Security Basics mailing list archives

RE: Encryption laws


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Mon, 31 Mar 2003 16:29:43 -0500

Good point starting with Export laws and attorneys.  US is pretty strict
about what you can export and to whom as far as encryption goes.  

Also in the US, there are some pretty strange state laws or potential state
laws that may or may not prohibit encryption, i.e. the Texas and
Massachusetts drafts are pretty horrendous.  There are other states who have
adopted some strange things and it will be diced in court since they are SO
encompassing.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: Brad Arlt [mailto:arlt () cpsc ucalgary ca] 
Sent: Saturday, March 29, 2003 1:12 PM
To: Steven Bourque
Cc: security-basics () securityfocus com
Subject: Re: Encryption laws


On Fri, Mar 28, 2003 at 04:28:31PM -0500, Steven Bourque wrote:
> Does anyone know of a location that lists current encryption laws
> worldwide?
>
> We are looking at implementing encryption to locations world wide
> (within one organization) and want to know of any possible legality
> issues we may come across.
>
> The main office is in Waterloo, Canada, but have remote offices
> throughout most of the world that will be encrypting data to and from
> this location.  We would like to know which locations we will have to
> reduce the encryption if any.

First, you want to consult with a lawyer.  A team of lawyers really. And
ones skilled in the laws of each country you are dealing with as well as
international law.  Since you are working for a trans-national corporation,
the company likely already has such a team.  Use them.

Encryption laws, in many first world nations, fall under the category of
munitions.  Looking at each country's export and import of munitions laws
might not be a bad place to start.

In the area of export of cryptographic technologies, Canada tries to adhere
to the Wassenaar Arrangement, which deals with conventional arms and
"dual-use" goods and technologies.  There is a website dealing with the
Arrangement, and has links to many nations' export controls:

http://www.wassenaar.org/

The United Nations Commission on International Trade Law is a good place to
start with this: http://www.uncitral.org/en-index.htm

As is the Canadian Industry Ministry (link below gives summary info on
cryptographic laws and regulation in Canada):
http://e-com.ic.gc.ca/english/crypto/index.html

The rule of thumb is:

If you are dealing with member nations of the EU, or G8, you are fine if you
import, use, or export cryptographic technologies and data. The caveat is
all users of such products must be citizens of one of those nations, and
not be on a banned list.  The exception may be France, which had some pretty
odd restrictions in the past.

As we are dealing with munitions (stop thinking of it as data), transport of
goods through some nations may be prohibited or restricted.

Again, you should really consult your corporate legal team.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science

