9.7.1. "International Escrow, and Other Nations' Crypto Policies?"
  - The focus throughout this document on U.S. policy should not lull non-Americans into complacency. Many nations already have more Draconian policies on the private use of encryption than the U.S. is even contemplating (publicly). France outlaws private crypto, though enforcement is said to be problematic (but I would not want the DGSE to be on my tail, that's for sure). Third World countries often have bans on crypto, and mere possession of random-looking bits may mean a spying conviction and a trip to the gallows.
  + There are also several reports that European nations are preparing to fall in line behind the U.S. on key escrow
    - Norway
    - Netherlands
    - Britain
  + A conference in D.C. in 6/94, attended by Whit Diffie (and reported on to us at the 6/94 CP meeting) had international escrow arrangements as a topic, with the crypto policy makers of NIST and NSA describing various options
    - bad news, because it could allow bilateral treaties to supersede basic rights
    - could be plan for getting key escrow made mandatory
    + there are also practical issues
      + who can decode international communications?
        - do we really want the French reading Intel's communications? (recall Matra-Harris)
        - satellites? (like Iridium)
        - what of multi-national messages, such as an encrypted message posted to a message pool on the Internet...is it to be escrowed with each of 100 nations?

9.7.2. "Will foreign countries use a U.S.-based key escrow system?"
  - Lots of pressure. Lots of evidence of compliance.

9.7.3. "Is Europe Considering Key Escrow?"
  - Yes, in spades. Lots of signs of this, with reports coming in from residents of Europe and elsewhere. The Europeans tend to be a bit more quiet in matters of public policy (at least in some areas).
  - "The current issue of `Communications Week International' informs us that the European Union's Senior Officials Group for Security of Information Systems has been considering plans for standardising key escrow in Europe.
    "Agreement had been held up by arguments over who should hold the keys. France and Holland wanted to follow the NSA's lead and have national governments assume this role; other players wanted user organisations to do this." [rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow in Europe too, 1994-06-29]

9.7.4. "What laws do various countries have on encryption and the use of encryption for international traffic?"
  + "Has France really banned encryption?"
    - There are recurring reports that France does not allow unfettered use of encryption.
    - Hard to say. Laws on the books. But no indications that the many French users of PGP, say, are being prosecuted.
    - a nation whose leader, Francois Mitterrand, was a Nazi collaborationist, working with Petain and the Vichy government (Klaus Barbie involved)
  + Some Specific Countries
    - (need more info here)
    + Germany
      - BND cooperates with U.S.
    - Netherlands
    - Russia
  + Information
    - "Check out the ftp site at csrc.ncsl.nist.gov for a document named something like "laws.wp" (There are several of these, in various formats.) This contains a survey of the positions of various countries, done for NIST by a couple of people at Georgetown or George Washington or some such university." [Philip Fites, alt.security.pgp, 1994-07-03]

9.7.5. France planning Big Brother smart card?
  - "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government has confirmed its plans to replace citizens' paper-based ID cards with credit card-sized "smart card" ID cards. .....
    "The cards contain details of recent transactions, as well as act as an "electronic purse" for smaller value transactions using a personal identification number (PIN) as authorization. "Purse transactions" are usually separate from the card credit/debit system, and, when the purse is empty, it can be reloaded from the card at a suitable ATM or retailer terminal." (Steve Gold/19940304)" [this was forwarded to me for posting]

9.7.6. PTTs, local rules about modem use

9.7.7. "What are the European laws on "Data Privacy" and why are they such a terrible idea?"
  - Various European countries have passed laws about the compiling of computerized records on people without their explicit permission. This applies to nearly all computerized records--mailing lists, dossiers, credit records, employee files, etc.--though some exceptions exist and, in general, companies can find ways to compile records and remain within the law.
  - The rules are open to debate, and the casual individual who cannot afford lawyers and advisors is likely to be breaking the laws repeatedly. For example, storing the posts of people on the Cypherpunks list in any system retrievable by name would violate Britain's Data Privacy laws. That almost no such case would ever result in a prosecution (for practical reasons) does not mean the laws are acceptable.
  - To many, these laws are a "good idea." But the laws miss the main point, give a false sense of security (as the real dossier-compilers are easily able to obtain exemptions, or are government agencies themselves), and interfere in what people do with information that properly and legally comes their way. (Be on the alert for "civil rights" groups like the ACLU and EFF to push for such data privacy laws. The irony of Kapor's connection to Lotus and the failed "Marketplace" CD-ROM product cannot be ignored.)
  - Creating a law which bans the keeping of certain kinds of records is an invitation to having "data inspectors" rummaging through one's files. Or some kind of spot checks, or even software key escrow.
  - (Strong crypto makes these laws tough to enforce. Either the laws go, or the countries with such laws will then have to limit strong crypto....not that that will help in the long run.)
  - The same points apply to well-meaning proposals to make employer monitoring of employees illegal. It sounds like a privacy-enhancing idea, but it tramples upon the rights of the employer to ensure that work is being done, to basically run his business as he sees fit, etc. If I hire a programmer and he's using my resources, my network connections, to run an illegal operation, he exposes my company to damages, and of course he isn't doing the job I paid him to do. If the law forbids me to monitor this situation, or at least to randomly check, then he can exploit this law to his advantage and to my disadvantage. (Again, the dangers of rigid laws, nonmarket solutions,(lied game theory.)

9.7.8. on the situation in Australia
  + Matthew Gream [M.Gream@uts.edu.au] informed us that the export situation in Oz is just as bad as in the U.S. [1994-09-06] (as if we didn't know...much as we all like to dump on Amerika for its fascist laws, it's clear that nearly all countries are taking their New World Order Marching Orders from the U.S., and that many of them have even more repressive crypto laws already in place...they just don't get the discussion the U.S. gets, for apparent reasons)
    - "Well, fuck that for thinking I was living under a less restrictive regime -- and I can say goodbye to an international market for my software."
    - (I left his blunt language as is, for impact.)

9.7.9. "For those interested, NIST have a short document for FTP, 'Identification & Analysis of Foreign Laws & Regulations Pertaining to the Use of Commercial Encryption Products for Voice & Data Communications'. Dated Jan 1994." [Owen Lewis, Re: France Bans Encryption, alt.security.pgp, 1994-07-07]
By Tim May, see README
HTML by Jonathan Rochkind