Cryptography and Liberty 2000
An International Survey of Encryption Policy

Electronic Privacy Information Center
Washington, DC


About the Electronic Privacy Information Center


The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. EPIC is a project of the Fund for Constitutional Government. EPIC works in association with Privacy International, an international human rights group based in London, UK and is also a member of the Global Internet Liberty Campaign, the Internet Free Expression Alliance and the Internet Privacy Coalition.

The EPIC Bookstore provides a comprehensive selection of books and reports on computer security, cryptography, the First Amendment and free speech, open government, and privacy. Visit the EPIC Bookstore at http://www.epic.org/bookstore/.


Copyright © 2000 by the Electronic Privacy Information Center


First edition 2000
Printed in the United States of America
All Rights Reserved

ISBN: 1-893044-07-6


EPIC Staff

Marc Rotenberg, Executive Director
David L. Sobel, General Counsel
Andrew Shen, Policy Analyst
Sarah Andrews, Policy Analyst
Dori Kornfeld, Policy Fellow
David Banisar, Senior Fellow
Wayne Madsen, Senior Fellow


Acknowledgements

This report was written by Wayne Madsen and David Banisar, Senior Fellows at the Electronic Privacy Information Center.

The following individuals provided invaluable information and advice: Dr. Andrzej Adamski, Nicholas Copernicus University, Poland; Yaman Akdeniz, Cyber-Rights & Cyber-Liberties (UK); Ian Brown, University of London; Jos Dumortier, KU.Leuven, Belgium; Rishab Aiyer Ghosh, India; Brian Gladman, UK; Peter Gutmann, New Zealand; Austin Hill, ZKS, Canada; Gus Hosein, London School of Economics, UK; Bert-Jaap Koops, Tilburg University, NL; Meryem Marzouki, Imaginons un Réseau Internet Solidaire, France; Jose Luis Martin Mas, FREE, Spain; Ulrich Sandl, Bundesausfuhramt, Germany; Viktor-Mayer-Schoenberger, Harvard University; Erich Moechel, quintessenz, Austria; Andriy, Privacy Ukraine; Per Helge Sørensen, Denmark; Greg Taylor, EF Australia; Jerome Thorel, ZD France; Peter Wallstrom, Sweden; Rigo Wenning, FITUG, Germany; Maurice Wessling, BITS of Freedom, NL.

The Electronic Privacy Information Center gratefully acknowledges the support of the Open Society Institute, as well as the assistance of members of the EPIC Advisory Board and members of the Global Internet Liberty Campaign (GILC).

An electronic version of this report and updates is available online at http://www.epic.org/crypto/

Executive Summary


The international relaxation of regulations concerning encryption has largely succeeded. The rise of electronic commerce and the recognition of the need to protect privacy and increase the security of the Internet have resulted in the development of policies that favor the spread of strong encryption worldwide. Governments attempting to develop e-commerce are recognizing that encryption is an essential tool for transactions, and are reversing decades-old restrictions based on national security concerns. An increasing number of countries have developed policies based on the OECD Guidelines.

Most countries in the world today impose no restrictions on the use of cryptography. In the vast majority of countries, cryptography may be freely used, manufactured, and sold without restriction. This is true for both leading industrial countries and for emerging economies.

There are a small number of countries where strong domestic controls on the use of cryptography exist. These are mostly countries where human rights command little respect, most notably Russia and China. Many of these countries place strict controls on the Internet, satellite dishes and other new communications devices.

There is little international support today for key escrow encryption. It has been abandoned by most countries and is no longer enforced in the few countries where laws requiring its use still remain.

A few countries impose “lawful access” requirements that could compel users to disclose keys or decrypted files to government agencies. Concerns over the right against self-incrimination found in many legal systems have led many countries to reject their adoption. Several other countries are considering bills that would require third parties to decrypt communications from suspects.

A number of governments are considering proposals that give intelligence and law enforcement agencies new powers to conduct surveillance, break into buildings or hack computers to obtain encryption keys and obtain information. Law enforcement and intelligence agencies are also demanding and receiving substantial increases in budgets. These new powers and budgets raise concerns about the expansion of government surveillance and the need for public accountability.

Export controls remain the most powerful obstacle to the development and free flow of encryption but they are steadily being relaxed because of the Internet and demands for secure electronic commerce. The decision by the United States to liberalize its own encryption export regulations in January 2000 has had the effect of weakening the position of those who favor strict controls on cryptography.


Purpose and Methodology of the Survey



This is the third annual review of encryption policies around the world. This survey was undertaken by the Electronic Privacy Information Center (EPIC), with the assistance of members of the Global Internet Liberty Campaign and other experts on encryption policy, to provide a comprehensive review of the cryptography policies of national and territorial jurisdictions around the world.

To obtain information for the survey, we sent letters to the embassies, United Nations missions, government ministries, trade boards, and information offices of some 230 countries and territories with independent policy-making authority. These entities were contacted in the belief that governments themselves are best able to authoritatively explain their policies, especially on such a technical subject. We patterned our survey after one conducted in 1989 by the Computer Science and Law Research Group (GRID) of the University of Quebec, which analyzed the data protection policies and laws of over 150 countries on behalf of the government of Canada. In our second and third surveys, we expanded the contacts to include organizations and individuals in various countries with direct knowledge of encryption and telecommunications policies. We inquired about five major areas of cryptography policy:


Between the issuance of our first report in February 1998 and our second report issued in May 1999, the Organization of Economic Cooperation and Development (OECD) conducted an inventory of the cryptography regulations of its member states. We have incorporated those findings in this report as they best represent current national policies within the OECD member countries.

