France Rejects Backdoors in Encryption Products

For the right reasons, too:

Axelle Lemaire, the Euro nation's digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected.

"Recent events show how the fact of introducing faults deliberately at the request -- sometimes even without knowing -- the intelligence agencies has an effect that is harming the whole community," she said according to Numerama.

"Even if the intention [to empower the police] is laudable, it also opens the door to the players who have less laudable intentions, not to mention the potential for economic damage to the credibility of companies planning these flaws. You are right to fuel the debate, but this is not the right solution according to the Government's opinion."

France joins the Netherlands on this issue.

And Apple's Tim Cook is going after the Obama administration on the issue.

EDITED TO ADD (1/20): In related news, Congress will introduce a bill to establish a commission to study the issue. This is what kicking the can down the road looks like.

Posted on January 20, 2016 at 5:02 AM • 27 Comments

Comments

Chris WJanuary 20, 2016 5:35 AM

Anyone else gets the feeling this is all politics and smokescreen?

If they really wanted to make a statement, they would pass an amendment that criminalizes implementing backdoors.

("Access mechanisms not explicitly approved and enabled by the user" or whatever legal jargon is required to ensure there's an opt-in/out and informed consent clause).

Gonna be fun to see the reactions. It's quite probably that Tim Cook & co would start protest, coz then they have to be a lot clearer about several of cloud features, remote reset, ad api, backups, data collection etc.
The implications could be huge.

Bruce SchneierJanuary 20, 2016 6:21 AM

With a country like France, I worry about the government forcing back doors in secret while denying it in public. There's much less oversight and accountability in that country than in the US.

CzernoJanuary 20, 2016 6:55 AM

State actors are playing on words and this is something of
a smoke and mirrors game. The future law in question is only one of a complex of digital and surveillance laws.
While minister Axelle Lemaire is, rightly, refusing that lawful backdoors be mandated by the general digital law to be discussed,
at the same time France /has/ legislated cases where police or the secret services are allowed to plant backdoors, etc, with mandated help
from ISPs and telecommuncation operators and in some cases whithout a judge's order.


@Bruce : ISTM your comment is a bit unfair wrt the *actual* practice
- as opposed to constitutional theories - by the executive powers in France versus the USA to-day (as we know the latter after Snowden et al).

RobinJanuary 20, 2016 7:53 AM

By reports, French laws on the use of security - especially cryptographic - products have been restrictive for some time and became worse last year. For example products that use cryptography are only permitted if 'authorised', whatever that means.

But I have not been able to find an English language (or French, but maybe my choice of search terms is not very smart in French) summary of what is and what is not legally permitted. Anyone able to help?

ChristianJanuary 20, 2016 8:05 AM

Bruce could you elaborate on why there is much less oversight in France as in the US?

qwerttyJanuary 20, 2016 8:06 AM

@Bruce

Indeed, the USA would never put secret backdoors into software. Ever. Nor would they violate the consitutional rights of their citizens by spying on them illegally. Also, they have Superman on their side, and he wouldn't allow those things to happen. (sorry, I'm having trouble finding a statement that is as ridicoulous as the one you just made).

Seems you just lost it.

Justice Reserved for GodJanuary 20, 2016 9:07 AM

In the hi-tech world it's a no-no to visit France under any circumstances.
Bruce correctly worries that gov’t and corporations are lying to the public in France. Does not the CISA law allow the similar lying and cover-up of illegal deeds in the USA?
For the first time data-mining corporate agents are also above the law. Does France grant corporate indemnification too?

LBJ was quoted by his mistress that rogue intelligence agents bumped off JFK. Hence no release of gov't documents even after 55 years... Then Attorney General Robert Kennedy made a terminal statement wanting to reopen the sham Warren Commission findings...

Just a few years ago a reporter betrayed powerful generals’ trust. We can now deduce his car was remotely commandeered, crashed then blown-up. Officially it was just a simple car crash…

It’s wise to know who you are dealing with and know limits. It means following unwritten rules and realizing when pressure is being applied. Hitting home, the more you are able to deduce, the more you must practice self-censorship (self-preservation).
Twisted lawful deception rules with an iron fist by gathering our non-tangible assets.
In China bloggers and financial officials routinely disappear. We should all be so grateful.

JuliaJanuary 20, 2016 10:51 AM

"There's much less oversight and accountability in that country than in the US."

That's factually false, it's your Ivy League elite indoctrination talking. France recognizes the competence of the ECtHr. It has instituted the Nationale Consultative des Droits de l'homme in compliance with the Paris Principles. It has acceded to the Rome Statute and has extended standing invitations to all UN special procedures. France is a party to all eight core human rights treaties, and unlike the US, participates in good faith with treaties' required review procedures. That is a level of independent public oversight that this US government wouldn't dare approach.

