CRYPTOGRAPHY AND LIBERTY

AN INTERNATIONAL SURVEY OF ENCRYPTION POLICY


Global Internet Liberty Campaign

http://www.gilc.org/

Survey Results

Reported countries have been grouped into three categories regarding controls on cryptography. A "Green" designation signifies that the country has either expressed support for the OECD Guidelines on Cryptography, which generally favor unhindered legal use of cryptography, or has imposed no omnibus cryptography controls. A "Yellow" designation signifies that the country has proposed new cryptography controls, including domestic use controls, or has shown a willingness to treat cryptographic-enabled software as a dual-use item under Waasenaar. A "Red" designation denotes countries that have instituted sweeping controls on cryptography, including domestic use controls. Some countries do not fit neatly into one of the three categories, but trends may show them as being borderline, i.e., "Yellow/Red."

Anguilla

GREEN

Anguilla is a self-governing British territory in the Caribbean. It has also attracted an off-shore Internet industry which takes advantage of the territory's tax haven status. In an interview with a reporter from Wired magazine, Victor F. Banks, the Anguillan Minister of Finance, gave a pitch for Anguilla as a base for Internet commerce. He said "Here in Anguilla we are well situated for Internet commerce. Our banks are well regulated, clean, secure; we are very vigilant against criminal activity; we have strong rules against money laundering and traffic in illegal drugs. We have mutual legal assistance with the US that allows it to get information from us about any clientele involved in criminal activity, although it can't go on fishing expeditions to find out about tax avoidance."

Offshore Information Services is one company that offers Anguilla domain name services (.ai), e-mail accounts, virtual web sites, and links to encryption programs like Pretty Good Privacy (PGP). It also offers the opportunity to engage in cryptographic civil disobedience. One may send a three-line encryption program to Anguilla. In the United States, this simple harmless act is illegal, a violation of the ITAR. The web address for the civil disobedience campaign is http://online.offshore.com .ai/arms-trafficker/ . By hosting such an operation, Anguilla does not seem to be a country in support of U.S. initiatives on cryptography.

Ref: Charles Platt, "Plotting Away in Margaritaville," Wired (July 1997)

Antigua and Barbuda

GREEN

The Embassy of Antigua and Barbuda in Washington did not respond to our survey. However, perusal of their Free Trade Zone web site yielded the fact that the island nation is trying to compete with Anguilla in luring international data services, including those reliant on the Internet. Several virtual casinos have been established in the Free Trade Zone. It is certain that strong encryption is a high priority for such operations.

Ref: www.candw.ag/~ftpzone/gam elicenced.htm

Argentina

YELLOW

Argentina has acceded to the Wassenaar Arrangement and is presumably committed to restricting the export of cryptographic products and technology as dual-use goods. However, the Argentine Ministry of Justice distributes PGP from the following web address: http://www.jus.gov.ar/firma/index. html

Armenia

YELLOW

According to the Second Secretary of the Embassy of Armenia in Washington, Armenia does not currently have a policy on the use of cryptography. However, the Armenian government has recently set up a Department of Information and Publications which, among other things, is planning to initiate legislation concerning the use of cryptography.

Ref: Embassy of the Republic of Armenia letter dated July 31, 1997.

Australia

GREEN/YELLOW

We received a phone call from the Embassy of Australia in Washington, D.C. They said they had received our request for information on Australia's laws on the use, export, and import of cryptographic products but were unsure of what agency of the Australian government to forward our request. We informed the embassy that the Attorney General's Department was the most likely agency possessing the information we desired. The confusion by the embassy on which government department is responsible for cryptography was cited in the government-commissioned Review of Policy relating to Encryption Technologies , authored by former deputy director of the Australia Security Intelligence Organization (ASIO), Gerald Walsh. In what is popularly called the Walsh Report (issued on October 10, 1996 and initially embargoed by the government for public release), Walsh criticizes the government for its lack of coordination in establishing a cryptographic policy:

[The Review found a lack of clarity as to which Minister and which department had responsibility for cryptography policy and the consequent danger of a lack of coordination in policy development. These deficiencies need to be overcome.]