We also referred to a report prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy, obtained by EPIC under the Freedom of Information Act. The report, dated July 1995, is titled “A Study of the International Market for Computer Software with Encryption.” The Commerce Department and NSA attempted to obtain and analyze copies of the laws and regulations from as many encryption-producing nations as possible. This document is mostly historical now.

A 100 per cent response was the goal of this and our previous surveys. For this survey we discovered that many more countries were familiar with the issue than had been during the first and second surveys. As a result, this is the most comprehensive survey to date of encryption policies.


Country Ratings


Reported countries have been grouped into three categories regarding controls on cryptography.

A “Green” designation signifies that the country imposes few controls on encryption and promotes, or has expressed support for, a policy that allows for unhindered legal use of cryptography, such as adopting the OECD Guidelines. A “Yellow” designation signifies that the country has significant domestic controls, such as requirements for lawful access or excessive export or import controls in law, or has proposed new domestic cryptography controls. A “Red” designation denotes countries that have instituted sweeping controls on cryptography, including domestic use controls. Many countries do not fit neatly into one of the three categories, but may share attributes from two of them. These countries are designated as “Green/Yellow” or “Yellow/Red” depending on the direction in which their policies appear to be heading.

Issues in Encryption Policy



The Importance of Cryptography


Emerging computer and communications technologies have radically altered the ways in which we communicate. Along with the speed, efficiency, and economy of the digital revolution come new challenges to the security and privacy of communications and information traversing the global communications infrastructure.

In response to these challenges, the security mechanisms of traditional paper-based communications media - envelopes and locked filing cabinets - are being replaced by cryptographic security techniques. Through the use of cryptography, communication and information stored and transmitted by computers can be protected against interception. Until recently, there was little non-governmental demand for encryption capabilities. Modern encryption technology - a mathematical process involving the use of formulas (or algorithms) - was traditionally deployed most widely to protect the confidentiality of military and diplomatic communications. With the advent of the computer revolution and recent innovations in the science of encryption, a new market for cryptographic products has developed. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever-increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic fund transfers require secure means of encryption and authentication – features that can only be provided if cryptographic know-how is widely available and unencumbered by government regulation.

Cryptography can also be used to allow for the anonymous dissemination of information, such as reports on human rights abuses, and to ensure that documents of human rights groups are not tampered with or altered after release.

Governmental regulation of cryptographic security techniques endangers personal privacy. Encryption ensures the confidentiality of personal records, such as medical information, personal financial data, and electronic mail. In a networked environment, such information is increasingly at risk of being stolen or misused.


Encryption and Human Rights


Government regulation of techniques such as encryption that help to protect individual privacy may also be contrary to the spirit of international laws and norms that recognize privacy and the freedom to communicate in confidence as fundamental human rights. Article 12 of the Universal Declaration of Human Rights, and Article 17 of the International Covenant on Civil and Political Rights, as well as other international agreements, and national laws, make clear the importance of privacy protection for human freedom and civil society.

In many countries in the world, human rights organizations, journalists and political dissidents are the most common targets of surveillance by government intelligence and law enforcement agencies and other non-governmental groups. The U.S. Department of State, in its 1996 Country Reports on Human Rights Practices, reported widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries. In some countries, such as Honduras and Paraguay, the state-owned telecommunications companies were active participants in helping the security services monitor human rights advocates. These problems are not limited to developing countries. French counter-intelligence agents wiretapped the telephones of prominent journalists and opposition party leaders. The French Commission Nationale de Contrôle des Interceptions de Securité has estimated that there are some 100,000 illegal taps conducted each year in France. There have been numerous cases in the United Kingdom that revealed that the British intelligence services monitor social activists, labor unions and civil liberties organizations. Even in countries that are considered to have open governments, such as Sweden and Norway, national security agencies have been found to routinely invade the privacy of non-governmental organizations.[1]

The European Parliament issued a report in January 1998 alleging that the U.S. National Security Agency was conducting massive monitoring of European communications as part of a worldwide surveillance system named Echelon.[2] The report also said that the system was used to target human rights groups such as Amnesty International. A subsequent report released in May 1999 and presented before the European Parliament in February 2000 revealed more information on the system and its use for economic espionage and resulted in protests and anger from the EU.[3]

Many human rights groups currently use encryption to protect their files and communications from seizure and interception by the governments they monitor for abuses. These include China, Guatemala, Ethiopia, Haiti, Mexico, South Africa, Hong Kong and Turkey. Other groups such as Amnesty International USA and the Tibetan Government-in-exile also use cryptographic techniques to digitally sign messages that they send over the Internet to ensure that the messages are not altered in transmission.

Additional information on the use of encryption technology by international human rights organizations is contained in the briefing paper “Encryption in the Service of Human Rights,” produced by Human Rights Watch.[4]

National Controls on Cryptography


Only a few countries around the world restrict the domestic use of encryption by their citizens. Of the handful of countries around the world that do, most have strong authoritarian governments.

