Interesting People mailing list archives

IP: How the French banned crypto


From: Dave Farber <farber () cis upenn edu>
Date: Wed, 11 Mar 1998 06:46:40 +0000

Date: Tue, 10 Mar 1998 11:35:52 -0800 (PST)
From: Declan McCullagh <declan () well com>


Thought this might be interesting to show how the French banned the
domestic use of encryption. This is an excerpt from an OECD draft document
describing country controls on encryption that's currently being
circulated and will, I believe, be finalized and made public in the next
month or so. 


-Declan


****


[...]


FRANCE


Export/import controls, restrictions, and domestic controls


53.     France is a member of the Wassenaar Arrangement and the
European Union. The government agency in charge of implementing
laws and policy related to cryptography is the "Service Central
de la Securite des Systemes d'Information" (SCSSI), which
comes under the authority of the Secretary General for National
Defence.


54.     The controls on encryption in France are governed by:
        
- law 90-1170 of 29 December 1990 (Official Journal of
        30 December 1990), notably article 28; modified by
        law 91-648 of 11 July 1991 (Official Journal of 13
        July 1991); and further modified by law 96-659 of
        26 July 1996, notably article 17 on penalties
        (Official Journal of 27 July 1996);


- decree 92-1358 of 28 December 1992 in application of
        the preceding laws (Official Journal of 30 December
        1992, pages 17914 to 17916);


- order of 28 December 1992 concerning declarations
        and requests for authorisations with regard to means
        of encryption and services (Official Journal of 30
        December 1992, pages 17916 and 17917, Official
        Journal of 9 January 1993, pages 507 and 508);


- order of 28 December 1992 defining the particular
        conditions which apply to encryption services
        (Official Journal of 30 December 1992, page
        17917);


- decree 95-613 of 5 May 1995 on the control of the
        export of goods with a double use (Official Journal
        of 7 May 1995, page 7547);


- order of 5 May 1995 on the control of export to
        third party countries and the transfer to member
        states of the European Community of goods with a
        double use (Official Journal of 7 May 1995, page
        7561);


- order of 5 May 1995 defining the general G.502
        licence for the export of encryption methods and
        setting out the means for establishing and using
        this licence (Official Journal of 7 May 1995, page
        7578);


- decree 96-67 of 29 January 1996 relating to the
        powers of the Secretary General for National Defence
        (SGDN) on security in information technology
        (Official Journal of 30 January 1996); and


- law 96-659 of 26 July 1996 on telecommunications
        regulations (article 17 - Official Journal of 27
        July 1996).


55.     In summary, the Law of 29 December 1990 states that for
use, supply and export of cryptography with no other object than
authentication of data or assuring data integrity, a prior
declaration must be submitted. A copy of the acknowledgement of
declaration must be presented to customs at each export. For
temporary export, a user declaration will serve as an export
declaration in the case of cryptography exclusively for personal
use by an individual. For any other kind of cryptography, a
prior authorisation is needed.


56. In June 1996, France passed a telecommunications law, referred to as
the "26th July Law", partly aimed toward relaxing restrictions on
cryptography by amending the Law of December 1990. Article 17 of the new
law deals with cryptography. The supply, import from countries outside the
European Union, or export of an encryption device or service is subject to
authorisation if it performs functions of confidentiality, and the supply
and export of all other cryptography products also remains controlled.
However, the new law relaxes restrictions on the use of cryptography
products in France. 


57.     Article 17 of the 26 July law relaxes restrictions on the
use of authentication devices, stating that no prior declaration
will be required for "encryption devices or services which do
not provide confidentiality but are used to authenticate or
guarantee the integrity of messages; where the device provides
for confidentiality functions based solely on secret conventions
managed under approved procedures and by an organisation
approved under the conditions defined in Part II of the Article
i.e. a licensed trusted third party."


58.     Article 17 also relaxes restrictions on the use of
cryptographic methods for confidentiality services, provided
that the confidentiality services used are managed by an
authorised "trusted third party". The trusted third party will
be a government licensed organisation which manages encoding
keys for users. The licenses will be conditional upon the
trusted third party submitting encoding keys to the appropriate
authorities according to the law so that the State can, if
necessary, access the information. Cryptographic products
remain subject to authorisation even if they are used in
conjunction with a trusted third party.


59.     The French Government describes a trusted third party's
function as follows:


        The trustworthy third party is a recognised
        organisation which manages encoding keys on the
        user's behalf. The user signs a contract with the
        trustworthy third party which regularly transmits
        the keys to use to encode information to the user.
        A clause is written into the licensing agreement
        with the trustworthy third party which stipulates
        that it must submit the encoding keys to the proper
        authorities according to the law. Thus, users can
        use an encryption professional who guarantees a high
        quality service to them, while the State can, if
        need be, have access to the information.


60.     Until the 26th July Law is fully implemented, the previous
restrictions remain in place. As of February 1998, all of the
decrees required to implement the law have not been passed. Two
of the outstanding decrees relate to Article 17 dealing with
cryptography, covering in particular (1) the conditions and
procedures for submitting declarations and granting of licenses
for import, export, use and supply of encryption products; and
(2) the framework and responsibilities for trusted third
parties.




[...]






--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo () vorlon mit edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------

