Interesting People mailing list archives
IP: How the French banned crypto
From: Dave Farber <farber () cis upenn edu>
Date: Wed, 11 Mar 1998 06:46:40 +0000
Date: Tue, 10 Mar 1998 11:35:52 -0800 (PST) From: Declan McCullagh <declan () well com> Thought this might be interesting to show how the French banned the domestic use of encryption. This is an excerpt from an OECD draft document describing country controls on encryption that's currently being circulated and will, I believe, be finalized and made public in the next month or so. -Declan **** [...] FRANCE Export/import controls, restrictions, and domestic controls 53. France is a member of the Wassenaar Arrangement and the European Union. The government agency in charge of implementing laws and policy related to cryptography is the "Service Central de la Securite des Systemes d'Information" (SCSSI), which comes under the authority of the Secretary General for National Defence. 54. The controls on encryption in France are governed by: - law 90-1170 of 29 December 1990 (Official Journal of 30 December 1990), notably article 28; modified by law 91-648 of 11 July 1991 (Official Journal of 13 July 1991); and further modified by law 96-659 of 26 July 1996, notably article 17 on penalties (Official Journal of 27 July 1996); - decree 92-1358 of 28 December 1992 in application of the preceding laws (Official Journal of 30 December 1992, pages 17914 to 17916); - order of 28 December 1992 concerning declarations and requests for authorisations with regard to means of encryption and services (Official Journal of 30 December 1992, pages 17916 and 17917, Official Journal of 9 January 1993, pages 507 and 508); - order of 28 December 1992 defining the particular conditions which apply to encryption services (Official Journal of 30 December 1992, page 17917); - decree 95-613 of 5 May 1995 on the control of the export of goods with a double use (Official Journal of 7 May 1995, page 7547); - order of 5 May 1995 on the control of export to third party countries and the transfer to member states of the European Community of goods with a double use (Official Journal of 7 May 1995, page 7561); - order of 5 May 1995 defining the general G.502 licence for the export of encryption methods and setting out the means for establishing and using this licence (Official Journal of 7 May 1995, page 7578); - decree 96-67 of 29 January 1996 relating to the powers of the Secretary General for National Defence (SGDN) on security in information technology (Official Journal of 30 January 1996); and - law 96-659 of 26 July 1996 on telecommunications regulations (article 17 - Official Journal of 27 July 1996 ). 55. In summary, the Law of 29 December 1990 states that for use, supply and export of cryptography with no other object than authentication of data or assuring data integrity, a prior declaration must be submitted. A copy of the acknowledgement of declaration must be presented to customs at each export. For temporary export, a user declaration will serve as an export declaration in the case of cryptography exclusively for personal use by an individual. For any other kind of cryptography, a prior authorisation is needed. 56. In June 1996, France passed a telecommunications law, referred to as the "26th July Law", partly aimed toward relaxing restrictions on cryptography by amending the Law of December 1990. Article 17 of the new law deals with cryptography. The supply, import from countries outside the European Union, or export of an encryption device or service is subject to authorisation if it performs functions of confidentiality, and the supply and export of all other cryptography products also remains controlled. However, the new law relaxes restrictions on the use of cryptography products in France. 57. Article 17 of the 26 July law relaxes restrictions on the use of authentication devices, stating that no prior declaration will be required for "encryption devices or services which do not provide confidentiality but are used to authenticate or guarantee the integrity of messages; where the device provides for confidentiality functions based solely on secret conventions managed under approved procedures and by an organisation approved under the conditions defined in Part II of the Article i.e. a licensed trusted third party." 58. Article 17 also relaxes restrictions on the use of cryptographic methods for confidentiality services, provided that the confidentiality services used are managed by an authorised "trusted third party". The trusted third party will be a government licensed organisation which manages encoding keys for users. The licenses will be conditional upon the trusted third party submitting encoding keys to the appropriate authorities according to the law so that the State can, if necessary, access the information. Cryptographic products remain subject to authorisation even if they are used in conjunction with a trusted third party. 59. The French Government describes a trusted third party's function as follows: The trustworthy third party is a recognised organisation which manages encoding keys on the user's behalf. The user signs a contract with the trustworthy third party which regularly transmits the keys to use to encode information to the user. A clause is written into the licensing agreement with the trustworthy third party which stipulates that it must submit the encoding keys to the proper authorities according to the law. Thus, users can use an encryption professional who guarantees a high quality service to them, while the State can, if need be, have access to the information. 60. Until the 26th July Law is fully implemented, the previous restrictions remain in place. As of February 1998, all of the decrees required to implement the law have not been passed. Two of the outstanding decrees relate to Article 17 dealing with cryptography, covering in particular (1) the conditions and procedures for submitting declarations and granting of licenses for import, export, use and supply of encryption products; and (2) the framework and responsibilities for trusted third parties. [...] -------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology To subscribe: send a message to majordomo () vorlon mit edu with this text: subscribe politech More information is at http://www.well.com/~declan/politech/ --------------------------------------------------------------------------
Current thread:
- IP: How the French banned crypto Dave Farber (Mar 10)