Discussion:
PGP in France, the UK and Japan: legal issues?
Olivier Delrieu
2008-08-25 00:01:44 UTC
Dear All,

Is there any legal issue, or legal requirement, when using and deploying
PGP-like software in a multinational company based in France, the UK
and Japan ?

Thank you,

Olivier.
A***@NOT.AT.Arargh.com
2008-08-25 00:06:58 UTC
Post by Olivier Delrieu
Dear All,
Is there any legal issue, or legal requirement, when using and deploying
PGP-like software in a multinational company based in France, the UK
and Japan ?
That's something you should ask a lawyer, but, IIRC, yes.
--
ArarghMail808 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.
David E. Ross
2008-08-25 00:47:44 UTC
Post by Olivier Delrieu
Dear All,
Is there any legal issue, or legal requirement, when using and deploying
PGP-like software in a multinational company based in France, the UK
and Japan ?
Thank you,
Olivier.
You might want to browse through the "Crypto Law Survey" at
<http://rechten.uvt.nl/koops/cryptolaw/index.htm>. It was updated just
last month.

"Prof.dr. Bert-Jaap Koops is professor of regulation & technology and
Academic Director of the Tilburg Institute for Law, Technology, and
Society (TILT) of Tilburg University, the Netherlands." [from his
personal Web page] I think he initially created "Crypto Law Survey" as
a thesis project while studying for his doctorate.
--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.
Olivier Delrieu
2008-08-25 07:56:14 UTC
Dave, thanks for this link.

That gave me a good starting point, and I've found the relevant French
governmental body to talk to, FYI:
http://www.ssi.gouv.fr/en/regulation/rid_contact.html

Olivier
Post by David E. Ross
Post by Olivier Delrieu
Dear All,
Is there any legal issue, or legal requirement, when using and deploying
PGP-like software in a multinational company based in France, the UK
and Japan ?
Thank you,
Olivier.
You might want to browse through the "Crypto Law Survey" at
<http://rechten.uvt.nl/koops/cryptolaw/index.htm>. It was updated just
last month.
"Prof.dr. Bert-Jaap Koops is professor of regulation & technology and
Academic Director of the Tilburg Institute for Law, Technology, and
Society (TILT) of Tilburg University, the Netherlands." [from his
personal Web page] I think he initially created "Crypto Law Survey" as
a thesis project while studying for his doctorate.
Tamzen Cannoy
2008-08-25 09:00:04 UTC
Post by Olivier Delrieu
Dave, thanks for this link.
That gave me a good starting point, and I've found the relevant French
http://www.ssi.gouv.fr/en/regulation/rid_contact.html
Olivier

As far as I know PGP Corporation sells extensively into all of these
countries.
Olivier Delrieu
2008-08-25 09:17:02 UTC
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
Post by Tamzen Cannoy
Post by Olivier Delrieu
Dave, thanks for this link.
That gave me a good starting point, and I've found the relevant French
http://www.ssi.gouv.fr/en/regulation/rid_contact.html
Olivier
As far as I know PGP Corporation sells extensively into all of these
countries.
y.
2009-03-18 10:23:14 UTC
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news. I thought that we were limited to 128 bits or the
like..
--
y.
Frank Merlott
2009-03-18 11:04:08 UTC
Post by y.
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news. I thought that we were limited to 128 bits or the
like..
In the UK you still have the legal obligation to hand out your private
encryption keys and password to the authorities when required.

If you fail to do so this can be punished with up to three years of
prison, or five years if the investigation is related to terrorism.
--
Privacylover: http://www.privacylover.com
JTF
2009-03-18 14:07:26 UTC
Post by Frank Merlott
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news.  I thought that we were limited to 128 bits or the
like..
In the UK you still have the legal obligation to hand out your private
encryption keys and password to the authorities when required.
If you fail to do so this can be punished with up to three years of
prison, or five years if the investigation is related to terrorism.
--
Privacylover:http://www.privacylover.com
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?

That is like saying just because I work at the bank, I know the
combination to the bank vault. Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
Frank Merlott
2009-03-18 22:42:25 UTC
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault. Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System

Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.


http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
--
Privacylover: http://www.privacylover.com
JTF
2009-03-18 23:29:09 UTC
Post by Frank Merlott
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault.  Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System
Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
--
Privacylover:http://www.privacylover.com
Which OS's....
Frank Merlott
2009-03-19 14:28:35 UTC
Post by JTF
Post by Frank Merlott
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault.  Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System
Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
Which OS's....
The one used by 90% of computer users
--
Privacylover: http://www.privacylover.com
JTF
2009-03-19 15:05:19 UTC
Post by Frank Merlott
Post by JTF
Post by Frank Merlott
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault.  Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System
Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
Which OS's....
The one used by 90% of computer users
--
Privacylover:http://www.privacylover.com
If you are into 100% untraceability, you would use a LiveCD which after
shutdown, leaves no trace of your use on the system.......So that
leaves out any Windows version.
Frank Merlott
2009-03-20 02:55:40 UTC
Post by JTF
Post by Frank Merlott
Post by JTF
Post by Frank Merlott
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault.  Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System
Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
Which OS's....
The one used by 90% of computer users
If you are into 100% untraceability, you would use a LiveCD which after
shutdown, leaves no trace of your use on the system.......So that
leaves out any Windows version.
BartPE is a live Windows CD, that breaks your theory. There are many
reasons why a Unix based live CD is better than a Windows one, but
Windows Live CDs do exist.
--
Privacylover: http://www.privacylover.com
JTF
2009-03-20 14:26:11 UTC
Post by Frank Merlott
Post by JTF
Post by Frank Merlott
Post by JTF
Post by Frank Merlott
Post by JTF
when implementing plausible deniability, how would they determine that
you actually know the password and are holding out?
That is like saying just because I work at the bank, I know the
combination to the bank vault.  Just because there is an encrypted
file on my hard disk, doesn't mean I have the information to unlock it.
TrueCrypt's Deniable File System
Together with Tadayoshi Kohno, Steve Gribble, and three of their
students at the University of Washington, I have a new paper that
breaks the deniable encryption feature of TrueCrypt version 5.1a.
Basically, modern operating systems leak information like mad, making
deniability a very difficult requirement to satisfy.
http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html
Which OS's....
The one used by 90% of computer users
If you are into 100% untraceability, you would use a LiveCD which after
shutdown, leaves no trace of your use on the system.......So that
leaves out any Windows version.
BartPE is a live Windows CD, that breaks your theory. There are many
reasons why a Unix based live CD is better than a Windows one, but
Windows Live CDs do exist.
--
Privacylover:http://www.privacylover.com
I stand corrected, thanks.

David E. Ross
2009-03-18 15:03:46 UTC
Post by y.
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news. I thought that we were limited to 128 bits or the
like..
The best resource for answering questions like this is
<http://rechten.uvt.nl/koops/cryptolaw/index.htm>.
--
David E. Ross
<http://www.rossde.com/>.

Don't ask "Why is there road rage?" Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
Admins
2009-03-19 04:28:51 UTC
Post by y.
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news. I thought that we were limited to 128 bits or the
like..
Check and look it all up under the Cryptography section here:

http://www.privacyoffshore.net/links.html

Regards, admins
David E. Ross
2009-03-19 14:50:50 UTC
Post by Admins
Post by y.
Post by Olivier Delrieu
Indeed, just had confirmation from French governmental representative
that USAGE of PGP-like software is NOT subject to any legal requirement,
as per a 2007 law. (FYI)
That's good news. I thought that we were limited to 128 bits or the
like..
http://www.privacyoffshore.net/links.html
Regards, admins
Please do not include any attachments in this newsgroup, not even your
VCF card.
--
David E. Ross
<http://www.rossde.com/>.

Don't ask "Why is there road rage?" Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
Unruh
2008-08-25 01:06:24 UTC
Post by Olivier Delrieu
Dear All,
Is there any legal issue, or legal requirement, when using and deploying
PGP-like software in a multinational company based in France, the UK
and Japan ?
Get legal advice in each of those countries. It is you, not us, who will
spend time in jail if you get it wrong.

But you could try
http://rechten.uvt.nl/koops/cryptolaw/index.htm
for a guide. Again, it is you, not he, that will spend time in jail if the
information is wrong. It should be treated as a hint only.
Sheridan Hutchinson
2008-08-25 01:40:34 UTC
Post by Olivier Delrieu
Dear All,
Is there any legal issue, or legal requirement, when using and
deploying PGP-like software in a multinational company based in
France, the UK and Japan ?
I am not a lawyer however I must point out that in the UK the Police can
demand that individuals or businesses must hand over private encryption
keys and passwords if they deem it necessary.
--
Regards,
Sheridan Hutchinson
***@Shezza.org