Bert-Jaap Koops homepage - Crypto Law Survey

Overview per country

Version 22.3, January 2005
© Bert-Jaap Koops
All rights reserved. Please credit if quoting.

Please do not bookmark or link to this page, but refer to the main page instead.

Wassenaar Arrangement / COCOM [Sources 1, 5]

1. Export/ import controls

COCOM

COCOM (Coordinating Committee for Multilateral Export Controls) was an international organization for the mutual control of the export of strategic products and technical data from country members to proscribed destinations. It maintained, among others, the International Industrial List and the International Munitions List. In 1991, COCOM decided to allow export of mass-market cryptographic software (including public domain software). Most member countries of COCOM followed its regulations, but the United States maintained separate regulations.

Its 17 members were Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Luxemburg, The Netherlands, Norway, Portugal, Spain, Turkey, United Kingdom, and the United States. Cooperating members included Austria, Finland, Hungary, Ireland, New Zealand, Poland, Singapore, Slovakia, South Korea, Sweden, Switzerland, and Taiwan.

The main goal of the COCOM regulations was to prevent cryptography from being exported to "dangerous" countries - usually, the countries thought to maintain friendly ties with terrorist organizations, such as Libya, Iraq, Iran, and North Korea. Exporting to other countries is usually allowed, although states often require a license to be granted.

COCOM was dissolved in March 1994. Pending the signing of a new treaty, most members of COCOM agreed in principle to maintain the status quo, and cryptography remained on export control lists.

Wassenaar Arrangement

The Wassenaar Arrangement controls the export of weapons and of dual-use goods, that is, goods that can be used both for a military and for a civil purpose; cryptography is such a dual-use good.

In 1995, 28 countries decided to establish a follow-up to COCOM, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The negotiations on the Arrangement were finished in July 1996, and the agreement was signed by 31 countries (Argentina, Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, the Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States). Later, Bulgaria and Ukraine also became a participating state to the Arrangement.

The initial provisions were largely the same as old COCOM regulations. The General Software Note (applicable until the December 1998 revision) excepted mass-market and public-domain crypto software from the controls. Australia, France, New Zealand, Russia, and the US deviated from the GSN and controlled the export of mass-market and public-domain crypto software. Export via the Internet did not seem to be covered by the regulations.

There is a personal-use exemption, allowing export of products "accompanying their user for the user's personal use" (e.g., on a laptop).

In September 1998, Wassenaar negotiations in Vienna did not lead to changes in the crypto controls, although it was apparently considered to restrict the GSN (see an article in German) and possibly also to ease controls for key-recovery crypto. (Compare an article in Swedish of March 1998.)

The Wassenaar Arrangement was revised in December 1998. Negotiations were held on 2 and 3 December 1998 in Vienna, which resulted in restrictions on the General Software Note and in some relexations:

• free for export are: all symmetric crypto products of up to 56 bits, all asymmetric crypto products of up to 512 bits, and all subgroup-based crypto products (including elliptic curve) of up to 112 bits;
• mass-market symmetric crypto software and hardware of up to 64 bits are free for export (the 64-bit limit was deleted on 1 December 2000, see below);
• the export of products that use encryption to protect intellectual property (such as DVDs) is relaxed;
• export of all other crypto still requires a license.

There was no change in the provisions on public-domain crypto, so that all public-domain crypto software is still free for export. Nothing was said about electronic exports (e.g., via the Internet), which consequently remain unclear.

In its meeting of 30 November-1 December 2000, the Wassenaar states lifted the 64-bit limit for export controls on mass-market crypto software and hardware (in the Cryptography Note, clause d. (the 64-bit limit) was deleted in its reference to category 5A2, as well as the related Validity Note, see the summary). The public statement of the meeting mentioned that "Participating States recognised that it is important to continue deepening Wassenaar Arrangement understanding of how and how much to control" intangible transfers.

The Wassenaar provisions are not directly applicable: each member state has to implement them in national legislation for them to have effect. (In the entries below, I have included mention of the pre-December 1998 regulations, which will stay into effect until the government enacts new legislation to implement the Wassenaar changes.)

See the Wassenaar List (crypto is in category 5 part 2). See further the Wassenaar Arrangement page (includes contact information for various national export control authorities), a Wassenaar FAQ (by US BIS), Greg Broiles' page on the Wassenaar Arrangement, which includes links to John Young's pages on the Wassenaar Arrangement and comments on the December 1998 changes, and the GILC Wassenaar page. See also Chapter 3 of Simo-Pekka Parviainen's thesis on Cryptographic Software Export Controls in the EU. Cf. an April 1996 article on the Wassenaar Arrangement.

Back to the Table of Contents

Council of Europe [Source 5]

2. Domestic laws and regulations
On 23 November 2001, the Council of Europe adopted the Convention on Cybercrime [search for convention 185] (see the text and Explanatory Report). The Convention deals with substantive and procedural criminal law. 
Article 18 contains a production order: "Each party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order: a). a person in its territory to submit specified computer data in that person's possession or control, which is stored in a computer system of a computer-data storage medium". Para. 176 of the Explanatory Memorandum adds that "Parties could establish obligations that the specified computer data (...) must be produced in the manner specified in the order. This could include reference (...) to form, such as that the data or information be provided in 'plain text' (...)." Hence, the convention allows, but does not oblige, party states to create a decryption order.
Section 62 of the Explanatory Memorandum specifies the clause "without right" that is used in describing several offences the treaty penalises. It explicitly states that encryption "should in principle be considered a legitimate protection of privacy and, therefore, be considered as being undertaken with right". So, encryption can not be outlawed by party states, although the phrase "in principle" allows for a certain margin of appreciation.

The Convention was signed on 23 November 2001 by 26 of the 43 CoE Member States, as well as by Canada, Japan, South Africa and the United States (who participated in the drafting process). Later, several states followed. As soon as 5 countries have ratified the convention, it will enter into force. (As of 8 January 2004, four countries had ratified.) The convention will not be directly applicable, but will have to be implemented by party states in their national laws. See the list of signatures and ratifications for the current status of the convention.  

History of the Convention
A Committee of Experts on Crime in Cyber-Space (PC-CY) was established in January 1997, and published a first draft text for discussion on 27 April 2000 (version 19). The Assembly of the CoE approved a further draft on 24 April 2001, and a new version (no. 27) was published on 25 May 2001 (CDPC (2001) 2 rev). 

The production order was earlier included in article 14 of the draft (version 19). Article 14, section 5 read: "Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order for the purposes of criminal investigations and proceedings any person who has knowledge about the functioning of the computer system or measures applied to secure the computer data therein to provide all necessary information, as is reasonable, to enable the undertaking of the measures referred to in paragraphs 1 [search] and 4 [seizure]."
The "measures applied to secure the computer data" included cryptography. It was not quite clear whether the provision included a decryption order. Given the purpose of the seizure power of article 14, section 4 ("to seize or similarly secure computer data accessed (...) in view of their possible use in criminal investigations and proceedings"), one might infer that section 5 should be read as requiring persons to provide decryption information that enable the use of seized encrypted data in criminal proceedings. Admittedly, the text was a bit muddy here.
The text refers only to criminal investigation, not to national security purposes. Since section 7 refers to the "conditions and safeguards under national law", states must respect the privilege against self-incrimination, which is incorporated in article 6 of the European Convention on Human Rights and hence should be respected in national laws. Consequently, states should not require suspects to decrypt.

Earlier on, key escrow may have been considered in the draft convention. According to the 25 November 1998 minutes of the EU's Legal Advisory Board, it was unclear "whether the convention will contain any provisions on escrow of encryption algorithms". The current text does not contain anything to suggest key escrow.

3. Developments to restrict cryptography
The Council of Europe (a 46-member intergovernmental organisation, whose treaties are not directly applicable in national law), in its Recommendation R (95) 13 Concerning Problems of Criminal Procedure Law Connected with Information Technology of 11 September 1995, stated that "measures should be considered to minimise the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary." The recommendation itself does not state which measures should be taken or how the "balance must be found" in the "conflict of interests between the needs of the users and law enforcement".

Back to the Table of Contents

European Union [Sources 5, 7, 8]

1. Export/ import controls
Export of dual-use goods, including cryptography, is regulated by the Council Regulation (EC) No 1334/2000 setting up a Community regime for the control of exports of dual-use items and technology (Official Journal L159, 30.1.2000), in force since 29 September 2000 [see also the Corrigendum, Official Journal 2000/176, 15.07.2000]. This replaces the earlier 1994 Council Regulation (see below). The Regulation was amended by Council Regulation (EC) No 458/2001 of 6 March 2001, OJ 7 March 2001, L65/19 (deleting the 64-bit limit for symmetric mass-market crypto, see under Wassenaar), by Council Regulation (EC) No 2432/2001 [beware: large document] of 20 November 2001, the  Annexes of which replaced the Annexes to the 2000 Regulation (and by Council Regulation (EC) No 880/2002 of 27 May 2002, OJ 29 May 2002, L 139/7, which is not relevant to crypto controls). The EU regulations follow the Wassenaar Arrangement.
In general, export within the EU is liberalised, and remaining export licensing procedures are simplified.

