Rebecca Farr said:
My company would like to be able to send encrypted mail to our office in Paris.[...] I've been told by someone here in the US that France wants control of any use of encryption software including sending email.
I don't recommend relying on info found on the net without tracking it back to its sources. In this case, the official publication of the French laws, fairly accessible anyway (in France :-) In any case, you could take a look at: http://www.ens.fr/equipes_dmi/grecc/loi.html where is stored what is claimed to be a transcript of the relevant French law (missing is the regulatory procedure which is as important to you). At least missing last time I looked. You can also look around at that group's home page: http://snekkar.ens.fr:80/equipes_dmi/grecc/ I posted to this group a tentative translation in September, here it is again: As to the quality of the translation: I'm not an american lawyer, nor a french lawyer, and any given legal paragraph can usually be interpreted either way. This may not even be my reading tomorrow... To avoid confusing things even further, I'll limit my comments to remarks concerning the translation, in square brackets []. And don't blame me for the quality of the English, the French itself is laughable. Have fun, Pierre. pierre@shell.portal.com ++++++ translation of the ENS post, as of Sept 23, 1994 ++++++++ Law number 90-1170, published in the "Journal Officiel" of December 30, 1990. (The first 27 articles concern the encryption of information transmitted via radio or mail.) Article 28. - By cryptologic services, one means all services aimed at transforming through secret conventions information or clear signals into information or signals unintelligible by third parties, or at achieving the reverse operation, via means, hardware or software, designed to that end. To preserve the interests of defense and internal or external national security, the supply, export, or use of cryptologic means or services are subject: a) to prior declaration when this means or service can have no other use than authenticating a communication or than ensuring the integrity of the transmitted message. b) to prior authorization by the Prime Minister in all other cases. A decree of the "Conseil d'Etat" [President and some ministers, if I recall] determines the circumstances in which the declaration is filed, or the authorization granted, as per the previous paragraph. This decree can make provisions for a simplified system of declaration or authorization for certain types of equipment or services, or for certain categories of users. II. - In addition to the provisions of the customs code, anyone having exported a cryptologic means, or having provided or made to be provided a cryptologic service without the authorization mentioned in paragraph I of the present article, will be punished by a fine of 6000 F [US$1,200] to 500 000 F [US$100,000] and by imprisonment of one to three months or by one of these two sentences only. The court can, in addition, forbid the person from requesting this authorization for a period of at most two years, or five years for subsequent offenses. In case of conviction, the court can, in addition, pronounce the forfeiture of the cryptologic equipment. III. - In addition to police officers and customs officers in their jurisdiction, agents authorized for this purpose by the Prime Minister and sworn in the conditions specified by the "Conseil d'Etat", can investigate and report by a [sworn, whatever] statement any violations of the present article and of the corresponding regulations. Their statements are forwarded within five days to the "Procureur de la Republique" [district attorney ?]. They can enter business locations and transportation means, request the disclosure of any business documents and take copies of them. They can, on location or by convocation, collect information and justifications. ===================================== Decree Number 92-1358 of December 28, 1992, published in the "Journal Officiel" of December 30, 1992. Decision of December 28, 1992 about declarations and requests for authorization relative to cryptologic equipment and services. ... Art. 4 - Require prior declaration, the provision, export, and use of any cryptologic equipment and services ... in particular : - The equipment, hardware or software, susceptible to ensure the confidentiality of communications of any nature, or the confidentiality of data stored in memory; - Cryptologic services that ensure the confidentiality of all or part of a communication, or of data stored in memory; - Cryptoanalytic equipment and services. [This "declaration" article may in fact be an "authorization" article. That would be a pretty major mistake of the previous transcriber.] Art. 6 - Smart cards that do not allow, in and of themselves, that is without the need for external cryptologic devices, to ensure the confidentiality of communications, benefit of the same declarations filed and authorizations obtained for the equipment and services with which they are used. Art. 7 - Are not considered cryptologic equipment, the means, hardware or software, specifically designed for the protection of software against illegal copying or use, even if they use methods or devices kept secret, on the condition that they do not allow the encryption, either directly or indirectly of that software package. ... Art. 9 - In case of uncertainty of the requestor, as to whether some equipment or service belongs to the category of cryptologic equipment and services, the central service for the security of information systems is consulted. Paris, Decmber 28, 1992. French version according to Jerome RABENOU Student at the Villetaneuse Law School. Paris - France.