Most countries that have explicitly rejected controls have noted the importance of security of electronic information for electronic commerce, the threats of economic espionage, and the need to protect privacy online. The 1997 OECD Guidelines on Cryptography Policy and the 1998 European Commission report expressed strong support for the unrestricted development of encryption products and services. Following their promulgation, Canada, Germany, Ireland, and Finland announced national cryptography policies based on the OECD Guidelines, favoring the free use of encryption.

A number of countries explicitly reversed their positions on domestic controls based on the OECD Guidelines. Most notable of these is France, which had long restricted encryption, but reversed that policy in January 1999 and announced that people can use encryption without restrictions. In December 1997, Belgium amended its 1994 law to eliminate the provision restricting cryptography.

Most of the countries that do restrict encryption are either former republics of the Soviet Union, or are located in Asia, or the Middle East. The countries include Belarus, Burma, China, Kazakhstan, Pakistan, Russia, Tunisia, and Vietnam. We found no countries in North or South America or Western Europe that currently restrict domestic use. The United Kingdom is the only major western power that continues to advocate for controls.

Most of these countries also generally place strong restrictions – in some cases, such as Burma and Iraq, outright bans – on the use of the Internet. In many of the countries, the restrictions do not appear to be enforced. In China, a new regulation requires companies to disclose their security systems to the national government but few companies are complying.

The rapid growth of worldwide electronic commerce and the lack of international consensus on restrictions will further isolate these countries and make it difficult for them to continue these policies. The wide availability of encryption on the Internet will make it impossible for them to enforce the laws in any meaningful way without imposing massive surveillance and censorship.


Key Escrow/Key Recovery


Concurrent with the rejection of domestic controls by most countries is the rejection of key escrow/recovery policies by governments. We found that there is now no international support for key escrow or key recovery systems.

Key escrow/recovery was a concept promoted by the United States government whereby users would be able to use strong encryption in their systems. However, a third party such as a government agency or a specially authorized company (usually with government ties) would hold the keys and provide them to a government agency when requested. Escrow was first introduced in the U.S. in the Clipper Chip in 1993. It was adopted into law by France in 1996 and promoted by the UK government for several years.

The U.S. pressured many countries and international organizations, including the OECD and Wassenaar, to adopt key escrow. The U.S. Envoy for Encryption, David Aaron, traveled the world urging countries to adopt escrow policies. The OECD countries rejected the U.S. pressure and called for free use of cryptography and respect for privacy.

Security experts have been critical of the security of escrow systems, noting a number of problems created by having a central party holding users' keys. In October 1997, the European Commission issued a report that reviewed the problems with key escrow systems:[5]

(i) Key access schemes are considered by law enforcement agencies as a possible solution to cope with issues like encrypted messages. However these schemes and associated TTPs raise a number of critical questions that would need to be carefully addressed before introducing them. The ongoing discussion of different legislative initiatives in the US is an illustrative example of the implied controversy. The most critical points are vulnerability, privacy, costs and effectiveness:


(ii) Any involvement of a third party in confidential communication increases its vulnerability. The main reason for involving a third party in the management of keys for confidentiality is to allow that party to make the keys available to other than the two communicating parties, for example, to law enforcement.

Users may therefore not see many advantages in using TTPs for confidential communication, and probably not even for stored information. Regulators would thus need to offer incentives to convince users to use licensed TTPs for confidentiality purposes, for instance through a "public security label" or even by introducing a "mandatory scheme". Such a mandatory scheme would make any publicly available offer of encryption services subject to a licence that inter alia would demand key escrow/recovery.

The acceptance of such a system remains to be seen, but given its implied overheads, can not be regarded as an incentive for electronic commerce. In any case, restrictions imposed by national licensing schemes, particularly those of a mandatory nature, could lead to Internal Market obstacles and reduce the competitiveness of the European Industry.

The final blow to key escrow was its rejection by the Wassenaar Arrangement group in December 1998. The U.S. attempted to gain favorable export rules for escrow/recovery products to encourage an international market. No consensus was reached and this plan was rejected. The German Ministry of Economics announced: “Certain states that had originally demanded special treatment for key recovery products were unsuccessful in their efforts. The export of encryption technology will therefore remain possible without the deposit of keys with the government.”[6]

These international policy developments had a significant impact on domestic policies both in countries that supported escrow and in those that had no encryption policies. The most dramatic turnaround was in France, where Prime Minister Jospin announced in January 1999 that France would scrap its key escrow system in favor of free use of cryptography, and implemented new regulations relaxing controls in March 1999. Taiwan, which had stated in 1997 that it was planning a key escrow system, reported back in 1998 that it no longer plans to adopt such a system.

Only a few countries now officially endorse key escrow. Spain enacted a telecommunications bill in 1998 that endorsed escrow, but it was never implemented. For many years the UK promoted a policy that would have coerced certificate authorities to obtain private keys as a condition of licensing. It is now using other means to attempt to gain access to keys (see the section below). In the U.S., export control rules that once encouraged key escrow were somewhat relaxed in 1998 and eliminated in January 2000.


“Lawful Access” and Forced Disclosure of Encryption Keys


Following the rejection of key escrow, a new approach being considered by many governments is to demand “lawful access” to encryption keys or plain text. Under this approach individuals would be required to disclose keys to law enforcement agencies or face criminal penalties for failure to assist in a law enforcement investigation. So far, only a few countries have implemented such provisions.

