
Cryptography and Liberty 1999

 

An International Survey of Encryption Policy

 

Electronic Privacy Information Center

Washington, DC

 

  


Table of Contents

Executive Summary

The Importance of Cryptography

Encryption and Human Rights

GILC and Encryption

Purpose and Methodology of the Survey

Country Ratings

Survey Results

Few Domestic Controls

Little Support for Key Escrow/Key Recovery

Increase in Surveillance Budgets and Powers

The Role of Export Controls

The Wassenaar Arrangement

The Unclear Authority of Wassenaar

The New Wassenaar List of Dual-Use Goods and Technologies

The International Development of Encryption Policy

Organization for Economic Cooperation and Development

The European Union

G-8

Council of Europe

Country Reports

Angola

Anguilla

Antigua and Barbuda

Argentina

Armenia

Aruba

Australia

Austria

Bahrain

Belarus

Belgium

Belize

Brazil

Bulgaria

Cambodia

Campione d’Italia

Canada

Chile

China

Croatia

Cyprus

Czech Republic

Denmark

Dominica

Estonia

Falkland Islands

Finland

France

Germany

Gibraltar

Greece

Hong Kong

Hungary

Iceland

India

Indonesia

Iran

Ireland

Israel

Italy

Japan

Kazakhstan

Kenya

Korea, Republic of (South Korea)

Kuwait

Kyrgyzstan

Latvia

Lebanon

Liechtenstein

Lithuania

Luxembourg

Malaysia

Mexico

Monaco

Mongolia

Morocco

Mount Athos, Republic of

Nauru

Netherlands

Netherlands Antilles

New Zealand

Nicaragua

Niue

Norfolk Island

Norway

Pakistan

Palestine

Papua New Guinea

Philippines

Pitcairn Islands

Poland

Portugal

Romania

Russia

Saudi Arabia

Singapore

Slovakia

Slovenia

South Africa

Spain

Sri Lanka

Swaziland

Sweden

Switzerland

Republic of China (Taiwan)

Tanzania

Tatarstan

Tonga

Tunisia

Turkey

Uganda

Ukraine

United Arab Emirates

United Kingdom

United States

Uruguay

Venezuela

Vietnam

Table of Countries

OECD Guidelines

Wassenaar Arrangement

GILC Resolution on Cryptography

 


Executive Summary

Most countries in the world today have no controls on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction. This is true for both leading industrial countries and for developing countries. There is a movement towards international relaxation of regulations relating to encryption products, coupled with a rejection of key escrow and recovery policies. Many countries have recently adopted policies expressly rejecting requirements for key escrow systems and a few countries, most notably France, have dropped their escrow systems. There are a small number of countries where strong domestic controls on the use of cryptography exist. These are mostly countries where human rights command little respect.

Recent trends in international law and policy point toward continued relaxation of controls on cryptography. The Organization for Economic Cooperation and Development's Cryptography Policy Guidelines and the Ministerial Declaration of the European Union, both released in 1997, argue for the liberalization of controls on cryptography and the development of market-based, user-driven cryptography products and services. There is a growing awareness of encryption worldwide, and an increasing number of countries have developed policies, driven by the OECD guidelines.

Export controls remain the most powerful obstacle to the development and free flow of encryption. The revised December 1998 Wassenaar Arrangement may roll back some of the liberalization sought by the OECD, particularly by restricting the key lengths of encryption products that can be exported without approval licenses. However, several major countries have already indicated that they do not plan to adopt new restrictions.

The United States government continues to lead efforts for encryption controls around the world. The U.S. government has exerted economic and diplomatic pressure on other countries in an attempt to force them into adopting restrictive policies. The U.S. position may be explained, in part, by the dominant role that national intelligence and federal law enforcement agencies hold in the development of encryption policy.

 

The Importance of Cryptography

Emerging computer and communications technologies have radically altered the ways in which we communicate and exchange information. Along with the speed, efficiency, and cost-saving benefits of the digital revolution come new challenges to the security and privacy of communications and information traversing the global communications infrastructure.

In response to these challenges, the security mechanisms of traditional paper-based communications media -- envelopes and locked filing cabinets -- are being replaced by cryptographic security techniques. Through the use of cryptography, communication and information stored and transmitted by computers can be protected against interception to a very high degree. Until recently, there was little non-governmental demand for encryption capabilities. Modern encryption technology -- a mathematical process involving the use of formulas (or algorithms) -- was traditionally deployed most widely to protect the confidentiality of military and diplomatic communications. With the advent of the computer revolution and recent innovations in the science of encryption, a new market for cryptographic products has developed. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever-increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic fund transfers require secure means of encryption and authentication -- features that can only be provided if cryptographic know-how is widely available and unencumbered by government regulation.

Cryptography can also be used to allow for the anonymous dissemination of information, such as reports on human rights abuses, and to ensure that documents of human rights groups are not tampered with or altered after release.

Governmental regulation of cryptographic security techniques endangers personal privacy. Encryption ensures the confidentiality of personal records, such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of being stolen or misused.

 

Encryption and Human Rights

Government regulation of techniques such as encryption that help to protect individual privacy may also be contrary to the spirit of international laws and norms that recognize privacy as a fundamental human right. Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, as well as other international agreements, and national laws, make clear the importance of privacy protection for human freedom and civil society.

In many countries in the world, human rights organizations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, reported widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries. In some countries, such as Honduras and Paraguay, the state-owned telecommunications companies were active participants in helping the security services monitor human rights advocates. These problems are not limited to developing countries. French counter-intelligence agents wiretapped the telephones of prominent journalists and opposition party leaders. The French Commission Nationale de Contrôle des Interceptions de Sécurité estimated that there are some 100,000 illegal taps conducted each year in France. There have been numerous cases in the United Kingdom which revealed that the British intelligence services monitor social activists, labor unions and civil liberties organizations. A recent UK bill was enacted that allows for the surveillance of lawyers and priests. In Germany, a bill is currently pending that would allow, for the first time since the Nazi era, the ability to bug journalists' offices. The European Parliament issued a report in January 1998 revealing that the U.S. National Security Agency was conducting massive monitoring of European communications.

Many human rights groups currently use encryption to protect their files and communications from seizure and interception by the governments they monitor for abuses. These include Guatemala, Ethiopia, Haiti, Mexico, South Africa, Hong Kong and Turkey. Other groups such as Amnesty International USA also use cryptographic techniques to digitally sign messages that they send over the Internet to ensure that the messages are not altered in transmission.

Additional information on the use of encryption technology by international human rights organizations is contained in the briefing paper "Encryption in the Service of Human Rights," produced by Human Rights Watch (http://www.aaas.org/SPP/DSPP/CSTC/briefings/crypto/dinah.htm).

 

GILC and Encryption

The Global Internet Liberty Campaign (GILC) was established in June 1996 to protect civil liberties and human rights in the online world. GILC maintains a web site, publishes an on-line newsletter, and participates in government meetings around the globe. GILC is made up of over 50 human rights, consumer, privacy, free speech, and Internet user groups in 20 countries on five continents.

GILC has been active in promoting the worldwide elimination of restrictions on encryption. GILC members have made presentations to the OECD, the EU and other international organizations, organized policy conferences in many countries, and submitted comments and reports to international governmental groups and governments. Members of GILC provide training in the use of cryptographic methods to human rights organizers, journalists and political activists.

In 1996, GILC issued a "Resolution in Support of the Freedom to Use Cryptography" that states: "the use of cryptography implicates human rights and matters of personal liberty that affect individuals around the world" and that "the privacy of communication is explicitly protected by Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and national law."

GILC also maintains an extensive collection of resources about encryption policy on its web site at (http://www.gilc.org/).

 

Purpose and Methodology of the Survey

This survey was undertaken by the Electronic Privacy Information Center (EPIC), with the assistance of members of the Global Internet Liberty Campaign and other experts on encryption policy, to provide a comprehensive review of the cryptography policies of virtually every national and territorial jurisdiction in the world.

To obtain information for the survey, we sent letters to the embassies, United Nations missions, government ministries, trade boards, and information offices of some 230 countries and territories with independent policy-making authority. These entities were contacted in the belief that governments themselves are best able to authoritatively explain their policies, especially on such a technical subject. We patterned our survey after one conducted in 1989 by the Computer Science and Law Research Group (GRID) of the University of Quebec, which analyzed the data protection policies and laws of over 150 countries on behalf of the government of Canada. In this second survey, we expanded the contacts to include organizations and individuals in various countries with direct knowledge of encryption and telecommunications policies. We inquired about four major areas of cryptography policy:

Between the issuance of our first report in February 1998 and this one, the Organization for Economic Cooperation and Development (OECD) conducted an inventory of the cryptography regulations of its member states. We have incorporated those findings in this report as they best represent current national policies within the OECD member countries.