• Export to other EU countries is entirely liberalised, with the exception of some highly specialised products, such as cryptanalysis items. For these items, member states can issue General Intra-Community Licenses valid for export to one or more determined EU countries, provided basic requirements are met, such as a statement of the end use of exported items. For re-exports after intra-EU export, an information-exchange mechanism is established.
• For export to Australia, Canada, the Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, Switzerland and the US, a Community General Export Authorisation (CGEA) can be applied for, which is valid for export from all EU countries.
• For export to other countries. a General National License can be applied for (except for cryptanalysis items), which are valid for export to one particular country. Otherwise, exporters have to apply for an individual license. For mass-market crypto software and hardware

See for an overview of EU export controls Simo-Pekka Parviainen's thesis on Cryptographic Software Export Controls in the EU, and the documents page at UK's DTI. 

2. Domestic laws and regulations
The European Council Resolution of 17 January 1995 on the lawful interception of telecommunications (96/C329/01) contains a requirement for network operators and service providers, if they use encryption, to provide intercepted communications to law-enforcement agencies "en clair" (which I interpret as meaning to provide the signal as they received it, since they cannot undo encryption by users).

3. Developments to restrict cryptography
The draft Green Book on the Security of Information Systems (Draft 4.0, 18 October 1993), which has not been officially adopted by the European Council, poses a case for the provision of "Public Confidentiality Services" (which would offer some sort of Government Access to Keys).

In 1996 and 1997, the European Commission was working on a draft proposal on the establishment of a Europe-wide network of Trusted Third Party Services (ETS). The network would be established for providing certification services by private TTP's. Although primarily meant for establishing an infrastructure for the use of public key encryption, the proposal might also try to address the legal access problem, e.g., through key recovery. The studies conducted did not address key recovery in-depth, but concentrated on issues related to establishing a public-key infrastructure for digital signatures. The Report on the results of 1995 TTP projects said that key recovery systems "can potentially provide at least part of the answer to the problems raised by confidentiality functions." These "should be investigated as a matter of priority, in order to complete the picture of TTP functionality." See the Infosec homepage and European Trusted Services preparatory studies. See also the KRISIS pilot project.

The 6-8 July 1997 Global Information Networks Conference Bonn Ministerial Declaration of European Ministers (from the European Union, EFTA, Central and Eastern Europe, and Cyprus) echoes the OECD guidelines. It recognizes the importance of strong cryptography, and declares that crypto products should be available internationally and users should have free choice, subject to applicable law. Measures to safeguard lawful access should be proportionate and effective. Like the OECD guidelines, this leaves ample room for interpretation (pro or con key recovery).

With the release in October 1997 of the Communication from the Commission Towards A European Framework for Digital Signatures And Encryption, COM (97) 503, the European Commission has chosen a direction away from key recovery. Building on its April 1997 Communication on Electronic Commerce, this communication aims at creating a reliable European framework for digital signatures. It also addresses confidentiality crypto policy. It stresses the economic and societal importance of cryptography: "the public needs to have access to technical tools allowing effective protection of the confidentiality of data and communication against arbitrary intrusions. Encryption of data is very often the only effective and cost-efficient way of meeting these requirements." The Commission is concerned that restrictions on encryption affect the right to privacy, its effective exercise and the harmonisation of data protection laws in the Internal Market. Also, "divergence between regulatory schemes might result in obstacles to the functioning of the Internal Market."

The Commission is wary of key recovery issues. "Key escrow or key recovery raise a number of practical and complex questions that policy makers would need to solve, in particular issues of privacy, vulnerability, effectiveness and costs. If at all required, regulation should be limited to what is absolutely necessary. Regulation would also need to distinguish between a multitude of possible key types (storage keys, session keys, authentication keys, etc.)." The Commission will examine whether national restrictions are totally or partially justified, notably whether they are proportionate, taking into account the provisions on the free circulation of goods in the Internal Market, and the requirements of the Data Protection Directive. Also, regulations should distinguish authentication services from confidentiality services. The Commission invites the Council of the European Union to initiate a debate on encryption issues. (In its Ninth Report, the Select Committee on European Legislation considered that this Communication does "not raise questions of legal or political importance".)

At the RSA Data Security Conference, January 1998, Detlef Eckhert of the European Commission (DGXIII) said that no regulation is planned for the EU.

EU ministers of Justice and Home Affairs were reported to have agreed that law enforcement agencies must have access to keys or plaintext, at a conference in Birmingham, January 1998. The UK prepared a policy paper for the EU in February 1998, stating that it may be necessary for law enforcement to have lawful access in certain circumstances, which may be either overt (i.e., demanding decryption) or covert (probably through key recovery). The Council of Ministers, on 28 May 1998, decided to monitor closely the use of cryptography by serious criminals and terrorists; it recognised the promotion of key escrow as a possible approach to meet law-enforcement needs. Also, law-enforcement agencies may require access to decryption keys necessary to decrypt seized material. The Council agreed to prepare a Resolution on Encryption and Law Enforcement [source: Swedish government communication 1998/99:116].

ETSI (European Telecommunications Standardisation Institute) worked on a standard for Trusted Third Parties. Part of the standard would relate to lawful access to encrypted data. Great Britain was reported to have pushed here for its Royal Holloway scheme (for key escrow) to be used as a basis, but in early 1998, an interim draft to this purpose was rejected by ETSI.

See also Cryptography in Europe.

4. Developments favoring cryptography
The European Union has adopted a Green Paper on Legal Protection for Encrypted Services in the Single Market, a discussion proposal on protecting services which are encrypted to ensure payment of a fee (such as pay television and video-on-demand). The Green Paper considers proposing a harmonization of national laws to prohibit the manufacture, sale, importation, possession, and promotion of illicit decoders, as well as unauthorized decoding. On 9 July 1997, the European Commission proposed legislation (directive COM (97) 356 (in pdf)) to this purpose, which would also include online services with conditional access. Some cryptographers have voiced concern that the proposal might curb cryptanalytic research. See also Markus Kuhn's critical page on the subject.

The Communication Towards A European Framework for Digital Signatures And Encryption(see above) stresses the economic and soietal importance of encryption. It mentions that the institutions of the European Union will use digital signatures and encryption.

More recently, several other EU documents call for wider use of encryption as a tool to protect European citizens. The Draft report of the Temporary Committee on the Echelon Interception System of 18 May 2001 recommends "appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software" and "The European institutions and the public administrations of the Member States are called upon systematically to encrypt e-mails, so that ultimately encryption becomes the norm."
The Commission Communication on Improving the Security of Information Infrastructures and Combating Computer-related Crime of 26 January 2001, COM(2000) 890 final, affirms that the Commission will promote "the availability of products and services with an appropriate level of security and encouragement of a more liberalised use of strong encryption through a dialogue amongst all interested parties." The draft Proposal for a Recommendation on security of infrastructures and combating computer-related crime of 18 June 2001 calls for promoting "European research in encryption software to improve the possibility of self-defence by consumers".

Back to the Table of Contents

OECD (Organisation for Economic Co-operation and Development) [Source 5]

3. Developments to restrict cryptography/ 4. Developments favoring cryptography
The OECD released its Recommendation of the Council concerning Guidelines for Cryptography Policy on 27 March 1997. The guidelines are non-binding recommendations to Member governments, meaning that they will not be part of international law. The Guidelines provide principles which states should take into account and balance in developing a national crypto policy. The principles are:

1. Trust in cryptographic methods
2. Choice of cryptographic methods
3. Market driven development of cryptographic methods
4. Standards for cryptographic methods
5. Protection of privacy and personal data
6. Lawful access
7. Liability
8. International co-operation

The principles should be seen as "interdependent and should be implemented as a whole so as to balance the various interests at stake. No principle should be implemented in isolation from the rest."

Some have welcomed the OECD principles as a victory for privacy over US-pushed key recovery, while others object to certain points as being too inflexible or too vague. Although the guidelines do not endorse key recovery, they do not prohibit it either. In fact, the guidelines are vague enough to allow a broad range of interpretation, and states will be able to choose a privacy-oriented or a law-enforcement-driven policy line as they see fit. While the guidelines recommend states to cooperate to coordinate their crypto policies, one may be skeptical about the chances of governments coming to an agreement; after all, within the OECD, states have not been able to agree, and they have left the task of finding a balance between, roughly speaking, information security/ privacy and law-enforcement/ national security to individual states.

Cf. Stewart Baker's analysis of and comments on the OECD guidelines.

The process of discussing and drafting policy guidelines started with an Ad-hoc Meeting of Experts on Cryptography Policy on 18-19 December 1995, organized by the OECD Committee for Information, Computer and Communications Policy (ICCP). They proposed to make a study upon current Member Countries encryption policies, market for encryption, key escrow encryption, and to develop a cryptography policy guideline based on the following principles, among others: provides security with confidence, voluntary use, international perspective, recognise national responsibilities, legally effective. The Group of Experts on Security, Privacy and Intellectual Property Protection in the Global Information Infrastructure held subsequent meetings on 7-8 February 1996 in Canberra, on 8 May 1996 in Washington, DC, on 26-28 June in Paris, and on 26-27 September 1996, again in Paris. At the June 1996 meeting, according to one report, no agreement was established; the OECD was said to be split into two parties, one with countries favouring mandatory key escrow (notably the US, UK, and France), and one with countries opposing this approach (mainly Japan and the Scandinavian countries). See a 1 October 1996 press release.

One can compare the final version to an earlier draft of the Guidelines that was discussed at the December 1996 meeting (with rather optimistic personal comments by Robin Whittle). (Text between [square brackets] remained to be decided upon.) In January 1997, the OECD Group of Experts on Security. Privacy, and Intellectual Property Protection in the GII concluded the guidelines. The Guidelines were finally turned into a Council of the OECD resolution in March 1997.