The following is gleaned from the Commerce Department/NSA international encryption report:

Australian legislation controlling the export of cryptography products has existed since at least 1987 when Australia became a member of COCOM. Australian regulations, unlike COCOM, include all cryptographic products under a separate category rather than distinguishing them as dual-use or military. Cryptographic products require Ministry of Defense approval under Regulation 13B and the associated Schedule 13 of the Customs (ProhibitedExports) Regulations. As such, Australian export control regulations exceed both COCOM and Wassenaar guidelines in some areas, most notably in requiring individual export licensing for mass-market applications software and other mass-market software performing cryptographic functions.

With COCOM's revision of the control lists in 1991, Australia adopted the revised lists that included the decontrol of mass-market cryptographic software. However, by November 1994, Australia had specifically excepted cryptographic software from the decontrol permitted by COCOM, again requiring individual licensing on such products. The Commerce/NSA report redacts information from State Department Canberra cables explaining Australia's decision to re-impose individual licensing.

According to the Australian Department of Foreign Trade, as referenced in State Department Canberra Cable 03283-93, Australia has a reasonably advanced commercial encryption industry, mainly focused on protecting commercial data flow via modems, voice scramblers, and mobile phones, and that Australian exports of such products are mainly to the financial industry. Approval or denial of export applications is based on economic factors, the impact on Australian national security, and international obligations. Applications for export of cryptographic equipment are referred to the Defence Signals Directorate (DSD) for technical advice on the impact of export on national security. DSD is the agency responsible for collecting foreign signals intelligence (SIGINT), much of which is shared with the U.S. National Security Agency under the terms of the UK-USA Security Agreement of 1948. DSD is also the agency responsible for the security of all Australian government communications.

In December 1996, Australia amended its export control laws to allow a personal-use exemption for encryption software that remains in the control of Australian users.
According to the Commerce/NSA report, there are no import controls on cryptographic products in Australia.

Additionally, according to the Commerce/NSA report, the private use of encryption devices is limited only by the requirement to obtain Austel (Australian Telecommunications Authority) approval for any equipment to be attached to the public switch telephone network. Approval is generally granted provided the equipment does not harm the network. Australia does not appear to use homologation laws to control the private use of encryption. Homologation regulations govern the connection to and use of communications equipment on national telecommunications networks. Some governments use homologation regulations as a pretext to restrict the use of cryptography on telecommunications networks.

The Walsh Report recommends that Australia not establish a key escrow or recovery scheme as advocated by the United States. Its finding on this subject is as follows:

1.2.5 The Review does not support legislative action at this stage to prescribe a form of key management infrastructure accessible by government for purposes of national safety . . .

1.2.8 The Review does not recommend specific options for encryption legislation at this time.

1.2.11 There seems no compelling reason or virtue to move early on regulation or legislation concerning cryptography. Law enforcement and national security agencieshave certainly experienced difficulty where subjects of investigation have refused access to encrypted stored data and it has not been possible for them or other agencies to decrypt this material. It is questionable, though, whether any range of policy decisions concerning key management would have altered this situation materially. For the present, the investigative capability of the agencies is not significantly affected.

1.2.27 Invocation of the principle of non self-incrimination is likely to prove an obstacle to efforts by law enforcement agencies to obtain encryption keys by search warrants or orders made by courts and tribunals.

1.2.39 The ready availability of strong encryption, with no requirement to escrow or register keys, nor to entrust them to any independent entity, is the most effective safeguard of individual privacy.

1.2.50 It would be premature to enter formal negotiations with other countries on access to encrypted data, where public keys are held in those countries, until there is some certainty as to likely key management infrastructures.

1.2.53 There is a high risk of corruption in the third party service provider sector and the Government would be prudent to require integrity screening and registration of those who seek to offer such services to the public.

1.2.56 There seems to be little popular support in or outside the United States for a 'Commercial Key Escrow' system involving government agencies creating as it would significant vulnerability outside of the control of the person or corporation.

In August 1997, Senator Richard Alston, the newly-designated Federal Information Economy Minister, took over responsibility for cryptography policy-making from the Attorney General's department. The Attorney-General's department was criticized for initially suppressing the Walsh report on cryptography in early 1997.

It was reported that the new National Office for the Information Economy (NOIE) would have "significant private sector input", including long- and short-term contracts for staff from business backgrounds, in order to reflect corporate concerns.

