21 January 1999
See cryptology statement of January 1999
The rapid development of new communication systems in the information society will depend on the confidence that users can place in them, and in particular the security introduced by these means of communication.
Yet this development results in the transfer of pre-existing information exchanges from closed networks which generated mutual confidence among on-line users, to networks that are globally open, like the Internet where, because appropriate means are lacking, information can be intercepted, modified, or its validity can be questioned.
Furthermore, the increasing interconnection of internal data processing systems with open networks increases their potential vulnerability.
From the outset, electronic commerce is developing in an international framework. National rules must therefore take this into account to avoid penalizing the players of the national economy and to guarantee them effective means of protection against economic espionage.
Finally and above all, the entry into the information society is characterized by a spectacular growth in the volume of information exchanged over the information networks, and in particular of personal data, the protection of which is an essential democratic issue.
Cryptology thus constitutes one of the keys for instilling confidence in widespread utilization of the Internet, by ensuring the confidentiality, validity, integrity, non-repudiation of exchanged information, and the authentication of communicants.
The use of cryptological means is therefore necessary to help:
the development of electronic transactions,
ensure information system security.
However, the increased use of cryptology can reduce the ability of police and national security forces to fight criminality, organized crime and terrorism, drug trafficking or even the laundering of money. As such, controlling the use of cryptological means represents a national security issue.
The regulatory framework for cryptology must therefore be a realistic and effective compromise. It must enable a balanced approach between the legitimate needs to protect users in their economic and private lives, and maintain the capacity of the security services to preserve State security.
Article 28 of the law of December 29, 1990 concerning the regulation of telecommunications subjected cryptology to a strict system of prior authorization for the supply, export and use of all the confidentiality tools. These provisions formed an obstacle to the development of the protected relations necessary for the expansion of electronic commerce.
The new legislation (article 17 of the telecommunications regulation law of July 26, 1996), intended making it simpler for the final user to have recourse to cryptological means, and for the seller to get onto the market.
This legislation cannot come into effect without being complemented by a series of decrees and orders specifying firstly the modes of application of the systems (liberty, prior declaration and authorization), and secondly the responsibilities of accredited organizations holding the ciphering keys, called "trustworthy third parties" for state-approved cryptology.
The procedure for the adoption of these texts - which had been delayed - was initiated in the summer of 1997. The tests shall be implemented rapidly, as soon as the final agreement of the European Commission has been obtained and they have been examined by the Council of State.
The deregulation of the French regulatory framework concerning cryptology is intended to meet the requirements of the market and the Internet players, and should also encourage the development of a French industrial supply which can base itself on sound existing skills.
There is now total freedom to use cryptological means (electronic signature) to authenticate and guarantee the integrity and non-repudiation of messages. The marketing of electronic signature products shall be subject to a simplified declaration (no waiting period or technical file to be lodged).
The selling and the use of moderate-level cryptology are becoming commonplace
For applications requiring a moderate level of protection, such as electronic commerce with consumers, the use of algorithms with moderate-level keys shall be unrestricted. Their supply is subject to a prior declaration followed by a one-month waiting period, the furnishing of a technical file and registering of the algorithm. The regulation thus enables the use and sale of these algorithms to become commonplace.
The moderate-level cryptology threshold, set by a simple decree, may be revised as the technology evolves in order to preserve an effective capacity to protect users of applications requiring a moderate level of protection, which will represent the large majority of cryptology applications.
There shall also be no restrictions on the use of cryptological means, whatever their level, on condition that the keys used are managed by a trustworthy third party where state accredited cryptology is concerned.
The setting up of these organizations, whose role is to issue and archive the information ciphering keys, shall make it easier to use high-level cryptological means. The needs for increased confidentiality (strategic exchanges between companies for example) shall thus be covered while at the same time preserving the legal powers of the judiciary, police and security services.
As the new French legislation is based on the use of trustworthy third parties for cryptology, it is vital for a service supply to be rapidly available. This activity, possibly associated with that of the certification authority, must attract private operators, therefore it must generate earnings.
This is why the decrees and orders defining the conditions for exercising this new profession will not impose technical architectures, but will restrict themselves to functional requirements to allow the development of an economically profitable activity.
Moreover, it is important that the State itself should rapidly implement a trustworthy third party service for cryptology in order to meet its own specific requirements and possibly urgent needs of companies (relations with the Tax Office and public accounting, for example).
In view of the weak market situation and the modification of the regulations, it is up to the State to support the development of industrial products for data processing security, as is done in Germany. Consequently, the Industrial strategy department of the office of the Junior Minister for industry will put out a call for proposals in this field in 1998.