Back to the Table of Contents

Business Government Forum [Source 5]

1. Export/ import controls / 3. Developments to restrict cryptography
On 19-20 December 1995, a meeting was held at the International Chamber of Commerce in Paris, with governments, businesses and computer experts attending. According to an ICC press release, the "meeting ended in agreement that [encryption] controls should be kept to a minimum, consistent with the requirements of law enforcement and national security". Businesses agreed that independent trusted third parties could hold deposited keys, to which governments are allowed access under proper judicial warrant, provided sufficient safeguards are in place. Some governments appeared willing to relax export controls on strong cryptography as long as these safeguards applied. A second Business Government Forum on Global Cryptography Policy was held on 7 May 1996 in Washington, DC.

Argentina [Source 5]

1. Export/ import controls
There are no import controls.

Argentina has signed the Wassenaar Arrangement, so export controls should be regulated according to the pre-December 1998 Arrangement, including the General Software Note.

2. Domestic laws and regulations
There are no controls on crypto use.

Back to the Table of Contents

Australia [Sources 1, 3, 5, 8]

1. Export/ import controls
Export is regulated through the Defence and Strategic Goods List, last changed in June 1999 according to the December 1998 Wassenaar Arrangement. This includes the General Technology Note, exempting public-domain software from controls. Mass-market software is regulated according to the Wassenaar limits. There is a personal-use exemption (export is allowed for lawful permanent residents, provided they keep control of the crypto and make sure it is not transferred anywhere; a record must be kept for 3 years).

Before the 1999 implementation of Wassenaar, export regulations of December 1996 (see Cat 5.doc) were in accordance with the pre-December 1998 Wassenaar Arrangement, with the exception of the General Software Note. Written permission was needed for exporting cryptographic equipment designed to ensure the secrecy of communications or stored information. Public-domain or generally available crypto-software were included in the export controls (only public-domain "technology" (i.e. specific information necessary for the use of goods) was excluded).

Approval is also required for software that does not itself contain cryptography, but which has an interface specially designed for plugging in cryptography.

Crypto software transmitted electronically (e.g., over the Internet) was apparently not controlled. In mid-1998, the Defence Department became concerned that electronic exports were not covered by the controls, and to counter this, they have apparently threatened to use the Weapons of Mass Destruction Act. This in turn triggered a campaign by Electronic Frontiers Australia. After six months, the Defence Signals Directorate determined that no license was required for an online mirror of PGPi, provided that a warning is contained in the download page that the downloader may infringe Australian export rules if he does not have export approval; apparently, the burden of seeking a license is thus shifted to the downloader rather than the person who makes software available electronically.

Compare Nick Ellsmore's Cryptology for background on the Australian situation.

2. Domestic laws and regulations
On 27 September 2001, the Cybercrime Act, No. 161, 2001, was passed. Item 12 of the law inserts a section 3LA in the Crimes Act 1914, that requires release of encryption keys or decryption of encrypted data, upon a magistrate's order. The order may be granted if there are reasonable grounds for suspecting evidential material is held in or accessible from a computer, and the specified person is a suspect or (an employee of) the owner or lessee of the computer, who has relevant knowledge of the encryption. Failure to comply with the order is punishable with up to six months' imprisonment. The same power is granted in section 201A of the Customs Act 1901. The text of the Act is available at Scaleplus (search for "cybercrime act"). 
The Act is based on the Council of Europe's (then draft) Convention on Cybercrime. 
See EFA's comments on the Act.

3. Developments to restrict cryptography
Earlier developments
There has been an apparently unfounded rumour in the mid-1990s that Australia was planning to restrict banks to Government Access to Keys.

At the OECD meeting of December 1995, Australia expressed little interest in the use of Trusted Third Parties for judicial access to keys. Instead, the paper of the delegation suggested to require suspects to decrypt in case of a warrant; this would require the rules against self-incrimination to be adapted.

A 1996 report by Gerard Walsh, Review of policy relating to encryption technologies, was barred from public release in February 1997 by the Attorney-General's Department. After a freedom of information request by Electronic Frontiers Australia (EFA), it was released, and it is now available online at EFA. The main finding of the Review was that major legislative action was not advised at the time to safeguard national security and law-enforcement interests, although a range of minor legislative and other actions were indicated (such as the creation of an aggregate statute on intrusive investigative powers). The review did not recommend specific options for encryption legislation at the time. One action indicated was to consider establishing a further and more serious category of offence where encryption is used to obstruct government investigation into a criminal offence, and to consider creating a power to require production of crypto keys (or other recovery information). The review did not support mandatory key recovery at that stage.

Compare Nick Ellsmore's Cryptology for background on the Australian situation.

4. Developments favoring cryptography
Transmission of confidential government information (classified "confidential" or above) must be encrypted by an encryption system supplied by the Defence Signals Directorate available only to government agencies.

On 6 May 1998, the Minister for Finance and Administration officially launched the Gatekeeperproject, a strategy for the use of public-key technology within the Government.

Back to the Table of Contents

Austria [Sources 1, 5]

1. Export/ import controls
Export rules follow EU regulations and the (pre-December 1998) Wassenaar Arrangement.

2. Domestic laws and regulations
The Betriebsfunkverordnung forbids encryption in internal company and organisation radio transmissions.

3. Developments to restrict cryptography
no

4. Developments favoring cryptography
no

Back to the Table of Contents

Bangladesh [Source 5]

2. Domestic laws and regulations
There seems to be no law restricting cryptography.

Back to the Table of Contents

Belarus [Source 5, 7]

1. Export/ import controls
Import and export of cryptography (coding equipment) is restricted through Resolution of the Council of Ministers of the Republic of Belarus No. 218 of 18 March 1997. One must obtain a license from the Ministry of Foreign Affairs or the State Center for Information Security of the Security Council..

2. Domestic laws and regulations
According to the 21 August 1995 decree N. 456, for application of cryptography means, a license is required by the State Center for Information Security of the Security Council. For design, production, sale, repair, and operation of cryptography, a license by the Committee for State Security is needed. Cryptography use by business people is restricted.

Back to the Table of Contents

Belgium [Sources 1, 3, 5]

1. Export/ import controls
Belgium requires a license for exporting cryptography outside of the Benelux. Belgium has signed the Wassenaar Arrangement, including the (pre-December 1998) General Software Note.

2. Domestic laws and regulations
Decryption order
The Law on information-science crime (Wet van 28 november 2000 inzake informaticacriminaliteit / Loi du 28 Novembre relative à la criminalité informatique), Belgisch Staatsblad / Moniteur Belge 2001 - 298, of 28 November 2000 contains a decryption order (see the documents of the Second Chamber, in Dutch and French). Article 9 creates a new provision in the Code of Criminal Procedure, Art. 88quater. Para. 1 of art. 88quater allows an investigation judge (or others on his order) to order someone whom he reasonably suspects to have special knowledge of encryption services to give information on the working or the accessing of the services or on how to decrypt (literally: how to get the data at stake in intelligible form). This order to give decryption information can be given to suspects and people with a right to non-disclosure. (This follows from the fact that para. 2 has a privilege-against-self-incrimation exception, whereas para. 1 does not.)
Para. 2 of art. 88quater allows the investigation judge to order any suitable person to decrypt herself, within her possibility (lit.: to make accessible the data in the form ordered by the judge). This order to decrypt oneself cannot be given to suspects or persons with a right to non-disclosure (para 2, section 2). 
A refusal of either order is punishable with 6 to 12 months' imprisonment and/or a fine of BEF26 to BEF20k. There is a secrecy duty for professionally involved people. If the ordered persons unintentionally cause damage to the system or data, the State is civilly liable for this.

Article 12 of the same law has a more or less similar provision for intercepted encrypted telecommunications, to be inserted as section 4 of art. 90quater of the Belgian CCP. However, here there is no exception for suspects or persons with a right to non-disclosure, nor is there a civil-liability clause for the State.

Compare an earlier draft of the Law on information-science crime (Wetsontwerp inzake informaticacriminaliteit / Projet de loi relatif a la criminalite informatique), Nrs. 213/1 and 214/1, of 28 October 1999; see articles 4 and 7.

Program Act
The Program Act (Programmawet / Loi-programme) of 30 December 2001, Belgisch Staatsblad / Moniteur Belge 2001 of 31 December 2001, inserts a provision, art. 109terE, para. 6,  in the Law on the reform of certain economic state companies (Wet betreffende de hervorming van sommige economische overheidsbedrijven) of 21 March 1991, which may become a prohibition to use cryptography in telecommunications. The provision reads: 'The king determines (...) the technical and administrative measures applicable to (...) telecommunication-service subscribers and users, (...) in order to prohibit the provision of telecommunications services that prevent or hamper the measures of the [wiretap] Act of 10 June 1998 (...)." The provision will enter into force when the applicable Royal Decree appears.

Compare also art. 111 of the Act: "No-one is allowed to establish or try to establish communications via the telecommunications infrastructure in the Kingdom that harm the respect for the laws, the state security, the public order or the good morals or that constitute an insult to a foreign State." Violation of this article is punishable with imprisonment of one to four years (art. 114 para. 8 Reform Law). 