The OECD Encryption Guidelines noted but did not endorse the lawful access principle. The Guidelines state:

National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.[7]

This was a very contentious issue in the OECD. The OECD considered and rejected endorsing the lawful access goal. As a result, this is the only principle that does not state that members “shall” adopt it as a policy.

At the Denver Summit in June 1997, the G-8 supported access. It recommended that every country adopt “Lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies.”

Only Singapore and Malaysia have enacted laws that would require users to disclose their keys or face criminal penalties. In both of those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police.

Similar bills are pending in the United Kingdom and India. In the United States, Belgium and the Netherlands, bills are pending that would require third parties to release encryption keys and other information but would not require a person to incriminate himself.

A number of countries including Ireland, Sweden, Finland, and Denmark suggested that the government would consider lawful access provisions following the release of the OECD Guidelines. Thus far, none have adopted it. In Ireland a draft Electronic Commerce Bill has recently been published which would force individuals to provide access to plaintext but recommends against forced disclosure of keys. In Canada, an interministerial committee headed by Justice Canada is examining possible legislation. Other countries such as Denmark have decided against adopting such policies.

The Right Against Self-incrimination


Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide. The privilege against self-incrimination forbids a government official from compelling a person to testify against himself. It has a long history in law, originally developing from Roman and Canon law and subsequently adopted by the common law.[8]

In the United States, this issue has not been directly addressed by any courts yet but many legal scholars believe that it would not be permissible under the 5th Amendment to the Constitution to force an individual to disclose an encryption key or passcode that was not written down anywhere.[9]

Many European legal scholars also believe that requiring disclosure violates the European Convention on Human Rights.[10] The European Court of Human Rights has stated that the right of any "person charged" to remain silent and the right not to incriminate himself are generally recognized international standards which lie at the heart of the notion of a fair procedure under Article 6 of the European Convention on Human Rights. The burden of proof cannot be reversed to require the suspect to provide the requested evidence or prove his/her innocence.[11] Article 8 of the Convention, which protects the right to respect for private life and correspondence, also sets out limits on surveillance that would affect interception.

In other countries, this concern is also raised. The New Zealand Law Commission noted recently that on the issue of lawful access, it will be difficult to compel people to disclose encryption keys:

We note that the difficulty in compelling a person to disclose the means of decryption, or the plain text of the document itself, will need to be given considerable thought; as will the question of an appropriate sanction in the event that disclosure is not made. In that regard, the disclosure of something held in one’s head is somewhat different in kind to the provision of DNA samples. Ultimately, any view formed on this issue will need to recognise that a private key may be held in the memory of a human being, rather than located in an electronic or paper based record.[12]

In Australia the Walsh Report, written by the former director of the Australian intelligence agency, also recommended against the “lawful access” requirement stating:

1.2.27 Invocation of the principle of non self-incrimination is likely to prove an obstacle to efforts by law enforcement agencies to obtain encryption keys by search warrants or orders made by courts and tribunals.[13]

Another issue is the penalizing of individuals who may not have access to the keys issued in their name. In many circumstances, an individual may not be in possession of a key, either because they have lost the key, revoked it or never possessed it in the first place. Under several of these laws and pending bills, the users could face jail for being unable to provide the keys. A group in the United Kingdom illustrated this problem by sending an encrypted “incriminating” message to Home Secretary Jack Straw after creating a key in his name. They then destroyed the encryption key.[14]


Increase in Surveillance Budgets


As countries reject restrictions on encryption, they continue to face pressure from law enforcement and intelligence agencies which demand access to communications. There have been a variety of approaches taken to resolve this pressure.

One trend has been the increased funding of intelligence agencies to compensate for the perceived loss of intelligence from encryption. In the United States, a number of new “Net Centers” have been proposed. These Net Centers would provide technical assistance to law enforcement agents specifically to break codes and would not be subject to freedom of information laws.[15] President Clinton has also recently asked for $2 billion for network protections.


New Surveillance Powers


In the absence of key escrow, intelligence and law enforcement agencies in a number of countries have been demanding the ability to use formerly extralegal approaches to obtain information and encryption keys from targets. This includes breaking into homes to “bug” computers and legal authorization to “hack” computer systems to obtain encryption keys.

In December 1999, the Australian Parliament approved a bill authorizing the Australian Security Organization (ASIO) to obtain warrants to access computers and telecommunications services “for the purpose of obtaining access to data that is relevant to the security matter and is stored in the target computer and, if necessary to achieve that purpose, adding, deleting or altering other data in the target computer, (b) copying any data to which access has been obtained, that appears to be relevant to the collection of intelligence by the Organisation in accordance with this Act; (c) any thing reasonably necessary to conceal the fact that any thing has been done under the warrant.” The bill does not mention encryption.[16]

In the Netherlands a law to allow the use of bugging devices in computers as a means to obtain clear text (Wet Bijzondere Opsporingsbevoegdheden) was approved in 1999 and went into effect in February 2000. Another bill that would allow the secret service to use hacking techniques to remotely access computer systems (Wet op de Inlichtingen- en Veiligheidsdiensten) is also pending. These powers were specifically given to combat cryptography during investigations.

