Preface

In January of 1993 the National Institute of Standards and Technology (NIST) initiated the preparation of this and other publications on various aspects of the civilian cryptography issue. The purpose of this project was to prepare concise summaries of information, based upon research in open source literature, on a particular topic of interest relevant to the public discussion of cryptographic-related issues. This study was prepared under contract from the National Institute of Standards and Technology (NIST). No claim is made by NIST as to the accuracy or completeness of the information contained herein. The document does not constitute the official position of the U.S. Government on the subject matter covered in this publication. Comments, additions, or corrections on this study are welcomed, as it is our intent to update it periodically. Submissions should be directed to:

Mr. Lynn McNulty
Associate Director for Computer Security
Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899
Fax: 301-948-1784
E-mail: mcnulty@ecf.ncsl.nist.gov

Thank you.

IDENTIFICATION AND ANALYSIS OF FOREIGN LAWS AND REGULATIONS PERTAINING TO THE USE OF COMMERCIAL ENCRYPTION PRODUCTS FOR VOICE AND DATA COMMUNICATIONS

Professor James P. Chandler
Diana C. Arrington
Donna R. Berkelhammer
William L. Gill

January 1994

Prepared by
National Intellectual Property Law Institute and The George Washington University
1350 Eye Street NW, Suite 820
Washington, DC 20005
Subcontract No. 19K-RF105C
DOE Project No. 2042-E024-A1

Prepared for
Data Systems Research and Development Program
Technical Operations
Oak Ridge K-25 Site
Oak Ridge, Tennessee 37831-7620
Managed by MARTIN MARIETTA ENERGY SYSTEMS, INC. for the U.S. DEPARTMENT OF ENERGY under contract DE-AC05-84OR21400

This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

K/DSRD/SUB/93-RF105/3
Limited Distribution

CONTENTS

ABSTRACT
ACRONYMS
1. INTRODUCTION
2. ENCRYPTION TECHNOLOGY FOREIGN LAWS
   2.1 AUSTRALIA - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY
   2.2 BELGIUM - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY
   2.3 BRAZIL - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY
   2.4 CANADA
      2.4.1 Export and Import Permits Act
      2.4.2 Import Controls
      2.4.3 Export Controls
   2.5 PEOPLE'S REPUBLIC OF CHINA
      2.5.1 Import Controls
      2.5.2 Export Controls
   2.6 EUROPEAN COMMUNITY
      2.6.1 Import Controls
      2.6.2 Export Controls
   2.7 FRANCE
      2.7.1 Import Controls
      2.7.2 Export Controls
   2.8 GERMANY
      2.8.1 German Foreign Trade Act
      2.8.2 Import Controls
      2.8.3 Export Controls
   2.9 INDIA
   2.10 ISRAEL
   2.11 ITALY
   2.12 JAPAN
      2.12.1 Import/Export Controls
      2.12.2 Encryption Technology Controls
   2.13 SPAIN
      2.13.1 Import/Export Controls
      2.13.2 Encryption Technology Controls
   2.14 THE NETHERLANDS
      2.14.1 Import/Export Laws
      2.14.2 Encryption Technology Controls
   2.15 UNITED KINGDOM
      2.15.1 Import/Export Laws
      2.15.2 Encryption Technology Controls
   2.16 SOUTH AFRICA
      2.16.1 Import/Export Laws
      2.16.2 Encryption Technology Controls
   2.17 RUSSIA
   2.18 SAUDI ARABIA
   2.19 MEXICO
   2.20 SWEDEN
   2.21 SWITZERLAND

ABSTRACT

This document analyzes foreign controls pertaining to encryption technology. Controls surveyed include export and import laws and any domestic laws that could be found. Research for this task began with a search of actual statutes and codes of the foreign countries. This search yielded limited and incomplete information which had to be supplemented by other resources. The researchers collected information from various embassies, with limited success, and also referred to various secondary sources such as reports prepared for the National Institute of Standards and Technology for conferences addressing encryption issues. The authors of reports were called and queried as to the strength and validity of the information presented in the reports. This process proved to be rather helpful. During the analysis of the reports, it was found that others have attempted this type of research before and have had similar limited success. Twenty-one countries were researched by the aforementioned method. Information was found for most of the countries. A few countries had no official controls, although actual controls may in fact be exercised.