However, the potential prohibition of article 109terE, para. 6, has to be read in conjunction with another article in the same Law, art. 109terF. This was inserted on 19 December 1997 (see the Belgisch Staatsblad/ Moniteur Belge of 30 December 1997) to clear the confusion that an earlier law had caused (see below) . This article states explicitly that the use of encryption is free. The provision of indicated encryption services to the public is subject to prior notification (four weeks in advance) to the Belgian Institute of Post and Telecommunications. The explanatory note states that the explicit mention that crypto use is free was needed to indicate the difference with the former law which wanted to subject encryption to procedures relating to key deposits. In the 1997 law, the government kept open the possibility of future action to gain access to coded messages; "this problem will be reviewed later, having regard to the development of the technology or of potential abuse of encryption by mafia organizations or terrorists".

History
In January 1996, Belgium found itself having a law which might prohibit the use of unescrowed encryption. The law was passed in December 1994 as part of a larger law and went unnoticed at the time. The law adds a condition under which telecoms equipment may be seized, namely in case of end equipment which renders tapping ineffective.

According to this law, crypto systems had to be agreed by the Belgian Institute for Posts and Telecommunications (BIPT), which some interpreted as an obligation to deposit keys there. However, a BIPT spokesman said that "government does not know the consequences of the law". The law was not enforced, but Belinfosec (Belgium Information & Security) had apparently prepared a report proposing further specifications and enacting clauses. The regulation had to be further implemented by Royal Decrees. The Ministry of Justice stated they did not intend to prohibit encryption as a rule. The law was interpreted by some as allowing a phone to be disconnected when it uses (hardware) cryptography end equipment.

Two legislation proposals, by Hatry (in French or Dutch) and Bribosia/Maximus (in French or Dutch) were submitted to drop the debated provisions of the 1994 law. The proposed law of Mmes. Bribosia and Maximus additionally tried to solve the law enforcement problem by requiring everyone who would be able to help in decrypting to do this, provided the help is necessary for the investigation.

3. Developments to regulate cryptography
None.

Back to the Table of Contents

Brazil [Sources 3, 5]

1. Export/ import controls
There are no export or import controls, but the government is working on a regulation.

2. Domestic laws and regulations
There are no controls on crypto use.

3. Developments to restrict cryptography
The government is working on a crypto law, but does not intend to restrict cryptography use.

Back to the Table of Contents

Bulgaria [Sources 5]

1. Export/ import controls
Bulgaria has signed the Wassenaar Arrangement.

Back to the Table of Contents

Burma (Myanmar) [Sources 5]

1. Export/ import controls
Export and import of cryptography may be restricted on the basis of the Computer Science Development Law (SLORC Law No. 10/96) of 20 September 1996, as amended by Law No. 3/98 of 23 February 1998. This law allows the Myanmar Computer Science Development Council to prescribe types of computer software and information that are not permitted to be imported or exported; violation of this prohibition carries a sentence of 5 to 10 years' imprisonment. According to an article by James Finch and Gladstone on the law (CTLR 2000: 67-70), as of March 2000, the Council had not promulgated any such permission or prohibition, implying that crypto import and export may be unrestricted.

2. Domestic laws and regulations
Cryptography is said to be restricted through a licensing regime.

Back to the Table of Contents

Canada [Sources 1, 3, 4, 5, 8]

1. Export/ import controls
Canada follows (pre-December 1998) Wassenaar regulations. The export of items from Canada may be subject to restriction if they are included on the Export Control List. In December 1996, Canada granted export of 56-bit cryptography to most countries for a twelve-month trial period; this has been extended until 30 June 1998. Mass-marker and public-domain software is excluded from the controls.

All types of cryptography can be transported between Canada and the United States, but cryptography imported from the US which is not otherwise included in the Export Control List remains under US export rules and cannot be exported from Canada if the US does not allow export. Public domain and mass-market software can be freely exported, but if it contains US-origin goods, paperwork must be filled out.

A discussion paper by the Task Force on Electronic Commerce, from February 1998, A Cryptography Policy Framework for Electronic Commerce, invited discussion over a review of Canada's crypto policy, including export controls. It presented three policy options:

• relax controls either by matching the most liberal export policies of other countries, or through recognition of the availability of similar-strength crypto products in foreign markets;
• maintain the existing policy;
• extend the export controls by adding mass-market and public-domain software, possibly with a relaxation for key recovery products.

An analysis of the 189 responses to the discussion paper was published on 28 September 1998. Most respondents favored relaxing controls on the export of cryptography.

Immediately following this publication, the government announced a new cryptography policy on 1 October 1998 (available at Industry Canada). Industry Minister John Manley affirmed the government's commitment to the Wassenaar Arrangement. However, the export controls would take into account the practices of other countries, so that they are not more restrictive than those of, in particular, the US, which had relaxed exports for certain sectors in September 1998. Furthermore, the export-permit process would be streamlined. For many products, users, or destinations, after a one-time review, general or multi-destination, multi-user permits would be issued.

See the relevant sections of the Export Control List and a summary of Canada's export controls on cryptographic software. Cf. also Baker and Hintze's comparison of US and Canada export controls.

2. Domestic laws and regulations
There are no domestic regulations on cryptography.

3. Developments to restrict cryptography
A discussion paper by the Task Force on Electronic Commerce, from February 1998, A Cryptography Policy Framework for Electronic Commerce, invited discussion over a review of Canada's crypto policy. It presented options for reviewing the domestic policy on encryption of stored data and on encryption of real-time communications.

For domestic encryption of stored data, the paper suggested the following options:

• a laissez-faire model: continue with current policies and leave everything to the market;
• a minimum standards approach: encourage crypto users to store back-up crypto keys or to provide business data recovery; this would be done by stimulating industry self-regulation, and possibly through using the government's PKI (see below) to only cross-certify private crypto service providers that comply with the minimum standards;
• mandatory access legislation through prohibiting non-key recovery cryptography.

For domestic encryption of real-time communications, the paper suggested the following options:

• maintain the status quo, that is, telecom carriers are required to decrypt to the extent they are able to, and the only telecom carriers required for law enforcement and national security reasons to undo encryption they themselves employ are the new wireless providers of personal communications services and local multipoint communications services (the other carriers are currently not required to keep back-up copies of session keys);
• obligations on all carriers: require that all federally regulated telecommunications carriers providing encryption services retain the ability to decrypt for law enforcement and national securities agencies on receipt of a court order; this would be extended to provincially regulated service providers, but would not affect Internet service providers;
• mandatory controls: in addition to the second option, crypto service providers would be obliged to provide mandatory assistance for decryption, and users would be prohibited from using non-key recovery crypto.

An analysis of the 189 responses to the discussion paper was published on 28 September 1998. Most respondents favored relaxing controls on the use of cryptography.

Immediately following this publication, the government announced a new cryptography policy on 1 October 1998 (available at Industry Canada). Industry Minister John Manley affirmed the freedom to develop and use cryptography products. The government will not implement mandatory key recovery or a mandatory licensing regime for TTPs. The government does, however, encourage industry to use key-recovery techniques for stored data, and it will use government procurement to encourage commercial key escrow by acting "as a model user of cryptography". Finally, the government proposes to make it an offense to "wrongfully disclose private encryption key information and to use cryptography to commit or hide evidence of a crime." Moreover, "warrants and assistance orders also apply to situations where encryption is encountered - to obtain the decrypted material or decryption keys."

See the summary of Canada's crypto policy.

4. Developments favoring cryptography
The Federal Government is establishing a Public Key Infrastructure throughout its network of federal departments and agencies, enabling secure transactions between citizens and the state. The PKI will be fully implemented in late 1998. See the government's PKI information page, and the February 1998 discussion paper A Cryptography Policy Framework for Electronic Commerce.

Back to the Table of Contents

Chile [Sources 5]

1. Export/ import controls
There are no import controls.

2. Domestic laws and regulations
There is no law regulating encryption use.

Back to the Table of Contents

People's Republic of China [Sources 3, 5]

See also Hong Kong Special Administrative Region.

1. Export/ import controls
By State Council Order No. 273, "Commercial Use Password Management Regulations", published on 15 October 1999 and in effect since 7 October 1999, import and export of encryption products requires a license by the State Encryption Management Commission. According to a "clarification letter" sent to US businesses in China in early March 2000, this involves only hardware and software for which encryption and decoding operations are core functions. As a result, products in which cryptography is only built-in (such as mobile phones and browser software) are exempted. Moreover, the letter clarified that the regulations do not entail key escrow.
However, the clarification letter only seems to apply to pre-2000 products. All products since 2000 seem to require a license.

2. Domestic laws and regulations
By State Council Order No. 273, "Commercial Use Password Management Regulations", published on 15 October 1999 and in effect since 7 October 1999, domestic crypto manufacture and use is severely restricted. Officially designated manufacturers must obtain aproval from the State Encryption Management Commission for the type and model (including key length) of their crypto products. Organisations and individuals may not distribute encryption products produced abroad. People may only use encryption products approved by the Commission, and they may not use commercial encryption products developed by themselves or produced abroad. For this use, they must have approval by the Commission. Only foreign diplomatic missions and consulates are exempted from this approval. The deadline for registration of crypto users was 31 January 2000.

According to a "clarification letter" sent to US businesses in China in early March 2000, this involves, however, only specialized hardware and software for which encryption and decoding operations are core functions. As a result, products in which cryptography is only built-in are exempted. Moreover, the letter clarified that the regulations do not entail key escrow.
However, the clarification letter only seems to apply to pre-2000 products. All products since 2000 seem to require a license.

For wireless crypto products, China seems to require use of a Chinese proprietary algorithm, and AES and WEP must be disabled.