In the United States, the White House proposed the Cyberspace Electronic Security Act (CESA) in September 1999. Under the bill, law enforcement and intelligence agencies would be able to compel third parties to release encryption keys and other information. Technical methods used to obtain keys could be kept secret from disclosure in court. In addition, the FBI would be given $80 million in additional funding for its “Technical Support Center.” Previous versions allowed for secret searches.

Other countries are still developing policies that will give more powers to intelligence agencies. In France, Prime Minister Jospin announced in 1999 that, as part of France's relaxation of controls, “the technical capacities of the authorities will be significantly reinforced.” Similarly, the 1999 German encryption policy states that “the federal government will, to the extent that it can, support an improvement of the technical capabilities of the criminal prosecution and security authorities.”

At the urging of the U.S. Department of Justice, the Council of Europe is also developing a new Convention on Computer Crime that will reportedly expand surveillance powers and centers for network monitoring. The convention will require countries to adopt legislation to facilitate wiretapping of computer networks and compel manufacturers to build in surveillance capabilities.

These proposals for new investigative powers raise troubling questions about surveillance and accountability. Will the agencies granted these powers be fully accountable to democratic institutions and subject to meaningful public oversight?


The Role of Export Controls


Internationally, export controls have been the strongest tool used by governments to limit the development of encryption products. However, in the past several years there has been a gradual international relaxation of export controls, especially for software products.

Export controls reduce the availability of encryption in common programs such as operating systems, electronic mail and word processors, especially from American companies. The restrictions make it difficult to develop international standards for encryption and interoperability between different programs. Countries must develop their own local programs, which do not interoperate well (if at all) with programs developed independently in other countries. They may also be less secure because of a lack of peer review. Because markets are smaller and potential profits lower, companies and individuals are less interested in developing such programs.

Some countries have taken advantage of the situation by promoting the lack of controls in their countries. As Switzerland noted in response to our 1999 inquiry, “Switzerland will keep its efficient export permit process for cryptographic goods in order to encourage Swiss exports to increase their sales and share worldwide while being mindful of national security interests.” One result of this has been the emergence of small companies in many countries without restrictions, which produce encryption products. Another result has been companies, especially American companies, moving their encryption production divisions overseas to countries with fewer controls, such as Switzerland.

The Internet significantly changed the effectiveness of export controls. Strong, unbreakable encryption programs can now be delivered in seconds to anywhere in the world with a network connection. It has been increasingly difficult for countries to limit dissemination, and once a program is released, it is nearly impossible to stop its redissemination, especially if it is in one of the many countries around the world with no export controls. In the United States, export controls were used as a justification to limit the availability of encryption on domestic Internet sites and thus serve as indirect domestic controls on encryption.

Many countries have relaxed their export controls on encryption products, especially software. The United States Government announced in January 2000 that it now allows companies to export most products. It is now likely that other countries will follow suit.

The Wassenaar Arrangement


The Wassenaar Arrangement (WA) is an agreement by a group of 33 industrialized countries to restrict the export of conventional weapons and “dual use” technology to certain other countries considered pariah states or, in some cases, those that are at war. Certain cryptographic products, along with other technology such as supercomputers and high-level computer security access software, are considered to be “dual use” in that they can be used for both commercial and military purposes. The WA replaced the former Cold War-era Coordinating Committee on Multilateral Export Controls (COCOM), a group of 17 countries that placed restrictions on the export of certain technology to countries of the former Warsaw Pact and other communist states. After the fall of the Warsaw Pact and Soviet Union, COCOM became an anachronism, and on November 16, 1993, in The Hague, COCOM agreed to dissolve itself and to establish a grouping called the “New Forum.”

A formal agreement to establish the “Wassenaar Arrangement” was reached at the December 19, 1995, meeting in Wassenaar. The participating countries agreed to locate the Wassenaar Arrangement Secretariat in Vienna. The WA is one of four international export control arrangements. The others, the Nuclear Suppliers Group, the Australia Group, and the Missile Technology Control Regime, are mainly directed against the proliferation of weapons of mass destruction and missiles.

The WA is open on a global basis to other countries that comply with the export control criteria. To be admitted to the Arrangement, a country must: 1) be a producer and/or exporter of arms or dual-use industrial equipment; 2) maintain non-proliferation policies and appropriate national policies, including adherence to international non-proliferation regimes and treaties; and 3) maintain fully effective export controls. Although the Arrangement does not provide for observer status, an outreach policy is being planned to inform non-member countries about WA objectives and activities, and encourage such non-members to adopt WA-compliant national policies on the export of conventional arms and dual-use technologies, including cryptography.

The Authority of Wassenaar


It is important to note that the WA is neither an international treaty nor a law. It is merely designed to exchange views and information on international trade in conventional arms and dual-use goods and technologies. Also, participating states commit to adjust their national export control policies to adhere to the WA Control Lists, but this commitment is discretionary in nature and not mandatory. Participating states may adjust their cryptographic export policies through new regulations or legislation.

The WA members largely represent the law enforcement, signals intelligence, and weapons control sectors of participant governments and have little appreciation for commercial concerns. The WA maintains that it is not directed at impeding bona fide commerce and is not directed against any state or group of states. However, the list of countries covered by a participating state's own national sanctions varies widely. For example, the United States imposes sanctions on certain countries through the International Traffic in Arms Regulations and the Export Administration Regulations, which are supervised by the Departments of Commerce, Treasury, and State.[16] The United Kingdom also imposes sanctions on countries, but its list differs from that of the United States.[17] Russia maintains virtually no enforceable sanctions on other countries. The substantial differences between participants on sanctions are an important weakness in the application of uniform WA export controls.