Refs: Review of Policy relating to Encryption Technologies (Walsh Report), October 10, 1996.
A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
http://zdnet.com.au /pcweek/content/1001/pcoz0004.html

Austria

YELLOW

The Embassy of Austria in Washington, D.C. informed us that the Austrian organization responsible for cryptography usage and exports and imports was the Federal Ministry of Foreign Affairs, Section VI, in Vienna. A fax to that agency went unanswered.

According to the Commerce/NSA report, the Austrian government controls all encryption software as a dual-use item, and special licenses are required for its export, transit, or re-export. The legislation governing dual-use items is the Aussenhandelsgesetz 1995 Bundesgesetzblatt 172 , as well as accompanying Bundesgesetzblatt 180/1995 . Licenses are denied to destinations where an armed conflict is ongoing, to countries of concern, and to those against which there are international sanctions. The information was derived from Commerce Department Vienna Cable 004611, June 7, 1995.

According to a study by the Institute for Applied Information Processing and Communication (IAIK) regulations concerning the use of cryptography within Austria are covered by the law on internal radio transmissions ( Betriebsfunkverordnung - BFV 1995). Encryption is explicitly forbidden because frequencies assigned to certain companies and organizations are considered privileged frequency allocations that can only be used for company-specific internal communications. However, some frequencies are allocated to whole sectors of the economy resulting in the problem that competitors may listen in. Consequently, there is a strong interest from affected companies to change these regulations. The only exceptions are the sub-units of the Ministry of Interior (mainly the police and security forces). Public communication systems (e.g. GSM) may be encrypted. International regulations on amateur radio which demand transmission in clear text (and restrict content very strongly) are enforced in Austria.

On July 8, 1997, Caspar Einem, the Austrian Minister for Science and Transport endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers"will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework atEuropean and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: Embassy of Austria, Office of the Commercial Counselor fax dated June 24, 1997. A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html/
http://www2.echo.lu/bonn/confer ence.html/

Bahrain

UNKNOWN

We were contacted by telephone by the Embassy of Bahrain in Washington, D.C. and informed that the agency in Manama, Bahrain that was responsible for regulating the use of cryptography was the Directorate of Islamic Affairs, a component of the Ministry of Justice and Islamic Affairs. A direct query to that agency went unanswered.

Belarus

RED

Belarus restricts the manufacture, maintenance, and use of cryptographic products. Licenses are required by the State Security Committee (the Belarussian KGB).

Ref: http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html/

Belgium

GREEN/YELLOW

Belgium requires those wishing to export cryptography to countries other than the Netherlands and Luxembourg to first obtain an export license. However, the European Union statutes have liberalized these requirements to cover additional EU members and certain non-EU countries.

In December 1994, the Belgian parliament passed a law that would have required escrowed encryption. The law authorized the Belgian Institute for Posts and Telecommunications to establish a mandatory key escrow deposit system. The law contained homologation provisions that permitted the Belgacom, theBelgian PTT, to disconnect a phone that used unescrowed encryption. The law has not yet been implemented because the enabling regulations have not been issued. There is a legislative proposal to amend the law to relax the cryptography restrictions.

On July 8, 1997, Jos Chabert, the Belgian Vice Premier and Minister for Economics for the Brussels Capital Region, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html
http://www.freenix.fr/netizen/20 5-e.html
http://www2.echo.lu/bonn/confere nce.html

Belize

GREEN

The Embassy of Belize in Washington, D.C. informed us that they were not aware of any laws in Belize concerning the use of cryptography. They did inform us that cryptography was under the jurisdiction of the Attorney General's Ministry in Belmopan.

Ref: Embassy of Belize fax dated June 20, 1997.

Brazil

GREEN

According to the 1993 NIST survey, Brazil does not impose import restrictions for encryption technology.

The PGP encryption program in Portuguese is available from Brazil via the Internet. The web site is http://www.dca.fee.unicamp.br/pgp.

Ref: NIST Preliminary Results of Study of Non - U.S. Cryptography Laws/Regulations, September 27, 1993.

Bulgaria

GREEN/YELLOW

Bulgaria has acceded to the Wassenaar Arrangement and is presumably committed to restricting the export of cryptographic-enabled software as a dual-use good.

