8 June 1998: Add Markus Kuhn message; add Adam Back message; link to French page
7 June 1998
Date: Sun, 7 Jun 1998 14:27:06 +0200 (MET DST)
Subject: Is NAI-BV more restrictive than French laws?
To: jy@jya.com
From: nobody@REPLAY.COM (Anonymous)

-------------------------------------
PLEASE REPLY ONLY TO : <pplf@usa.net>
-------------------------------------

To: prz@acm.org
CC: jy@jya.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Phil,

We are very surprised: it seems that Network Associates International BV refuses French domains *.fr to download the PGP evaluation versions, contradicting completely the French laws which explicitly allow importing crypto from the EU, and the European laws about "the free circulation of goods and services in the internal market of the European Union".

NAI-BV is based in the Netherlands and must respect the European laws. France itself respects the "Amsterdam Treaty" (yes: Amsterdam is the name of the EU Treaty... just the town where NAI-BV is) in the 1998 decrees.

You can see article 29 of the 25/02/98 decrees here (Official Journal of the French Republic):

http://www.legifrance.gouv.fr

We hope this was a simple error and that NAI-BV really wants to promote worldwide dissemination of crypto with respect for national laws.

Sincerely

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBNXp2dVN/Zk0/gA1YEQLnmACgg1dwmXzbgUiLU+fM15/l+NSIpb8An2eV
06rkjosTBBNtKqXVjOa+3QD7
=ImPy
-----END PGP SIGNATURE-----

--------------------------------------------------------------
PGP pour les francais / PGP even for the French
<pplf@usa.net>
http://www.geocities.com/SiliconValley/Bay/9648
--------------------------------------------------------------
Date: Sun, 7 Jun 1998 12:16:06 +0200 (MET DST)
Subject: NAI-BV is more restrictive than French laws!
To: jy@jya.com
From: nobody@REPLAY.COM (Anonymous)

-------------------------------------
PLEASE REPLY ONLY TO : <pplf@usa.net>
-------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUBJECT: NAI-BV is more restrictive than French laws!

Network Associates International BV offends against the European laws.

Network Associates International BV refuses French domains *.fr to download the PGP evaluation versions, contradicting completely the French laws which explicitly allow importing crypto from the EU and "the free circulation of goods and services in the internal market of the European Union".

The site also refuses the Russian domains *.ru, as the Russian PGP HomePage has just revealed.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBNXpWC1N/Zk0/gA1YEQJVUQCbBvIRutOVsfjAOvMQc3ta6PFoL8MAoMCh
o+MRcY7CuZQb40l5TDVzPblv
=n/qx
-----END PGP SIGNATURE-----

--------------------------------------------------------------
PGP pour les francais / PGP even for the French
<pplf@usa.net>
http://www.geocities.com/SiliconValley/Bay/9648
--------------------------------------------------------------
JYA note: Message reformatted for alignment and typo corrections; PGP sig may choke.
To: John Young <jya@pipeline.com>
cc: cypherpunks@cyberpass.net
Date: Mon, 08 Jun 1998 10:17:04 +0000
Subject: Re: PGP International Accused
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>

John Young wrote on 1998-06-07 16:24 UTC:

> There are accusations from Russia and France that
> PGP International and Network Associates are
> improperly and probably illegally refusing downloads
> of PGP to legitimate users.
>
> http://jya.com/pgpi-x-ru.htm
> http://jya.com/nai-x-fr.htm
>
> Phil Zimmermann and the companies have been asked
> by the plaintiffs to explain why public affirmations of open
> access are contradicted by illegal restrictions.

Independent of whether these practices are a good idea or not, a short note on the claims of illegality seems necessary here:

Calling download restrictions "illegal" is a complete misconception: In Europe, everyone is free to restrict distribution of her software to any freely selectable subset of the world population. There is nothing wrong legally if you publish software that you make available only to (say) Finnish students below 25 years of age, etc. Similarly, there is legally nothing wrong if you block your web-server for downloads from certain top-level domains.

It would be a horrible idea if I were *forced* by European law to publish my software either to everyone or not at all. The existence of such nonsense-laws is implied in the above accusations.

The various EU treaties that guarantee "the free circulation of goods and services in the internal market of the European Union" make it illegal for the governments of EU member states to introduce new laws that would legally restrict the distribution of goods and services in the EU. However there are numerous special exceptions at the EU level (i.e., not introduced by individual member countries): for instance both British beef and cryptographic products are export controlled for safety & security reasons.

The export controls for cryptographic software are not enforced among EU countries as long as the product is only commonly available shrink-wrap mass-market software (e.g., PGP) that comes without special support and customization, and that is not especially designed for military use. See the 1995 EU Dual Use directive.

This means that unlike from the US, you *can* export PGP and GSM systems from EU countries. You *cannot* export a cryptographically secured olive-green tactical C3 radio subsystem for installation in tanks without an export licence from most EU countries, and you will face very serious prison sentences if you try to.

References:

H Roth: `Exportkontrollen für Verschlüsselungsprodukte'. Datenschutz und Datensicherheit (1+2/1998) pp 8--13,81--85 [Abstracts mirrored here]

Markus

--
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
email: mkuhn at acm.org, home page: <http://www.cl.cam.ac.uk/~mgk25/>
Date: Mon, 8 Jun 1998 17:26:23 +0100
From: Adam Back <aba@dcs.ex.ac.uk>
To: jya@pipeline.com
CC: cypherpunks@cyberpass.net
Cc: prz@pgp.com
Subject: Re: PGP International Accused

Looking at "PGP International, BVs" web page it makes the following very craftily worded claim about key escrow:

http://www.pgpinternational.com/

: All PGP encryption products are 128 bit strong encryption, world wide.

ok so far.

: The products do not contain an unknown or undocumented message or key
: recovery method (usually called backdoor). The only way to recover the
: encrypted messages is to know and use the applicable key.

Woah! Very sneaky: "doesn't contain any unknown or undocumented message or key recovery method." TIS GAKware, IBM GAKware, GCHQ's CASM/Cloud Cover GAK proposals could make similar claims to that.

PGP for business _does_ contain a key recovery message, and it is documented as containing one. The above I think is likely to mislead most readers.

If people choose to implement communications key recovery for whatever stated or unstated claimed business "demand" (feh) for communications key recovery, they can at least have the integrity to stand by their decisions, and not try to conceal this fact in their advertising.

We expect better use of the PGP brand.

(Cc'd to PRZ so that perhaps he can correct this piece of misleading marketroidese, which I presume he is unaware of.)

Adam

--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`