By Stewart Baker (sbaker@steptoe.com) and Michael Hintze (mhintze@steptoe.com)
October 1997
We have translated versions of the French Government's recently released draft decrees on encryption policy. The first decree contains the rules for the import (from countries that are not members of the EC), use, supply and export of encryption products, and the second decree contains the rules governing the trusted third parties who hold encryption keys (i.e. key escrow agents).
The decree that regulates the import, use, supply and export of encryption products differentiates between two types of products, and creates a different regulatory regime for each. The following is a brief analysis of the two decrees.
I. CRYPTOGRAPHIC ITEMS USED FOR AUTHENTICATION, ETC.
The import, use, supply, or export of a cryptographic product that is capable only of authentication, digital signature, or access control functions requires the submission of a "declaration" to the SCSSI (the French agency in charge of encryption controls). A "declaration of personal use" can be filed by the end-user. Alternatively, a "declaration of supply for general use" can be filed by the supplier, and this would exempt end-users from having to file their own declarations.
If SCSSI determines that the product does indeed fall within this category (digital signatures, access control, etc.), it will deliver a receipt within two months of the filing of the declaration. This receipt constitutes an approval. Because the approval of declarations for qualifying products appears to be routine, this, as a practical matter, can be seen as a registration requirement.
II. ENCRYPTION ITEMS USED FOR CONFIDENTIALITY
For the import, use, supply, or export of products that employ encryption to ensure confidentiality, an "authorization" must be obtained from SCSSI.
SCSSI may request that the applicant provide technical documentation or copies of the software involved. SCSSI will make a determination within four months of the receipt of the completed authorization request, and failure to respond within this time will be deemed an approval. Authorizations can be revoked or abrogated under certain conditions, and, in cases of urgency, may be suspended effective immediately.
Encryption products that are to be used exclusively for "development, validation, or demonstration purposes" are exempt from the authorization requirement, but SCSSI must be notified at least one month in advance.
While the translation of the draft decree is somewhat difficult to decipher, Article 15 appears to state that an "authorization to supply" will only be granted for products that use key recovery-type features. "Authorizations for use," however, do not appear to be limited in this way. In any case, it is our understanding of French policy that in most cases, SCSSI is unlikely to approve an "authorization" for a non-recovery product that uses strong encryption for confidentiality purposes.
However, certain encryption items may be exempted from the declaration and authorization requirements if they appear on a list of items that, because of the "type and strength of the encryption process employed, their conformity to a French or European Community norm, . . . [or] their intended application and the possible misapplication . . . , are not likely to undermine the national defense interests or the internal or external security of the State." Based upon past practice and our understanding of current French policy, it is likely that at least 40-bit encryption products will appear on this list, and thus, could be imported and used in France without an "authorization."
III. REQUIREMENTS FOR TRUSTED THIRD PARTIES
The separate decree that governs trusted third parties (or key recovery agents) states that such entities must be approved by SCSSI. An application for approval will be granted or denied within four months of its receipt, and a failure to respond within this period will be deemed an approval.
Perhaps the most controversial provision of the decree is that SCSSI will only approve trusted third parties that are French. This means that the entity must be owned by a French national, or the majority of the partners and managers must be French. For corporations, the managers, agents, and directors of the board of directors or executive committee must be French. The decree does contain a discretionary exception whereby the Prime Minister can approve entities not meeting these conditions. At the very least, however, the decree contains a clear and strong preference for French entities.
Article 11 of the decree contains a list of items that must be included in the documentation to be submitted to SCSSI. These look at least somewhat like the criteria for key recovery agents found in the US Commerce Department regulations. Additionally, once an entity is approved, SCSSI must be notified of any change in the status of the entity or its employees. An approval may be denied if the trusted third party or a senior employee of the entity has been sentenced to imprisonment of more than three months.
These are only drafts of the expected decrees. It is still possible that significant changes could be made before they are finalized.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com