Security Basics mailing list archives
RE: Encryption laws
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Mon, 31 Mar 2003 16:29:43 -0500
Good point starting with Export laws and attorneys. US is pretty strict about what you can export and to whom as far as encryption goes. Also in the US, there are some pretty strange state laws or potential state laws that may or may not prohibit encryption, i.e the Texas and Massachusetts draft are pretty horrendous. There are other states who have adopted some strange things and it will be diced in court since they are SO encompassing. Sonja Robinson, CISA Network Security Analyst HIP Health Plans Office: 212-806-4125 Pager: 8884238615 -----Original Message----- From: Brad Arlt [mailto:arlt () cpsc ucalgary ca] Sent: Saturday, March 29, 2003 1:12 PM To: Steven Bourque Cc: security-basics () securityfocus com Subject: Re: Encryption laws On Fri, Mar 28, 2003 at 04:28:31PM -0500, Steven Bourque wrote:
Does anyone know of a location that lists current encryption laws worldwide? We are looking at implementing encryption to locations world wide (within one organization) and want to know of any possible legality issues we may come across. The main office is in Waterloo, Canada, but have remote offices throughout most of the world that will be encrypting data to and from this location. We would like to know which locations we will have to reduce the encryption if any.
First, you want to consulte with a lawyer. A team of laywers really. And ones skilled in the laws of each contry you are dealing with as well as international law. Since you are working for a trans-national corperation, the company likely already has such a team. Use them. Encryption laws, in many first world nations, fall under the catagory of munitions. Looking at each countries export and import of munitions laws might not be a bad place to start. In the area of export of cryptographic technologies, Canada tries to adhere to the Wassenaar Arrangement, which deals with convential arms and "dual-use" goods and technologies. There is a website dealing with the Arragement, and has links to many nations export controls: http://www.wassenaar.org/ The United Nations Commision on International Trade Law is a good place to start with this: http://www.uncitral.org/en-index.htm As is the Canadian Industry Ministry (link below give summary info on cryptographic laws and regulation in Canada): http://e-com.ic.gc.ca/english/crypto/index.html The rule of thumb is: If you are dealing with member nations of the EU, or G8, you are fine if you import, use, or export cryptographic technologies and data. The caveot is all users of such products must be citizens of one of the those nations, and not be on a banned list. The exception may be France, which had some pretty odd restrictions in the past. As we are dealing with munitions (stop thinking of it as data), transport of goods through some nations may be prohibited or restricted. Again, you should really consult your corperate legal team. ----------------------------------------------------------------------- __o Bradley Arlt Security Team Lead _ \<_ arlt () cpsc ucalgary ca University Of Calgary (_)/(_) I should be biking right now. Computer Science ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.surfcontrol.com/go/zsfsbl1 ********************************************************************** This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email. ********************************************************************** ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
Current thread:
- RE: Encryption laws Robinson, Sonja (Apr 01)