IT Baseline Protection Manual T 3.32 Violation of basic legal conditions for the use of cryptographic procedures

Various general legal conditions must be observed in relation to the use of cryptographic products. In some countries, for example, cryptographic procedures are not allowed to be used without approval. This can mean that, if encrypted data records are sent to such countries, the recipient may not be able to read them because the recipient cannot employ the necessary cryptomodules, or may even commit an offence.

In addition, a large number of countries place severe restrictions on exporting products with strong cryptography. This particularly applies to the USA. When export is restricted, the functionality of encryption products which are strong in themselves is often intentionally reduced (by reducing the key space). Such intentionally weakened procedures do not even offer sufficient protection for average protection requirements. This is, for instance, the case for standard PC software from the USA such as Internet browsers (SSL), in which the key length is reduced to only 40 bits. Some export rulings even require parts of the key to be deposited, so that the cryptomodules are in principle unrestricted but foreign intelligence services can still access the files if necessary.

On the other hand, such restrictions, whether they apply to use within certain countries or to export, can prevent data worth protecting from being encrypted, or cause it to be protected only with low-quality cryptoproducts. This can both open the door to perpetrators and at the same time violate national law. For example, data protection laws may require the use of adequate cryptographic procedures for the protection of personal data.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik