Copyright © 1986 Universita' di Firenze. All rights reserved.
Free license available.
A large number of governments regulate the import and export of
cryptography, which such nations often classify as a weapon.
As a general principle, a government permits the use of
cryptography when:
In any case, here is a complete list, country by country, of the
restrictions on import and export.
The text that follows is in English because it is reproduced
directly as found on the net. We do not expect it to pose any
difficulty of comprehension.
Australia
Generally there is no restriction on importing any cryptography.
For exports there are two classes of regulations, which depend
on the cryptography equipment you want to export. For the first
group you need written permission from the Minister of State for
Defence; for the second one you need just a licence.
For more details see: Australian Cryptographic Regulations
Australia was also a member of CoCom.
Austria
There are no specific export/import restrictions, but there's
something called "Datenschutzgesetz".
For the latest information about Austria's "Datenschutzgesetz",
see ARGE Daten.
Below we present a write-up by PeterPaul.Sint@oeaw.ac.at from
the Research Unit for Socio-Economics, Austrian Academy of Sciences:
Regulations on cryptography
Regulations concerning the use of cryptography within Austria
appear in the law about company and organisation internal radio
transmissions (Betriebsfunkverordnung - BFV 1995). For those encryption
is explicitly forbidden: the argument to support this regulation
is that this is a privileged frequency allocation which may be
used only for company internal communications. Problems arise
because some frequencies are allocated to whole sectors of the
economy. The result is: competitors may listen in. Correspondingly
there is strong interest from affected companies to change the
regulations. The only exceptions are the subunits of the Ministry
of Interior (mainly the police and security forces). Public communication
systems (e.g. GSM) may be encrypted.
It is obvious that the international regulations on amateur radio
which demand transmission in clear text (and restrict content
very strongly) are enforced in Austria (but per definition this
does not concern professionals).
Regulations concerning the export of products which provide cryptographic
security, encryption, both in hard- and software follow EU regulations:
The Austrian law on foreign trade, Aussenhandelsgesetz (AHG-EU),
in force since July, 1st 1995, contains regulations concerning
the export of "dual use goods" (annex 1, chapter 5).
The export regulations follow practically verbatim the EU directive
on export control (COM 837 (95) 10. April 95 and COM 3381 (94)
1. Dec. 94).
These regulations replace former ones which were explicitly designed
to enforce USA and NATO export restrictions (CoCom
rules). These regulations were phrased in a way appropriate for
a neutral country. Restrictions for the re-export of goods were
enforced if the country from which they were imported demanded
it. The list of goods was practically identical with the one in
the new EU-conformant regulation.
Computer professionals are affected only if they develop goods
they want to export.
Data security and Data Protection
A number of regulations concern confidentiality and protection
of data against unfair competition. Both the general data protection
act and specific regulations in several sectors of society (e.g.
medicine, public services, banks and other financial services,
private security services) have - partly very powerful - regulations.
In general they are not specific to computer professionals. But
they have side effects on the production of software in those
areas and on the embedding of software professionals into the
security network of the respective sectors.
We did not perform an extensive search for the different regulations
of this kind.
Belarus
For manufacture, repair and operation of cryptography, a license
by the State Security Committee is needed. Cryptography use by
business people is restricted. But there are no known export/import
restrictions.
Brazil
No export/import restrictions.
Canada
PGP is allowed to be exported. For physical exports you need
an authorization delivered by Ottawa.
Notice: There is a special regulation for transferring cryptographic
materials between Canada and the USA. This regulation says (in summary)
that you are allowed to export any cryptography from the USA to
Canada and vice versa. But all cryptographic imports from the
USA fall under the US ITAR rules.
That means that you have to respect the US regulations or, if necessary,
you have to get a US authorization to export cryptography from
Canada which you have imported from the USA. A further restriction
is that the exports refer to countries and persons. That is the
reason why you, if you are not a citizen of Canada, are not allowed
to export cryptography from the USA to Canada.
For more information see also Canadian Cryptography Export Controls
People's Republic of China
China restricts the importation and exportation of voice-encoding
devices.
Denmark
The Danish government aims to restrict cryptography in telecommunications.
Here is an interesting article found in talk.politics.crypto:
From: stud-tj@mat.dtu.dk (Thomas Jakobsen (TH))
Newsgroups: talk.politics.crypto
Subject: A Danish crypto policy
Date: 3 Nov 1995 07:58:26 GMT
Organization: Mathematical Institute, Technical University of Denmark
Lines: 37
Distribution: world
Message-ID: <47CI32$M64@NEWS.UNI-C.DK>
Reply-To: stud-tj@mat.dtu.dk (Thomas Jakobsen (TH))
NNTP-Posting-Host: banach.mat.dtu.dk
X-Newsreader: mxrn 6.18-9

Hi!