ACRONYMS

EIPA    Export and Import Permits Act
COCOM   Committee for Multilateral Export Controls
EC      European Economic Community

1. INTRODUCTION

This document analyzes foreign controls pertaining to encryption technology. Controls surveyed include export and import laws and any domestic laws that could be found. Research for this task began with a search of actual statutes and codes of the foreign countries. This search yielded limited and incomplete information which had to be supplemented by other resources.
The researchers collected information from various embassies, with limited success, and also referred to various secondary sources such as reports prepared for the National Institute of Standards and Technology for conferences addressing encryption issues. The authors of reports were called and queried as to the strength and validity of the information presented in the reports. This process proved to be rather helpful. During the analysis of the reports, it was found that others have attempted this type of research before and have had similar limited success, with one manufacturer finally having its subsidiaries ask foreign government officials what their policies were. Twenty-one countries were researched by the aforementioned method. Information was found for most of the countries. A few countries had no official controls, although actual controls may in fact be exercised.

2. ENCRYPTION TECHNOLOGY FOREIGN LAWS

2.1 AUSTRALIA - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY

Australia requires an import certificate for encryption software or hardware only upon request by the exporting country.

2.2 BELGIUM - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY

Belgium does not impose import restrictions for encryption technology.

2.3 BRAZIL - IMPORT CONTROLS ON ENCRYPTION TECHNOLOGY

Brazil does not impose import restrictions for encryption technology.

2.4 CANADA

2.4.1 Export and Import Permits Act

The Export and Import Permits Act (EIPA) regulates the export and import of goods in Canada. To ensure compliance with the provisions of EIPA, customs officers are authorized to satisfy themselves that all pertinent requirements have been met. The provisions of the Customs Act pertaining to search, detention, seizure, forfeiture, and condemnation apply where any provisions of the EIPA or regulations have been violated. Violators are subject to criminal prosecution.
2.4.2 Import Controls

Based on the listed items in the Import Control List, the importation of cryptographic technology into Canada is not controlled.

2.4.3 Export Controls

The exportation of items from Canada may be subject to restriction if they are included on the Export Control List pursuant to the EIPA. Canada follows the Coordinating Committee for Multilateral Export Controls (COCOM) regulations in the regulation of cryptographic technology. Encryption devices are outlined in category five, part two of Canada's export regulations. These provisions are similar to U.S. category five in the Export Administration Regulations.

2.5 PEOPLE'S REPUBLIC OF CHINA

2.5.1 Import Controls

China practices a licensing scheme for imported commodities. An application is to be filed and a license obtained in advance by corporations approved by the state to engage in the business of importing commodities. A license is valid for 1 year, and a corporation may apply for an extension. Based on China's List of Prohibited and Restricted Imports and Exports enacted in 1987, China restricts the importation of voice-encoding devices.

2.5.2 Export Controls

A corporation engaging in the exportation business must first file an application for approval with the Ministry of Foreign Trade or the foreign trade bureau of the province. The Ministry establishes an export control list of prohibited and restricted goods. Based on China's List of Prohibited and Restricted Imports and Exports, China restricts the exportation of voice-encoding devices.

2.6 EUROPEAN COMMUNITY

In 1957, the Treaty of Rome established the European Economic Community (EC). The EC members are the territories of Belgium, Denmark, the Federal Republic of Germany, France, Ireland, Italy, Luxembourg, the Netherlands, Great Britain, Greece, Spain, and Portugal.
In 1986, the Single European Act modified the treaties, creating the European Communities so as to establish an internal market without boundaries in which free dissemination of merchandise, persons, services, and capital are assured. The free internal market would be continually implemented by the member-states during the course of a 5-year period concluding on December 31, 1992.

2.6.1 Import Controls

Most articles imported from EC member-states are not subject to restrictions. The rules applicable to the free movement of goods are derived from Articles 9 et seq. of the Treaty of Rome. However, Article 36 allows prohibitions or restrictions on imports justified for various reasons, such as public morality, public policy, or public security. The EC courts have consistently held that Article 36 is applicable to measures of a noneconomic nature, such as the maintenance of a national health care system or the security of member-state oil supplies. No import/export controls on encryption technology were found.

2.6.2 Export Controls

Most products exported to EC member-states are not subject to restrictions; however, certain sensitive products and technologies deemed necessary for national policy are subject to the laws and regulations instituted by member-states. The sensitive nature of certain products derives from the dual use, civil and military, which can be made of them. Intra-EC member trade is to be regulated by controls pursuant to the COCOM rules; however, a satisfactory basis for cooperation between member-states and the Commission has not been established. The objective will be to develop uniform export and import control lists of products and their respective destinations. The developing momentum of the intergovernmental conference on political union in regard to exports of weapons and nonproliferation should facilitate an agreement on the treatment of dual-use products. No import/export controls on encryption technology were found.