Back to the Table of Contents

Colombia [Source 5]

1. Export/ import controls
There are no import restrictions.

2. Domestic laws and regulations
Use of encryption is not restricted.

Back to the Table of Contents

Costa Rica [Source 5]

2. Domestic laws and regulations
Use of encryption is apparently not regulated.

Back to the Table of Contents

Czech republic [Sources 5]

1. Export/ import controls
Import is allowed "if it is declared by the importer not to be used for production, development, collection or use of nuclear, chemical or biological weapons."

Export is regulated according to the (pre-December 1998) Wassenaar Arrangement, implemented in the Law on the control of export and import of goods and technologies subject to international controls and further regulations on licensing export and import (regulations 43/1997 and 44/1997). However, the controls do not seem to be enforced, and the official government document Information Policy of the Czech Republic - Strategy Basics states: "The state shall not restrict import or export of cryptographic technologies."

2. Domestic laws and regulations
None.

3. Developments to restrict cryptography
No crypto regulation is expected.

Back to the Table of Contents

Denmark [Sources 1, 4, 5, 9]

1. Export/ import controls
There are export controls according to the (pre-December 1998) Wassenaar Arrangement, including the General Software Note. The Danish representative agreed to the December 1998 Wassenaar changes, but this has met with serious resistance in the Danish parliament and the government's IT Security Council (see an article in Danish).
The Danish Encryption Policy (click on Emneord, Kryptering), published by the four responsible ministers on 7 April 2000, is based on the principle that "Efforts should be made to ensure the greatest possible liberalization of export control for dual-use goods and technologies, within the EU and Wassenaar, but with due consideration for the need to remain in control of the spreading of very sensitive products to sensitive end-users."
Import is not controlled, and this policy will be maintained, as confirmed the first principle of the Danish Encryption Policy.

2. Domestic laws and regulations
None.

3. Developments to restrict cryptography
The Danish Technology Council, in an October 1995 report, discussed several options for cryptography policy, varying from doing nothing to prohibiting cryptography, without really taking a stand itself. According to the report, the issue is a Gordian knot, which should be cut soon by the Danish government.

The Danish IT Security Council adopted a policy on encryption in June 1996. The Council recommended that no limitations on encryption use should be introduced. Only in the case of telecommunications companies providing encryption as an integral part of their services, the companies should be able to decrypt a communication through a court order. The Council was of the opinion that secure and inviolable communication should be promoted and that any encryption prohibition at present is an illusion in reality, given the spread of efficient cryptography through the Internet.

A departmental Expert Committee, appointed in the summer of 1996 in preparation for a final decision on the crypto issue by the government, released its Report by the Expert Committee on Cryptography in April 1997. The Committee, under pressure of time, restricted its study to a regulation of the sale of cryptography (not its manufacture, use or import). The Committee recommended that no regulation of cryptography should be introduced presently. It further recommended that the Expert Committee should continue to follow international developments, and carry out an analysis to assess the possibilities and consequences of introducing incentive schemes to induce people to use key-recovery crypto.

The Expert Committee was allowed to continue its work, and in May 1998, it presented its final conclusions (press release in Danish) in a "Report on incentive solutions" (updated version available in Danish and partly in English). The report recommended that no restrictions should be established on citizens' and companies' encryption capabilities. No initiative should be made to incite people to use key-recovery cryptography. Still, the Danish government should not reject the possibility of a future crypto regulation. The international development should be monitored, and the crypto question should be answered anew if an international direction of crypto policies should emerge.

The government was to take a final position on the crypto question in 1998, but it was only on 7 April 2000 that four ministers published a letter to the IT-security Council with the Danish Encryption Policy (click on Emneord, Kryptering). The four principles stress that the current policy of free use of encryption will be maintained. Moreover, the Danish government will actively promote the dissemination and use of strong encryption in Denmark. Denmark will not implement key recovery regulations, but the government should "also be mindful of the continued need of the police, in accordance with the legal protection guarantees afforded by the Administration of Justice Act, to make use of existing means of investigation to prevent and clear up crime."

4. Developments favoring cryptography
The Danish Teletrust Group has set up an Encryption Group to work on the technical and legal concept of public-key certifying authorities. A Centre Certifying Authority (CCA) would coordinate control and certification of key centres to provide secure keys within telecommunications. It would be necessary for such a CCA to have a legal basis. The Danish government has not (yet) implemented the initiative into law.

The Post Security Services (formerly Nordic), involving Denmark, Finland, Norway, Sweden, and Ireland, provides a 1024-RSA-based secure e-mail system, with the Post Office as Key Authority. Other countries have shown interest in being cross-certified.

Back to the Table of Contents

Egypt [Source 5]

1. Export/ import controls
The import of tangible cryptography should take place through an importer who is registered on the Importers Register prepared by the Ministry of Economy and International Trade.

2. Domestic laws and regulations
There are no laws that prohibit the use of encryption.

3. Developments to restrict cryptography
According to a 2002 document by the ITU on the legal framework for e-commerce in Africa, the principle of cryptography 'according to specific rules and regulations' is accepted, possibly indicating an intention to regulate cryptography use. Moreover, an 'encryption office shall be established for depositing the encryption keys, safeguarding the encrypted data, which cannot be decoded unless according to a court decision', suggesting an intention to mandate key escrow.

Back to the Table of Contents

Estonia [Source 5]

1. Export/ import controls
There are no import controls, but export is controlled along the Wassenaar model. Licenses for export can be obtained from the Ministry of Foreign Affairs.

Back to the Table of Contents

Finland [Sources 4, 5, 8]

1. Export/ import controls
Import of cryptography is not regulated.

For export, a license is required through the Export Control of Dual-Use Goods Act (562/96), which implements the EU recommendation on export of dual-use goods and the WassenaarArrangement. A license is not needed if the crypto product is sold freely in retail and does not require extensive vendor support.
The Ministry of Trade and Industry announced (in Finnish) on 4 December 2000 that as of Spring 2001, mass-market cryptographic software of unlimited key length can be freely exported to all countries, in line with the Wassenaar Arrangement decision of 1 December 2000.

The government agreed upon a crypto policy on 7 October 1998. The National Cryptography Policy guidelines of 12 October 1998 (copy available in Finnish) affirm the commitment to the Wassenaar Arrangement and EU recommendation. However, Finland aims to influence the reform of the international export regulations so that control lists correspond to technical development, and to ensure that the necessary restrictions will not unreasonably impede normal foreign trade.

See also section 5.1 of Simo-Pekka Parviainen's thesis.

2. Domestic laws and regulations
None.

3. Developments to restrict cryptography
At the OECD meeting of December 1995, Finland did not approve key escrow proposals. The chairman of the Finnish public administration's group for data security affirmed that Finland will not require key escrow.

The government crypto policy guidelines (in Finnish) of 12 October 1998 affirm the support of free trade and use of cryptography. The provision of crypto services will be subject to a licensing and other authorization systems, based on voluntary action. Key escrow will not be mandatory. In criminal investigation, suspects do not have to assist in decryption of encrypted stored or transported data, but the authorities "may demand the provider of certification services or the maintainer of the encryption system to hand over a secret key in their possession or to otherwise contribute to the investigation of individual encrypted data". By 31 December 1998, the Ministries of Justice and the Interior will clarify the need to reform the Coercive Criminal Investigation Means Act.

4. Developments favoring cryptography
The Post Security Services (formerly Nordic), involving Denmark, Finland, Norway, Sweden, and Ireland, provides a 1024-RSA-based secure e-mail system, with the Post Office as Key Authority. Other countries have shown interest in being cross-certified.

The Privacy and Data Security in Telecommunications Act of June 1999 (no. 565-1999) allow telecoms users and subscribers "right to code their telecommunications message in the way they wish utilising the technical possibilities available thereto". Telecom operators have to inform users about the possibilities to protect communications. See sections 5 and 6 of the Act (also available in Finnish.

Back to the Table of Contents

France [Sources 1, 3, 4, 5, 6, 7]

1. Export/ import controls
France has signed the Wassenaar Arrangement for export controls, with the exception of the (pre-December 1998) General Software Note. See the government's SSI site for a list of applicable laws and decrees.

The import from countries outside the EU and the EEA (European Economic Area) and export of cryptography is regulated by the law No. 2004-575 of 21 June 2004 for the trust in the digital economy (Loi pour la confiance dans l'économie numérique). Articles 29, 30, 31, 34, 35, and 40 restrict import and export of cryptography products and services. Cryptography that can only be used for authentication is free of restrictions (art. 30(II)). 
Import from within the EU/EEA is free; import from other countries is subject to declaration, except for categories designated by decree (art. 30(III)). Export is subject to authorisation, except for categories designated by decree (art. 30(IV)). Authorisations and declarations executed prior to this law remain valid until their expiry date (art. 40). Failure to comply with these requirements is punishable with up to one (declaration) or two (authorisation) years' imprisonment and a fine of maximum 15,000 or 30,000 euro, respectively (art. 35).  
The decrees referred to in article 30 have not yet appeared; presumably, the former decrees (see below) still apply. 

Summary

functionality	no formality	declaration	authorization
authentication-only	use, import, export, supply
confidentiality crypto with key length up to 40 bits	use, import	supply	export (?)
confidentiality crypto with key length of 40-128 bits	use, import (for private use only)	use, import (for non-private use), supply	export
analogue crypto (e.g. in fax machines)	use, export, import	supply
various specific applications in which the cryptography cannot be used by the user for encrypting data (see decree 99-200 for details)	supply, use, export, import
crypto equipment accompanying someone with an official invitation by the state	use, export, import
other			supply, use, export, import

For temporary export, a user declaration will serve as export declaration in the case of cryptography used exclusively for personal use by an individual. A delivery declaration will serve as temporary-export declaration for a sample.