We also referred to a report prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy, obtained by EPIC under the Freedom of Information Act. The report, dated July 1995, is titled "A Study of the International Market for Computer Software with Encryption". The Commerce Department and NSA attempted to obtain and analyze copies of the laws and regulations from as many encryption-producing nations as possible.

In this and the previous survey, we consulted the very useful Crypto Law Survey that is maintained by Bert-Jaap Koops. That survey includes descriptions of crypto policies in many of the world’s countries as well as links to important source documents.

A 100 per cent response was the goal of this and our previous survey. For this survey we found that many more countries were familiar with the issue than had been during the first survey.

 

Country Ratings

Reported countries have been grouped into three categories regarding controls on cryptography. A "Green" designation signifies that the country promotes or has expressed support for a policy that allows for unhindered legal use of cryptography, such as adopting the OECD Guidelines. A "Yellow" designation signifies that the country has proposed new domestic cryptography controls, including domestic use controls, has import controls, or has shown a willingness to abide strictly by the terms of the Wassenaar Arrangement. A "Red" designation denotes countries that have instituted sweeping controls on cryptography, including domestic use controls. Many countries do not fit neatly into one of the three categories, but may share attributes from two of the categories. These countries are designated as "Green/Yellow" or "Yellow/Red."

Survey Results

Few Domestic Controls

Most countries do not restrict the domestic use of encryption by their citizens. Of the handful of countries around the world that do, few are democracies and most have strong authoritarian governments. The countries include Belarus, China, Israel, Kazakhstan, Pakistan, Russia, Singapore, Tunisia, Vietnam, and Venezuela. In many of those countries, the controls do not appear to be enforced.

Most countries that have explicitly rejected controls have noted the importance of security of electronic information for electronic commerce, the threats of economic espionage, and the need to protect privacy online. The 1997 OECD Guidelines on Cryptography Policy and the European Commission expressed strong support for the unrestricted development of encryption products and services. In the past year, Canada, Ireland, and Finland have announced national crypto policies based on the OECD Guidelines, favoring the free use of encryption.

A number of countries explicitly reversed their positions on domestic controls recently. Most notable of these is France, which has long restricted encryption, but reversed that policy in January 1999 and announced that people will be able to use encryption without restrictions. In December 1997, Belgium amended its 1994 law to eliminate its provision restricting cryptography.

 

Little Support for Key Escrow/Key Recovery

Concurrent with the rejection of domestic controls by most countries is the rejection of key escrow/recovery policies by governments. We found that few countries now support such policies.

Key escrow/recovery was a concept promoted by the United States government whereby users would be able to use strong encryption in their systems. However, a third party such as a government agency or a specially authorized company (which usually had government ties) would hold the keys and provide them to a government agency when requested. Escrow was first introduced in the U.S. in the Clipper Chip in 1993. Security experts have been critical of the security of escrow systems, noting a number of problems created by having a central party holding users' keys.

The U.S. pressured many countries and international organizations such as the OECD and Wassenaar to adopt key escrow. U.S. Envoy for Encryption David Aaron traveled the world urging countries to adopt escrow policies. The OECD countries rejected the U.S. pressure and called for free use of cryptography and respect for privacy.

A critical and perhaps final blow to key escrow was the rejection of key escrow by the Wassenaar Arrangement group in 1998. The U.S. attempted to gain favorable export rules for escrow/recovery products to encourage an international market. No consensus was reached and this plan was rejected. The German Ministry of Economics announced in a press release: "Certain states that had originally demanded special treatment for key recovery products were unsuccessful in their efforts. The export of encryption technology will therefore remain possible without the deposit of keys with the government."

These international policy developments have had a significant impact on domestic policies in both countries that supported escrow and those that did not have encryption policies. The most dramatic turnaround was in France, where Prime Minister Jospin announced in January 1999 that France would scrap its key escrow system in favor of free use of cryptography. Taiwan, which had stated in 1997 that it was planning a key escrow system, is now reporting that it does not plan to adopt a key escrow system.

Only a few countries now officially endorse key escrow. Spain enacted a telecommunications bill in 1998 that may promote escrow, but it has not been implemented. The UK was in the process of developing an electronic commerce bill that may coerce Certificate Authorities to obtain private keys as a condition of licensing and new laws that will require disclosure of keys by users. However, that effort now appears to have lost support and may be withdrawn. In the U.S., export control rules that once encouraged key escrow were somewhat relaxed in 1998. Lacking any real international consensus, it appears unlikely that escrow will survive.

 

Increase in Surveillance Budgets and Powers

As countries reject restrictions on encryption, they continue to face pressure from law enforcement and intelligence agencies which demand access to communications. There have been a variety of approaches taken to resolve this pressure.

One trend has been the increased funding of intelligence agencies to compensate for the perceived loss of intelligence from encryption. In the United States, a number of new "Net Centers" have been proposed. These Net Centers would combine government and private sector money and would not be subject to freedom of information laws. In France, Prime Minister Jospin announced that as part of France's relaxation of controls, "the technical capacities of the authorities will be significantly reinforced." In Australia, a government report recommended that agencies be given additional powers to "hack" into computer systems under a court order. In Germany, police are now allowed to place microphones in homes. The Council of Europe is also developing a new Convention on Computer Crime that will reportedly encourage new surveillance powers and centers at the urging of the U.S. Department of Justice, which is drafting the convention. These new proposals for new investigative powers raise troubling questions about surveillance and accountability. Will the agencies granted these powers be fully accountable to democratic institutions and subject to meaningful public oversight?

Other countries such as Malaysia and Ireland are enacting laws that require individuals to hand over keys for criminal investigations. Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide.

 

The Role of Export Controls

Internationally, export controls are the strongest tool used by governments to limit development of encryption products. Export controls reduce the availability of encryption in common programs such as operating systems, electronic mail and word processors, especially from American companies. The restrictions make it difficult to develop international standards for encryption and interoperability of different programs. Countries must develop their own local programs, which do not inter-operate well (if at all) with other programs developed independently in other countries. They may not be as secure because of a lack of peer-review. Because markets are smaller, companies and individuals are not as interested in developing programs because of smaller potential profits.

Some countries have taken advantage of the situation by promoting the lack of controls in their countries. As Switzerland noted in response to our inquiry, "Switzerland will keep its efficient export permit process for cryptographic goods in order to encourage Swiss exports to increase their sales and share worldwide while being mindful of national security interests." One result of this has been the emergence of small companies in many countries without restrictions, which produce encryption products. Another result has been companies, especially American companies, moving their encryption production divisions overseas to countries with fewer controls, such as Switzerland.

The Internet has significantly changed the effectiveness of export controls. Strong, unbreakable encryption programs can now be delivered in seconds to anywhere in the world from anywhere with a network connection. It has been increasingly difficult for countries to limit dissemination, and once a program is released, it is nearly impossible to stop its redissemination, especially if it is in one of the many countries around the world with no export controls. In the United States, export controls are used as a justification to limit the availability of encryption on domestic Internet sites and thus serve as indirect domestic controls on encryption.

 

The Wassenaar Arrangement

The Wassenaar Arrangement (WA) is an agreement by a group of 33 industrialized countries to restrict the export of conventional weapons and "dual use" technology to certain other countries considered pariah states or, in some cases, those that are at war. Certain cryptographic products, along with other technology such as supercomputers and high-level computer security access software, are considered to be "dual use" in that they can be used for both commercial and military purposes. The WA replaces the former Cold War-era Coordinating Committee on Multilateral Export Controls (COCOM), a group of 17 countries that placed restrictions on the export of certain technology to countries of the former Warsaw Pact and other communist states. After the fall of the Warsaw Pact and Soviet Union, COCOM became an anachronism, and on November 16, 1993, in The Hague, COCOM agreed to dissolve itself and to establish a grouping called the "New Forum."

At a New Forum meeting held in Wassenaar, the Netherlands, it was decided that COCOM would formally cease to exist on March 31, 1994. The New Forum agreed to continue the use of the COCOM munitions control lists as a basis for global export controls until the new arrangement could be established. A formal agreement to establish the "Wassenaar Arrangement" was reached at the December 19, 1995, meeting in Wassenaar. The participating countries agreed to locate the Wassenaar Arrangement Secretariat in Vienna. The WA is one of four international export control arrangements. The others are the Nuclear Suppliers Group, the Australia Group, and the Missile Technology Control Regime, which are mainly directed against the proliferation of weapons of mass destruction and missiles.

The WA is open on a global basis to other countries that comply with the export control criteria. To be admitted to the Arrangement, a country must: 1) be a producer and/or exporter of arms or dual-use industrial equipment; 2) maintain non-proliferation policies and appropriate national policies, including adherence to international non-proliferation regimes and treaties; and 3) maintain fully effective export controls. Although the Arrangement does not provide for observer status, an outreach policy is being planned to inform non-member countries about WA objectives and activities and encourage such non-members to adopt WA-compliant national policies on the export of conventional arms and dual-use technologies, including cryptography.

