CRYPTO LAW SURVEY
Version July 1995
Bert-Jaap Koops (koops@kub.nl)
Please credit if quoting.

This survey of cryptography laws is based on several reports and on replies to a posting on Internet discussion lists. Only for France, The Netherlands, and Russia have I consulted original texts of relevant regulations; for the other countries, the reports listed below served as the only source. These findings, therefore, do not pretend to be exhaustive or fully reliable. I thank all who have provided me with information for this survey. Please send comments, corrections, updates, additional information, and questions to E.J.Koops@kub.nl.

SOURCES
[1] KPMG EDP Auditors, Rapport aan de Ministers van Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake de uitkomsten van het Bedrijfseffectenonderzoek Cryptografie (Amstelveen, 7 april 1994), pp. 27-38, 107-114
[2] Moret Ernst & Young EDP Audit Management Services, Eindrapport onderzoek ontwerp-regeling encryptie (Amsterdam, 1 maart 1994), pp. 21-30
[3] James P. Chandler, Diana C. Arrington, Donna R. Berkelhammer, and William L. Gill, Identification and Analysis of Foreign Laws and Regulations Pertaining to the Use of Commercial Encryption Products for Voice and Data Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
[4] André Sylvain, Data Encryption and the Law(s) - Results, posted on talk.politics.crypto, 15 December 1994
[5] various references; personal communications by Adam Back, Peter Gervai, Ulf Moeller, Marc Plumb, and Thomas Quinot.

-----------------------------------------------------------------------------------
SURVEY PER COUNTRY
1. Export/import regulations
2. Other laws/regulations pertaining to encryption
3. Threats/intentions to regulate encryption
4. Regulations stimulating encryption use
-----------------------------------------------------------------------------------

_COCOM_
1. COCOM (Coordinating Committee for Multilateral Export Controls) is an international organization (Japan, Australia, and all NATO members, Ireland excluded) for the mutual control (and restriction) of strategic arms export. It maintains, among others, the International Industrial List and the International Munitions List. In 1991, COCOM decided to allow export of mass-market cryptographic software (including public domain software). Some member countries of COCOM follow its regulations, but others, such as Germany and the United States, maintain separate regulations.

_Australia_ [1, 3]
1. Written permission is needed for exporting cryptographic equipment designed to ensure the secrecy of communications or stored information.
2. no
3. no

_Austria_ [1]
2. no
3. no

_Belgium_ [1, 3]
1. no
2. no
3. no

_Brazil_ [3]
1. no

_Canada_ [1, 3, 4, 5]
1. Canada follows COCOM regulations. The exportation of items from Canada may be subject to restriction if they are included on the Export Control List. All types of cryptography can be transported between Canada and the United States, but cryptography imported from the US remains under US ITAR rules and cannot be exported if the US does not allow export.
2. no
3. no (but Canada is monitoring the debate in the US)

_People's Republic of China_ [3]
1. China restricts the importation and exportation of voice-encoding devices.

_Denmark_ [1, 4]
2. no
3. no
4. The Danish Teletrust Group has set up an Encryption Group to work on the technical and legal concept of public-key certifying authorities. A Centre Certifying Authority (CCA) would coordinate control and certification of key centres to provide secure keys within telecommunications. Such a CCA would need a legal basis. The Danish government has not (yet) implemented the initiative into law.

_European Union_ [5]
2. no
3. There are rumours that the EU is working on the establishment of a key escrow system to counter the US Clipper initiative. The EU system would allow member states to choose escrow agents with which keys have to be deposited. The European Community's Green Book on the Security of Information Systems (Draft 4.0, 18 October 1993) makes a case for the provision of "Public Confidentiality Services" (which offer some sort of Government Access to Keys).

_Finland_ [4, 5]
2. no
3. no

_France_ [1, 3, 4]
1. a) For exporting authentication- or integrity-only cryptography, a declaration dossier of export delivery must be deposited. A copy of the receipt of declaration must be presented to customs at each exportation. For temporary exportation, a user declaration will serve as export declaration in the case of cryptography used exclusively for personal use by an individual. A delivery declaration will serve as temporary-export declaration for a sample.
b) For exporting any other kind of cryptography, apart from once depositing the administrative and technical details needed for user or delivery authorisation, a license is needed for each exportation.
2. Delivery, exportation, and use of cryptography are subject to:
a) prior declaration if the cryptography can have no other object than authenticating communications or assuring the integrity of transmitted messages;
b) prior authorisation by the Prime Minister in all other cases.
Simplified procedures exist for certain cryptography products or certain user categories. For both declaration and authorisation, a dossier containing technical details and administrative data must be submitted. Authorisation can be made subject to certain conditions in order to reserve the use of certain types of cryptography to defined user or application categories. It is unclear to what extent this regulation is being maintained in practice. It seems impossible for individuals or enterprises to obtain authorisation for "strong" cryptography, such as RSA. Moreover, the office dealing with authorisation renders its decisions without giving reasons.

_Germany_ [1, 3, 4, 5]
1. COCOM regulations, but Germany maintains export control of both public domain and mass-market encryption software.
2. no
3. Some politicians have expressed a desire to regulate cryptography, but, on the whole, there seems to be no threat that Germany will prepare a law on cryptography.

_Hungary_ [5]
2. no
3. no
4. There is a law that provides an agency with the competence to assess cryptography; the agency can declare that it satisfies a minimum security level.

_Iceland_ [1]
2. no
3. no

_India_ [3]
1. no

_Ireland_ [1]
2. no
3. no

_Israel_ [3]
1. Israel imposes restrictions on encryption, but the scope of its restrictions is not clear.

_Italy_ [1, 3]
1. COCOM regulations.
2. There is a law that demands accessibility of encrypted records for the treasury.
3. no

_Japan_ [1, 3]
1. COCOM regulations.
2. no
3. no

_Latvia_ [4]
2. no
3. no

_Mexico_ [3]
1. no

_The Netherlands_ [3, 4, 5]
1. Public domain and mass-market software generally does not require a validated license. Items capable of file encryption do require a validated license.
2. no
3. In March 1994, a Dutch predraft law on cryptography leaked out, the drift of which was a prohibition on having, using, or trading strong cryptography. Those with a "legitimate concern" could apply for a user license or a trade authorization. One condition for granting a license was giving information to an administrative agency; the text did not state whether this information concerned only the algorithm or also all the keys used. After many protests from those who would be affected by the proposed regulation, it was withdrawn. The Dutch authorities are currently studying alternatives to handle the issue. Although the draft regulation will not be continued in its present scope, it shows how much the judicial authorities fear wide dissemination of strong cryptography. It is to be expected that the Dutch government will want to regulate encryption in some way.

_New Zealand_ [1]
2. no
3. no

_Norway_ [1]
2. no
4. A bill on information security has been proposed, which indicates that cryptography can be used for the storage of passwords. It is uncertain whether and when this bill will come into force. A bill has been proposed on central medical registries that would use cryptographically pseudonymized entries.

_Russia_ [3, 5]
1. A license is required for the importation of encryption facilities manufactured abroad.
2. On 3 April 1995, president Yeltsin issued a decree prohibiting unauthorized encryption. State organizations and enterprises need a license to use encryption (for both authentication and secrecy, for storage as well as transmission). Other enterprises and organizations using uncertified cryptography do not receive state orders. The Central Bank shall take measures against commercial banks that do not use certified cryptography when communicating with divisions of the Central Bank. The development, production, implementation, or operation of cryptography without a license is prohibited.

_Saudi Arabia_ [3]
1. no

_South Africa_ [1, 3]
1. no
2. The South African situation is unclear. There appears to be legislation prohibiting the encryption of data on public telephone networks, but many companies and banks seem to ignore the legislation and do encrypt their data.

_Spain_ [1]
2. no
3. no

_Sweden_ [3, 4]
1. no
2. no
3. no

_Switzerland_ [1, 3]
1. no
2. no
3. no

_Turkey_ [1]
2. no
3. no

_United Kingdom_ [1, 3, 4, 5]
1. COCOM regulations.
2. no
3. In its policy on the information superhighway, Labour states that it does not approve of escrowed encryption, but it wishes authorities to have the power to demand decryption under judicial warrant. It seems, then, that Labour intends to penalize a refusal to comply with a demand to decrypt under judicial warrant.

_United States of America_ [1, 2, 4]
1. The International Traffic in Arms Regulation restricts export of "dual-use" cryptography (that is, cryptography that can serve both civilian and military purposes) by placing it on the Munitions List. For (relatively strong) products that can encipher information, an export license is usually issued only for use by foreign branches of American enterprises and for use by financial institutions. "Weak" cryptography (e.g., with a certain maximum key length) can also be exported. Export of cryptography that serves only authentication or integrity purposes is governed by the Export Administration Regulations. Some types of public domain software have been decontrolled and are now on the Commerce Control List. Several initiatives, as yet unsuccessful, have been taken, both in Congress and by the public, to try to mitigate the cryptography export restrictions.
2. no
3. In 1993, the Clinton Administration announced the Escrowed Encryption Initiative (EEI), usually referred to as the Clipper Initiative, after its first implementation in the Clipper chip. A classified, secret-key algorithm, SKIPJACK, has been implemented in an Escrowed Encryption Standard (EES). The reported basic idea of the EEI is to provide citizens with a safe cryptosystem for securing their communications without threatening law enforcement. The EES provides law enforcement access by means of a Law Enforcement Access Field (LEAF) that is transmitted along with each encrypted message; the field contains information identifying the chip used. Law enforcement agencies wire-tapping communications encrypted with EES can decipher tapped messages by obtaining the two parts of the chip's master key that are deposited with two escrow agencies (the National Institute of Standards and Technology and the Treasury Department's Automated Systems Division), provided they have a court order for the tapping. The EES is a voluntary standard to be used in telephone communications. Privacy advocates fear that the government may declare escrowed encryption obligatory once it has captured a sufficient portion of the market. It is doubtful that EES will be widely accepted, though, given the scepticism with which the majority of US citizens presently regard escrowed encryption or government access to keys. On June 27, 1995, Senator Grassley introduced the Anti-Electronic Racketeering Act (S.974), which, if enacted, would virtually ban encryption. Only the use of escrow-like software would be an affirmative defense for those prosecuted for using cryptography. The bill does not seem to have much support at present.
4. The Utah Digital Signatures Act of 1995 provides a legal framework for the use of cryptography for authentication and integrity purposes.
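The escrow flow described under the United States above, as an added toy model written for this survey (not part of the original text and not the real Clipper/EES formats): the chip's unit key is split into two XOR shares held by the two escrow agencies, every message carries a LEAF naming the chip, and the session key can only be recovered with both shares. The chip-id and nonce lengths, the HMAC-based wrapping used in place of SKIPJACK, and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

CHIP_ID_LEN = 4   # assumed: a 32-bit chip identifier carried in the LEAF
NONCE_LEN = 8     # assumed: per-message nonce so the wrapping keystream is never reused

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_unit_key(unit_key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR sharing done when the chip is programmed: one share per agency.
    share_a is uniformly random, so either share alone carries no information
    about the unit key; only the XOR of both recovers it."""
    share_a = secrets.token_bytes(len(unit_key))
    return share_a, xor_bytes(unit_key, share_a)

def reconstruct_unit_key(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)

def keystream(unit_key: bytes, chip_id: bytes, nonce: bytes, n: int) -> bytes:
    """Keyed PRF (HMAC-SHA256) used as a stream cipher; stand-in for the chip's cipher."""
    return hmac.new(unit_key, b"LEAF" + chip_id + nonce, hashlib.sha256).digest()[:n]

def make_leaf(chip_id: bytes, unit_key: bytes, session_key: bytes) -> bytes:
    """Chip side: LEAF = chip_id || nonce || session_key wrapped under the unit key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    wrapped = xor_bytes(session_key, keystream(unit_key, chip_id, nonce, len(session_key)))
    return chip_id + nonce + wrapped

def recover_session_key(leaf: bytes, agency_a: dict, agency_b: dict) -> bytes:
    """Wiretap side, after the court order: read the chip id from the LEAF, fetch that
    chip's share from each agency, rebuild the unit key, and unwrap the session key."""
    chip_id = leaf[:CHIP_ID_LEN]
    nonce = leaf[CHIP_ID_LEN:CHIP_ID_LEN + NONCE_LEN]
    wrapped = leaf[CHIP_ID_LEN + NONCE_LEN:]
    unit_key = reconstruct_unit_key(agency_a[chip_id], agency_b[chip_id])
    return xor_bytes(wrapped, keystream(unit_key, chip_id, nonce, len(wrapped)))

def demo() -> bool:
    """Provision one chip, escrow its shares, emit a LEAF, and check both outcomes."""
    chip_id = bytes.fromhex("0000002a")          # constructed chip identifier
    unit_key = secrets.token_bytes(10)           # constructed 80-bit unit key
    share_a, share_b = split_unit_key(unit_key)
    nist, treasury = {chip_id: share_a}, {chip_id: share_b}   # the two escrow agencies
    session_key = secrets.token_bytes(10)
    leaf = make_leaf(chip_id, unit_key, session_key)
    with_both = recover_session_key(leaf, nist, treasury)
    # One agency acting alone (the other share unknown, modelled as a guess) gets garbage.
    one_only = recover_session_key(leaf, nist, {chip_id: secrets.token_bytes(10)})
    return with_both == session_key and one_only != session_key
```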