On July 8, 1997, Antoni Slavinski, the Bulgarian President of the Committee of Posts and Telecommunications and Christo Balarev, the Bulgarian Deputy Minister of Education and Science, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: http://www2.echo.lu/bonn/confere nce.html

Cambodia

UNKNOWN

The Embassy of Cambodia in Washington, D.C. informed us that, although they were not aware of any laws concerning the use of cryptography in Cambodia, the Ministry with responsibility was the Ministry of Posts and Telecommunications in Phnom Penh. A fax to the agency was followed by a coup d'état and no further information was forthcoming.

Ref: Royal Embassy of Cambodia fax dated June 19, 1997.

Campione d'Italia

GREEN

Campione d'Italia is a small Italian enclave on the shores of Lake Lugano. It is totally surrounded by Switzerland. Although technically part of Italy, it's close affiliation with Switzerland, a non-member of the European Union, has made it a virtual "neutral zone" from European laws, including those dealing with taxation. A company developing encryption in this feudal anomaly would face little or no export restrictions because Campione's border with Switzerland is open (there is also unrestricted access to Liechtenstein) and Swiss laws do not apply in the enclave. There is full Internet access via the modern Swiss PTT network. Because Campione has attracted numerous companies and banks, Italy prefers not to apply its laws to the territory.

Ref: Internet search.

Canada

GREEN/YELLOW

According to the Commerce/NSA report, the Export and Import Permits Act (EIPA), theExport Control List (ECL) and the Area Control List (ACL) are the mechanisms by which Canada controls exports. The EIPA authorizes the Government to exercise export controls to ensure that military or strategic goods are not exported to destinations representing a strategic threat to Canada. The Ministry of External Affairs is responsible for implementation of the act.

Canada was a member of COCOM and continues to adhere to the Wassenaar Arrangement. Canada has, therefore, issued guidelines for the exportof information security related equipment and technologies that are reflected in Group 1 of the Export Control List. Accordingly, export licenses are required for export to all destinations except the United States. The Foreign Affairs Export Controls Division works closely with Canada's Communications Security Establishment (CSE), the NSA's Canadian SIGINT partner, regarding export decisions on cryptographic products. The Division stated that the CSE works closely with the NSA, the UK's Government Communications Headquarters (GCHQ), and Australia's DSD on cryptographic export policies.

There are no import controls imposed by Canada and there are no laws restricting the private use of cryptography. Canada's homologation regulations require that cryptographic equipment conform to public network technical requirements.

Ref: A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.

China

RED

According to the NIST survey, China practices a licensing system for importing various commodities. An application must be filed and a license obtained in advance by corporations approved by the State to engage in the business of importing commodities. The licenses are valid for one year and extensions may be applied for.

The Notice of the General Administration of Customs of the People's Republic of China, Sec. 50-305, of November 1, 1987 (List of Prohibited and Restricted Imports and Exports), restricts the importation of voice-encoding devices.

Corporations engaging in the exportation business must file an approval application with the Ministry of Foreign Trade or the foreign trade bureau of the particular province. The Ministry establishes an export control list of prohibited and restricted goods. These regulations are contained in Interim Procedures of the State Import-Export Commission and Ministry of Foreign Trade of the People's Republic of China Concerning the System of Export Licensing of June 3, 1980.

The aforementioned Notice of the General Administration of Customs restricts the exportation of voice-encoding devices.

Ref: NIST Preliminary Results of Study of Non - U.S. Cryptography Laws/Regulations, September 27, 1993.

Croatia

GREEN

The Croatian embassy in Washington did not respond to our survey. However, it is noteworthy that the Cryptographic Reference Center's web page ( http://pgp.rasip.fer.hr ) , which is operated jointly by CARNet, the Croatian Academic and Research Network and FER, the Faculty of Electrical Engineering and Computing, in Zagreb, Croatia, makes PGP 5.0 and other cryptographic programs available on-line.

There are no identifiable laws or regulations governing the import or use of cryptography in Croatia.