 

The Unclear Authority of Wassenaar

It is important to note that the WA is neither an international treaty nor a law. It is merely designed to exchange views and information on international trade in conventional arms and dual-use goods and technologies. Also, Participating States commit to adjust their national export control policies to adhere to the WA Control Lists, but this commitment is discretionary in nature and not mandatory. Participating States may adjust their cryptographic export policies through new regulations or legislation.

The WA representatives largely represent the law enforcement, signals intelligence, and weapons control sectors of participant governments and have little appreciation for commercial concerns. The WA maintains that it is not directed at impeding bona fide commerce and is not directed against any state or group of states. However, the list of countries covered by a participating state's own national sanctions varies widely. For example, the United States imposes sanctions on certain countries through the International Traffic in Arms Regulations and the Export Administration Regulations, which are supervised by the Departments of Commerce, Treasury, and State. The United Kingdom also imposes sanctions on countries, but its list differs from that of the United States. Russia maintains virtually no enforceable sanctions on other countries. The substantial differences between participants on sanctions are an important weakness in the application of uniform WA export controls.

The WA countries maintain export controls for the items on the agreed control lists, which are reviewed periodically to take into account technological developments and experience gained. One such review took place throughout 1998 and resulted in a change to the cryptography dual-use control list. The WA announced the revised list on December 3, 1998. Decisions to amend the Control Lists, as with all WA decisions, are made by consensus, i.e., they must be unanimous.

The WA also facilitates the sharing of export information between participating states. Countries are required to report transfers or denials of transfers of certain controlled dual-use items to the other WA participants. Of particular interest to WA members are denials for export licenses for sensitive technology. Therefore, the WA stipulates that members will agree that notification of other members shall be made on an early and timely basis, preferably within 30 days but no later than within 60 days of the date of the denial of the license.

 

The New Wassenaar List of Dual-Use Goods and Technologies

On December 3, 1998, the Wassenaar Secretariat announced that new cryptography guidelines had been added to the Arrangement. The Wassenaar Dual-Use Control List now extends to encryption hardware and software cryptography products above 56 bits. These include Web browsers, e-mail applications, electronic commerce servers, and telephone scrambling devices. Other mass-market products, such as personal computer operating systems, word processing, and database programs having strengths over 64 bits are subject to controls for two years. These controls must be renewed and approved unanimously, otherwise they will be canceled. There remains confusion over the control list’s distinction between 56-bit and 64-bit encryption, but it appears that participating states are obligated to establish new export controls over "mass market" encryption software that uses keys longer than 64 bits. They must also restrict other symmetric encryption software and hardware having keys longer than 56 bits (unless a formal export license is issued by the respective national government).

The Wassenaar countries also agreed to control other software, such as that used in specific sectors such as banking, insurance and health, at the 56-bit level. According to a press release from the German Ministry of Economy, "Certain states that had initially demanded special treatment for ‘key recovery’ products have not been successful. These were seen to be the United States and United Kingdom. Thus, the export of encryption technology will remain possible without depositing keys with government agencies." The restrictions do not apply to encryption products that protect intellectual property, such as digital watermarking for items like videos, cassettes and DVD disks. This exemption is seen as a concession to the entertainment industry.

Most importantly, and in what constitutes an important loophole, the new WA controls do not apply to the "intangible" distribution of cryptography, including downloads from the Internet.

It remains to be seen what the effects will actually be on the flow of encryption products. Several countries such as Canada and Germany have indicated that they do not plan to impose new strict restrictions on exports of mass-market software. The Swiss government wrote that "the upcoming minor changes to Switzerland's export controls on cryptographic goods as a result of the December changes to Wassenaar will not alter the liberal Swiss Cryptography Policy."

 

The International Development of Encryption Policy

Over the past several years, the role of international organizations has become crucial in the development of encryption policies. These fora include the Organization for Economic Cooperation and Development, the European Union, the G-7/G-8, the Council of Europe, and the Wassenaar Arrangement (see above). In all of these, the U.S. -- with the support of the UK Government -- has led efforts to gain international support for restrictions. The U.S. efforts have been led by the Undersecretary of Commerce for International Trade and former Ambassador to the OECD, David Aaron, who traveled the world urging governments to support the U.S. positions. In certain fora, especially in those which are oriented towards law enforcement or military/intelligence issues, the U.S. has had some success. Opposition to these efforts often has been led by Germany and the Scandinavian countries.

 

Organization for Economic Cooperation and Development

The Organization for Economic Cooperation and Development (OECD) is a Paris-based international body of 29 countries.

In 1996, the U.S. government approached the OECD to recommend that it begin work on cryptography guidelines focusing on international compatibility. The OECD had previously developed well-respected guidelines on the privacy of personal information and computer security. The U.S. began pressuring the OECD to adopt key escrow as an international standard. For its encryption deliberations, the OECD changed from its traditional two-year process of consensus to a one-year accelerated process with a "core group" writing the guidelines. At the meetings, the U.S. delegation, led by the Justice Department, the FBI, and the NSA, lobbied the committee to endorse key escrow.

The OECD was severely divided by the proposals. The U.S. position was supported by France and the United Kingdom. On the other side, the Japanese Ministry of Trade and Industry was strongly opposed. The Scandinavian countries also announced that they were unhappy with the proposals, stating that the system would undermine trust. Denmark's representative announced that key escrow would not be included in a nation-wide card system. Industry representatives wanted to ensure that they would have the right to adopt any system of their choosing.

In March 1997, the OECD issued its Guidelines on Cryptography Policy. The OECD recommendation is a non-binding agreement that identifies the basic issues that countries should consider in establishing cryptography policies at the national and international level.

The OECD Cryptography Guidelines state:

"The need for Guidelines emerged from the explosive worldwide growth of information and communications networks and technologies and the requirement for effective protection of the data which is transmitted and stored on those systems. Cryptography is a fundamental tool in a comprehensive data security system. Cryptography can also ensure confidentiality and integrity of data and provide mechanisms for authentication and non-repudiation for use in electronic commerce.

"Governments want to encourage the use of cryptography for its data protection benefits and commercial applications, but they are challenged to draft cryptography policies which balance the various interests at stake, including privacy, law enforcement, national security, technology development and commerce. International consultation and co-operation must drive cryptography policy because of the inherently international nature of information and communications networks and the difficulties of defining and enforcing jurisdictional boundaries in the new global environment."

The Guidelines are intended to promote the use of cryptography, to develop electronic commerce through a variety of commercial applications, to bolster user confidence in networks, and to provide for data security and privacy protection.

Some OECD Member countries have already implemented policies and laws on cryptography, and many countries are still developing them. Failure to co-ordinate these national policies at the international level could introduce obstacles to the evolution of national and global information and communications networks and could impede international trade. OECD governments have recognized the importance of international co-operation, and the OECD has contributed by developing consensus on specific policy and regulatory issues related to cryptography and, more broadly, to information and communications networks and technologies.

The Guidelines set out eight basic Principles for cryptography policy:

  1. Cryptographic methods should be trustworthy in order to generate confidence in the use of information and communications systems.
  2. Users should have a right to choose any cryptographic method, subject to applicable law.
  3. Cryptographic methods should be developed in response to the needs, demands and responsibilities of individuals, businesses and governments.
  4. Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level.
  5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
  6. National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.
  7. Whether established by contract or legislation, the liability of individuals and entities that offer cryptographic services or hold or access cryptographic keys should be clearly stated.
  8. Governments should co-operate to co-ordinate cryptography policies. As part of this effort, governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade.

The OECD is currently planning to conduct a follow-up to the guidelines in the area of digital signatures. In October 1998, the OECD released a survey of the member countries which found that many have adopted the guidelines.

 

The European Union

The European Union has played a key role in rejecting restrictions on encryption. The European Commission requires Member States to report to the Commission any national proposals to impose technical rules for marketing, use, manufacture, or import of cryptographic products. The Commission also seeks to dismantle intra-Union controls on commercial encryption products.

In October 1997, the European Commission’s Directorate-General XIII, which is responsible for Telecommunications, Information Market and Exploitation of Research, issued a report that took issue with the United States’ policy of encouraging key escrow and recovery schemes. The report stated that "restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks," adding that key escrow systems "would not . . . totally prevent criminals from using these technologies."

On the issue of "back door" mechanisms giving law enforcement and intelligence agencies the right to read the plaintext of encrypted messages, the report said that if such systems are required, they "should be limited to what is absolutely necessary."

The report was sent by the European Commission to the major bodies of the European Union, including the European Parliament, the Council of Ministers, the Economic and Social Committee and the Committee of the Regions.

However, a European Council Resolution of January 17, 1995, requires network operators and service providers to provide law enforcement agencies "in the clear" access to encrypted communications.

