9.7.1. "International Escrow, and Other Nations' Crypto Policies?"
- The focus throughout this document on U.S. policy should
not lull non-Americans into complacency. Many nations
already have more Draconian policies on the private use of
encryption than the U.S. is even contemplating
(publicly). France outlaws private crypto, though
enforcement is said to be problematic (but I would not want
the DGSE to be on my tail, that's for sure). Third World
countries often have bans on crypto, and mere possession of
random-looking bits may mean a spying conviction and a trip
to the gallows.
+ There are also several reports that European nations are
preparing to fall in line behind the U.S. on key escrow
- Norway
- Netherlands
- Britain
+ A conference in D.C. in 6/94, attended by Whit Diffie (and
reported on to us at the 6/94 CP meeting) had international
escrow arrangements as a topic, with the crypto policy
makers of NIST and NSA describing various options
- bad news, because it could allow bilateral treaties to
supersede basic rights
- could be plan for getting key escrow made mandatory
+ there are also practical issues
+ who can decode international communications?
- do we really want the French reading Intel's
communications? (recall Matra-Harris)
- satellites? (like Iridium)
- what of multi-national messages, such as an encrypted
message posted to a message pool on the Internet...is
it to be escrowed with each of 100 nations?
9.7.2. "Will foreign countries use a U.S.-based key escrow system?"
- Lots of pressure. Lots of evidence of compliance.
9.7.3. "Is Europe Considering Key Escrow?"
- Yes, in spades. Lots of signs of this, with reports coming
in from residents of Europe and elsewhere. The Europeans
tend to be a bit more quiet in matters of public policy (at
least in some areas).
- "The current issue of `Communications Week International'
informs us that the European Union's Senior Officials Group
for Security of Information Systems has been considering
plans for standardising key escrow in Europe.
"Agreement had been held up by arguments over who should
hold the keys. France and Holland wanted to follow the
NSA's lead and have national governments assume this role;
other players wanted user organisations to do this." [
rja14@cl.cam.ac.uk (Ross Anderson), sci.crypt, Key Escrow
in Europe too, 1994-06-29]
9.7.4. "What laws do various countries have on encryption and the
use of encryption for international traffic?"
+ "Has France really banned encryption?"
- There are recurring reports that France does not allow
unfettered use of encryption.
- Hard to say. Laws on the books. But no indications that
the many French users of PGP, say, are being prosecuted.
- a nation whose leader, Francois Mitterrand, was a Nazi
collaborationist, working with Petain and the Vichy
government (Klaus Barbie involved)
+ Some Specific Countries
- (need more info here)
+ Germany
- BND cooperates with U.S.
- Netherlands
- Russia
+ Information
- "Check out the ftp site at csrc.ncsl.nist.gov for a
document named something like "laws.wp" (There are
several of these, in various formats.) This contains a
survey of the positions of various countries, done for
NIST by a couple of people at Georgetown or George
Washington or some such university." [Philip Fites,
alt.security.pgp, 1994-07-03]
9.7.5. France planning Big Brother smart card?
- "PARIS, FRANCE, 1994 MAR 4 (NB) -- The French government
has confirmed its plans to replace citizen's paper-based ID
cards with credit card-sized "smart card" ID cards.
.....
"The cards contain details of recent transactions, as well
as act as an "electronic purse" for smaller value
transactions using a personal identification number (PIN)
as authorization. "Purse transactions" are usually separate
from the card credit/debit system, and, when the purse is
empty, it can be reloaded from the card at a suitable ATM
or retailer terminal." (Steve Gold/19940304)" [this was
forwarded to me for posting]
9.7.6. PTTs, local rules about modem use
9.7.7. "What are the European laws on "Data Privacy" and why are
they such a terrible idea?"
- Various European countries have passed laws about the
compiling of computerized records on people without their
explicit permission. This applies to nearly all
computerized records--mailing lists, dossiers, credit
records, employee files, etc.--though some exceptions exist
and, in general, companies can find ways to compile records
and remain within the law.
- The rules are open to debate, and the casual individual who
cannot afford lawyers and advisors is likely to be
breaking the laws repeatedly. For example, storing the
posts of people on the Cypherpunks list in any system
retrievable by name would violate Britain's Data Privacy
laws. That almost no such case would ever result in a
prosecution (for practical reasons) does not mean the laws
are acceptable.
- To many, these laws are a "good idea." But the laws miss
the main point, give a false sense of security (as the real
dossier-compilers are easily able to obtain exemptions, or
are government agencies themselves), and interfere in what
people do with information that properly and legally comes
their way. (Be on the alert for "civil rights" groups like
the ACLU and EFF to push for such data privacy laws. The
irony of Kapor's connection to Lotus and the failed
"Marketplace" CD-ROM product cannot be ignored.)
- Creating a law which bans the keeping of certain kinds of
records is an invitation to having "data inspectors"
rummaging through one's files. Or some kind of spot checks,
or even software key escrow.
- (Strong crypto makes these laws tough to enforce. Either
the laws go, or the countries with such laws will then have
to limit strong crypto....not that that will help in the
long run.)
- The same points apply to well-meaning proposals to make
employer monitoring of employees illegal. It sounds like a
privacy-enhancing idea, but it tramples upon the rights of
the employer to ensure that work is being done, to
basically run his business as he sees fit, etc. If I hire a
programmer and he's using my resources, my network
connections, to run an illegal operation, he exposes my
company to damages, and of course he isn't doing the job I
paid him to do. If the law forbids me to monitor this
situation, or at least to randomly check, then he can
exploit this law to his advantage and to my disadvantage.
(Again, the dangers of rigid laws, nonmarket
solutions,(lied game theory.)
9.7.8. on the situation in Australia
+ Matthew Gream [M.Gream@uts.edu.au] informed us that the
export situation in Oz is just as bad as in the U.S. [1994-09-06]
(as if we didn't know...much as we all like to dump
on Amerika for its fascist laws, it's clear that nearly all
countries are taking their New World Order Marching Orders
from the U.S., and that many of them have even more
repressive crypto laws already in place...they just don't
get the discussion the U.S. gets, for apparent reasons)
- "Well, fuck that for thinking I was living under a less
restrictive regime -- and I can say goodbye to an
international market for my software."
- (I left his blunt language as is, for impact.)
9.7.9. "For those interested, NIST have a short document for FTP,
'Identification & Analysis of Foreign Laws & Regulations
Pertaining to the Use of Commercial Encryption Products for
Voice & Data Communications'. Dated Jan 1994." [Owen Lewis,
Re: France Bans Encryption, alt.security.pgp, 1994-07-07]
By Tim May, see README
HTML by Jonathan Rochkind