[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Laws Outside the U.S.

"Timothy C. May" wrote:
> I heartily agree with Duncan here! There has been very little said by
> the good residents of France, Germany, Sweden, Holland, Italy, etc.
> about just what the crypto-related laws of their countries are.

(I've touched on this issue in a few bits and peices, but this is
an opportunity for me to summarise some of the critical points)

Crypto in Australia:

- There are no regulations or laws covering the use of crypto, ie.
  encryption of communications over common carriers. However, when a
  Law Enforcement Agency (only our Federal Police and the Australian
  Security Intelligence Organisation can obtain warrants for telephone
  intercepts) requires an intercept, the carrier must be able to
  furnish the information to them. What this means is that if the
  carrier employs encryption or some other method of altering
  information between external communication end points, it must unwrap
  this for AFP/ASIO when they have a warrant for such information. This
  applies _only_ to "carriers".

- There _are_ export laws on crypto, covered under section 13B and
  13E of the Customs (Prohibited Exports) Regulations (under the
  Customs Act 1901). This prohibits certain specified goods of which
  crypto is one, along with any goods in a list produced by the
  `Minister of State for Defence' on `Goods with Civil and Military
  Applications' [ie. what comes from COCOM]. Permits must be obtained
  in writing from the Minister of State for Defence _or_ someone
  authorised in writing by him/her. This legislation doesn't seem to
  have been applied.

- There are no laws on crypto import. Of course, importing implies
  something coming from another jurisdiction, who may see the export
  issue a different way. It's my belief that the laws are in place to
  "scare" and "standover" the _exporters_ and place the onus on them to
  control emissions. In other words, just as if the smoke shop sold to
  a minor, the shop, not the minor would get it.  I did at one stage
  think that "they" wouldn't mind occasional abuses of the legislation,
  as it gives them the occasional victim to prosecute and hold up for
  all to see. I don't think this anymore, because "they" would _not_
  win a case unless it's shown that the exporter did so explicitely to
  construct products for "the bad guys" (a dubious concept at best) --
  as opposed to products for personal security and commerce (I suspect
  this is why Phils case is on ice, prosecuting him isn't ever going to

- The Defence Signals Directorate (DSD) is our primary SIGINT/COMSEC
  agency. Much like the NSA (but on a smaller scale, their HQ in
  Canberra consists of 3 or 4 buildings only, surrounded by razor
  fencing though and my "driver" swears the radio went dead as I
  stepped out for a closer look :>) they provide COMSEC advice to the
  Govt. They are also the ones that deal with authorising crypto
  products for export under s.13B & 13E as mentioned above.

- Some peripheral issues: There is a section in the Telecommunications
  (Interception) Act that makes it an "offence" to hinder an officer
  under a warrant. This may apply to the use of crypto, but would do so
  only after a warrant has already been obtained to look into a
  criminal offence -- this is mere speculation on my behalf. Our
  privacy act deals _only_ with information relating to the Tax File
  Number, and credit agencies. We have a `Data matching Act' that
  allows social security and the tax department to correlate data base
  information. Interestingly enough this Act specifically outlines in
  algorithm steps what is to be compared, how it is to be compared and
  even time restrictions on the lengths of these steps and looking at
  the composition of the information, one gets an idea about exactly
  what is stored in these databases.

> Lots of clucking about U.S. policy, followed by "And the U.S. is not
> the whole world" comments, but very little about, for example, the
> Dutch Binnenlandse Veiligheids Dienst (BVD) is targetting crypto
> users, or how, for example, the German Bundesnachrichtendienst (BND)
> is pushing for constitutional limits on speech in Germany.

So far there don't seem to be any moves here in Australia to change
what legislation is already in place. Though, I must admit that I
haven't gone into depth on this and am relying only upon what the
Department of Transport and Communications and our Attorney General's
Department have told me [by letter and telephone]. Ian Farqhar might
have some comments on the Law Enforcement Access Committee.

I have it on my "to do list" to wander up to the Law Reform Commission
and ask them whether they've considered or are considering any of these
issues (Justice Kirby once wrote an excellent paper in Computer
Networks and ISDN Systems on `Data protection and Law Reform' back in
1979 -- well, I would have been about 7 years old then, I read it at
a later stage).

> My hunch is that most of the Western nations are looking for policy
> guidance to Washington, and that whatever laws the U.S. adopts as part
> of Clipper-Key Escrow-Digital Telephony-Antiterrorism-Tracking will be
> adopted in a similar form by the EC and other countries. (The recent
> or upcoming conference on international issues in key escrow, whose
> agenda was posted a while back, is indicative of this.)

I'd say this is so. One thing that is particular about Australia is
that our Government "loves" International Agreements and likes to be
seen adhering to them. This fuels my skeptism about changes in our
crypto export laws (which have been unenforced anyways -- for the
reasons mentioned wrt. Phil above) because they come from COCOM
agreements. We've always had close ties with the US, but these have
been wavering, if only slightly, in the last few years. I'd like to
know more about COCOM though, can anyone offer ?

We beat the Australia card (then suffered the Tax File Number in its
place, though not as severe). I'm confident that something as high
profile as Clipper or Key Escrow would have a good level of opposition
where the public can understand the direct application to telephone
conversions, I'm not so confident about general issues of cryptography
though. I suspect this is the case in other countries, but anytime we
see "bulletin boards" and "the internet" on current affairs shows, it
tends to be in the context of underage access to pornography.


Matthew Gream 
<[email protected]>
(02) 821-2043
(sw/hw engineer)