In 1992, the European Commission proposed a dual-use regulation as part of the progression to the free market. Since military exports were linked to Member States’ national security concerns, control of such exports was deemed to be a matter for individual states. However, with dual-use goods, it was argued that, while military uses were of a national interest, their civil use was in the purview of the European Commission.

Eventually, a compromise was reached. A dual-use Regulation was agreed upon. The basis for the regulation was Article 113 of the Treaty of Rome and a Maastricht-based Common Foreign and Security Policy Joint Action with a series of annexes. The EU's dual-use Regulation (EC No. 3381/94) contains 24 articles and it entered into force on July 1, 1995. Council Decision No. 94/942/CFSP, with 8 articles and 5 annexes, has been appended to it.

The series of regulations, decisions, and annexes state that:

On May 15, 1998, the Commission adopted a Proposal for a Council Regulation setting up an EU regime for the control of exports of dual-use goods and technology (COM(1998) 257 final, 98/0162 (ACC)). The proposal calls for a notification procedure for intra-Community transfers of cryptographic products instead of the current authorization/licensing scheme.

 

G-8

The Group of 8 (G-8) is made up of the heads of state of the top eight industrialized countries in the world. The leaders have been meeting annually since 1975 to discuss issues of importance, including the information highway, crime and terrorism.

The G8 has been active in discussing encryption policy at the urging of the United States. At the G8 meeting in Lyon, France in 1996, the G8 agreed to "accelerate consultations, in appropriate bilateral or multilateral fora, on the use of encryption that allows, when necessary, lawful government access to data and communications in order to, inter alia, prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications."

At the Denver Summit in June 1997, the G8 agreed: "To counter, inter alia, the use of strong encryption by terrorists, we have endorsed acceleration of consultations and adoption of the OECD guidelines for cryptography policy and invited all states to develop national policies on encryption, including key management, which may allow, consistent with these guidelines, lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies."

At the Birmingham, England meeting on May 18, 1998, the G8 adopted a recommendation on ten principles and a ten-point action on high-tech crime that did not explicitly mention encryption. The ministers announced, "We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies."

The next G8 meeting will be in Cologne, Germany on June 18-20, 1999.

 

Council of Europe

The Council of Europe is an inter-governmental organization formed in 1949 by West European countries. There are now 40 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."

On September 8, 1995, the Council of Europe approved a recommendation to limit strong cryptography in its member states. The Council is not like the European Commission in that it has no statutory authority to enforce its recommendations. However, it is rare for member countries to reject Council of Europe recommendations. The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states:

"Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein."

"Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities."

"Specific obligations should be imposed on service providers who offer telecommunications services to the public, either through public or private networks, to provide information to identify the user, when so ordered by the competent investigating authority."

"Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary."

The Council is now working on a draft directive on computer crime. This directive is being drafted in part by the Computer Crime Division of the U.S. Department of Justice, which unsuccessfully represented the U.S. at the OECD. The drafts reportedly call for increased surveillance powers.

 


Country Reports

Angola

1999 UNKNOWN

1998 Not reported

According to the Angolan Embassy in Washington, D.C., the Ministry of Science and Technology in Luanda is responsible for setting cryptographic policy. A fax sent to that agency went unanswered.

Ref: Embassy of Angola fax dated January 19, 1999.

 

Anguilla

1999 GREEN

1998 GREEN

Anguilla is a self-governing British territory in the Caribbean. It has also attracted an off-shore Internet industry that takes advantage of the territory’s tax haven status. It has no restrictions on cryptography.

Offshore Information Services is one company that offers Anguilla domain name services (.ai), e-mail accounts, virtual web sites, and links to encryption programs like Pretty Good Privacy (PGP). It also offers the opportunity to engage in cryptographic civil disobedience. One may send a three-line encryption program to Anguilla. In the United States, this simple harmless act is illegal, and a violation of the U.S. export control rules. The web address for the civil disobedience campaign is http://online.offshore.com.ai/arms-trafficker/.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Anguilla. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: Charles Platt, "Plotting Away in Margaritaville," Wired (July 1997)

White House Press Release, September 16, 1998.

 

Antigua and Barbuda

1999 GREEN

1998 GREEN

The Embassy of Antigua and Barbuda in Washington did not respond to our survey. However, a review of their Free Trade Zone web site yielded the fact that the island nation is trying to compete with Anguilla in luring international data services, including those reliant on the Internet. Several virtual casinos have been established in the Free Trade Zone. It is certain that strong encryption is a high priority for such operations.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Antigua and Barbuda. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: www.candw.ag/~ftpzone/gamelicenced.htm

White House Press Release, September 16, 1998.

 

Argentina

1999 GREEN/YELLOW

1998 YELLOW

Argentina imposes no import or domestic use controls on cryptography.

The Secretariat for Public Affairs manages the Public Key Infrastructure for the Federal Government Administration, and as such, has issued Technical Standards related to the use of public key certificates for government bodies.

Argentina has acceded to the Wassenaar Arrangement and is committed to restricting the export of cryptographic products and technology as dual-use goods, including the new controls announced in December 1998.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Argentina. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: Email communication from the Secretariat for Public Affairs, January 1999.

White House Press Release, September 16, 1998.

 

Armenia

1999 GREEN/YELLOW

1998 YELLOW

According to the Second Secretary of the Embassy of Armenia in Washington, Armenia does not currently have a policy on the use of cryptography. However, the Armenian government has recently set up a Department of Information and Publications which, among other things, is planning to initiate legislation concerning the use of cryptography.

Ref: Embassy of the Republic of Armenia letter dated July 31, 1997.

 

Aruba

1999 GREEN

1998 Not reported

There are no domestic controls on the use of encryption.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Aruba. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: White House Press Release, September 16, 1998.

 

Australia

1999 GREEN/YELLOW

1998 GREEN/YELLOW

During our first survey, we received a phone call from the Embassy of Australia in Washington, D.C. They said they had received our request for information on Australia's laws on the use, export, and import of cryptographic products but were unsure to which agency of the Australian government to forward our request. The confusion by the embassy on which government department is responsible for cryptography was cited in the government-commissioned "Review of Policy relating to Encryption Technologies", authored by former deputy director of the Australian Security Intelligence Organization (ASIO), Gerard Walsh. In what is popularly called the Walsh Report (issued on October 10, 1996 and embargoed by the government for public release until a Freedom of Information Act request by Electronic Frontiers Australia), Walsh criticized the government for its lack of coordination in establishing a cryptographic policy. In addition, the Review found a lack of clarity as to which Minister and which department had responsibility for cryptography policy and the consequent danger of a lack of coordination in policy development.

For this survey, we received feedback directly from the Attorney General’s Department and the Defense Signals Directorate (DSD) of Australia. The DSD and AG letters state:

  1. There are no restrictions on the use of cryptographic software and hardware within Australia.
  2. There are no controls on the import of cryptography software and hardware into Australia.
  3. There are controls on the export of cryptographic software and hardware. There are no separate controls for non-tangible exports. Australia will continue to implement export controls consistent with our international responsibilities under the Wassenaar Arrangement.
  4. Cryptographic policy (with the exception of export controls) is the responsibility of the Attorney General’s Department. Export controls on cryptographic software and hardware are administered by the Department of Defense and enforced by the Australian Customs Service.

Despite earlier expectations, the Minister for Communications, Information Technology and the Arts, Senator Richard Alston, through the National Office for the Information Economy (NOIE) has not played any significant role in cryptographic policy formation. The Minister has recently (December 1998) issued a document, "A Strategic Framework for the Information Economy", which makes only minor reference to encryption issues. Australia was represented at the recent Wassenaar meetings by the Defense Department and the Department of Foreign Affairs and Trade, the latter being yet another player in policy formation.

In December 1996, Australia amended its export control laws to allow a personal-use exemption for encryption software that remains in the control of Australian users.

The Walsh Report recommends that Australia not establish a key escrow or recovery scheme as advocated by the United States. Its finding on this subject is as follows:

1.2.5 The Review does not support legislative action at this stage to prescribe a form of key management infrastructure accessible by government for purposes of national safety.

1.2.8 The Review does not recommend specific options for encryption legislation at this time.

1.2.11 There seems no compelling reason or virtue to move early on regulation or legislation concerning cryptography. Law enforcement and national security agencies have certainly experienced difficulty where subjects of investigation have refused access to encrypted stored data and it has not been possible for them or other agencies to decrypt this material. It is questionable, though, whether any range of policy decisions concerning key management would have altered this situation materially. For the present, the investigative capability of the agencies is not significantly affected.

1.2.27 Invocation of the principle of non self-incrimination is likely to prove an obstacle to efforts by law enforcement agencies to obtain encryption keys by search warrants or orders made by courts and tribunals.

