[250] in cryptography@c2.net mail archive
Re: European crypto export policy
daemon@ATHENA.MIT.EDU (Assar Westerlund)
Thu Feb 20 15:12:41 1997
To: cryptography@c2.net
From: Assar Westerlund <assar@sics.se>
Date: 18 Feb 1997 23:59:00 +0100
In-Reply-To: 3umoelle@informatik.uni-hamburg.de's message of Tue, 18 Feb 1997 02:39:15 +0100 (MET)
3umoelle@informatik.uni-hamburg.de (Ulf Möller) writes:
> Swedish Datateknik 97-02 features an article about how COCOM/Wassenaar
> Arrangement affects Swedish crypto exports.
>
> I wonder if someone whose Swedish is better than mine could summarize
> the article? It is at http://www.et.se/datateknik/arkiv/97-02/5.html
EU-countries forbidden for Swedish export of crypto
It talks about the Wassenaar Arrangement as the successor of COCOM.
It says that in principle all crypto comes under the
"information security" part of this Arrangement. It refers to the
Swedish law 1994:2060 that is the one that regulates export of
strategic and dual-use products. In principle no exports can be made
without the approval of the Inspection for Strategic Products (ISP).
You are not allowed to take a cryptoprogram over the border into
Denmark. An ATM-card is allowed, but nothing smarter than that. You
may obtain a license but that requires that the FRA (the Swedish NSA)
establishes how strong your system is, and that they approve of the
exporting company and the recipient. AU-system complains about these
unnecessary steps for exporting to Europe. Egon Svensson from ISP
explains that they don't want the technology to be distributed to
countries that don't already have it. According to him only England,
France, Holland, Sweden, and Germany and perhaps some more could be
considered to have the necessary cryptographic knowledge.
----------------------------------------------------------------------
My comments:
It's mainly bullshit. I've read myself and had a lawyer look at the
relevant Swedish law. According to this you can always export
`publicly available' cryptographic software. We have also tried to
have some conversations with ISP and Egon Svensson in particular.
Apart from being quite unnice and threatening that we will not be able
to buy stuff from the US, they don't even know what the law itself says.
> Datateknik 97-01 reports about pressure for crypto regulations from
> the US, but also from the EU and OECD [the OECD turned out not to
> endorse key escrow shortly after the article was published]. The
> Swedish government is currently collecting facts and opinions; so far
> it remains an open question which standpoint it will take. England is
> preparing a law similar to the French one, while there are policy
> discussions similar to the Swedish going on in Germany and Denmark,
> says Göran Axelsson, Sweden's representative in the EU's IT security
> body.
Regarding key recovery and similar schemes it seems that the Swedish
government has been unable to make up its mind. They have put an
ex-ambassador called Magnus Faxén in charge of talking to EU, OECD and
suggesting a future Swedish policy. This person seems to have very
little insight into the problems. I can't resist quoting what he said
in an article in Dagens Nyheter:
[ http://www.dn.se/DNet/departments/12/content/dnit/dnitv2/kryptering.html ]
- Who believes that the terrorists and the mafia will deposit any
keys?
- The idea is to build in barriers against unauthorized crypto into
the computers that are sold on the market. Different experts have
different estimates of how difficult it will be for the criminals to
get hold of and use advanced cryptography.
/assar