The WA countries maintain export controls for the items on the agreed control lists, which are reviewed periodically to take into account technological developments and experience gained. One such review took place throughout 1998 and resulted in a change to the cryptography dual-use control list. The WA announced the revised list on December 3, 1998. Decisions to amend the Control Lists, as with all WA decisions, are made by consensus.

The WA also facilitates the sharing of export information between participating states. Countries are required to report transfers or denials of transfers of certain controlled dual-use items to the other WA participants. Of particular interest to WA members are denials of export licenses for sensitive technology. The WA therefore stipulates that members agree to notify other members on an early and timely basis, preferably within 30 days but no later than 60 days from the date of the denial of the license.

The Wassenaar List of Dual-Use Goods and Technologies


On December 3, 1998, the Wassenaar Secretariat announced that new cryptography guidelines had been added to the Arrangement. The Wassenaar Dual-Use Control List now extends to encryption hardware and software products with key lengths above 56 bits. These include Web browsers, e-mail applications, electronic commerce servers, and telephone scrambling devices. Other mass-market products, such as personal computer operating systems, word processing, and database programs with key strengths over 64 bits, are subject to controls for two years. These controls must be renewed and approved unanimously; otherwise they will be canceled. It appears that participating states were obligated to establish new export controls over “mass market” encryption software that uses keys longer than 64 bits. They must also restrict other symmetric encryption software and hardware with keys longer than 56 bits (unless a formal export license is issued by the respective national government).

The Wassenaar countries also agreed to control other software, such as that used in specific sectors such as banking, insurance and health, at the 56-bit level. The US and UK governments led an effort to promote key escrow products but that proposal was rejected by the other countries. According to a press release from the German Ministry of Economics, “certain states that had initially demanded special treatment for ‘key recovery’ products have not been successful. Thus, the export of encryption technology will remain possible without depositing keys with government agencies.”[18] The restrictions do not apply to encryption products that protect intellectual property, such as digital watermarking for items like videos, cassettes and DVD disks. This exemption is seen as a concession to the entertainment industry.

Most importantly, and in what constitutes an important loophole, the new WA controls did not apply to the “intangible” distribution of cryptography, including downloads from the Internet.

The December 1998 amendments had a limited effect on the flow of encryption products. Several countries such as Canada and Germany announced that they did not plan to impose new strict restrictions on exports of mass-market software. The Swiss government wrote that “the upcoming minor changes to Switzerland's export controls on cryptographic goods as a result of the December changes to Wassenaar will not alter the liberal Swiss Cryptography Policy.”[19] The Arrangement is scheduled to expire in 2000 and it seems unlikely to be extended.

The International Evolution of Encryption Policy


Over the past several years, international organizations have played a central role in the development of encryption policies. These groups include the Organization for Economic Cooperation and Development, the European Union, the G-7/G-8, the Council of Europe, and the Wassenaar Arrangement. In all of these, the United States, with the support of the UK Government, led efforts to gain international support for restrictions. US Envoy for Cryptography David Aaron traveled the world urging governments to support the U.S. positions on encryption policy. In certain gatherings, especially those oriented towards law enforcement or military/intelligence issues, the U.S. had some success. The U.K. Home Office and its Minister Jack Straw have also been calling for restrictions on cryptography, even as the US began to lessen its support. The Home Office consistently stresses that criminals and terrorists will use cryptography to hide their activities. Germany and several of the Scandinavian countries often led opposition to cryptography controls.

Organization for Economic Cooperation and Development


The Organization for Economic Cooperation and Development (OECD) is a Paris-based international body of 29 countries.

In 1996, the OECD began work on cryptography guidelines focusing on international compatibility. The OECD had previously developed well-respected guidelines on the privacy of personal information and on computer security. The Secretariat recommended that the OECD develop an international framework to promote the use of encryption.

The U.S. began pressuring the OECD to adopt key escrow as an international standard. For its encryption deliberations, the OECD changed from its traditional two year process of consensus to a one year accelerated process with a “core group” writing the guidelines. At the meetings, the U.S. delegation, led by the Justice Department, the FBI, and the NSA, lobbied the committee to endorse key escrow. The US also seconded a Justice Department lawyer to the OECD to develop the guidelines.

The OECD was severely divided by the proposals. The US position was supported by France and the United Kingdom. Many of the other representatives, including the economics and trade representatives from Japan, Canada and Germany did not favor these efforts. Representatives from the Scandinavian countries stated that key escrow would undermine trust. Denmark's representative announced that key escrow would not be included in a nation-wide card system. Industry representatives wanted to ensure that they would have the right to adopt any system of their choosing.

In March 1997, the OECD issued its Guidelines on Cryptography Policy. The OECD recommendation is a non-binding agreement that identifies the basic principles that countries should adopt in establishing cryptography policies at the national and international level.

The OECD Cryptography Guidelines state:


The Guidelines set out eight basic principles for cryptography policy:

1. Cryptographic methods should be trustworthy in order to generate confidence in the use of information and communications systems.

2. Users should have a right to choose any cryptographic method, subject to applicable law.

3. Cryptographic methods should be developed in response to the needs, demands and responsibilities of individuals, businesses and governments.

4. Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level.

5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.

6. National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.

7. Whether established by contract or legislation, the liability of individuals and entities that offer cryptographic services or hold or access cryptographic keys should be clearly stated.

8. Governments should co-operate to co-ordinate cryptography policies. As part of this effort, governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade.

The OECD is currently planning to conduct a follow-up to the guidelines in the area of digital signatures. In October 1998, the OECD surveyed its member countries and found that many had adopted the guidelines. It is now working on an update to that survey.

The European Union


The European Union (EU) has played a key role in rejecting restrictions on encryption. The European Commission requires Member States to report to the Commission any national proposals to impose technical rules for marketing, use, manufacture, or import of cryptographic products.[20] The Commission also seeks to dismantle intra-Union controls on commercial encryption products.

In October 1997, the European Commission’s Directorate-General XIII, which is responsible for Telecommunications, Information Market and Exploitation of Research, issued a report that took issue with the United States’ policy of encouraging key escrow and recovery schemes. The report stated that “restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks,” adding that key escrow systems “would not . . . totally prevent criminals from using these technologies.”[21]

On the issue of “back door” mechanisms giving law enforcement and intelligence agencies the right to read the plaintext of encrypted messages, the report said that if such systems are required, they “should be limited to what is absolutely necessary.”

The report was sent by the European Commission to the major bodies of the European Union, including the European Parliament, the Council of Ministers, the Economic and Social Committee and the Committee of the Regions.

However, a European Council Resolution of January 17, 1995, requires network operators and service providers to provide law enforcement agencies “in the clear” access to encrypted communications.

The EU also plays an important role in export controls. In 1992, the European Commission proposed a dual-use regulation as part of the progression to the free market. Since military exports were linked to Member States’ national security concerns, control of such exports was deemed to be a matter for individual states. However, with dual-use goods, it was argued that, while military uses were of a national interest, their civil use was in the purview of the European Commission.

Eventually, a compromise was reached. A dual-use regulation was agreed upon. The basis for the regulation was Article 113 of the Treaty of Rome and a Maastricht-based Common Foreign and Security Policy Joint Action with a series of annexes. The EU's Dual-Use Regulation (EC No. 3381/94) contains 24 articles and it entered into force on July 1, 1995. Council Decision No. 94/942/CFSP, with 8 articles and 5 annexes, has been appended to it.

The series of regulations, decisions, and annexes state that:


On May 15, 1998, the Commission adopted a Proposal for a Council Regulation setting up an EU regime for the control of exports of dual-use goods and technology (COM(1998) 257 final, 98/0162 (ACC)). The proposal calls for a notification procedure for intra-Community transfers of cryptographic products instead of the current authorization/licensing scheme. It does not appear to have been implemented yet.

G-8


The Group of 8 (G8) is made up of the heads of state of the top eight industrialized countries in the world.[22] The leaders have been meeting annually since 1975 to discuss issues of importance, including the information highway, crime and terrorism.

The G8 has been active in discussing encryption policy at the urging of the United States. At the G8 meeting in Lyon, France in 1996, the G8 agreed to “accelerate consultations, in appropriate bilateral or multilateral fora, on the use of encryption that allows, when necessary, lawful government access to data and communications in order to, inter alia, prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications.”[23]

At the Denver Summit in June 1997, the G8 stated:

“To counter, inter alia, the use of strong encryption by terrorists, we have endorsed acceleration of consultations and adoption of the OECD guidelines for cryptography policy and invited all states to develop national policies on encryption, including key management, which may allow, consistent with these guidelines, lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies.”

At the Birmingham, England meeting on May 18, 1998, the G8 adopted a recommendation on ten principles and a ten-point action on high-tech crime that did not explicitly mention encryption. The ministers announced, “We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies.”[24]

Council of Europe


The Council of Europe is an inter-governmental organization formed in 1949 by West European countries. There are now 40 member countries. Its main role is “to strengthen democracy, human rights and the rule of law throughout its member states.” Its description also notes that “it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities.”

On September 8, 1995, the Council of Europe approved a recommendation to limit strong cryptography in its member states. The Council is unlike the European Commission in that it has no statutory authority to enforce its recommendations. However, it is rare for member countries to reject the Council of Europe’s recommendations. The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states:[25]

Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein.

Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities.

Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary.

The Council is now working on a draft convention on computer crime. This directive is being drafted in part by the Computer Crime Division of the U.S. Department of Justice. According to the Dutch Ministry of Justice, the draft is being prepared by an ad-hoc group of experts from a "limited number of countries" and chaired by Prof. Kaspersen of the University of Amsterdam. The time limit for preparing the draft is the end of 2000. A number of non-members are also represented as observers to the ad-hoc group, including the US, Canada, Japan, South Africa, the European Commission, the OESO, UNESCO and others. No draft of the directive has been released by the COE, but according to the MOJ it will require all signatories to mandate that all telecommunications and computer network equipment have built-in wiretapping capabilities.