1.2.39 The ready availability of strong encryption, with no requirement to escrow or register keys, nor to entrust them to any independent entity, is the most effective safeguard of individual privacy.

1.2.50 It would be premature to enter formal negotiations with other countries on access to encrypted data, where public keys are held in those countries, until there is some certainty as to likely key management infrastructures.

1.2.53 There is a high risk of corruption in the third party service provider sector and the Government would be prudent to require integrity screening and registration of those who seek to offer such services to the public.

1.2.56 There seems to be little popular support in or outside the United States for a ‘Commercial Key Escrow’ system involving government agencies creating as it would significant vulnerability outside of the control of the person or corporation.

In January 1999, an unredacted version of the Walsh Report was discovered by EFA and published on the Internet. Although Australia reported to the OECD that it imposes no import controls or domestic use controls on the use of cryptography, the redacted Walsh Report indicates changes have been recommended to these policies. These recommendations indicate that certain Australian government agencies were entertaining methods for accessing plain text data that went beyond key escrow or recovery solutions:

1.2.28 The Crimes Act 1914 should be amended to permit the AFP, NCA and ASIO to ‘hack’ into a nominated computer system to secure access to that system or evidence of an electronic attack on a computer system.

6.2.3. The capacity to ‘hack,’ under a Justice of the Peace or Magistrate’s warrant, would harmonize the search provision of the Crimes Act 1914 to today's standard form of storage.

6.3.3 It would seem sensible to coordinate work on profitable areas of technical attack among and between the investigative agencies, DSD and the Defense Science and Technology Organization (DSTO). Again the forum would be able to provide the requisite level of coordination.

1.2.33 Authority should be created for the AFP, the NCA and ASIO to alter proprietary software so that it performs additional functions to those specified by the manufacturer. Such an authority, which clearly should be subject to warranting provisions, would, for example, enable passive access to a computer work station of a LAN and link investigative capability more effectively to current technology. While there are issues of liability, the Review is convinced the effort should be made to accommodate these so that a target computer may be converted to a listening device. This capacity may represent one of the important avenues of accessing plain text.

6.2.10. The opportunity may present itself to the AFP, NCA or ASIO to alter software located in premises used by subjects of intensive investigation or destined to be located in those premises. The software (or more rarely the hardware) may relate to communication, data storage, encoding, encryption or publishing devices. While some modifications may have the effect of creating a listening device which may be remotely monitored by means of the telecommunications service, for which purposes extant warranting provisions would provide, others may create an intelligent memory, a permanent set of commands not specified in the program written by the manufacturer or a remote switching device with a capacity to issue commands at request. The cooperation of manufacturers or suppliers may sometimes be obtained by agencies. When manufacturers or suppliers are satisfied the modification has no discernible effect on function, they may consent to assist or acquiesce in its installation. It will not always be possible, however, to approach manufacturers or suppliers or the latter may be in no position to consent to modification of proprietary software. When agencies are investigating a high priority target, practicing effective personal and physical security, moving premises and changing telephone/fax regularly, an opportunity to access the target's computer equipment may represent not only the sole avenue but potentially the most productive.

There is also a candid admission that access to encrypted voice communications is desired more for intelligence-gathering purposes than for criminal investigations:

3.6.1 Little evidence emerges of encrypted voice communications being employed by criminal elements, although ASIO noted foreign intelligence services had long adopted the practice. Great weight was placed by those law enforcement agencies consulted and ASIO on the tactical importance of real-time access to voice and data communications for the conduct of investigations and the collection of evidence. It was said, and examples were advanced to support the contention, that loss of this access would seriously impact on their investigative capability. The unique advantages of interception of communications are passivity, flexibility and the low risk of the endeavor, combined with immediacy of intelligence flow. Denied this tool, agencies would be forced to engage in a wider range of human source activities, for which the preparatory planning stage is quite long, which may entail considerable financial outlays and about which there would be a high degree of operational, bureaucratic and political risk.

Australian legislation controlling the export of cryptography products has existed since at least 1987 when Australia became a member of COCOM. Cryptographic products require Ministry of Defense approval under Regulation 13B and the associated Schedule 13 of the Customs (Prohibited Exports) Regulations. As such, Australian export control regulations exceed the former Wassenaar guidelines in some areas, most notably in requiring individual export licensing for mass-market applications software and other mass-market software performing cryptographic functions. The new Wassenaar controls announced in December 1998 align Wassenaar more closely with Australia’s long standing policy. A new Defense Strategic Goods List (DSGL) should be published in early 1999, following the December 1998 Wassenaar changes. The changes are expected to simplify applications for export of weak encryption products.

Approval or denial of export applications is based on economic factors, the impact on Australian national security, the identification of end users, and international obligations. Australia’s guidelines for export licenses are not publicly available. Applications for export of cryptographic equipment are referred to the DSD for technical advice on the impact of exports on national security. DSD is the agency responsible for collecting foreign signals intelligence (SIGINT), much of which is shared with the U.S. National Security Agency under the terms of the UK-USA Security Agreement of 1948. DSD is also the agency responsible for the security of all Australian government communications.

As of January 1999, DSD remains responsible for evaluating license applications, but export policy is largely determined by the Defense Acquisition Organization, specifically the Director General for Exports and International Programs, a branch of the Defense Department. The Attorney General’s department is responsible for legal aspects of security and encryption policy.

There are also redacted passages in the Walsh Report that emphasize the weaknesses inherent in export controls:

1.2.60 The continuing efficacy of export controls as a defensive strategy is dubious when no import controls exist and firms are able to evade the export controls of the United States, far and away the major software supplier, and purchase their requirements in Europe or Asia. As well, the Internet offers a marketplace without borders.

5.2.7 It has to be said the continuing validity of export controls as a defensive strategy is open to question when import controls do not exist in most countries, where firms in countries covered by multi-lateral agreements on the proliferation of cryptography are able to circumvent United States' or Australia's export controls and buy the software of their choice in Asia or Europe and when easy access to the Internet is available to all.

Refs: Defense Signals Directorate letter dated January 14, 1999.

AG Letter.

Review of Policy relating to Encryption Technologies (Walsh Report), October 10, 1996.

http://www.efa.org.au/Issues/Crypto/Walsh/index.htm

http://zdnet.com.au/pcweek/content/1001/pcoz0004.html

E-mail dated January 21, 1999, Greg Taylor, Electronic Frontiers Australia.

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

http://www.dod.gov.au/dao/exportcontrols/greenbk/guidelin.htm

A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

 

Austria

1999 GREEN/YELLOW

1998 YELLOW

Austria's report to the OECD indicates that in general there are no domestic controls on the use of cryptography (including transmissions over public telecommunications networks) or import restrictions.

On July 9, 1998, the Austrian Council of Ministers, the decision-making arm of the Federal government, accepted a revised draft report of the Federal Chancellery on encryption policy. The Council included a specific proviso that a draft statute must be tabled by the end of 1999, and this draft must comply in letter and spirit with six fundamental principles. These principles are taken directly from a Draft Digital Signatures and Cryptography Act that was tabled as a joint effort by a broad coalition of interests, including the Austrian Federation of Industrialists, the Austrian Chamber of Labour, various Federal Ministries and the two governing parties in parliament.

In paragraph 2 of the Draft Act, the government is explicitly enjoined from mandating a particular technology to end users. In addition, the use of key escrow is specifically prohibited. It also makes clear that all rules pertaining to setting up the infrastructure may not be used in any way to limit the use of technological means by everyone to achieve confidentiality and authenticity as she or he sees fit. The infrastructure envisioned may not be limited to authentication usage, but can also be applied for use in applications ensuring the confidentiality of communication.

The Federal Chancellery failed to submit the Draft Act to Parliament by the end of 1998 and drafting has now been delegated to the Ministry of Justice.

According to the Commerce/NSA report and the OECD Inventory of Controls on Cryptography Technologies, the Austrian government controls all encryption software as a dual-use item, and special licenses are required for its export, transit, or re-export. The legislation governing dual-use items is the Aussenhandelsgesetz 1995 BGBl 172/1995. The law implements the EU Dual Use Regulation 3381/94 and the Wassenaar Arrangement. Licenses are denied to destinations where an armed conflict is ongoing, to countries of concern, and to those against which there are international sanctions. Austria agreed to the enhanced Wassenaar controls announced in December 1998.

During our first survey, the Embassy of Austria in Washington, D.C. informed us that the Austrian organization responsible for cryptography usage and exports and imports was the Federal Ministry of Foreign Affairs, Section VI, in Vienna.

Ref: Embassy of Austria, Office of the Commercial Counselor fax dated June 24, 1997.

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html/

Viktor Mayer-Schönberger / Michael Pilz / Christian Reiser / Gabriele Schmölzer, The Austrian Draft Digital Signatures Act, The Computer Law & Security Report Vol. 14 no. 5 (1998), 317.

