From: Julian Assange <proff@suburbia.net>
To: cypherpunks@toad.com
Message Hash: ad331e15e3d3a5c3e6babe4538e374fa0544000cbdbbde014abb46caad857585
Message ID: <199605280918.TAA17579@suburbia.net>
Reply To: N/A
UTC Datetime: 1996-05-28 14:19:04 UTC
Raw Date: Tue, 28 May 1996 22:19:04 +0800
From: Julian Assange <proff@suburbia.net>
Date: Tue, 28 May 1996 22:19:04 +0800
To: cypherpunks@toad.com
Subject: France's proposed telecoms law
Message-ID: <199605280918.TAA17579@suburbia.net>
MIME-Version: 1.0
Content-Type: text/plain
Paris, May 23, 1996: There is an EC regulation called which applies to
all EC countries.
This restricts the use of cryptography in the context of weapons of
mass destruction, but not for any other purpose. The UK also has an
export licensing requirement which is similar in scope. France, on
the other hand, has much wider restrictions. The EC regulation is
"Dual-Use and Related Goods (Export Control) Regulations" and the UK
is "Export of Goods (Control) Order".
Attached is a message containing the pending French legislation,
followed by some comments. I hope this is helpful to readers on both
sides of the pond.
[Tuesday, 07 May 96 08:30:54 EST, "jean-bernard condat" <condat@atelier.fr>
writte:]
---------------
Art. 12
Article 28 of the Law No. 90-1170 dated December 29, 1990, on
telecommunications regulation is hereby amended as follows:
I - Section I is hereby amended as follows:
1) The first paragraph shall be completed by the following
phrase: "Secret coding method denotes all materials or programs
conceived or modified for the same purpose."
2) The second and third paragraphs are hereby replaced by the
following provisions:
"To preserve the interests of national defense and the internal
or external security of the State, while permitting the
protection of information and the development of secure
communications and transactions,
1) the use of a secret coding method or service shall be:
a) allowed freely:
- if the secret coding method or service does not allow the
assurance of confidentiality, particularly when it can only be
used to authenticate a communication or ensure the integrity of
the transmitted message;
- or if the method or the service assures confidentiality and
uses only coding conventions managed according to the procedures
and by an organization approved under the conditions defined in
Section II;
b) subject to the authorization of the Prime Minister in other
cases.
2) the supply, importation from countries not belonging to the
European Community, and exportation of secret coding methods as
well as services:
a) shall require the prior authorization of the Prime Minister
when they assure confidentiality; the authorization may require
the supplier to reveal the identity of the purchaser;
b) shall require declaration in other cases."
3) A decree sets the conditions under which the declarations are
signed and the authorizations approved. This decree provides
for:
a) a simplified system of declaration or authorization for
certain types of methods or services or for certain categories of
users;
b) the substitution of the declaration for the authorization, for
transactions concerning secret coding methods or services whose
technical characteristics or conditions of use, while justifying
a certain attention being paid with regard to the aforementioned
interests, do not require the prior authorization of these
transactions;
c) the waiver of all prior formalities for transactions
concerning secret coding methods or services whose technical
characteristics or conditions of use are such that the
transactions are not capable of damaging the interests mentioned
at the beginning of this paragraph.
II - Section II is hereby replaced by the following provisions:
"II - Organizations responsible for managing, on behalf of
others, the coding conventions for secret coding methods or
services that allow the assurance of confidentiality must be
approved in advance by the Prime Minister.
They are obligated to maintain professional confidentiality in
the exercise of their approved activities.
The approval shall specify the methods and services that they may
use or supply.
They shall be responsible to preserve the coding conventions that
they manage. Within the framework of application of the Law No.
91-646 dated July 10, 1991, concerning the confidentiality of
correspondence sent via telecommunications, and within the
framework of investigations made under the rubric of Articles 53
et seq. and 75 et seq. of the Code of Criminal Procedure, they
must release them to judicial authorities or to qualified
authorities, or implement them according to their request.
They must exercise their activities on domestic soil.
A decree in the Council of State sets the conditions under which
these organizations shall be approved, as well as the guarantees
which the approval shall require; it specifies the procedures and
the technical provisions allowing the enforcement of the
obligations indicated above.
III - a) Without prejudice to the application of the Customs
Code, the fact of supplying, importing from a country not
belonging to the European Community, or exporting, a secret
coding method or service, without having obtained the prior
authorization mentioned in I or in violation of the conditions of
the granted approval, shall be punishable by six months
imprisonment and a fine of FF 200,000.
The fact of managing, on behalf of others, the coding conventions
for secret coding methods or services that allow the assurance of
confidentiality, without having obtained the approval mentioned
in II or in violation of the conditions of this approval, shall
be punishable by two years imprisonment and a fine of FF 300,000.
The fact of supplying, importing from a country not belonging to
the European Community, or exporting, a secret coding method or
service, in order to facilitate the preparation or commission of
a felony or misdemeanor, shall be punishable by three years
imprisonment and a fine of FF 500,000.
The attempt to commit the infractions mentioned in the preceding
paragraphs shall be punishable by the same penalties.
b) The natural persons guilty of the infractions mentioned under
a) shall incur the complementary penalties provided for in
Articles 131-19, 131-21, and 131-27, as well as, either
indefinitely or for a period of five years or longer, the
penalties provided for in Articles 131-33 and 131-34 of the
Criminal Code.
c) Judicial persons may be declared criminally responsible for
the infractions defined in the first paragraph under the
conditions provided for in Article 121-2 of the Criminal Code.
