Cryptography is used for many good things, such as hiding the content of information, preventing unauthorized use of information, and authentication, which are important at least on the Internet but also in many other places in our normal life. Cryptographic algorithms are useful only if they are secure and we can trust them. There are lots of algorithms like that, but we're not always allowed to use them because of laws and restrictions on their use. Then we have to use some weaker algorithm which might be trivial for an attacker to break.
Finland and other Scandinavian countries have no restrictions at the moment and it looks like we're not going to have any. Most of the other countries in the world have them, some stricter than others. Governments are trying to invent backdoors in algorithms and better ways to control the use of cryptography, but it seems they're not going to succeed.
The Internet has grown so fast and so big over the last few years that it's now full of companies, shops, normal people and lots of information which is just waiting for us to get it. We can easily do our work, pay our bills or do our shopping on the Internet. It sounds great, but there's also a much darker side. In addition to the normal people, it is also full of hackers and sniffers who are trying to find out our passwords, credit card numbers and any valuable information we might have. That's why we're using cryptographic algorithms to protect our secrets from outsiders.
It's easy. We'll just apply some nice little program to encrypt our data so that nobody is able to read it without knowing the right key. Unfortunately that is not always possible due to the restrictions on using cryptographic algorithms. Some governments want to keep all information in a form they are able to read if they want to. If they can read it, probably someone else can do the same thing, and that's something we don't want to happen. But why all this trouble with encryption? What can we do here in Finland to protect our information from hackers? How about other countries?
Generally the main idea of using encryption is to encrypt our data with the minimum effort that is enough to protect the information for as long as we want to and for as long as the information has some value. There are lots of algorithms we can use (DES, RC5 and RSA, just to mention a few). We just pick one that suits our needs and use it. At the moment a 72-bit block cipher or a 1024-bit public key algorithm should be enough to protect our data for a few years.
Because the governments haven't been able to make a backdoor in algorithms, they have to restrict the key size to be so small that they're able to crack it with a brute-force attack in a reasonable time. In some countries you are not allowed to use some cryptographic algorithms at all without special permission, or you're only allowed to use some weakened algorithm (reduced key length etc.) which won't be too hard to break if someone wants to do so.
Another way to prevent the use of cryptographic algorithms is to impose import and export restrictions. Everything is allowed inside the country, but taking a program or a piece of code across the border is considered smuggling and you're going to get punished. In the U.S. it's considered the same as trying to smuggle a nuclear weapon into the country (well, they won't put you in jail, but it's the same law :). So you'll need a special license to bring your own software into the country, and that might not be too easy to get.
So which countries have restrictions? Almost all countries have something to say about it [5]. Usually it's just import and export regulations, but some countries have restrictions on using cryptographic algorithms too. At first you'd think that only communist countries or countries in darkest Africa have that kind of rules, but amazingly there are fairly many "advanced" countries which have quite strict laws concerning cryptography.
Finland is a strange country. We don't have any restrictions on using cryptography [8] and it looks like we're not going to have any [7,6]. This is a good thing and I sure hope that it's not going to change. The only thing which can change that is the European Union, and we should pay attention to what kind of ideas they've got [4].
The European Union has its own restrictions [4], though almost all of the member countries have their own policy, like Finland. The European Union gives only recommendations about it, so none of the member countries can be forced to change their laws (not at the moment). Mainly those recommendations concern only the case when the encrypted information is needed in criminal investigations [3]. In the future the EU is probably going to suggest something like governmental access to the keys used in encryption, but no one knows that for sure yet.
In Europe, France has the strictest policy against cryptography. Almost everything is illegal, at least without permission [2]. The Nordic countries (Finland and Sweden) are not regulating the use of algorithms, which is a good thing, and everybody should follow our example and stop making excuses about preventing crimes and catching criminals.
The U.S. has many restrictions on exporting algorithms and is not going to change them until another, even worse solution is found. Those regulations depend on the purpose of the encryption and the strength of the algorithm, but usually you are not allowed to import or export any algorithm that uses a key longer than 40 bits (40 bits isn't enough for anything, so it's useless) [1].
Many other countries, like Russia, Israel, Hong Kong, India, Japan and New Zealand, have import restrictions, which means that you'll need a license to bring encryption software into the country. Some of the countries don't even know themselves how those things are restricted, and everything is decided case by case. So, if you're going to take encryption software to some country, you'll have to ask first and do it after that (the other way round it might be a bit more expensive and more difficult).
How about the future? Are the regulations going to change for the worse or for the better when computing power increases? Currently at least the U.S. government is trying to invent an algorithm which has a backdoor, so that they can always read the encrypted information without destroying the security of the algorithm. If they succeed, they'll probably ban all the other algorithms and let people use only this one. Fortunately they haven't succeeded in it yet and I hope that they won't make it. At least I'm not willing to use cryptography that has a backdoor in it. What if someone else finds that backdoor? Of course they can find a better solution, but I still don't like the idea of the government reading my e-mail.
[1] Black, John, U.S. Export Restrictions on Software that Employs Cryptography, 1997. http://www.softwareprotection.com/articles/art962.htm
[2] Bortzmeyer, Stéphane, L'utilisation du chiffrement en France, 1.3.1996. http://web.cnam.fr/reseau/Crypto/
[3] Committee of Ministers to Member States, Recommendation No. R (95) 13 Concerning Problems of Criminal Procedure Law Connected with Information Technology, 11.9.1998. http://www.privacy.org/pi/intl_orgs/coe/info_tech_1995.html
[4] Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Ensuring security and trust in electronic communication. http://www.ispo.cec.be/eif/policy/97503toc.html
[5] Koops, Bert-Jaap, Crypto Law Survey - Overview Per Country, 11.7.1998. http://cwis.kub.nl/~frw/people/koops/cls2.htm
[6] Kuusela, Sami, Encrypted Email For Finns, Swedes, Danes, Wired News, 23.1.1997. http://www.wired.com/news/topframe/1642.html
[7] Liikenneministeriö telemarkkinayksikkö, Hallituksen esitys, 26.6.1998. http://www.vn.fi/lm/telemarkkina/tietos.htm
[8] Valtioneuvosto, Salausjärjestelmät ja niiden käyttö, 13.11.1995. http://www.vn.fi/vm/suomi/muuta/vahti/saltr.htm