 

Bahrain

1999 UNKNOWN

1998 UNKNOWN

During our first survey, we were contacted by telephone by the Embassy of Bahrain in Washington, D.C. and informed that the agency in Manama, Bahrain that was responsible for regulating the use of cryptography was the Directorate of Islamic Affairs, a component of the Ministry of Justice and Islamic Affairs. A direct query to that agency went unanswered.

 

Belarus

1999 RED

1998 RED

Belarus restricts the manufacture, maintenance, and use of cryptographic products. Licenses are required by the State Security Committee (the Belarussian KGB).

Ref: http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html

 

Belgium

1999 GREEN/YELLOW

1998 GREEN

There are no domestic controls on cryptography. In December 1994, the Belgian parliament enacted a law that would have required escrowed encryption. The law authorized the Belgian Institute for Posts and Telecommunications to establish a mandatory key escrow deposit system. The law contained homologation provisions that permitted Belgacom to disconnect a phone that used unescrowed encryption. The law was rescinded by the Law of December 19, 1997 that created a new Article on the Law of March 21, 1991. The article provides that "the use of cryptography shall remain free from restrictions." The law permits cryptographic techniques to be used within the private domain, private enterprises, and private networks.

A draft law on computer crime would authorize the Public Prosecutor to require a criminal suspect to decrypt a message for the prosecutor to read when so ordered.

Belgium requires those wishing to export cryptography to countries other than the Netherlands and Luxembourg to first obtain an export license. This is contained in the Law of August 5, 1991 and the Royal Decree of March 8, 1993 regarding the import, export, and transmission of arms, munitions, and materials for military use and related technology. The EU Dual Use Regulation 3381/94 has liberalized these requirements to cover additional EU members and certain non-EU countries. However, an export license for exporting cryptographic hardware or software outside the BENELUX countries is still required. These liberalized EU provisions are contained in the ministerial decree of May 19, 1995. Belgium agreed to the enhanced Wassenaar controls announced in December 1998.

The agency in charge of approving export licenses is the A.R.E., 4th Division.

Ref: http://www.iaik.tu-graz.ac.at/LEHRE/StudProj/HAINZSILLI/crypto.ak.home.html

http://www.freenix.fr/netizen/20 5-e.html

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

 

Belize

1999 GREEN

1998 GREEN

The Embassy of Belize in Washington, D.C. informed us that they were not aware of any laws in Belize concerning the use of cryptography. They did inform us that cryptography was under the jurisdiction of the Attorney General’s Ministry in Belmopan.

Ref: Embassy of Belize fax dated June 20, 1997.

 

Brazil

1999 GREEN/YELLOW

1998 GREEN

Brazil does not regulate the export, import or domestic use of encryption. However, there are indications that this situation may be changing. The Brazilian government is considering a law that would require importers and domestic users of encryption to register their products and systems with the government.

The PGP encryption program in Portuguese is available from Brazil via the Internet. The web site is http://www.dca.fee.unicamp.br/pgp.

Ref: NIST Preliminary Results of Study of Non-U.S. Cryptography Laws/Regulations, September 27, 1993.

White House Press Release, September 16, 1998.

 

Bulgaria

1999 GREEN/YELLOW

1998 GREEN/YELLOW

There are no domestic or import controls on the use of cryptography.

Bulgaria has acceded to the Wassenaar Arrangement and is presumably committed to restricting the export of cryptographic-enabled software as a dual-use good. Bulgaria agreed to the enhanced Wassenaar controls announced in December 1998.

 

Cambodia

1999 UNKNOWN

1998 UNKNOWN

During our first survey, the Embassy of Cambodia in Washington, D.C. informed us that although they were not aware of any laws concerning the use of cryptography in Cambodia, the Ministry with responsibility was the Ministry of Posts and Telecommunications in Phnom Penh. There was no response to our fax to the agency.

Ref: Royal Embassy of Cambodia fax dated June 19, 1997.

 

Campione d’Italia

1999 GREEN

1998 GREEN

Campione d’Italia is a small Italian enclave on the shores of Lake Lugano. It is totally surrounded by Switzerland. Although technically part of Italy’s province of Como, its close affiliation with Switzerland, a non-member of the European Union, has made it a virtual "neutral zone" from European laws, including those dealing with taxation. A company developing encryption in this feudal anomaly would face little or no export restrictions because Campione’s border with Switzerland is open (there is also unrestricted access to Liechtenstein) and Swiss laws do not apply in the enclave. Italy chooses not to apply most Italian laws dealing with financial regulations to the enclave. There is full Internet access via the modern Swiss PTT network. Because Campione has attracted numerous companies and banks, Italy prefers not to apply its laws to the territory.

Ref: www.henley-partner.com/campione.htm

 

Canada

1999 GREEN

1998 GREEN/YELLOW

There are no laws restricting the private use of cryptography. Canada’s homologation regulations require that cryptographic equipment conform to public network technical requirements.

In October 1998, Minister of Industry John Manley announced the elements of Canada’s Cryptography Policy. The policy is a component of the Canadian Electronic Commerce Strategy. The policy permits Canadians to develop, import and use whatever cryptography products they wish and does not impose mandatory key recovery requirements or a licensing regime. Manley stated that "This policy is good for the Canadian economy . . . It supports the increased use of electronic commerce products and services in Canada, as well as the export of Canadian information technologies to other countries."

The government said it believed it had achieved a balanced approach that encourages the growth of electronic commerce while maintaining the capability of law enforcement and national security agencies to ensure public safety.

Somewhat echoing his colleagues south of the border, Solicitor General Andy Scott said "Law enforcement agencies recognize the benefits of cryptography in protecting sensitive information . . . However, cryptography can also be used to shield criminal activities. This policy highlights the development of a framework to help law enforcement agencies deal with the challenges posed by advanced communications and information technologies, including cryptography."

Specifically, the Canadian government implemented a cryptography policy that:

The policy stipulates that:

Furthermore, the Government of Canada proposes to make it an offense to wrongfully disclose private encryption key information and to use cryptography to commit or hide evidence of a crime.

Canada was a member of COCOM and continues to adhere to the Wassenaar Arrangement, including the December 1998 changes to the export control lists. Consequently, Canada has issued guidelines for the export of information security related equipment and technologies that are reflected in the hardware and software dual-use list found in the Export Control List. These export controls are authorized by the Export and Import Permits Act. Accordingly, export licenses are required for export to all destinations except the United States. One exception is for Canadian residents who are traveling temporarily away from Canada and may wish to take a portable personal computer containing encryption software. All U.S.-origin encryption products are also controlled under Canadian regulations and they also require an individual or general export permit. All types of Canadian-manufactured cryptography can be exported freely from Canada to the United States. Canada regulates all types of exports of cryptography, including tangible (physical diskette) and intangible form (products downloaded from the Internet). When specific requests for export of intangibles are received, they are assessed on an individual basis.

There have been statements that the Canadian government will not impose strict new rules for export controls following the December Wassenaar changes. According to Canadian officials, mass-market software with encryption with a bit length of 128 bits will only require a one-time general license. Public domain software will not require any license.

The Foreign Affairs Export Controls Division of the Department of Foreign Affairs and International Trade works closely with Canada’s Communications Security Establishment (CSE), the NSA’s Canadian SIGINT partner, regarding export decisions on cryptographic products. The Division stated that the CSE works closely with the NSA, the UK’s Government Communications Headquarters (GCHQ), and Australia’s DSD on cryptographic export policies. Canada reported to the OECD that export permits are assessed on a routine basis for multiple destination countries or end-users for encryption products with key lengths of 56-bit DES equivalent or less. These are subject to a one-time review. Permits are also eased for trusted end-users, particularly Canadian corporations or bona fide financial institutions.

Ref: OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

Press Release 8099-e, Office of the Minister of Industry, October 1, 1998,

<http://info.ic.gc.ca/cmb/welcomeic.nsf/261ce500dfcd7259852564820068dc6d/85256613004a2e1785256690004c70fb?OpenDocument>

A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

E-Mail, Industry Canada, February 1, 1999.

 

Chile

1999 GREEN

1998 Not reported

There are reportedly no prohibitions on the export, import, or domestic use of cryptographic products in Chile.

Ref: http://cwis.kub.nl/~frw/people/koops/cls2.htm#bi

 

China

1999 RED

1998 RED

According to the NIST survey, China practices a licensing system for the use, importing and exporting of various commodities, including encryption hardware and software. An application must be filed and a license obtained in advance by corporations approved by the State to engage in the business of importing and exporting encryption products. The licenses are valid for one year and extensions may be applied for.

The Notice of the General Administration of Customs of the People’s Republic of China, Sec. 50-305, of November 1, 1987 (List of Prohibited and Restricted Imports and Exports), restricts the import and export of voice-encoding devices.

