That's not entirely correct either. Most countries (possibly all) have
legislation which prevents the use of devices which prevent the authorities
from being able to access the information passing within their national
boundaries. Some of this legislation was introduced to cover voice traffic
and hardcopy postal material and has never been updated specifically to
cover data sent electronically, or removed from the legal lists. Some
countries have added regulations specifically to cover electronic data
scrambling/encryption, but not necessarily intended for universal
application within their borders. I am not a lawyer but I understand from
lawyer colleagues on working groups that countries, including Germany, do
have legislation which can be applied to make the holding/use of data
encryption products an admission of guilt (of some much darker activity). In
most cases this type of legislation exists to counter organised crime and
particularly drug trafficking. The reality is that no one can decide exactly
how to use existing legislation and what new legislation to introduce and
there are dozens of working parties around the world looking at this subject
and trying to draw conclusions. Two very active organisations are OECD and
the European Commission of the European Union.

The US Federal Government has the added legislative layer around ITAR which
does not stop the import and export of 'munitions', but does require the
application for and grant of a license. That process can be extremely
protracted, particularly if the end user destination does not have
'favoured' status. However, if you put enough effort and time into making an
application, the restrictions are not a concrete wall.

Two major issues face legislators. The first challenge is defining the
object of the legislation. It may seem simple to describe the object as
'electronic data communication', but effective legislation requires a better
definition to be enforced through the courts and may not reflect new
technology. What we now accept as electronic mail could be replaced within a
very short time with a new technology which does not legally conform to that
description. If you look carefully at data protection legislation you will
see that most governments have been very careful to spread the net beyond
current descriptions and that has already given lawyers room to argue in
test cases. The second challenge is that no country can effectively
legislate beyond its own borders and so far getting early international
agreement has proved difficult.

In the meantime, a great many organisations do not register under data
protection legislation and do use and handle encryption products against
existing legislation. Most governments have decided to hold off bringing
test cases and that's just a case of risk management. On one side a user
faces risks to unencrypted data, on the other he faces risks from the courts
if he uses encryption. As most of the court risks look low, companies
operate outside the law as the lesser risk action. That's a personal choice
but for some companies it may prove to be a bad choice.

Subject: RE: ENCRYPTED DATA ACROSS NATIONAL BOUNDARIES???
Date: Thursday, October 19, 1995 11:02AM
Simon Gerraty wrote:
>>as with PGP it just won't be legal.
This is incorrect. The use of x bit RSA (x > 40) type encryption is
not illegal - I could send you an encrypted message from here, London
UK, without breaking any laws.
The EXPORT from the US of any software capable of performing such
encryption is illegal, not its use.