 

Cyprus

GREEN/YELLOW

The Cypriot Embassy in Washington did not respond to our survey. However, Cyprus did endorse an international statement on cryptography in July 1997. On July 8, 1997, Dinos Michaelides, the Cypriot Minister of the Interior, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Czech Republic

GREEN/YELLOW

The Czech Republic has acceded to the Wassenaar Arrangement and is presumably committed to restricting the export of cryptographic-enabled software as a dual use good. However, according to the Commerce/NSA report, some one dozen Czech firms are taking advantage of U.S. export control regulations to develop their own encryption software.

There are no identifiable laws governing the import or domestic use of encryption in the Czech Republic.

On July 8, 1997, Igor Nemec, the Czech Chairman of the Office for the State Information System and Emanuel Ondracek, the Czech Vice Minister for Education, Youth and Sport, endorsed the communiqué ofthe European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
http://www2.echo.lu/bonn/confere nce.html

Denmark

GREEN

According to Commerce/NSA report, Denmark controls the export and re-export of encryption software pursuant to the Wassenaar Arrangement. There is no evidence that these regulations extend to mass-market software. A validated license is required for exports and to date, none have been denied. Denmark does not differentiate between encryption algorithms of varying strengths.

Denmark regulates the export of strategic goods under a Ministry of Industry executive order dated November 12, 1993. The central element of the executive order is the list of strategic goods that are subject to the export control policy and may only be exported when the Business Policy Ministry has issued a license. The list is composed of products under embargo from the four international control systems, the Missile Technology Control Regime, the Nuclear Nonproliferation Treaty, the Australia Group, and the Wassenaar Arrangement. The executive order has been subsumed by the EU dual-use regulation.

Denmark administratively processes export requests through a board sponsored by the Business Policy Ministry composed of Confederation of Danish Industry representatives and financed by industry. The Confederation of Danish Industry Board stated in response to a query from the U.S. Department of Commerce that individual validated licenses are required for the export of cryptographic equipment and software. The Board stated that no licenses were denied. Thisinformation was contained in Commerce Department Copenhagen Cable 2717, May 31, 1995.

Denmark does not control the import of encryption software. The Commerce/NSA report description of Danish domestic use controls is entirely redacted, a possible result of a classified explanation of Denmark's homologation regulations on its telecommunications network.

In June 1996, the Danish Information Technology Security Council advocated no restrictions on the use of encryption in Denmark, including mandatory key escrow systems. The Council decided that existing judicial search orders were sufficient in gaining access to encryption keys (an opinion also evident in Australia's Walsh Report). The Council also called on the Minister of Research and Information Technology submit to Parliament a Bill on Digital Signatures.

On July 8, 1997, Ms. Jytte Hilden, the Danish Minister of Research and Information Technology, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
http://www.fsk.dk/fsk/presse/970 527.html
http://www2.echo.lu/bonn/confere nce.html

Estonia

GREEN

In Estonia maintains neither import nor export restrictions on cryptography.

On July 8, 1997, Uno Veering, the Estonian Secretary of State, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."
Ref: http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html/
http://www2.echo.lu/bonn/confere nce.html

 

European Union

GREEN/YELLOW

According to the Commerce/NSA report, in 1992, the European Commission proposed a dual-use regulation as part of the progression to the free market. Since military exports were linked to Member States' national security concerns, control of such exports was deemed to be a matter for individual states. However, with dual-use goods, it was argued that, while military uses were of a national interest, their civil use was in the purview of the European Commission.

Eventually, a compromise was reached. A dual-use Regulation was agreed upon. The basis for the regulation was Article 113 of the Treaty of Rome and a Maastricht-based Common Foreign and Security Policy Joint Action with a series of annexes. The EU's dual-use Regulation (EC No. 3381/94) contains 24 articles and it entered into force on July 1, 1995. Council Decision No. 94/942/CFSP, with 8 articles and 5 annexes, has been appended to it.

The series of regulations, decisions, and annexes state that:

     
  1. all Member States recognize the same list of dual-use goods (generally based on the COCOM and Wassenaar lists), destinations, and guidelines.
  2. the majority of dual-use goods may require, at most, only a general authorization for shipment between member states (and for favored destinations outside the Union - Australia, Canada, Japan, Norway, Switzerland, and the United States).
  3. a common level of export control should exist throughout the Union.
  4. an export license issued in one Member State shall normally be valid for the shipment of goods from another Member State.