Currently, the Commission of the European Communities is developing a European telecommunications policy to establish a common telecommunications market (networks and telecommunications equipment). The emerging telecommunication policy is governed by the Treaty of Rome and by the fundamental human rights as developed by the European Court of Justice. This telecommunications policy might affect the future controls on cryptographic technology in voice and data networks.

2.7 FRANCE

2.7.1 Import Controls

Imports into France are governed by French law and the EC regulations. Two questions must be considered in connection with the entry of goods into France: whether goods to be imported into France are subject to any import restrictions and what declarations or filings are to be made for permissible importation. Goods can fall into four categories: articles not subject to restrictions, articles subject to prior notification, articles subject to an import license, or articles subject to special import restrictions. Almost all goods that originate in the EC as well as certain goods specified by law may be imported into France without being subject to import restrictions. An import license is valid for only 6 months and only with reference to a specific type of merchandise coming from a specific origin.

France requires a license for the import of encryption into the country. France requires Data Encryption Standard-based encryption manufacturers and users to deposit a key with the French government, and they may also require an import license if it is determined necessary on a case-by-case review. France would probably forbid the use of key escrow technology unless they are given the keys and a full description of the algorithm.

2.7.2 Export Controls

Most products exported to EC member-states are not subject to restrictions; however, certain products are subject to prior notification, an export license, or a prior authorization before they may be exported.
Such notifications, licenses, or authorizations are obtained pursuant to similar procedures governing importations.

In order to preserve the interests of French national security or defense, exports or use of cryptography must (1) be "declared prior to the operation when this operation only results in certification, or in the securization of the transmitted message; and (2) be authorized prior to the operation by the Prime Minister in any other cases." The penalty for not complying is a fine of 6,000 to 500,000 FF and/or a prison sentence from 3 to 8 months.

A declaration of delivery or use of means of cryptography is issued at the central bureau for security of information systems. The request form for a declaration has two parts, a technical part and an administrative part. The technical part is an "extensive description in French of the operation or means of cryptography and of its exploitation mode, including the management of secret arrangements." The administrative part allows for the identification of the person requesting the operation, location of the operation, and the categories of persons or societies allowed to use the operation. The request indicates the duration for which the authorization is requested, which cannot exceed 10 years. The export of cryptography requires the deposit of a copy of the receipt of the declaration to the customs office.

As in the United States, France has decontrolled software that is in the public domain, and it retains control of mass-market and other encryption software as military items.

2.8 GERMANY

2.8.1 German Foreign Trade Act

The German Foreign Trade Act of 1961 regulates German trade and recognizes the need to reduce to a minimum restrictions and formalities in the import and export of goods. Germany is considered one of the world's most liberal trading nations.
However, Germany does provide for prohibitions and restrictions for the protection of Germany's market organization, specific industries, public health, and public order. Germany draws a distinction between trade regulations on the one hand and noncommercial regulations on the other. Noncommercial regulation serves a purpose that is not directly related to international trade, but rather to serving public health, safety, industry, and public order. Since Germany is a member of the EC, the country's foreign trade policy has become increasingly influenced by EC legislation.

2.8.2 Import Controls

Germany has an import control list over 300 pages in length which in combination with a list of countries indicates whether a license is required. A license can be applied for at the Federal Office for Commercial Business. Germany does not have any restrictions on encryption products.

2.8.3 Export Controls

The Foreign Trade Ordinance contains an export control list of all goods subject to foreign trade restrictions. The export list does not impose prohibitions, but it indicates authorization requirements. All goods requiring authorization are classified by a four-digit code number. COCOM restrictions are incorporated into the export list. Germany has specifically exempted encryption software from the General Software Note of the COCOM Industrial List. Therefore, Germany maintains control of both public domain and mass-market encryption software.

2.9 INDIA

No import/export controls were found.

2.10 ISRAEL

Israel imposes import restrictions on encryption; however, the scope of their restrictions is not clear.

2.11 ITALY

There are no import restrictions on encryption technology. Italy follows COCOM regulations for the export of encryption technology, allowing public-domain and mass-market software to be exported with no license and other encryption-capable items to be exported with a validated license.