The penalties incurred by judicial persons are:
1) the fine according to the modalities provided for by Article
131-38 of the Criminal Code;
2) the penalties mentioned in the Article L. 131-39 of the same
code. The prohibition mentioned in 2) of this article L. 131-39
concerns activities, during the exercise of which, or on the
occasion of the exercise of which, the infraction was committed."
III - Section III becomes IV.
Its last paragraph is hereby replaced by the following
provisions:
"The fact of refusing to supply information or documents, or of
obstructing the progress of the investigations mentioned in this
section IV, shall be punishable by six months imprisonment and a
fine of FF 200,000."
IV - Section IV becomes V.
After the word "authorizations," the words "and declarations" are
hereby inserted.
V - A section VI is hereby added, formulated as follows:
"VI - The provisions of this article shall not hinder the
application of the Decree dated April 18, 1939, establishing the
regulation of war materials, arms, and munitions, to those secret
coding methods which are specially conceived or modified to allow
or facilitate the use or manufacture of arms."
VI - This article is applicable to overseas territories and to
the territorial commonwealth of Mayotte.
Copyright 1996 Steptoe & Johnson LLP
Steptoe & Johnson LLP grants permission for the contents of this
publication to be reproduced and distributed in full free of
charge, provided that: (i) such reproduction and distribution is
limited to educational and professional non-profit use only (and
not for advertising or other use); (ii) the reproductions or
distributions make no edits or changes in this publication; and
(iii) all reproductions and distributions include the name of the
author(s) and the copyright notice(s) included in the original
publication.
---------------
In trying to analyze the impact of the proposed law, I would note
the following:
Section I:
Paragraph 1 (a), first bullet, seems to explicitly allow digital
signatures, and does not require that the secret keys used for such
purposes be escrowed.
Paragraph 1 (a), second bullet, in combination with Section II,
strongly hints at a requirement for key escrow. Conceivably,
depending on the details of Law No 91-646 dated July 10, 1991
concerning the confidentiality of correspondence sent via
telecommunications, the use of short keys that might expose
information to unauthorized individuals (a la the IBM masked DES
and Lotus Notes solution) might even be prohibited!
Paragraph 1 (b) provides an escape clause for certain favored
activities (and/or organizations?). Presumably international
standards such as Visa/MasterCard's SET, which apply strong
confidentiality to only certain data fields, notably the
cardholders account number, would be permitted under this kind of
an exception. Banking transactions and other sensitive information
may also be excluded from the key escrow requirement, especially if
(since) the Government could subpoena the bank's records directly.
This is further borne out by paragraph 3, (a, b, and c).
Paragraph 1 seems to apply to the use of encryption, as opposed to
the supply, import, or export. However, unless such use is covered
by Law No. 91-646, the proposed amendment does not seem to apply
criminal or civil penalties to such use.
Paragraph 2 is interesting, in that it differentiates between
"supply" and "importing from countries not belonging to the
European community". This may be a techni-cality of the European
Community import/export laws -- perhaps importation from countries
within the European Community no longer has any meaning, since such
customs barriers were supposed to have been removed. I would
interpret "supply" to include the offering for sale, or even
distributing for free, such code, even by a French citizen. This
would therefore appear to apply to the (re-)distribution of PGP
and/or any home-grown French products, as well as any encryption
products originating within the EC. If so, this would seem to be
more even-handed with respect to imports from the US and elsewhere
than might otherwise appear, and may obviate any claim that the law
would violate the World Trade Organization's Most Favored Nation
agreements. The apparent import preference for EC products simply
reflect's France's obligation to allow the free flow of goods
within the EC.
Paragraph 3 seems to provide for some simplified administrative
mechanisms that may be less onerous than a case by case review. IN
US terms, this may be similar to requesting a commodity
jurisdiction from Commerce, rather than having encryption being
construed as following under the ITARs. If so, we should certainly
investigate these options. Subparagraphs b and c may apply to the
use of relatively short keys, or for transactions of limited scope,
e.g., for SET.
Section II defines conditions for establishing and approving escrow
agencies. Given the requirement for "professional
confidentiality", I would not be at all surprised if the civil law
"notaires" didn't jump at the chance to get into this business.
The requirement that they exercise their activities on French soil
is rather obscure. The prior language doesn't explicitly say that
anything about escrow, nor where the escrowed keys must be
maintained -- it only talks about the management of coding
conventions, and the requirement to comply with the requirements of
the Code of Civil Procedure, which presumably requires that they
divulge the keys and/or the text of any confidential messages upon
demand by a proper authority. But a literal reading of the text
would suggest that a standards organization that manages and
preserves the coding conventions would have to carry out their
activities on French soil, while the escrow repository might be
elsewhere.
Section III certainly makes it clear that they are serious about
all this. The natural persons who have committed, or even
attempted to commit acts in violation of the Act are subject to
fines and imprisonment, and I would hazard a guess that the
Articles 131-33 and 131-34 would debar them from participating in
any future importing or exporting.
Corporations (judicial persons) may be held criminally responsible
for any infractions caused by their employees, and I would assume
that Article 131-39 would also lead to a debarment for future
import or export, in exactly the same manner as US export
violations would.
Section VI makes the Act applicable to overseas territories, which
means that some of the more obscure areas and countries would also
be covered, such as French Guiana, etc.
Disclaimer: I am not a French attorney, nor someone who is at all
knowledgeable about EC law. The preceding analysis should not be
construed as any kind of an official position. Go get your own
hired guns if you need advice!
Return to May 1996
Return to “Julian Assange <proff@suburbia.net>”
1996-05-28 (Tue, 28 May 1996 22:19:04 +0800) - France’s proposed telecoms law - Julian Assange <proff@suburbia.net>