Crypto Law Survey
by Bert-Jaap Koops ([email protected])
Version July 1995, PLEASE CREDIT IF QUOTING
This survey of cryptography laws is based on several reports and on
replies to a posting on Internet discussion lists. Only for France, The
Netherlands, and Russia have I consulted original texts of relevant
regulations; for the other countries, the reports listed below served as
the only source. These findings, therefore, do not pretend to be
exhaustive or fully reliable. I thank all who have provided me with
information for this survey. Please send comments, corrections, updates,
additional information, and questions to
[email protected].
SOURCES
[1] KPMG EDP Auditors, Rapport aan de Ministers van
Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake
de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie
(Amstelveen, 7 april 1994), pp. 27-38, 107-114
[2] Moret Ernst & Young EDP Audit Management Services,
Eindrapport onderzoek ontwerp-regeling encryptie,
(Amsterdam, 1 maart 1994), pp. 21-30
[3] James P. Chandler, Diana C. Arrington, Donna R.
Berkelhammer, and William L. Gill, Identification and Analysis
of Foreign Laws and Regulations Pertaining to the Use of
Commercial Encryption Products for Voice and Data
Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
[4] André Sylvain, Data Encryption and the Law(s) - Results,
posted on talk.politics.crypto, 15 December 1994
[5] various references; personal communications by Adam Back,
Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot.
SURVEY PER COUNTRY
1. Export/ import regulations
2. Other laws/regulations pertaining to encryption
3. Threats/ intentions to regulate encryption
4. Regulations stimulating encryption use
COCOM
1. COCOM (Coordinating Committee for Multilateral Export Controls)
is an international organization (Japan, Australia, and all NATO
members, Iceland excluded) for the mutual control (and restriction) of
strategic arms exports. It maintains, among other things, the International
Industrial List and the International Munitions List. In 1991 COCOM
decided to allow export of mass-market cryptographic software
(including public domain software). Some member countries of COCOM
follow its regulations, but others, such as Germany and the
United States, maintain separate regulations.
Australia [1, 3]
1. Written permission is needed for exporting cryptographic equipment
designed to ensure the secrecy of communications or stored information.
2. no
3. no
Austria [1]
2. no
3. no
Belgium [1, 3]
1. no
2. no
3. no
Brazil [3]
1. no
Canada [1, 3, 4, 5]
1. Canada follows COCOM regulations. The exportation of items from
Canada may be subject to restriction if they are included on the Export
Control List. All types of cryptography can be transported between
Canada and the United States, but cryptography imported from the US
remains under US ITAR rules and cannot be exported if the US does not
allow export.
2. no
3. no (but Canada is monitoring the debate in the US)
People's Republic of China [3]
1. China restricts the importation and exportation of voice-encoding
devices.
Denmark [1, 4]
2. no
3. no
4. The Danish Teletrust Group has set up an Encryption Group to work
on the technical and legal concept of public-key certifying authorities.
A Centre Certifying Authority (CCA) would coordinate control and
certification of key centres to provide secure keys within
telecommunications. It would be necessary for such a CCA to have a
legal basis. The Danish government has not (yet) implemented the
initiative into law.
European Union [5]
2. no
3. There are rumours that the EU is working on the establishment of a
key escrow system to counter the US Clipper initiative. The EU system
would allow member states to choose escrow agents with whom keys have to
be deposited. The European Community's Green Book on the Security
of Information Systems (Draft 4.0, 18 October 1993) makes a case for
the provision of "Public Confidentiality Services" (which offer some
sort of Government Access to Keys).
Finland [4, 5]
2. no
3. no
France [1, 3, 4]
1. a) For exporting cryptography that serves only authentication or
integrity purposes, an export delivery declaration dossier must be filed.
A copy of the receipt of the declaration must be presented to customs at
each exportation. For temporary exportation, a user declaration serves
as the export declaration when the cryptography is used exclusively for
personal use by an individual, and a delivery declaration serves as the
temporary-export declaration for a sample.
b) For exporting any other kind of cryptography, apart from depositing
once the administrative and technical details needed for user or
delivery authorisation, a license is needed for each exportation.
2. Delivery, exportation, and use of cryptography are subject to:
a) prior declaration, if the cryptography can have no other object
than authenticating communications or assuring the integrity of
transmitted messages;
b) prior authorisation by the Prime Minister in all other cases.
Simplified procedures exist for certain cryptography products or certain
user categories.
For both declaration and authorisation, a dossier containing technical
details and administrative data must be submitted. Authorisation can be
made subject to conditions that reserve the use of certain types of
cryptography to defined user or application categories.
It is unclear to what extent this regulation is enforced in practice.
It seems impossible for individuals or enterprises to obtain
authorisation for "strong" cryptography, such as RSA. Moreover, the
office dealing with authorisation renders its decisions without stating
reasons.
Germany [1, 3, 4, 5]
1. COCOM regulations, but Germany maintains export control of both
public domain and mass-market encryption software.
2. no
3. Some politicians have expressed a desire to regulate cryptography,
but, on the whole, there seems to be no threat that Germany will prepare
a law on cryptography.
Hungary [5]
2. no
3. no
4. There is a law that gives an agency the competence to assess
cryptographic products; the agency can declare that a product satisfies
a minimum security level.
Iceland [1]
2. no
3. no
India [3]
1. no
Ireland [1]
2. no
3. no
Israel [3]
1. Israel imposes restrictions on encryption, but the scope of its
restrictions is not clear.
Italy [1, 3]
1. COCOM regulations.
2. There is a law that requires encrypted records to be accessible to
the treasury.
3. no
Japan [1, 3]
1. COCOM regulations.
2. no
3. no
Latvia [4]
2. no
3. no
Mexico [3]
1. no
The Netherlands [3, 4, 5]
1. Public domain and mass-market software generally does not require a
validated license. Items capable of file encryption do require a
validated license.
2. no
3. In March 1994, a Dutch predraft law on cryptography leaked out, the
drift of which was a prohibition on possessing, using, or trading strong
cryptography. Those with a "legitimate concern" could apply for a user
license or a trade authorization. One condition for granting a license
was giving information to an administrative agency; the text did not
state whether this information concerned only the algorithm or also all
the keys used. After many protests from those who would be affected by
the proposed regulation, it was withdrawn. The Dutch authorities are
currently studying alternatives for handling the issue. Although the
draft regulation will not be continued in its present scope,
it shows how much the judicial authorities fear wide dissemination of
strong cryptography. It is to be expected that the Dutch government will
want to regulate encryption in some way.
New Zealand [1]
2. no
3. no
Norway [1]
2. no
4. A bill on information security has been proposed, which indicates
that cryptography can be used for the storage of passwords. It is not
certain if and when this bill will come into force.
A bill has been proposed on central medical registries that would use
cryptographically pseudonymized entries.
Russia [3, 5]
1. A license is required for the importation of encryption facilities
manufactured abroad.
2. On 3 April 1995, President Yeltsin issued a decree prohibiting
unauthorized encryption. State organizations and enterprises need a
license to use encryption (for both authentication and secrecy, for
storage as well as transmission). Other enterprises and organizations
using uncertified cryptography do not receive state orders. The Central
Bank shall take measures against commercial banks that do not use
certified cryptography when communicating with divisions of the Central
Bank. The development, production, implementation, or operation of
cryptography without a license is prohibited.
Saudi Arabia [3]
1. no
South Africa [1, 3]
1. no
2. The South African situation is unclear. There appears to be
legislation prohibiting the encryption of data on public telephone
networks, but many companies and banks seem to ignore the legislation
and do encrypt their data.
Spain [1]
2. no
3. no
Sweden [3, 4]
1. no
2. no
3. no
Switzerland [1, 3]
1. no
2. no
3. no
Turkey [1]
2. no
3. no
United Kingdom [1, 3, 4, 5]
1. COCOM regulations.
2. no
3. In its policy on the information superhighway, Labour states it does
not approve of escrowed encryption, but it wishes authorities to have
the power to demand decryption under judicial warrant. It seems, then,
that Labour intends to penalize a refusal to comply with a demand to
decrypt under judicial warrant.
United States of America [1, 2, 4]
1. The International Traffic in Arms Regulations (ITAR) restrict export of
"dual-use" cryptography (that is, cryptography that can serve both
civilian and military purposes) by placing it on the Munitions List. For
(relatively strong) products that can encipher information, an export
license is usually issued only for use by foreign branches of American
enterprises and for use by financial institutions. "Weak" cryptography
(e.g., with a certain maximum key length) can also be exported.
Export of cryptography that serves only authentication or integrity
purposes is governed by the Export Administration Regulations. Some types
of public domain software have been decontrolled and are now on the
Commerce Control List.
Several initiatives, as yet unsuccessful, have been taken, both in
Congress and by the public, to try to mitigate the cryptography export
restrictions.
2. no
3. In 1993, the Clinton Administration announced the Escrowed
Encryption Initiative (EEI), usually referred to as the Clipper
initiative after its first implementation, the Clipper chip. A
classified secret-key algorithm, SKIPJACK, has been implemented in
an Escrowed Encryption Standard (EES). The reported basic idea of the
EEI is to provide citizens with a secure cryptosystem for protecting
their communications without hampering law enforcement. The EES
provides law enforcement access by means of a Law Enforcement Access
Field (LEAF) that is transmitted along with each encrypted message;
the field contains information identifying the chip used. Law
enforcement agencies wiretapping communications encrypted with EES
can decipher the tapped messages by obtaining the two parts of the
chip's master key, which are deposited with two escrow agencies (the
National Institute of Standards and Technology and the Treasury
Department's Automated Systems Division), provided they have a court
order for the tap. The EES is a voluntary standard intended for
telephone communications. Privacy advocates fear that the government
may make escrowed encryption mandatory once it has captured a
sufficient share of the market. It is doubtful that the EES will be
widely accepted, though, given the skepticism with which the majority
of US citizens presently regard escrowed encryption and government
access to keys. On June 27, 1995, Senator Grassley introduced the
Anti-Electronic Racketeering Act (S.974), which, if enacted, would
virtually ban encryption: only the use of escrow-like software would
be an affirmative defense for those prosecuted for using
cryptography. The bill does not seem to have much support at
present.
4. The Utah Digital Signature Act of 1995 provides a legal
framework for the use of cryptography for authentication and
integrity purposes.
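The split-key escrow mechanism described under the United States (item 3: a LEAF sent with each message, a chip key split between two escrow agencies, and decryption only once both halves are released) can be shown in code. The following is an added example and is not part of the original survey, nor an implementation of the EES itself: SKIPJACK was classified, so a SHA-256-derived keystream stands in for the cipher; the LEAF layout (chip id, session key wrapped under the chip's key, integrity tag, all under a family key shared by every chip), the key lengths, the 4-byte chip id, and all keys and messages are constructed assumptions of this example.

```python
"""Simplified model of EES-style split-key escrow (added example, not the EES).

A SHA-256 keystream stands in for the classified SKIPJACK cipher. The LEAF
layout and all keys below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 10   # the EES used 80-bit keys; the length is kept for flavour only
CHIP_ID_LEN = 4
TAG_LEN = 8


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with a SHA-256-derived keystream.
    Encryption and decryption are the same operation (assumption: not SKIPJACK)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return xor_bytes(data, bytes(out[:len(data)]))


def split_key(ku):
    """Split the chip's key KU into two shares, one per escrow agency.
    Each share on its own is a uniformly random string and reveals nothing."""
    share1 = secrets.token_bytes(len(ku))
    share2 = xor_bytes(ku, share1)
    return share1, share2


def recombine(share1, share2):
    """Both agencies' shares XORed together give back KU."""
    return xor_bytes(share1, share2)


def make_leaf(chip_id, ku, kf, ks, nonce):
    """Law Enforcement Access Field: chip id plus the session key KS wrapped
    under the chip key KU, with an integrity tag, all under the family key KF."""
    wrapped_ks = stream_xor(ku, b"wrap" + nonce, ks)
    body = chip_id + wrapped_ks
    tag = hmac.new(kf, body + nonce, hashlib.sha256).digest()[:TAG_LEN]
    return stream_xor(kf, b"leaf" + nonce, body + tag)


def chip_encrypt(chip_id, ku, kf, plaintext):
    """What the chip does for each message: fresh session key, ciphertext, LEAF."""
    ks = secrets.token_bytes(KEY_LEN)
    nonce = secrets.token_bytes(8)
    ciphertext = stream_xor(ks, nonce, plaintext)
    return nonce, make_leaf(chip_id, ku, kf, ks, nonce), ciphertext


def law_enforcement_decrypt(kf, share1, share2, nonce, leaf, ciphertext):
    """What a wiretapper can do once both escrow agencies, on a court order,
    have released the two shares of the chip's key."""
    body_tag = stream_xor(kf, b"leaf" + nonce, leaf)
    body, tag = body_tag[:-TAG_LEN], body_tag[-TAG_LEN:]
    expected = hmac.new(kf, body + nonce, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("LEAF integrity check failed")
    chip_id, wrapped_ks = body[:CHIP_ID_LEN], body[CHIP_ID_LEN:]
    ku = recombine(share1, share2)
    ks = stream_xor(ku, b"wrap" + nonce, wrapped_ks)
    return chip_id, stream_xor(ks, nonce, ciphertext)


def run_demo():
    """End-to-end run with constructed keys; returns the results for inspection."""
    chip_id = b"\x00\x00\x00\x2a"        # constructed chip serial
    ku = bytes(range(KEY_LEN))            # constructed chip key
    kf = b"family-key"                    # constructed family key
    share1, share2 = split_key(ku)        # deposited with agency 1 and agency 2
    nonce, leaf, ct = chip_encrypt(chip_id, ku, kf, b"meet at noon")
    found_id, pt = law_enforcement_decrypt(kf, share1, share2, nonce, leaf, ct)
    # One agency's share alone (the other replaced by zeros) yields only garbage.
    _, wrong = law_enforcement_decrypt(kf, share1, bytes(KEY_LEN), nonce, leaf, ct)
    return {"chip_id": found_id, "plaintext": pt, "single_share_plaintext": wrong}


if __name__ == "__main__":
    print(run_demo())
```

The chip id recovered from the LEAF is what tells the wiretapper which escrow records to request; until both agencies release their shares, the session key inside the LEAF stays wrapped, which is the property the two-agency design in the text is meant to provide.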