A week ago, the Danish Board of Technology (DBT) published a report
"A Danish Crypto Policy - how to keep digital information secret".
DBT hopes that the report will start a debate on the subject, and
that it can be used to create such a policy. More precisely, they state:

"The objectives of this report from the Danish Board of Technology are:
* to stimulate political and public awareness as to how privacy in the
communication of electronic data can be ensured;
* to present a comprehensive basis for the debate on drafting Danish
policy in relation to EU [The European Union] initiatives and possible
Danish legislation".

There are no definitive conclusions as to whether escrowed-key
cryptography should be the only type of cryptography allowed or
whether there is no need for any prohibitions at all. Different authors
have contributed; technical aspects, legal issues, and criminal
investigation are covered.

It is possible to order the 76 page Danish version of the report with
a 4 page summary in English. The address is:

Teknologiraadet
Antonigade 4, DK-1106 Copenhagen K
Denmark
Phone: +45 33 32 05 03.

The price is 100 DKK, which is about 15-20 US dollars.

Thomas Jakobsen (T.Jakobsen@mat.dtu.dk)
Finland
Followed the CoCom regulations as a cooperating
member of that organization.
France
Since 1973 cryptographic implementations have been classified as
military munitions, and within that range they are in the second
most dangerous category (of eight). That is why you need a special
authorization, delivered by the Prime Minister (in fact SCSSI), to
use or to export any cryptography. But there are special regulations
for cryptography which can only be used for authentication. This kind
of cryptography needs a license from the SCSSI. If a product has such
an authorization, then any distribution is allowed.
Notice: PGP is not licensed
in France. That is why you are not allowed to use PGP in France.
The reason is very simple: PGP is also used for enciphering information.
For authorization purposes there exists a French variant of PGP,
but it is not often used in real life. The reason: you have to
trust that the algorithm (not really known in detail) is secure
and that the secret keys, which you get from a central institution,
are safe and secret enough.
If you are using any cryptography in France, there are two points
of interest:
Here is an article we found in a newsgroup:
Import Controls
Imports into France are governed by French law and the EC regulations.
Two considerations must be made in connection to entry of goods
into France: whether goods to be imported into France are subject
to any import restrictions and what declarations or filings are
to be made for permissible importation. Goods can fall into four
categories: articles not subject to restrictions, articles subject
to prior notification, articles subject to an import license,
or articles subject to special import restrictions.
Almost all goods that originate in the EC as well as certain goods
specified by law may be imported into France without being subject
to import restrictions. An import license is valid for only 6
months and only with reference to a specific type of merchandise
coming from a specific origin.
France requires a license for the import of encryption into the
country. France requires Data Encryption Standard based encryption
manufacturers and users to deposit a key with the French government,
and they may also require an import license if it is determined
necessary on a case-by-case review. France would probably forbid
the use of key escrow technology unless they are given the keys
and a full description of the algorithm.
Export Controls
Most products exported to EC member-states are not subject
to restrictions; however, certain products are subject to prior
notification, an export license, or a prior authorization before
they may be exported. Such notifications, licenses, or authorizations
are obtained pursuant to similar procedures governing importations.
In order to preserve the interests of French national security
or defense, exports or use of cryptography must:
The penalty for not complying is a fine of 6,000 to 500,000 FF
and/or a prison sentence from 3 to 8 months.
A declaration of delivery or use of means of cryptography is issued
at the central bureau for security of information systems. The
request form for a declaration has two parts, a technical part
and an administrative part. The technical part is an extensive
description in French of the operation or means of cryptography
and of its exploitation mode, including the management of secret
arrangements. The administrative part allows for the identification
of the person requesting the operation, location of the operation,
and the categories of persons or societies allowed to use the
operation. The request indicates the duration for which the authorization
is requested, which cannot exceed 10 years. The export of cryptography
requires the deposit of a copy of the receipt of the declaration
to the customs office.
As in the United States, France has decontrolled software that
is in the public domain, and it retains control of mass-market
and other encryption software as military items.
by mark fisher
See the law and decrees (in French)
Germany
The BSI (30.5.1995): There are no restrictions on enciphering algorithms
in Germany at all. The BSI (Bundesamt fuer Sicherheit in der Informationstechnik)
is not even in a position to decide whether a restriction on cryptography
is enforceable or not.
Some restrictions:
The German Ministry of Interior is currently working on a draft
law which would prohibit cryptography (till now no detailed information
available).
see also: Kryptographie: Rechtliche Situation
Hungary
No export/import restrictions.
There is a law that provides an agency with the competence to
assess cryptography ;-). The agency can declare that it satisfies
a minimum security level.
India
No export/import restrictions.
Iceland
No restrictions at all.
Ireland
Happened to be a cooperating CoCom member.
Israel
Israel imposes restrictions on encryption, but the scope of
its restrictions is not clear.
Italy