See also section 5.4 of Simo-Pekka Parviainen's thesis.

History
Formerly, the regulation was the law of 26 July 1996 (see article 28 (in French)) and the decrees implementing it of 24 February 1998, no. 98-101 (in French), as changed by decree 2002-688 (in French), and of 17 March 1999 (see below). 
Decree 99-200 of 17 March 1999 (text in French, and again) specifies categories of cryptography which do not require any prior formality. Decree 99-199 of 17 March 1999 (text in French and again) specifies categories of cryptography for which prior declaration is required (and no longer prior authorization). These decrees replaced the decrees 98-206 and 98-207 of 23 March 1998 (text in French).

In accordance with Jospin's January 1999 speech (text in French), a law was proposed for full liberalization of crypto import. A Bill on the Information Society (No. 3143, text in French) was approved by the Council of Ministers on 13 June 2001, but stranded in parliament. Chapter II of the Bill contained an extensive revision of the crypto regulations. The import and export rules were proposed as follows.

• authentication-only crypto is entirely free (art. 37-II);
• transfer from an EU member and import of crypto that can be used for confidentiality must be declared (decrees may specify crypto exempt from this requirement) (art. 37-III);
• transfer to an EU member and export of crypto that can be used for confidentiality requires authorization (decrees may specify crypto exempt from this requirement) (art. 37-IV);
• failure to declare is punishable with up to one year imprisonment, failure to comply with authorization with up to two years' (art. 43);
• declarations and authorizations executed prior to this law remain valid until their expiry date (art. 49).

Similar provisions have now been enacted through the law on trust in the digital economy (see above). 

2. Domestic laws and regulations
France used to restrict the domestic use and supply of cryptography for a long time (see below under History). This restrictive legislation (authorization and declaration were required for almost all cryptography) was slightly liberalized in 1996, when a law was passed mandating key deposits with Trusted Third Parties (TTPs). However, the domestic use of cryptography was liberalized in January 1999. Subsequently, other kinds of regulation (decrytion order, raising punishment) have followed.

Current state of the law
The use of cryptography is free, according to article 30(I) of the law No. 2004-575 of 21 June 2004 for the trust in the digital economy (Loi pour la confiance dans l'économie numérique). 
The provision of crypto services is subject to regulation: service provision must be declared, except for services designated by decree that do not harm security or defense interests. Service providers are subject to professional secrecy (art. 31 of the digital-economy act). Failure to declare is punishable with up to two years' imprisonment and a fine of up to 30,000 euro (art. 35(III)). The law also creates liability for service providers that store private keys (art. 32). Moreover, the Prime Minister can prohibit circulation of cryptography if its supplier does not comply with the regulations, even of the supply is free of charge (art. 34, sanctioned with up to two years' imprisonment (art. 35(II)). 

A decryption order has been enacted by the Law 2001-1062 of 15 November 2001 on daily security (JO 16 November 2001, p. 18215). Article 30 inserts a Title IV in the Code of Criminal Procedure that entails a power to require all qualified persons to decrypt or to hand over decryption keys if encrypted data are encountered during an investigation (art. 230-1 para. 1 FCCP). If it is necessary for the investigation of a crime with a maximum penalty of at least twe years' imprisonment, the police can ask the national-security services to crack encrypted data (art. 230-1 para. 2 through 230-5 FCCP). To this end, a Technical Assistance Center (Centre technique d'assistance) was created within the Ministry of the Interior by Decree 2002-1073 of 7 August 2002 (JO 10 August 2002, p. 13713), the activities of which are secret.  
Article 31(II) inserts a penalization in the Criminal Code: someone who fails to comply with a decryption order is punishable with a maximum of three years' imprisonment and 45,000 euro, or with five years' and 75,000 euro if decryption could have prevented or mitigated the effects of a crime (art. 434-15-2 FCC). According to article 31(I), TTPs offering confidentiality services are required to hand over the decryption keys of their customers or to decrypt themselves, under threat of two years' imprisonment and a fine of 45,000 euro (art. 11-1 of the Law of 10 July 1991 on the secrecy of correspondence by telecommunications). 

Maximum penalties for crimes are raised if cryptography was used to prepare or commit a crime or to facilitate the preparation or commission of a crime, according to article 37 of the law No. 2004-575 of 21 June 2004 for the trust in the digital economy (Loi pour la confiance dans l'économie numérique). The maximum punishments of crimes punishable with up to three years' imprisonment are doubled, and higher maximum punishments are raised one category (with categories of 5, 7, 10, 15, 20, 30 years and life imprisonment). The punishment rise is not applicable, however, if the perpetrator, upon request, submits the plaintext and private key of encrypted messages.

Investigation powers are attributed to competent officials to investigate crimes related to the crypto regulations, including search and seizure of cryptography. Failure to comply with a request for information or documents or blocking the investigation is punishable with up to six months' imprisonment and a fine of 7,500 euro (art. 36).

History of French domestic crypto laws
Before 1996, delivery, importation, exportation, and use of cryptography were subjected to: a) prior declaration if the cryptography can have no other object than authenticating communications or assuring the integrity of transmitted messages; b) prior authorisation by the Prime Minister in all other cases.

Simplified procedures existed for certain cryptography products or services or certain user categories. For authorisation, a dossier containing technical details and administrative data had to be submitted. Authorisation could be subjected to certain conditions in order to reserve the use of certain types of cryptography to defined user or application categories.

A press release of 16 October 1995 specified that use of cryptography for protecting passwords, access codes, subscriber numbers or bank card numbers for authentication purposes only necessitated a declaration by the provider when installing the service.

On 18 June 1996, France passed a law adapting its restrictions on cryptography (text in English or French). The law was published in the Journal Officiel on 27 July 1996 and is referred to as the 26th July law. Decrees on the application of the law (which have to be promulgated before the law is applicable) were published on 25 February 1998 (see the Journal Officiel of that date) (decree 98-101 of 24 February 1998 on the conditions of declarations and authorizations, and decree 98-102 of 24 February 1998 on the conditions for key escrow agencies), and several more decrees were published on 13 and 23 March 1998.

Cryptography that does not provide confidentiality could be used without restriction (so the prior requirement of declaration is cancelled); supply of authentication-only cryptography still had to be declared. Use and supply of confidentiality cryptography required authorization. Decree 98-206 of 23 March 1998 (text in French) specified categories of cryptography which did not require declaration or authorization (such as video-scramblers and ATMs). A supplier was exempted from the formalities for use exclusively for developing, validating, or demonstrating cryptography, if he informed SCSSI at least two weeks in advance. No authorization was given for cryptography for use by radio amateurs. A supply authorization for collective use exempted users from acquiring a use authorization. The use of cryptography with key lengths limited to 40 bits was exempted from declaration or authorization if ciphertexts can be cracked in maximum of 2⁴⁰ trials, according to decree 98-207 of 23 March 1998 (text in French) (this requirement was interpreted by Yves le Roux as a requirement to incorporate in every ciphertext a known plaintext (that is given to the authorities) to enable a known-plaintext attack); the supply of such cryptography was subject to declaration.

The law furthermore introduced Trusted Third Parties (TTPs), or rather, Key Escrow Agencies (KEA). If a KEA and its key-escrow scheme had been approved, users who escrowed their keys with the KEA would be able to freely use the cryptography scheme with these keys. The KEAs would be required to hand over keys to law enforcement under certain conditions. The only authorized Key Escrow Agency was SCSSI, according to a decree of 13 March 1998.

Decree 98-102 (text in French) specified the conditions for KEAs. It addressed, among others, the duration of a license to operate, the information the KEA had to provide to SCSSI, the information to register, user contract terms, a register of key requests by law enforcement and a separate (classified) one for key requests by security agencies, security measures, and how to handle when ceasing the activity. KEA employees were required to have a French security clearance.

In a 16 January 1998 press release, State Secretary of Industry Pierret welcomed the statement by Jospin that 56-bit cryptography should be liberalized as soon as possible to a simple regime of authorization.

The action plan on "Electronic Commerce" (see part III, "Creating Confidence", in particular part III.3), published 7 January 1998 by a task force led by Francis Lorentz, stated that the government was "resolutely oriented towards a liberal reading of the law". It urged a rapid implementation of the new law. It proposed further:

• a strong communication policy to promote the decrees;
• to promote with its (especially European) partners the principles underlying the policy;
• to bring about an agreement with France's most important trading partners on the principles and establishment of TTPs/ key deposits;
• to regularly review the regulatory framework (in particular, the 40-bit limit should be reviewed rapidly), conducting a broad consultation on this before the end of 1998;
• a government TTP/deposit service to be established as a role model, while stressing the importance of developing private operators for this function as well;
• that the decrees should not impose technical architectures for TTPs, but should limit themselves to functional demands.

It was unclear to what extent the restrictive regulation was enforced in practice; it was rumoured to be widely ignored. It seemed impossible for individuals or enterprises to obtain authorisation for "strong" cryptography. Even for state-owned industry, cryptography that does not serve military or high-grade security purposes had to be breakable. SCSSI, the office dealing with authorisation, rendered decisions without motivation.

