the copyright notice(s) included  in  the  original
      publication.
  ---------------
In trying to analyze the impact of the proposed law, I would note
the following:

Section I:

Paragraph 1 (a), first bullet, seems to explicitly allow digital
signatures, and does not require that the secret keys used for such
purposes be escrowed.

Paragraph 1 (a), second bullet, in combination with Section II,
strongly hints at a requirement for key escrow. Conceivably,
depending on the details of Law No 91-646 dated July 10, 1991
concerning the confidentiality of correspondence sent via
telecommunications, the use of short keys that might expose
information to unauthorized individuals (a la the IBM masked DES
and Lotus Notes solution) might even be prohibited!

Paragraph 1 (b) provides an escape clause for certain favored
activities (and/or organizations?). Presumably international
standards such as Visa/MasterCard's SET, which apply strong
confidentiality to only certain data fields, notably the
cardholders account number, would be permitted under this kind of
an exception.  Banking transactions and other sensitive information
may also be excluded from the key escrow requirement, especially if
(since) the Government could subpoena the bank's records directly.
This is further borne out by paragraph 3, (a, b, and c).

Paragraph 1 seems to apply to the use of encryption, as opposed to
the supply, import, or export. However, unless such use is covered
by Law No. 91-646, the proposed amendment does not seem to apply
criminal or civil penalties to such use.

Paragraph 2 is interesting, in that it differentiates between
"supply" and "importing from countries not belonging to the
European community". This may be a techni-cality of the European
Community import/export laws -- perhaps importation from countries
within the European Community no longer has any meaning, since such
customs barriers were supposed to have been removed. I would
interpret "supply" to include the offering for sale, or even
distributing for free, such code, even by a French citizen. This
would therefore appear to apply to the (re-)distribution of PGP
and/or any home-grown French products, as well as any encryption
products originating within the EC. If so, this would seem to be
more even-handed with respect to imports from the US and elsewhere
than might otherwise appear, and may obviate any claim that the law
would violate the World Trade Organization's Most Favored Nation
agreements. The apparent import preference for EC products simply
reflect's France's obligation to allow the free flow of goods
within the EC.

Paragraph 3 seems to provide for some simplified administrative
mechanisms that may be less onerous than a case by case review. IN
US terms, this may be similar to requesting a commodity
jurisdiction from Commerce, rather than having encryption being
construed as following under the ITARs. If so, we should certainly
investigate these options. Subparagraphs b and c may apply to the
use of relatively short keys, or for transactions of limited scope,
e.g., for SET.

Section II defines conditions for establishing and approving escrow
agencies.  Given the requirement for "professional
confidentiality", I would not be at all surprised if the civil law
"notaires" didn't jump at the chance to get into this business.

The requirement that they exercise their activities on French soil
is rather obscure.  The prior language doesn't explicitly say that
anything about escrow, nor where the escrowed keys must be
maintained -- it only talks about the management of coding
conventions, and the requirement to comply with the requirements of
the Code of Civil Procedure, which presumably requires that they
divulge the keys and/or the text of any confidential messages upon
demand by a proper authority. But a literal reading of the text
would suggest that a standards organization that manages and
preserves the coding conventions would have to carry out their
activities on French soil, while the escrow repository might be
elsewhere.

Section III certainly makes it clear that they are serious about
all this.  The natural persons who have committed, or even
attempted to commit acts in violation of the Act are subject to
fines and imprisonment, and I would hazard a guess that the
Articles 131-33 and 131-34 would debar them from participating in
any future importing or exporting.

Corporations (judicial persons) may be held criminally responsible
for any infractions caused by their employees, and I would assume
that Article 131-39 would also lead to a debarment for future
import or export, in exactly the same manner as US export
violations would.

Section VI makes the Act applicable to overseas territories, which
means that some of the more obscure areas and countries would also
be covered, such as French Guiana, etc.

Disclaimer: I am not a French attorney, nor someone who is at all
knowledgeable about EC law. The preceding analysis should not be
construed as any kind of an official position.  Go get your own
hired guns if you need advice!