An October 8, 1997 report by the European Commission's Directorate-General XIII, which is responsible for Telecommunications, Information Market and Exploitation of Research, took issue with the United States' policy of encouraging key escrow and recovery schemes. The report stated that "restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks," adding that key escrow systems "would not . . . totally prevent criminals from using these technologies."

On the issue of "back door" mechanisms giving law enforcement and intelligence agencies the right to read the plain text of encrypted messages, the report says that if such systems are required they " should be limited to what is absolutely necessary."

The report was sent by the European Commission to the major bodies of the European Union, including the European Parliament, the Council of Ministers, the Economic and Social Committee and the Committee of the Regions.

Ref: A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, 1995.
http://www.ispo.cec.be/ei f/policy/97503toc.html

Falkland Islands

GREEN

According to Mr. D. G. Lang, the Attorney General of the Falkland Islands, there are no laws in the sparsely populated British territory that specificallydeal with the use of cryptography. Mr. Lang informed us that, as Attorney General, he does have legitimate concerns about the possible use of cryptography by criminal organizations in furtherance of international crime or terrorism. However, he said that there is no organized crime on the islands. He did offer his belief that the Falklands government is committed to joining the international effort to combat organized crime and, if the international community were to launch an effort against the use of"uncrackable" cryptography, the Falklands would join in such an effort.

According to the Attorney General, although the Falklands has a Constitutional guarantee respecting the privacy of the individual, this guarantee falls short of an absolute guarantee of privacy. An individual, in the Attorney General's opinion, would probably be unsuccessful in challenging on Constitutional grounds a possible future provision prohibiting or restricting his or her use of cryptographic techniques.

The Attorney General stated that cryptography is used in the Falklands for both business and government operations. He is not opposed to usage by such organizations, but merely the use of cryptography by criminals for criminal purposes.

Since United Kingdom laws do not automatically apply to the territories, the response of the Falkland Islands Attorney General is important in that it may mirror the policies of several of the United Kingdom's remaining territories, including Gibraltar, Bermuda, and the Cayman Islands.

Ref: Attorney General of the Falkland Islands letter dated July 3, 1997.

Finland

GREEN

According to the Ministry of Trade and Industry of Finland:


    The national legislation refers to the European export control systems which consists of two legal instruments:
    • Council Regulation (EC) No. 3381/94 of 19 December 1994 setting up a Community regime for the control of exports of dual-use goods, with amendment (EC) No. 837/95.
    • Council Decision 94/942/CFSP of 19 December 1994 on the joint action adopte by the council on the basis of Article J.3 of the Treaty on European Union concerning the control of exports of dual-use goods (with several amendments - the latest relevant amendment concerning the controls on intra-Community trade of cryptography is 97/419/CFSP of 26 June 1997).

      Regulation is directly applicable to all the Member States of the European Union. Finland's control lists (including definitions, general notes, etc.)concerning the export control of cryptographic software and hardware are identical to those agreed to in the Wassenaar Arrangement and the European Union Treaty. The only relevant difference to the controls maintained by the EU is that Finland's national legislation also covers the export of services, including the transfer of intangible technology, e.g., via electronic mail.

  1. The government agencies responsible for setting policies on the use, importation, and exportation of cryptographic products includethe Ministry of Trade and Industry and the Ministry for Foreign Affairs for export controls and electronic commerce), and the Ministry of Communications, and the Security Police (SUPO) (a component of the Interior Ministry). The Ministry of Finance has started a survey on the need for national information security legislation, including a law on digital signatures. Their work is ongoing.


It is noteworthy to point out the significant differences between the Ministry of Trade and Industry stated policy and that found in the Commerce/NSA report. The report states that "an individual validated license is required to import encryption software." It also states that "Finland regulates the domestic use of cryptography." Based on information contained in State Department Cable Number 3313, 26 May 1995, from the U.S. Embassy in Helsinki, the report states that "export and import regulations on encryption software are not rigorously enforced in Finland."

On July 8, 1997, Jan Store of the Finnish Foreign Ministry, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: Ministry of Trade and Industry, Helsinki, fax dated July 28, 1997.
http://www2.echo.lu/bonn/confere nce.html

France

RED/YELLOW

The Embassy of France in Washington, D.C. informed us that the Service Central de la Sécurité des Systmes d'Information (SCSSI) is the regulatory body in France as far as cryptography is concerned. SCSSI reports directly to the office of the Prime Minister of France. We contacted that agency in order to ascertain the laws on exports, imports, and domestic usage controls. No response was received.