For the state of the law before 1999 (NOTE: this is outdated now), see also the summary of the French encryption regulation (in pdf) by Yves le Roux, including a list of the then applicable laws and decrees. The French pre-1999 regulation (now outdated) could be summed up in the following table (reprinted with the kind permission of Yves le Roux):

functionality	supply	import from outside EU/EEA	use	export
authentication-only	declaration	declaration	free	declaration
confidentiality with key length under 40 bits	authorization or declaration (*)	authorization or free (*)	authorization or free (*)	authorization
confidentiality using Key Escrow Agency	authorization	authorization	free	authorization
other confidentiality	authorization	authorization	authorization	authorization

(*) The dispensation was given for crypto which is sure to be cracked in maximum 2⁴⁰ rounds.

At a press conference (text in French) on 19 January 1999, Prime Minister Jospin announced the liberalization of the domestic crypto legislation. Use of cryptography of up to 128 bits is allowed as per direct (this was raised from 40 bits), while a law is being prepared for the complete liberalization of crypto use (see below). The mandatory nature of key deposits with TTPs is abolished.
These changes were implemented in decrees 99-200 of 17 March 1999 (text in French) and decree 99-199 of 17 March 1999 (text in French), pending the law which is to offer full liberalization of crypto use. See the summary table above (under 1) for a specification of cryptography of which the use is free.

Subsequently, a law was proposed to relax the previous restrictive crypto regulations. As outlined in the October 1999 Policy paper on the adaptation of the legal framework to the information society, the Bill on the Information Society (No. 3143, text in French) was approved by the Council of Ministers on 13 June 2001 (see general information in French on this bill). The bill stranded in parliament, however. Chapter II of the Bill contained an extensive revision of the crypto regulations. Some of these amendments (below indicated with (#)) were enacted in the November 2001 Law on daily security, others (indicated with &) in the June 2004 Law on trust in the digital economy (see above). The proposed domestic rules were as follows. 

• use and provision
  • use of crypto is entirely free (art. 37-I); (&)
  • authentication-only crypto is entirely free (art. 37-II); (&)
  • provision of cryptography that can be used for confidentiality must be declared (decrees may specify crypto exempt from this requirement) (art. 37-III); failure to declare is punishable with up to one year imprisonment (art. 43); declarations executed prior to this law remain valid until their expiry date (art. 49);  (&)
• TTP services
  • provision of crypto services must be declared (sanctioned with up to two years' imprisonment (art. 43-III)); such TTPs can subject themselves to voluntary accreditation (art. 38);
  • TTPs are held liable under certain conditions, both for confidentiality (art. 39) (&) and authentication (art. 40) services;
  • the Prime Minister can prohibit circulation of cryptography if its supplier does not comply with the regulations (art. 41, sanctioned with up to two years' imprisonment (art. 43-II)); (&)
  • Key Escrow Agencies have to decrypt or give decryption keys upon order, sanctioned with up to two year's imprisonment (art. 42); (#)
• criminal procedure and decryption order
  • competent officials are attributed several powers to investigate crimes related to the crypto regulations; failure to comply with a request for information or documents or blocking the investigation is punishable with up to six months' imprisonment (art. 44); (&)
  • if cryptography was used to facilitate the preparation or commission of a crime, the maximum punishment can be raised by a certain amount (but not if the offendant handed over plaintext or decryption keys) (art. 45); (&)
  • failure to comply with a decryption order (see below) is punishable with maximum three years' imprisonment, or with five years' if decryption could have prevented or mitigated the effects of a crime (art. 46); (#)
  • a power is introduced to require all qualified persons to decrypt or to hand over decryption keys if encrypted data are encountered during an investigation (proposed art. 230-1 para. 1 FCCP); (#)
  • if it is necessary for the investigation of a crime with a maximum penalty of at least twe years' imprisonment, the police can ask the national-security services to crack encrypted data (proposed art. 230-1 para. 2 - 230-5 FCCP). (#)

See the government SSI site on the applicable laws and decrees. For former regulattions, see the (now outdated) summary of the pre-1999 French encryption regulation (in pdf) by Yves le Roux.

Back to the Table of Contents

Germany [Sources 1, 3, 4, 5, 7]

1. Export/ import controls
Export is regulated according to the EU regulation and the Wassenaar Arrangement, in the regulations as amended according to the General License Nr. 16 (pdf text in German, published in the Bundesanzeiger of 31 August 1999, in force since 1 September 1999 (earlier version in Bundesanzeiger 32a of 15 February 1997)).

A press release of 27 August 1999 of the Ministry of Economic Affairs specified the new export controls, which stated that export controls for mass-market cryptography are limited to the absolute necessary. Mass-market crypto export within the EU has already been liberalized by the EU. Except for export to a few countries or for sensitive (military) applications, companies can now decide themselves whether a product falls within the category of mass-market crypto for which a general license suffices. There is no general requirement to declare, but exporters must be able, when requested, to hand over the specifics of exports. When in doubt, the Federal Export Agency (BAFA) will help (see address list).

See also section 5.3 of Simo-Pekka Parviainen's thesis.
A good article by Stefan Schuppert on Germany's export regulations (in German) appeared in Computer und Recht 2001/7, p. 429-434.

2. Domestic laws and regulations
None.

3. Developments to restrict cryptography
On 2 June 1999, the German government announced its "Corner points of the German crypto policy" (Eckpunkte der deutschen Kryptopolitik). There are five cornerstones.

1. The government does not intend to restrict the free availability of cryptography. It will actively support the spread of secure encryption in Germany.
2. The government will take measures to establish a framework of trust for secure encryption.
3. The government considers indispensable the ability of crypto manufacturers to develop secure and powerful crypto products.
4. The spread of strong cryptography should not erode the government's interception powers. Developments will therefore be closely monitored, and a report will be issued after two years. Besides, the government will make an effort to enhance the technical competence of law-enforcement and security agencies.
5. The government greatly values the international cooperation in crypto policy. It will advocate market-driven, open standards and interoperable systems.

History of the discussions about crypto regualation
Several politicians have expressed a desire to regulate cryptography. There have been many conflicting rumours on the likelihood of a crypto regulation. Interior Minister Kanther stated on 22 July 1997 that presently, there will be no crypto law; first, one should investigate what is technically feasible and useful. Overall, the government seemed to lean toward an intention not to regulate cryptography.

Allegedly, the government has been considering three variants of a crypto regulation:

1. crypto service providers would have to store escrowed keys and if necessary hand these over to law-enforcement
2. 1 + marketing of encryption products would require a license
3. 1 + 2 + prohibition of non-licensed (escrowed) encryption

Federal Interior Minister Kanther stated, in a speech on 28 April 1997, he wants to control encryption, by allowing only technologies whose manufacturers agree to provide keys to law enforcement (this seems option 2 in the above). In June 1997, however, the Interior Ministry seemed to favor a two-year voluntary key-escrow approach, in which the government would certify cryptography products which incorporate key-escrow (which seems option 1 in the above). Use of certified products would be voluntary. In October 1997, parliamentarian Tauss revealed that Kanther favours a crypto chip, comparable to the US Clipper chip, for use by the government, in order to create market pressure to push others to use the same technology. There is little support from industry for such an approach. The discussion over this "Pluto chip" was downplayed in early 1998, when producer Siemens and commissioner BSI (government agency for IT security) stated that the chip did not contain a backdoor.

The German federal government was, however, itself divided over the issue. Contrary to Kanther, the Minister of Economic Affairs Rexrodt opposed any restriction on crypto use. Likewise, the state Ministers of Economic Affairs in a March 1997 conference in Eltville spoke out against a ban on cryptography. Justice Minister Schmidt-Jortzig also opposed a restrictive crypto regulation. The initiative on Electronic Commerce ("Elektronischer Geschäftsverkehr"), dated 29 October 1997, declares: "The federal government does currently not intend to legally regulate the marketing or use of crypto products. In Germany, therefore, crypto systems can be freely chosen and used." Ulrich Sandl, from the Ministry of Foreign Affairs, said at the RSA Data Security Conference, 13 January 1998, that GAK systems were ruled out until at least the end of the year; moreover, he implied that use of US key recovery products may not be in accordance with German privacy law.

In December 1996, a meeting behind closed door was apparently held by federal and state Secretaries of State, discussing crypto regulation. The outcome of the meeting seemed to be some proposal to regulate cryptography: only licensed crypto could be used, and crypto manufacturers and distributors would be required, in order to have their products licensed, to ensure deposit of private crypto keys for law-enforcement and national security access, as well as to deposit the crypto source code. Distribution and use of non-licensed crypto would be banned. However, rumours over the status of such a proposal widely differred: some claimed that the proposal was merely a shot in the blue to trigger reactions, others claimed it was a (preliminary) draft of a impending regulation.

The Bavarian Secretary of Internal Affairs demanded a federal law against conspiratorial encryption technologies in telecommunications.

In the April 1997 parliamentary debate on the Information and Communication Services Law, the FDP explicitly spoke out against a crypto regulation. CDU/CSU-MP Marschewski stated that encryption should forthwith be put under a Europe-wide licensing regime. The political party Bündnis/ Die Grünen opposes a cryptography prohibition or a restrictive (e.g., key- escrow) regulation. The German Federal Parliament, in a 20 June 1996 resolution, found that effective encryption procedures may be freely chosen by participants within the scope of the constitutional right to confidential communication (which may be breached for internal or external security reasons).

An interministerial Task Force on Crypto Politics was set up in October 1996 to develop concrete suggestions for an overall political strategy on IT security until the end of 1996. The federal Minister of Economic Affairs, in announcing the Task Force on 7 October 1996, stated that a trade-off should be found between the equally important principles of freely choosing cryptography and preventing criminal crypto abuse.

