Found at: 0x1bi.net:70/textfiles/file?law/cryptlaw

Version July 1995
Bert-Jaap Koops (koops@kub.nl)
This survey of cryptography laws is based on several reports and on
Netherlands, and Russia have I consulted original texts of relevant
only source. These findings, therefore, do not pretend to be exhaustive
or fully reliable.
questions to E.J.Koops@kub.nl.
[1] KPMG EDP Auditors, Rapport aan de Ministers van
Binnenlandse Zaken, Justitie en Verkeer en Waterstaat inzake
(Amstelveen, 7 april 1994), pp. 27-38, 107-114
[2] Moret Ernst & Young EDP Audit Management Services,
Eindrapport onderzoek ontwerp-regeling encryptie,
(Amsterdam, 1 maart 1994), pp. 21-30
[3] James P. Chandler, Diana C. Arrington, Donna R.
Berkelhammer, and William L. Gill, Identification and Analysis
of Foreign Laws and Regulations Pertaining to the Use of
Commercial Encryption Products for Voice and Data
Communications, DOE Project No. 2042-E024-A1, Washington, January 1994
[4] André Sylvain, Data Encryption and the Law(s) - Results,
[5] various references; personal communications by Adam Back,
s an international organization (Japan, Australia, and all NATO
members, Ireland excluded) for the mutual control (and restriction) of
(including public domain software). Some member countries of COCOM
follow its regulations, but others, such as Germany and the
United States, maintain separate regulations.
_Australia_ [1, 3]
_Austria_ [1]
_Belgium_ [1, 3]
_Brazil_ [3]
_Canada_ [1, 3, 4, 5]
Canada may be subject to restriction if they are included on the Export
Control List. All types of cryptography can be transported between
Canada and the United States, but cryptography imported from the US
allow export.
_People's Republic of China_ [3]
_Denmark_ [1, 4]
on the technical and legal concept of public-key certifying authorities. A
Centre Certifying Authority (CCA) would coordinate control and
certification of key centres to provide secure keys within
telecommunications. It would be necessary for such a CCA to have a
legal basis. The Danish government has not (yet) implemented the
initiative into law.
_European Union_ [5]
key escrow system to counter the US Clipper initiative. The EU system
be deposited. The European Community's Green Book on the Security
of Information Systems (Draft 4.0, 18 October 1993) poses a case for
the provision of "Public Confidentiality Services" (which offer some sort
of Government Access to Keys).
_Finland_ [4, 5]
_France_ [1, 3, 4]
For temporary exportation, a user declaration will serve as export
by an individual. A delivery declaration will serve as temporary-export
b) For exporting any other kind of cryptography, apart from once
a) previous declaration if the cryptography can have no other object than
authenticating communications or assuring the integrity of transmitted
b) previous authorisation by the Prime Minister in all other cases.
Simplified procedures exist for certain cryptography products or certain
user categories. 
For both declaration and authorisation, a dossier containing technical
types of cryptography to defined user or application categories.
for "strong" cryptography, such as RSA. Moreover, the office dealing
_Germany_ [1, 3, 4, 5]
but, on the whole, there seems to be no threat that Germany will prepare
a law on cryptography.
_Hungary_ [5]
cryptography; the agency can declare that it satisfies a minimum security
_Iceland_ [1]
_India_ [3]
_Ireland_ [1]
_Israel_ [3]
_Italy_ [1, 3]
_Japan_ [1, 3]
_Latvia_ [4]
_Mexico_ [3]
_The Netherlands_ [3, 4, 5]
validated license. Items capable of file encryption do require a validated
cryptography. Those with a "legitimate concern" could apply for a user
license or a trade authorization. One condition for granting a license was
keys used.
After many protests from those who would be affected by the proposed
Although the draft regulation will not be continued in its present scope,
It shows how much the judicial authorities fear wide dissemination of
_New Zealand_ [1]
_Norway_ [1]
cryptography can be used for the storage of passwords. It is not sure if
and when this bill will come into force.
A bill has been proposed on central medical registries that would use
cryptographically pseudonymized entries.
_Russia_ [3, 5]
manufactured abroad.
unauthorized encryption. State organizations and enterprises need a
license to use encryption (for both authentication and secrecy, for
using uncertified cryptography do not receive state orders. The Central
Bank shall take measures against commercial banks that do not use
certified cryptography when communicating with divisions of the Central
Bank. The development, production, implementation, or operation of 
cryptography without a license is prohibited.
_Saudi Arabia_ [3]
_South Africa_ [1, 3]
many companies and banks seem to ignore the legislation and do encrypt
their data.
_Spain_ [1]
_Sweden_ [3, 4]
_Switzerland_ [1, 3]
_Turkey_ [1]
_United Kingdom_ [1, 3, 4, 5]
not approve of escrowed encryption, but it wishes authorities to have the
Labour intends to penalize a refusal to comply with a demand to decrypt
under judicial warrant.
_United States of America_ [1, 2, 4]
"dual-use" cryptography (that is, cryptography that can serve both
civilian and military purposes) by placing it on the Munitions List. For
(relatively strong) products that can encipher information, an export
license is usually issued only for use by foreign branches of American
enterprises and for use by financial institutions. "Weak" cryptography
(e.g., with a certain maximum key-length) can also be exported.
Export of cryptography that serves only authentication or integrity
of public domain software have been decontrolled and are now on the
Commerce Control List.
Several initiatives, as yet unsuccessful, have been taken, both in
Congress and by the public, to try to mitigate the cryptography export
Encryption Initiative (EEI), usually referred to as the Clipper Initiative,
after its first implementation in the Clipper chip. A classified, secret-key
algorithm, SKIPJACK, has been implemented in an Escrowed
Encryption Standard (EES). The reported basic idea of the EEI is to
communications without threatening law enforcement.
The EES procures law enforcement access by means of a Law
Enforcement Access Field (LEAF) that is transmitted along with each
encrypted message; the field contains information identifying the chip
used. Law enforcement agencies wire-tapping communications
encrypted with EES can decipher tapped messages by obtaining the two
agencies (National Institute of Standards and Technology
and the Treasury Department's Automated Systems Division), provided
they have a court order for the tapping.
The EES is a voluntary standard to be used in telephone
communications. Privacy advocates fear that the government may
accepted, though, given the scepticism with which the majority of US
citizens presently regard escrowed encryption or government access to
On June 27, 1995, Senator Grassley introduced the Anti-Electronic
Racketeering Act (S.974), which, if enacted, would virtually ban
encryption. Only the use of escrow-like software would be an
affirmative defense for those prosecuted for using cryptography. The bill
for the use of cryptography for authentication and integrity purposes.