2.12 JAPAN

2.12.1 Import/Export Controls

The Foreign Exchange and Foreign Trade Control Law governs the import and export of goods in Japan. The Law is designed to permit the export of goods with minimal restrictions. The Law provides for some restrictions in order to prevent unfair exportation and ensure orderly importation. Unfair exportation includes the export of goods that may infringe on an industrial property right or copyright protected in the country of destination, export of goods with false representation of country of origin, and goods that greatly differ from the specifications given in the contract.

The Law requires export licenses for certain kinds of goods and services for certain destinations. A person who intends to export goods and/or technology to a destination designated in a cabinet order as an area where international peace and security are obstructed is required to obtain a license from the Minister of International Trade and Industry. Primarily, restrictions involve COCOM-controlled goods and technologies. Japan joined COCOM in 1950 and enforces COCOM controls through a national list of strategic goods and technology. The list is published together with other controlled items in a cabinet order and is administered by the Ministry of International Trade and Industry.

2.12.2 Encryption Technology Controls

Japan follows COCOM guidelines for the export of encryption technology. Generally, public-domain and mass-market software may be exported without a validated license. Other encryption technologies are reviewed on a case-by-case basis. No import controls were found. No domestic controls on encryption use were found.

2.13 SPAIN

2.13.1 Import/Export Controls

The export of goods is regulated by Royal Decree No. 2426 of September 14, 1979. Royal Decree No. 2426 regulates the processing of export transactions, payment of the purchase price, control, and the evaluation of trade balances.
All goods may be exported, provided the conditions and requirements set forth by the Decree have been met. There are no limitations other than those established by the government for reasons of morality, health, public order, or other internationally recognized reasons. The export of goods is carried out by allowing the granting of a license by the Minister of Economy and Finance.

2.13.2 Encryption Technology Controls

No import/export controls or domestic controls were found.

2.14 THE NETHERLANDS

2.14.1 Import/Export Laws

The Import and Export Act of 1963 controls the import and export of goods. Imports and exports are free from any restrictions or registration formalities other than those expressly imposed. The Act states that restrictions and formalities may be imposed by regulations or decrees issued by the Minister of Economic Affairs or Minister of Agriculture. A number of decrees and regulations have been issued. The Economic Information Service, a service of the Ministry of Economic Affairs, maintains a list of current regulations and decrees, as well as a list of those goods for which import or export licenses are required.

2.14.2 Encryption Technology Controls

Annex B of the Import and Export of Industrial Goods Decree of 1963 sets forth a list of industrial products for which an export license is required. The Export of Strategic Goods Decree of 1963 prohibits the export of an extensive number of products of a strategic nature. Public domain and mass-market software generally does not require a validated license. Items capable of file encryption do require a validated license. No import restrictions were found.

2.15 UNITED KINGDOM

2.15.1 Import/Export Laws

The Import, Export and Customs Powers (Defence) Act of 1939 governs the import and export of goods in the United Kingdom. The Department of Trade and Industry regulates the import and export of goods. Generally, the United Kingdom follows COCOM guidelines for the export of COCOM-controlled goods.

2.15.2 Encryption Technology Controls

The United Kingdom controls encryption items as dual-use items. No license is required for the export of mass-market and public-domain software. Other encryption items may be granted export licenses on a case-by-case basis. No import controls were found for encryption technology.

2.16 SOUTH AFRICA

2.16.1 Import/Export Laws

The Import and Export Control Act, No. 45 of 1963, governs imports and exports in South Africa. The minister of Trade and Industry and Tourism has regulatory control over exports and imports. South Africa reserves the right to control or prohibit the export of certain goods from its country. Generally, prohibited exports consist of arms and ammunition.

2.16.2 Encryption Technology Controls

No controls exist on the export of encryption technology. South Africa generally shapes its export practices to the import laws of the importing country. No import restrictions were found.

2.17 RUSSIA

No import or export restrictions were found.

2.18 SAUDI ARABIA

No import or export restrictions were found.

2.19 MEXICO

The Mexican Institute of Foreign Trade governs imports and exports in Mexico. No export or import controls were found on encryption technology.

2.20 SWEDEN

No import or export restrictions on encryption technology were found.

2.21 SWITZERLAND

No import or export restrictions on encryption technology were found.

INTERNAL DISTRIBUTION

1. J. P. Chandler
2. L. J. Hoffman
3. K. D. Streetman
4-8. National Institute of Standards and Technology
9. DSRD Resource Center, 1099 COM, MS 7615, Room 507
10. K-25 Site Records, K-1001, MS 7101-RC