If you are interested in Italian law, see THE CARDOZO ELECTRONIC LAW BULLETIN.
Italy has also been a CoCom member.
Japan
Japan's membership of CoCom ended in 1994.
Latvia
No internal restrictions.
Luxembourg
Luxembourg continues to follow the former CoCom
rules.
Mexico
(see CoCom)
No export/import restrictions.
The Netherlands
Public domain and mass-market software generally do not require
a validated license, but items capable of file encryption do.
In 1994 the Dutch government wanted to restrict the use of cryptography
in a way that everyone would have had to give all their private
keys to a state department. But the Dutch citizens rejected these
efforts. Information in Dutch: Gerben's cryptography links
New Zealand
New Zealand is a CoCom-associated country.
Norway
The Norwegian government is going to introduce its own encryption
standard called NSK; it is quite similar to Clipper.
A bill has been proposed on central medical registries that would
use cryptographically pseudonymized entries.
Norwegian related material can be found at the Norwegian Research Center for Computers and Law
Poland
The US Administration will support Poland's candidacy for
the status of founding member of a new organisation which is to
replace CoCom.
Portugal
Portugal is another former CoCom country.
DECREE OF THE PRESIDENT OF THE RUSSIAN FEDERATION
Concerning legal matters in the area of development, production,
sale and usage of encoding devices, and also for the assignment
of responsibility concerning the encoding of information.
With the goal of ensuring the unconditional discharge of the Law
of the Russian Federation "Concerning the Organs of Federal
Government Communications and Information," and also of intensifying
the struggle against organized crime and raising the security
of the telecommunications information systems of the organs of
state authority, the Russian credit and finance structure, and
enterprises and organizations, I decree:
Saudi Arabia
No export/import restrictions.
Singapore
(see CoCom (cooperating))
South Africa
No export/import restrictions.
Internally there exists a legislation prohibiting the encryption
of data on public telephone networks.
Spain
Sweden
Switzerland
Turkey
United Kingdom
The above countries were either full or cooperating members of
CoCom.
USA
There are two government agencies which control the export of
encryption software. One is the Bureau of Export Administration (BXA)
in the Department of Commerce, authorized by the Export Administration
Regulations (EAR). The second one is the Office of Defense Trade
Controls (DTC) in the State Department, authorized by the International
Traffic in Arms Regulations (ITAR).
As a rule of thumb, BXA (which worked with CoCom)
has less stringent requirements, but DTC (which takes orders from
NSA) wants to see everything first and can refuse to transfer
jurisdiction to BXA.
A list of some exports which are allowed:
Any cryptographic implementation that can be used for military
purposes is restricted. (Question: Is there any cryptography which
cannot be used by the military?)
Cryptography which can be only used for authentication or integrity
purposes is not restricted in ITAR because they are classified
as (more or less) common exports.
Detailed information about restrictions can be found in:
Inside the USA: In 1993, the Clinton administration announced the so-called Escrowed Encryption Initiative (EEI), well known as the Clipper initiative. For more details and some discussion see:
CoCom
Coordinating Committee on Export Controls
established: 1949
dissolved: 1994
members (17):
Australia, Belgium, Canada, Denmark, France, Germany, Greece,
Italy, Japan, Luxembourg, Netherlands, Norway, Portugal, Spain,
Turkey, UK, US
cooperating countries (8):
Austria, Finland, Ireland, South Korea, NZ, Singapore, Sweden,
Switzerland
CoCom was an unofficial nontreaty organization, chartered to coordinate
national restrictions on the export of sensitive military technologies
to the Soviet Union, other Warsaw Pact countries, and the People's
Republic of China. The idea behind it was to slow technology transfer
into those countries.
Although CoCom was dissolved in 1994, most signatory countries
are likely to still maintain its regulations for the time being,
but there are efforts to establish a "New Forum" that
continues the idea behind CoCom, with the difference that the
boycotted countries have changed.
Some regulations we found:
Council of Europe
(Attention: this is not EU)
On 8th September 1995 the Council of Europe dismissed a recommendation
to ban strong cryptography in their member-countries.
Notice: The Council (unlike the Commission) has no statutory
powers to enforce its recommendations. However, Peter Csonka,
the chairman of the committee that drafted the document (and an
administrative officer at the Council's division of crime problems)
says that 'it is rare for countries to reject Council of Europe's
recommendations'.
The proposal would make telecomms operators responsible for decrypting
traffic and supplying it to governments when asked. It would also
'change national laws to enable judicial authorities to chase
hackers across borders'.
see also: Cryptography in Europe
European Union (EU)
To detect criminals, the Commission is seeking legal powers
to prevent people from using secret codes on the Internet which
it cannot crack. In fact, this plan would require a ban on all strong
cryptography, or would mean that every person or company gave their
'secret keys' to a law enforcement agency.
Here are some key points of an interview with an official of the
telecom security unit of the EU Commission (DG-13) in Brussels:
But notice that encryption and cryptography affect national affairs.
That means that EU members can keep their own restrictions on
cryptography. This is the major point of discussion in the European
Commission, because countries like France or the UK want to keep their
sovereignty in this area.
OECD
At a meeting on 18-19 December 1995 the OECD (ICCP) agreed
to have a further meeting on 7-8 February 1996,
where they will discuss the encryption policies of their members,
markets for encryption, key escrow encryption ...