A Ministry of the Interior official responsible for national security, in a November 1996 debate, appeared to favour a crypto legislation to protect law-enforcement and national security. Although he did not think criminals would use licensed (key-escrow) cryptography, he stated that use of unlicensed crypto would give rise to criminal suspicion, and would moreover facilitate traffic analysis to discover criminal organizations.

The German Council for Research, Technology and Innovation, in a December 1995 report on the Information Society, recommends that legal preconditions have to be made for the decryption of documents by state authorities, that specify the criteria for decryption competence and unequivocally regulate the seizure of documents. The report states that in developing and implementing cryptography products it has to be realized that it must be possible to decrypt single documents in relation to the execution of criminal procedure law.

A conference of Justice Ministers in December 1995 expressed concern that law enforcement is not keeping pace with technological developments. Federal Minister of Justice Schmidt-Jortzig acknowledges the problem of law enforcement, but doubts that an encryption prohibition could be enforced. Moreover, a German regulation would be inadequate to deal with the global matter of cryptography. In March 1997, at a conference of his FDP party, he called demands to ban cryptography deeply illiberal.

In its policy document Info 2000: Deutschlands Weg in die Informationsgesellschaft, the German government supported the European Commission's ETS initiative. A focal point was promoting encryption to protect confidential information by network operators. "In this respect the legal preconditions for the decryption by state bodies are to be examined." As regards the fight against crime, "dangerous gaps" in law enforcement's ability through criminals' use of encryption should be stopped as soon as possible. "Where this should not be possible with the available methods, new forms also of technical information provision should be considered, to not let crime get a lead." The deployment of criminal law means should be considered only as an "ultima ratio".

The Enquiry Committee "Future of the media" of the German Parliament recommended in 1998 not to restrict cryptography. "The capabilities of users to protect themselves through cryptography should, given the current state of understanding, not be legally restricted. A restriction of the free use of such techniques can not, in this understanding, be justified in a cost-benefit analysis." (BT/DS 13/11002, recommendation 13)

Magazine "Der Spiegel" reported on 8 January 1996 that the German Ministry of the Interior is working on a draft law which would prohibit (unescrowed?) cryptography. It published another article in December 1996 on impending restrictive legislation (see above).

See Ulf Moeller's Kryptographie: Rechtliche Situation (in German), an action page by Nicolas Reichelt with many newspaper articles (in German), and more documents collected by Christopher Kuner (mostly in English), including a list of opinions of political parties (in English). There is also an extensive list of opinions and newspaper reports by Lutz Donnerhacke.

Back to the Table of Contents

4. Developments favoring cryptography

Back to the Table of Contents

Ghana [Sources 5]

1. Export/ import controls

There are no import or export controls. [Source: 2002 ITU document]

2. Domestic laws and regulations
None. [Source: 2002 ITU document]

Back to the Table of Contents

Greece [Sources 5, 9]

1. Export/ import controls

Greece has signed the Wassenaar Arrangement, so export controls should be regulated according to the (pre-December 1998) regulations, including the General Software Note.

2. Domestic laws and regulations
None.

Back to the Table of Contents

Hong Kong Special Administrative Region [Source 5]

1. Export/ import controls
Import and export of cryptography are regulated by the Import and Export (Strategic Commodities) Regulations (see the government FAQ). A license is required for importing or exporting cryptography, except for access-control equipment and authentication cryptography that can not be used for encrypting files or text. The definition of import as "to bring or cause to be brought into the Colony by air, land or water" may suggest that import by electronic means is unregulated.

2. Domestic laws and regulations
There are no regulations on the use of encryption. Crypto products that are to be connected to the public telecoms network, however, must comply with the relevant Telecommunications Authority's network connection specifications.

3. Developments to restrict cryptography
The September 2000 Report of the Inter-departmental Working Group on Computer Related Crime investigated the problem of cryptography for law enforcement. Ch. 5 recommends legislation for some form of decryption order. The order should be modelled on current production orders of the Organized and Serious Crimes Ordinance. As safeguards, the report recommends judicial scrutiny, a requirement that the offence at issue has a maximum penalty of at least two years' imprisonment, and that there be legal protection of the confidentiality of the information thus obtained. To enforce the power, penalties "commensurate with those for the specific offence under investigation" are recommended (although the report does not suggest how the offence under investigation is to be determined if the encrypted material does not yield evidence). Complying should be possible by giving plain text or the necessary passwords, codes, software and hardware to enable decryption. Suspects would be required to comply, similar to suspects addressed with current production orders (which do not have a privilege against self-incrimination clause).
See reactions to the report on FIPR's page.

Back to the Table of Contents

Hungary [Source 5]

1. Export/ import controls
Wassenaar and EU export controls are implemented through the Government Decree No. 50/2004 (III.23.) on Licensing foreign trade in dual-use goods and technologies. Export of mass-market encryption software is exempted.
There are no import controls for cryptography. An international import certificate can be issued if the exporting country requests this. 

2. Domestic laws and regulations
A provision in the Hungarian Digital Signature Act (text in Hungarian), which entered into force on 1 September 2001, holds that signature-creation data (such as a cryptographic key) shall not be used for other purposes than signing. The ministerial reasoning explains that the intention of this is to prohibit the use of private keys for cryptographic purposes, in the interest of national security. (Note that cryptographic keys not used for creating signatures can be used for encrypting.)

3. Developments to restrict cryptography
No.

4. Developments favoring cryptography
In February 2001, the Data Protection Commissioner issued a recommendation against regulating cryptography.

There is a law that provides an agency with the competence to assess cryptography; the agency can declare that it satisfies a minimum security level.

Back to the Table of Contents

Iceland [Source 1]

2. Domestic laws and regulations
no

3. Developments to restrict cryptography
no

Back to the Table of Contents

India [Sources 3, 5]

1. Export/ import controls
India requires an import license for encryptors. Import of crypto software is not restricted.

2. Domestic laws and regulations
The Information Technology Act 2000 (No. 21 of 2000) contains a decryption order. The Controller of Certifying Authorities may, according to art. 69 section 1, for national-security or crime-prevention reasons, direct any agency of the Government to intercept any information transmitted through any computer resource. Subsequently, according to art. 69 section 2, the "subscriber or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information." Failure to comply can be punished with imprisonment of up to seven years, according to art. 69 section 3.

3. Developments to restrict cryptography
None.

Back to the Table of Contents

Indonesia [Source 5]

1. Export/ import controls
There are no import restrictions for cryptographic products.

The export regulation is unclear. In any case, travellers with crypto software on a laptop do not require a license.

2. Domestic laws and regulations
I have had conflicting reports about crypto use: one source claims it is illegal, whereas another source says there are no use restrictions.

Back to the Table of Contents

Ireland [Sources 1, 9]

1. Export/ import controls
Import is not controlled.

Export is regulated according to the EU dual-goods regulation and the Wassenaar Arrangement, including the restriction of free export for mass-market software to 64-bit key lengths. The Framework for Ireland's Policy on Cryptography and Electronic Signatures of June 1998 and the Consultation Paper of August 1999 affirm the commitment to this legislation.

The responsible agency is The Licensing Unit of the Department of Enterprise, Trade and Employment (see address).

2. Domestic laws and regulations
The Electronic Commerce Act 2000 (nr. 27), which was enacted on 19 July 2000, contains a decryption order in article 27 (2) (c). A judge can issue a search warrant if there are reasonable grounds to suspect an offence under the Act has been committed. Such a warrant authorises investigation officers, among other things, "when the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, to require the disclosure of the information or electronic communication in intelligible form". Persons or public bodies who fail or refuse to comply are guilty of a summary offence (art. 27 (4)). [What is the penalty for this?]
According to article 28, "Nothing in this Act shall be construed as requiring the disclosure or enabling the seizure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible." Hence, investigation officers can only require people to decrypt, not to hand over keys or passwords, and the power can only be used in relation to material seized during a search. The Act does not make an exception for suspects or mention the privilege against self- incrimination.

History
The Framework for Ireland's Policy on Cryptography and Electronic Signatures of June 1998 included the following basic principles: "The production, import and use of encryption shall not be subject to any regulatory controls 'other than obligations relating to lawful access'", and "Legislation will be enacted to oblige crypto users to release plaintext or crypto keys upon a lawful authorisation."
The Consultation Paper Outline of Legislative Proposals on electronic signatures, electronic contracts, certification service provision and related matters of August 1999 had a smaller set of basic principles, including "The production, import and use of cryptography will continue to be free from regulation." So, the lawful-access principle had been altered. The relevant section 20 of the Consultation Paper entailed a power to search and seize, but it did not contain a provision on requiring access to plaintext or crypto keys. According to the explanatory note, this provision provided lawful access to evidence, and it was not an enabler of mandatory key escrow or key recovery.

3. Developments to restrict cryptography
The Framework for Ireland's Policy on Cryptography and Electronic Signatures of June 1998 comprised the following basic principles:

• Users shall have the right to access strong and secure encryption and to choose any cryptographic method.
• The production, import and use of encryption shall not be subject to any regulatory controls "other than obligations relating to lawful access".
• Legislation will be enacted to oblige crypto users to release plaintext or crypto keys upon a lawful authorisation.

The Consultation Paper Outline of Legislative Proposals on electronic signatures, electronic contracts, certification service provision and related matters of August 1999 has a smaller set of ba