Corporations engaging in the export business must file an approval application with the Ministry of Foreign Trade and Economic Cooperation or the foreign trade bureau of the particular province. The Ministry establishes an export control list of prohibited and restricted goods. These regulations are contained in Interim Procedures of the State Import-Export Commission and Ministry of Foreign Trade of the People’s Republic of China Concerning the System of Export Licensing of June 3, 1980.

Ref: NIST Preliminary Results of Study of Non-U.S. Cryptography Laws/Regulations, September 27, 1993.

 

Croatia

1999 GREEN

1998 GREEN

According to the Ministry of Science and Technology, there are no domestic use, import or export controls for encryption in Croatia. There is also no agency in charge of setting policy.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Croatia. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions. Interestingly, Croatia is not eligible for a U.S. Encryption Licensing Agreement for the export of recoverable products, an indication that the U.S. does not entirely trust the Croatian intelligence service and law enforcement agencies not to abuse third party access to keys.

Ref: Email communication from Ministry of Science and Technology, Feb. 9, 1999.

White House Press Announcement, September 16, 1998.

 

Cyprus

1999 GREEN

1998 GREEN/YELLOW

According to the Cyprus Telecommunications Authority, there are no domestic use controls, export controls or import controls on cryptographic products in Cyprus. In addition, no government agency has established authority over cryptographic policy.

Ref: E-Mail, Cyprus Telecommunications Authority, Lefkosia, Cyprus, January 12, 1999.

 

Czech Republic

1999 GREEN/YELLOW

1998 GREEN/YELLOW

There are no domestic prohibitions on the use of cryptography in the Czech Republic.

The Czech Republic enacted a decree known as the "Control of Exports and Imports of Goods Subject to International Control Regimes". The decree incorporates both the EU and Wassenaar lists of controlled dual-use goods into Czech export law. The Czech Republic is a Participating State in Wassenaar and a candidate for EU membership.

The Ministry of Industry and Trade reviews the exports of cryptographic products. The Ministry will issue either an individual license or an individual open license for exports. An individual license is for a one-time export of a cryptographic product while an individual open license covers recurring exports of cryptographic products for a particular destination and for a finite period of time. The export law of the Czech Republic covers only tangible cryptographic products.

The Czech Republic also extends its export law to the import of cryptographic products. Although the Ministry of Industry and Trade retains authority to control imports, it has issued a general import license for cryptographic products and users do not require any special authorization to bring such products into the Czech Republic.

On December 31, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial sectors in the Czech Republic. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

 

Denmark

1999 GREEN/YELLOW

1998 GREEN

Denmark reported to the OECD that there are no domestic use prohibitions on the use of cryptography in Denmark.

In April 1997, an Export Committee on Cryptography, meeting under the auspices of the Ministry of Research and Technology and including representatives of other ministries, issued a report on the use and sale of cryptographic products. The Committee recommended that Denmark not impose new regulations on cryptography. However, it did state that Danish cryptography policy should take into consideration international developments (an obvious reference to Wassenaar and other regimes). The Committee particularly recommended against the establishment in Denmark of a key recovery scheme. In June 1998, the Committee issued its final recommendation. Although the Committee recommended that key recovery regulations and incentive schemes should not be implemented, international developments might necessitate a reconsideration of such controls in the future.

Denmark has implemented Wassenaar export controls in its Executive Order on Exports of Dual-Use Goods Technologies and Know-how. Denmark adheres to the amended Wassenaar Dual-Use Control list agreed to in Vienna in December 1998. This has caused some political controversy in Denmark and hearings may be held in the Parliament this year.

The Danish Agency for Trade and Industry licenses exports of cryptographic products. Danish export controls cover both tangible and intangible software transfers. Criminal sanctions can be levied against those who illegally transfer unlicensed cryptographic products subject to export controls. The Danish Defense Intelligence Service (Forsvarets Efterretningstjeneste) determines what and to whom cryptographic products may be exported.

Denmark originally regulated the export of strategic goods under a Ministry of Industry executive order dated November 12, 1993. The executive order has been subsumed by the EU dual-use regulation.

Ref: OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

No Regulation of Cryptography Now, Press release 27.05.97 <http://www.fsk.dk/fsk/presse/97/970527.html>

A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

 

Dominica

1999 GREEN

1998 Not reported

According to Delphis Ltd., a major Internet Service Provider in Dominica, there are no domestic use prohibitions, export or import controls on cryptography in Dominica. In addition, no government agency has been charged with regulating cryptographic technology.

On September 16, 1998, the United States authorized the export of unlimited strength encryption products (with or without key recovery) to the banking and financial, insurance, health and medical, and on-line electronic commercial sectors in Dominica. This is an indication that the U.S. has leveraged its authority to gain access to plain text information in those sectors within the country under Mutual Legal Assistance Treaty (MLAT)/Financial Action Task Force (FATF) provisions.

Ref: E-Mail, Delphis Ltd., Roseau, Commonwealth of Dominica, January 11, 1999.

White House Press Release, September 16, 1998.

 

Estonia

1999 GREEN

1998 GREEN

The Estonian government, in formulating its cryptographic policy, has recommended that the main principles approved by the OECD, EU, and other organizations will be accepted. Therefore, the use of cryptographic algorithms and methods will be free and no key escrow systems or other limitations for cryptographic systems will be introduced in Estonia. The ministry responsible for regulating cryptography use is the Estonian State Secretary. Estonians therefore have the right to import and use encryption products in the country.

NATO representatives have reportedly pressured Estonia to adopt key recovery schemes as a pre-condition for joining the Western alliance. However, the EU has rejected the key recovery approach and Germany, in particular, is said to have warned Estonia that it would have to adopt the EU policy on cryptography before joining the Union.

As Estonia is a candidate for full membership in the EU, it has adopted the EU’s dual-use control list for cryptographic exports. Accordingly, exports require a license from the Ministry of Foreign Affairs.

Ref: Dr. Monika Oit and Valdo Praust, "The Estonian view on National Information Security Policy," Baltic IT&T ’98, Riga, Latvia, April 15-18, 1998.

"U.S. Assault on Northern Europe," Intelligence Newsletter, No. 342, September 17, 1998.

 

Falkland Islands

1999 GREEN

1998 GREEN

According to Mr. D. G. Lang, the Attorney General of the Falkland Islands, there are no laws in the sparsely populated British territory that specifically deal with the use of cryptography. Mr. Lang informed us that, as Attorney General, he does have legitimate concerns about the possible use of cryptography by criminal organizations in furtherance of international crime or terrorism. However, he said that there is no organized crime on the islands. He did offer his belief that the Falklands government is committed to joining the international effort to combat organized crime and, if the international community were to launch an effort against the use of "uncrackable" cryptography, the Falklands would join in such an effort.

According to the Attorney General, although the Falklands has a Constitutional guarantee respecting the privacy of the individual, this guarantee falls short of an absolute guarantee of privacy. An individual, in the Attorney General’s opinion, would probably be unsuccessful in challenging on Constitutional grounds a possible future provision prohibiting or restricting his or her use of cryptographic techniques.

The Attorney General stated that cryptography is used in the Falklands for both business and government operations. He is not opposed to usage by such organizations, but merely the use of cryptography by criminals for criminal purposes.

Since United Kingdom laws do not automatically apply to the territories, the response of the Falkland Islands Attorney General is significant.

Ref: Attorney General of the Falkland Islands letter dated July 3, 1997.

 

Finland

1999 GREEN/YELLOW

1998 GREEN

A new Finnish Cryptographic Policy was announced on January 5, 1999:

The Government of Finland adheres to the following guidelines concerning the national cryptography policy and statements on the use of cryptographic products.

According to the Ministry of Trade and Industry of Finland:

Finland’s national legislation relevant to export controls are:

The national legislation refers to the European export control system, which consists of two legal instruments:

The EU Regulation is directly applicable to all the Member States of the European Union. Finland’s control lists (including definitions, general notes, etc.) concerning the export control of cryptographic software and hardware are identical to those agreed to in the Wassenaar Arrangement and the European Union Treaty. The only relevant difference to the controls maintained by the EU is that Finland’s national legislation also covers the export of services, including the transfer of intangible technology, e.g., via electronic mail. Finland adheres to the revised Wassenaar Dual-Use Control List agreed to in Vienna in December 1998.

In an interview with the Finnish national newspaper Helsingin Sanomat (December 15, 1998), Finnish Prime Minister Paavo Lipponen claimed it was the "very powerful position of the United States" that forced through the changes to Wassenaar. He added, "the Wassenaar negotiations are highly secret." The Prime Minister, noting that the controls could hurt Finnish industry, stated, "Finland still aims for openness and free markets also in this area." Lipponen had to consider the position of Nokia, a Finnish firm with a large share of the international cellular telephone market, and Data Fellows, a cryptographic firm that has enjoyed 90-120 per cent annual growth including a significant international market share. Nokia’s trade policy director told Helsingin Sanomat that, along with other industry sectors, his firm believes that strong encryption should be permitted and its export should not be restricted. He said applying for export restrictions creates additional work and costs and the process is a "difficult thing."