[1] For more information on wiretapping and other privacy issues, see EPIC/Privacy International, Privacy and Human Rights 1999 (EPIC, 1999) <http://www.privacyinternational.org/survey/>.
[2] European Parliament, Science and Technology Options Assessment (STOA), "An Appraisal of the Technologies of Political Control", January 6, 1998.
[3] Campbell D., "Interception Capabilities 2000", working document for the European Parliament, Science and Technology Options Assessment (STOA) panel. <http://www.europarl.eu.int/dg4/stoa/en/publi/pdf/98-14-01-2en.pdf>.
[4] <www.aaas.org/SPP/DSPP/CSTC/briefings/crypto/dinah.htm>.
[5] European Commission, "Towards a European Framework for Digital Signatures and Encryption", COM (97)503. <www.ispo.cec.be/eif/policy>
[6] Press Release of the German Federal Ministry of Economic Affairs, December 8, 1998 on Wassenaar Arrangement "Export Control for Encryption Technology Relaxed: No Forthcoming “Key Recovery” for Crypto Products." <www.kuner.com/data/new/wassenaar.html>.
[7] See Appendix A
[8] See R. H. Helmholz, "Self-Incrimination: The Role of the European Ius Commune", 65 NYU L Rev 962 (1990). See also L. Levy, Origins of the Fifth Amendment: The Right Against Self-Incrimination (2d ed. 1986).
[9] Doe v United States, 487 US 201, 219 (1988). Justice Stevens wrote in dissent, "[a defendant] may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe--by word or deed.” See Kathleen M. Sullivan, "Privacy in the Digital Age: Encryption and Mandatory Access" before the Subcommittee on the Constitution, Federalism and Property Rights, Committee on the Judiciary, United States Senate, March 17, 1998; Greg S. Sergienko, Self Incrimination and Cryptographic Keys, 2 RICH. J.L. & TECH. 1 (1996) <http://www.richmond.edu/jolt/v2i1/sergienko.html>. For the US government view, see Phillip R. Reitinger, Compelled Production of Plaintext and Keys, The University of Chicago, 1996 U Chi Legal F 171.
[10] "In the Matter of the Draft Electronic Communications Bill and in the Matter of a Human Rights Audit for Justice and FIPR", October 7, 1999. <http://www.fipr.org/ecomm99/ecommaud.html>.
[11] See the following judgments of the Court: Funke v. France, 25 February 1993, Series A no. 256-A, p. 22, § 44; John Murray v. the United Kingdom, 8 February 1996, Reports of Judgments and Decisions 1996-I, p. 49, § 45; Saunders v. the United Kingdom, 17 December 1996, Reports 1996-VI, p. 2064, § 68; and Serves v. France, 20 October 1997, Reports 1997-VI. Our thanks to Yaman Akdeniz for this information.
[12] New Zealand Law Commission, “Electronic Commerce Part Two: A basic legal framework”, November 1999.
[13] AG Letter Review of Policy relating to Encryption Technologies (Walsh Report), October 10, 1996. <http://www.efa.org.au/Issues/Crypto/Walsh/index.htm>
[14] See STAND, 'Operation Dear Jack', <http://www.stand.org.uk/dearjack/photostory.php3>.
[15] EPIC, "Critical Infrastructure Protection and the Endangerment of Civil Liberties", October 1998. <www.epic.org/security/infowar/epic-cip.html>.
Australian Security Intelligence Organisation Act, Act No. 161 of 1999. Available at: <http://scaleplus.law.gov.au/cgi-bin/download.pl?/scale/data/pasteact/0/48/>.
[16] Countries for which the United States imposes sanctions are: Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria, the Angolan opposition group UNITA (National Union for the Total Independence of Angola) and UNITA-controlled areas of Angola, Taliban-controlled areas of Afghanistan, and Serbia and institutions of the Federal Republic of Yugoslavia (minus Montenegro). In addition, certain entities in China, India, Israel, Pakistan, and Wassenaar partner Russia are subject to special export determination for some technologies, including cryptography.
[17] The United Kingdom maintains sanctions against Iran, Iraq, Libya, Myanmar (Burma), Taiwan, and Yugoslavia. Unlike the United States, the British do not impose sanctions against Cuba, which is subject to an American embargo. On April 10, 1998, several WA partners of the United States abstained on a UN Human Rights Commission resolution condemning economic sanctions as coercive. Those WA partners abstaining included Austria, the Czech Republic, Denmark, Ireland, Italy, Poland, and Ukraine.
[18] Press Release of the German Federal Ministry of Economic Affairs, December 8, 1998 on Wassenaar Arrangement "Export Control for Encryption Technology Relaxed: No Forthcoming “Key Recovery” for Crypto Products." <www.kuner.com/data/new/wassenaar.html>.
[19] Letter from Embassy of Switzerland, January 27, 1999.
[20] EU Dual Use Regulation (EC No. 3381/94) as amended.
[21] European Commission, "Towards a European Framework for Digital Signatures and Encryption", COM (97)503. <www.ispo.cec.be/eif/policy>.
[22] United States, United Kingdom, France, Germany, Canada, Italy, Japan, and Russia.
[23] Ministerial Conference on Terrorism, Paris, France, July 30, 1996, Agreement on 25 Measures. <utl1.library.utoronto.ca/disk1/www/documents/g7/terror25.htm>.
[24] G-8 Communique, Birmingham, UK, May 18, 1998. <http://www.gilc.org/crypto/g7/g8-birmingham-598.html>.
[25] Recommendation No. R (95) of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with information, 11 September 1995. <www.privacyinternational.org/intl_orgs/coe/info_tech_1995.html>.