The Commerce/NSA report states that "France has the most comprehensive cryptologic control and use regime in Europe, and possibly worldwide." On December 29, 1990, France enacted a new law (90-1170) regulating the telecommunications industry. Article 28 of the law specifically addresses encryption and adopts a control and export regime that is far more restrictive than that applied by Wassenaar and its predecessor, COCOM. The law, in order to "preserve the interests of national defense and of internal or external State security" regulates the "supply, export, or use of cryptologic methods or devices." Thus, although foreign cryptographic products may be imported into France without a license they may not be supplied to French users nor used in France without authorization by the Prime Minister.

Based on Decree 92-1358 of December 28, 1992, cryptographic equipment is separated into two categories. The first category includes equipment which "can have no other purpose than authenticating a communication or ensuring the integrity of a transmitted message." Such equipment requires the submission of a statement or declaration to SCSSI. SCSSI routinely allows the supply and use of authentication equipment for use within France and also for export with a minimum of red tape. However, the statement or declaration submitted for supply, use, or export of these devices must provide a "description of the security functions or mechanisms, including a detailed description of the cryptologic algorithm(s) (mathematical formulae) used and the system for the creation, development, and protection of the secret conventions; the software must be provided . . . in the source language."

The second category includes cryptographic methods or devices, which provide for the confidentiality of data or transmissions and cryptologic analysis methods. Supply, use, or export of devices in this category requires prior authorization. The authorization, if provided, will either be a general authorization (i.e., an authorization to supply or export devices to any user) or a private use authorization which restricts supply, export, or use to specifically named individuals or communities. Data that is submitted by the supplier, user, or exporter in order to obtain such authorization is extensive. In general, the information submitted must "describe not only the algorithm for generating a sequence or pseudo-random block, but all the hardware or software facilities, transforming an intelligible plain signal into an unintelligible cryptogram, including generating keys, storing them, managing them, etc."

As far as importing and usingcryptography in France is concerned, there are no restrictions on imports of encryption technology. However, the use and sales must be authorized either through a license application or by a declaration to the office of the Prime Minister, i.e., SCSSI. Users importing encryption software must register the encryption keys with the French government.

On June 18, 1996, the French legislature passed a new law on cryptography, Loi de réglementation des télécommunications , which amended the 1990 law. The law slightly liberalized the use of authentication-only encryption but also introduced the requirement for trusted third party (TTP) systems. However, the law was never enacted and the new Socialist government of Prime Minister Lionel Jospin seemed to change course on France's strict policies on cryptography usage. On August 29, 1997, Industry Minister Christian Pierret said that France would liberalize its encryption policies. "This liberalization of encrypting technology will allow French companies to fully enter the market of electronic commerce currently dominated by U.S. companies," he said.

On July 8, 1997, Christian Pierret, the French Secretary of State for Industry, endorsed the communiqué of the European Ministerial Conference on Global Information Networks in Bonn, Germany. The communiqué stated the participating ministers "will work to achieve international availability and free choice of cryptography products and interoperable services, subject to applicable law." The ministers also declared that "if countries take measures in order to protect legitimate needs of lawful access, they should be proportionate and effective and respect applicable provisions relating to privacy." The ministers also took note of the recently agreed OECD Guidelines on Cryptography policy as a basis for national policies and international co-operation. The ministers also emphasized "the need for a legal and technical framework at European and international levels which ensures compatibility and creates confidence in digital signatures."

Ref: Embassy of France fax dated June 23, 1997.
A Study of the International Market for Computer Software with Encryption , U.S. Department of Commerce and the National Security Agency, July 1995.
"French Leaders Urge Catchup on Internet,"ZDNet News (August 29, 1997)
http://www2.echo.lu/bonn/confere nce.html

 

Federal Republic of Germany

GREEN

According to the Embassy of the Federal Republic of Germany in Washington, in Germany there are:

Organization for Economic Cooperation and Development (OECD)

Council of Europe


Return to the Main Text of the Report