The government agencies responsible for setting policies on the use, importation, and exportation of cryptographic products include the Ministry of Trade and Industry and the Ministry for Foreign Affairs for export controls and electronic commerce, and the Ministry of Communications, and the Security Police (SUPO) (a component of the Interior Ministry). The Ministry of Finance has started a survey on the need for national information security legislation, including a law on digital signatures. Their work is ongoing.

Ref: Ministry of Trade and Industry, Helsinki, fax dated July 28, 1997.

National cryptography policy, October 1998

<http://www.vn.fi/lm/telecom/cryptography/guidelines.htm>

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

 

France

1999 YELLOW/GREEN

1998 RED/YELLOW

France has made a significant change in policy since our first survey in 1998. On January 19, 1999, Prime Minister Lionel Jospin announced a dramatic cryptography policy change. The new policy abolishes France’s complex licensing scheme for cryptographic imports and domestic use, mandatory key registration requirements for the domestic use of encryption, and a system of government-approved trusted third parties.

On January 19, Jospin stated:

  • The Government allowed itself time to reflect. After consulting those involved, experts and international partners, it became convinced that the dispositions which result from the law of 1996 are no longer appropriate. They strictly restrain the use of encryption in France, without allowing the authorities to efficiently combat criminal acts where encoding could facilitate dissimulation. They also make apparent a risk of isolation for France with regard to her main partners.

    The Government has therefore decided to opt for a fundamental change of direction, which aims to make the use of encryption totally permitted in France, while adapting the means at the disposal of the authorities to guarantee public liberty in this new environment and to combat the use of encoding methods for illicit ends.

  • The draft bill that will be presented to Parliament will be based on the following orientations:

    • provide total freedom of use of encryption products, with one restraint to maintain control over exports which result from France's international engagements (encoding methods that do not use keys that are longer than 56 bits);

    • suppress the mandatory nature of having recourse to a third party of confidence for depositing encoding keys. The role of the third party will not be limited to managing keys but can extend to other tasks, such as certifying electronic signatures. Recourse to such instruments and to auto-depository mechanisms will be encouraged. The third parties of confidence can notably apply for certification from the authorities.

    • allow the authorities to efficiently combat the use of encoding procedures for illicit ends. To this end, the current legal mechanism will be supplemented by setting up obligations, as well as penal sanctions, with regard to presenting the uncoded transcription of encoded documents to the legal authorities when they so request. Moreover, the technical capacities of the authorities will be significantly reinforced.

  • The law, therefore, must be changed, which will take several months. But the Government wished that the hindrances which handicap citizens who are anxious to protect the confidentiality of their exchanges, and the development of electronic commerce, be lifted without delay. Thus, while waiting for the legislative modifications announced, the Government decided to raise the threshold for permitted encryption methods from 40 bits to 128 bits, a level which is considered by experts to resolutely ensure high security.

    As far as the supply of encryption products is concerned, the declaration procedure will be simplified, notably through the suppression of the simple stop test. Finally, the constraints on the third parties of confidence that can be modified through regulatory means will be considerably relaxed, in particular by the suppression of the requirement for defense clearance for personnel and 24 hour per day availability.

In March 1999 the French government announced three decrees that are intended to relax controls on encryption. The Service Central de la Sécurité des Systèmes d’Information (SCSSI) is the regulatory body in France as far as cryptography is concerned. SCSSI comes under the authority of the Secretary General for National Defense (SGDN) and has a direct reporting line to the office of the Prime Minister of France. French cryptography controls are much more stringent than those recommended by the Wassenaar Arrangement, to which France is a party. In December 1998, France subscribed to the more restrictive Wassenaar Dual-Use Control List. French export control laws do not distinguish between tangible and intangible cryptographic products. The Commerce/NSA report states that "France has the most comprehensive cryptologic control and use regime in Europe, and possibly worldwide."

France’s report to the OECD states that export, import, and domestic use controls on the use of encryption in France prior to Prime Minister Jospin's announcement were governed by:

Ref: Interministerial Committee on the Information Society (CISI) - January 19th, 1999. <http://www.premier-ministre.gouv.fr/GB/INFO/FICHE1GB.HTM>

http://www.iris.sgdg.org/axes/crypto

http://www.internet.gouv.fre

OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

Embassy of France fax dated June 23, 1997.

A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

     

Germany

1999 GREEN

1998 GREEN

Germany has been at the forefront of opposing restrictions on encryption. It has been a counter-balance to U.S. efforts to promote key escrow and international restrictions. It had a significant role in the EU's 1997 paper on Encryption and Digital Signatures. In 1999, German efforts prevented key escrow from becoming part of the Wassenaar Arrangement.

According to the Embassy of the Federal Republic of Germany in Washington and the Federal Ministry of Economics and Technology.

Germany enacted a Digital Signature Law (SigG) on June 11, 1997. The digital signature system mandated uses asymmetric encryption. This system requires a secret key to be held by the signer and a public key that is certified by a Certificate Authority. The encryption algorithm to be used is not defined in the law. The law does not specify Certificate Authorities, but it requires that such parties be licensed by the government communications authority. This authority will certify Certificate Authorities and create a digital chain of trust for purposes of public key verification.

According to Germany’s report to the OECD, the "Electronic Commerce Initiative of the Federal Government" states that "the German government does not plan to regulate by statute the marketing and use of encryption products. In Germany, encryption systems may be freely chosen and used." In its progress report on the German action plan "Info 2000 - Germany’s Way to an Information Society" (Autumn 1997), the government states its policy is to:

Cryptographic exports are regulated by the implementation of the EU Dual-Use Regulation. Encryption equipment is listed individually in the German export list (Appendix to the Aussenwirtschaftsverordnung) in Part 1 C, paragraph 5 part 2 "Information Security." In 1998, the German Green Party posed the following question to the Federal Government: "Is the Federal Government aware of the view of cryptographic experts that certain encryption standards and systems have been watered down by the influence of agencies responsible for cryptography matters, in particular the NSA, and what is its response to this viewpoint?" The government’s answer was surprisingly candid, "The restrictive export control policy of the USA with regard to encryption technology is generally known; in its advisory role the BSI (Bundesamt für Sicherheit in der Informationstechnik -- the German Federal Information Security Agency, a department of the Ministry of the Interior) is, therefore, cautious with regard to recommending U.S. products to the public administration and to private German companies."

    In December 1998, Germany adhered to the revised Wassenaar Arrangement export controls, tightening up its own export criteria. However, the Ministry of Economics has indicated that it does not plan to impose new restrictions on the export of cryptographic products.

    Ref: E-mail from the German Ministry of Economics and Technology, January 19, 1999.

    Press Release of the German Federal Ministry of Economic Affairs, December 8, 1998 on Wassenaar Arrangement Export Control for Encryption Technology Relaxed: No Forthcoming "Key Recovery" for Crypto Products.

    <http://www.kuner.com/data/new/wassenaar.html>

    OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

    Embassy of the Federal Republic of Germany fax dated June 19, 1997.

    A Study of the International Market for Computer Software with Encryption, U.S. Department of Commerce and the National Security Agency, July 1995.

     

    Gibraltar

    1999 GREEN

    1998 GREEN

    The Gibraltar Government Mission in Washington did not respond to our survey. However, the government of this British self-governing territory on the southern tip of Spain hosts an Internet gaming site (called InterKeno). Registration is made via the Internet, and credit card details are submitted on heavily encrypted pages. The government of Gibraltar receives licensing fees from this operation, and it is unlikely that it would support a form of key recovery or escrow that might disrupt the gaming operations.

    Exports are regulated under the EU Dual Use restrictions.

    Ref: http://www.bet4abetterworld.com/general/geninfo.html#Security Information

     

    Greece

    1999 GREEN/YELLOW

    1998 GREEN/YELLOW

    Greece reported to the OECD that there are no import or domestic controls on cryptography in Greece.

    During our first survey, the Embassy of Greece in Washington informed us that Greece had no contemporary or projected legislation concerning the use, import, or export of cryptography.

    In December 1998, Greece subscribed to the more restrictive Wassenaar Dual-Use Control List.

    Also, see the entry for Mount Athos.

    Ref: Embassy of Greece letter dated July 15, 1997.

    OECD Group of Experts on Information Security and Privacy, Inventory of Controls on Cryptographic Technologies (DSTI/ICCP/REG(98)4/REV3), September 23, 1998.

     

    Hong Kong

    1999 YELLOW

    1998 YELLOW

    There are no domestic controls on encryption use in Hong Kong.

    Import and export of cryptography is regulated by t