Cyphernomicon 9.7

Policy: Clipper, Key Escrow, and Digital Telephony:
Crypto Laws Outside the U.S.


    9.7.1. "International Escrow, and Other Nations' Crypto Policies?"
           - The focus throughout this document on U.S. policy should
              not lull non-Americans into complacency. Many nations
              already have more Draconian policies on the private use of
              encryption than the U.S. is even contemplating
              (publicly). France outlaws private crypto, though
              enforcement is said to be problematic (but I would not want
              the DGSE to be on my tail, that's for sure). Third World
              countries often have bans on crypto, and mere possession of
              random-looking bits may mean a spying conviction and a trip
              to the gallows.
           + There are also several reports that European nations are
              preparing to fall in line behind the U.S. on key escrow
             - Norway
             - Netherlands
             - Britain
           + A conference in D.C. in 6/94, attended by Whit Diffie (and
              reported on to us at the 6/94 CP meeting) had international
              escrow arrangements as a topic, with the crypto policy
              makers of NIST and NSA describing various options
             - bad news, because it could allow bilateral treaties to
                supersede basic rights
             - could be plan for getting key escrow made mandatory
             + there are also practical issues
               + who can decode international communications?
                 - do we really want the French reading Intel's
                    communications? (recall Matra-Harris)
               - satellites? (like Iridium)
               - what of multi-national messages, such as an encrypted
                  message posted to a message pool on the Internet...is
                  it to be escrowed with each of 100 nations?
    9.7.2. "Will foreign countries use a U.S.-based key escrow system?"
           - Lots of pressure. Lots of evidence of compliance.
    9.7.3. "Is Europe Considering Key Escrow?"
           - Yes, in spades. Lots of signs of this, with reports coming
              in from residents of Europe and elsewhere. The Europeans
              tend to be a bit more quiet in matters of public policy (at
              least in some areas).
           - "The current issue of `Communications Week International'
              informs us that the European Union's Senior Officials Group
              for Security of Information Systems has been considering
              plans for standardising key escrow in Europe.
              
              "Agreement had been held up by arguments over who should
              hold the keys. France and Holland wanted to follow the
              NSA's lead and have national governments assume this role;
              other players wanted user organisations to do this." [
              rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow
              in Europe too, 1994-06-29]
    9.7.4. "What laws do various countries have on encryption and the
            use of encryption for international traffic?"
           + "Has France really banned encryption?"
             - There are recurring reports that France does not allow
                unfettered use of encryption.
             - Hard to say. Laws on the books. But no indications that
                the many French users of PGP, say, are being prosecuted.
             - a nation whose leader, Francois Mitterrand, was a Nazi
                collaborationist, working with Petain and the Vichy
                government (Klaus Barbie involved)
           + Some Specific Countries
             - (need more info here)
             + Germany
               - BND cooperates with U.S.
             - Netherlands
             - Russia
           + Information
             - "Check out the ftp site at csrc.ncsl.nist.gov for a
                document named something like "laws.wp" (There are
                several of these, in various formats.) This contains a
                survey of the positions of various countries, done for
                NIST by a couple of people at Georgetown or George
                Washington or some such university." [Philip Fites,
                alt.security.pgp, 1994-07-03]
    9.7.5. France planning Big Brother smart card?
           - "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government
              has confirmed its plans to replace citizens' paper-based ID
              cards with credit card-sized "smart card" ID cards.
              .....
              "The cards contain details of recent transactions, as well
              as act as an "electronic purse" for smaller value
              transactions using a personal identification number (PIN)
              as authorization. "Purse transactions" are usually separate
              from the card credit/debit system, and, when the purse is
              empty, it can be reloaded from the card at a suitable ATM
              or retailer terminal."  (Steve Gold/19940304)" [this was
              forwarded to me for posting]
    9.7.6. PTTs, local rules about modem use
    9.7.7. "What are the European laws on "Data Privacy" and why are
            they such a terrible idea?"
           - Various European countries have passed laws about the
              compiling of computerized records on people without their
              explicit permission. This applies to nearly all
              computerized records--mailing lists, dossiers, credit
              records, employee files, etc.--though some exceptions exist
              and, in general, companies can find ways to compile records
              and remain within the law.
           - The rules are open to debate, and the casual individual who
              cannot afford lawyers and advisors is likely to be
              breaking the laws repeatedly. For example, storing the
              posts of people on the Cypherpunks list in any system
              retrievable by name would violate Britain's Data Privacy
              laws. That almost no such case would ever result in a
              prosecution (for practical reasons) does not mean the laws
              are acceptable.
           - To many, these laws are a "good idea." But the laws miss
              the main point, give a false sense of security (as the real
              dossier-compilers are easily able to obtain exemptions, or
              are government agencies themselves), and interfere in what
              people do with information that properly and legally comes
              their way. (Be on the alert for "civil rights" groups like
              the ACLU and EFF to push for such data privacy laws. The
              irony of Kapor's connection to Lotus and the failed
              "Marketplace" CD-ROM product cannot be ignored.)
           - Creating a law which bans the keeping of certain kinds of
              records is an invitation to having "data inspectors"
              rummaging through one's files. Or some kind of spot checks,
              or even software key escrow.
           - (Strong crypto makes these laws tough to enforce. Either
              the laws go, or the countries with such laws will then have
              to limit strong crypto....not that that will help in the
              long run.)
           - The same points apply to well-meaning proposals to make
              employer monitoring of employees illegal. It sounds like a
              privacy-enhancing idea, but it tramples upon the rights of
              the employer to ensure that work is being done, to
              basically run his business as he sees fit, etc. If I hire a
              programmer and he's using my resources, my network
              connections, to run an illegal operation, he exposes my
              company to damages, and of course he isn't doing the job I
              paid him to do. If the law forbids me to monitor this
              situation, or at least to randomly check, then he can
              exploit this law to his advantage and to my disadvantage.
              (Again, the dangers of rigid laws, nonmarket
              solutions,(lied game theory.)
    9.7.8. on the situation in Australia
           + Matthew Gream [M.Gream@uts.edu.au] informed us that the
              export situation in Oz is just as bad as in the U.S.
              [1994-09-06] (as if we didn't know...much as we all like to
              dump on Amerika for its fascist laws, it's clear that nearly
              all countries are taking their New World Order Marching
              Orders from the U.S., and that many of them have even more
              repressive crypto laws already in place...they just don't
              get the discussion the U.S. gets, for apparent reasons)
             - "Well, fuck that for thinking I was living under a less
                restrictive regime -- and I can say goodbye to an
                international market for my software."
             - (I left his blunt language as is, for impact.)
    9.7.9. "For those interested, NIST have a short document for FTP,
            'Identification & Analysis of Foreign Laws & Regulations
            Pertaining to the Use of Commercial Encryption Products for
            Voice & Data Communications'. Dated Jan 1994." [Owen Lewis,
            Re: France Bans Encryption, alt.security.pgp, 1994-07-07]
  


By Tim May, see README

HTML by Jonathan Rochkind