With all the crazy shit americans are induced to believe, Juche's got nothing on USA USA USA!!, or whatever passes for ideology here these days. Go listen to DPRK elites speaking publicly with US apparatchiki, and tell me which ones are the loonies. Here we see once again that the USA is the most comprehensively brainwashed society in the world.

Clive RobinsonJanuary 20, 2016 12:16 PM

The problem with France and Espionage and cryptography is an old one.

Yes they used to have some heavy duty anti crypto laws but the real hum dinger is that France was up front about the state carrying out "economic espionage", with the infamous "it's less costly than R&D". It was one of those "cat out of the bag moments" that in reality was a "what you going to do about it" moments because as the hint was dropped "all governments that could do it were doing it". It was also obvious the French would happily name and shame if there was any push back. So the guilty including the US --which was the country the French were pointing at-- sat on their hands and tried to look innocent because they did not want the citizens knowing just how bad the spying had got with the FiveEyes capturing just about every corporate secret that went down a wire or over the airwaves.

Eventualy in more recent times the US Gov when pushed has admited to spying on other nations communications. But trots out the "but we don't do economic espionage unlike XXXX". And people in the US want to naively believe this, and the US mainly right wing press has banged that drum for all it's worth on this. The citizens want to believe because they think it somehow gives them a "moral high ground" over these other nations.

But it is a nonsense, historicaly the US was one of the worst thieves of IP (you can look it up). But things have not changed in that respect just the way they maintain the pretense of the American Dream.

The current way is directly out of Orwellian thinking, as has been shown the US Gov has been changing the meaning of words and phrases one of which is "National Security". They likes of the NSA overegged the pudding with redefining "collect" but it was just one of many lies --by ommision-- of definition that Orwell called "newspeak"[1].

And they don't give up, it would appear that the US Gov is spying on the other states in the TPP treaty negotiations, and have been a less than subtle about it (more "hamfisted" than "finessed").

What most in the US do not realise is that the TPP treaty is bad news for everybody but the top 1% of asset holders who mainly live in the US but run "multinational companies". The children of ordinary Americans will thus find that their parents have been tricked with the idea of "baubles and trinkets" dressed up to look like jobs and economic growth, not the reality of hidden destructive inflation of assets over static thus deprecating income and the export of economy strengthening design and manufacturing jobs to other countries...

[1] https://en.m.wikipedia.org/wiki/Newspeak

F.MitterandJanuary 20, 2016 12:47 PM

Well, I don't know what fuels the various comments on the lack of transparency and oversight in France wrt the use of cryptography, but my personal experience is that the situation is much better than in the US and the UK and I would add "by far" since 1998.

As a user, I am free to use whatever commercial crypto product I want, whether open source, foreign or national. With no restrictions on key length or other.

As a company, I am also free to use anything I want without restriction. I am also allowed to use government grade products in some specific situations (usually as a gov. contractor or as a critical infra. operator).

As a manufacturer, I simply need to fill out a few forms to register my HW/SW/service using encryption to the national crypto authority, ANSSI, to be allowed to sell. Some devices even benefit from an exemption or a simplified procedure.

As a telco/Internet provider, I have to be able to provide some data upon legal request.

Currently, the only "strong" restrictions are placed on export, and then only if I do so outside the EU.

Indeed, this doesn't prevent some agencies from playing games but this is in no way comparable in scope an extent to what NSA (and possibly the FBI), GCHQ and their Five Eyes friends are doing.

Dan The Beer CanJanuary 20, 2016 2:19 PM

It made me think of this old situation with IBM Lotus Notes.

Perhaps France does not want (publicly, at least) back doors because they have been pushing for weaker front doors.

This is from:
http://www.ibm.com/developerworks/lotus/library/ls-Notes_Encryption/index.html

Most countries are content with the way the International edition complies with U.S. encryption key export laws. The government of France, however, found the International edition unacceptable. To comply with French law, we created the French edition, which uses a plain 40-bit encryption key and can therefore be "broken" by attackers willing to apply considerable computing power (presumably, including the French government).

k15January 20, 2016 2:23 PM

When you encounter security flaws in business processes, and you don't want to devote your life to wrestling with them, who can you report them to, who's motivated to fix them?

RobinJanuary 20, 2016 2:35 PM

@F.Mitterand:

Here is one assertion that France is restrictive:

"France is one of the few EU countries that specifically regulates the provision of encryption technologies by requiring, in certain conditions, that prior to importing, exporting and/or supplying encryption devices or services companies file a declaration or request an authorization from the National Information Systems Security Agency (Agence Nationale de Sécurité des Systèmes d’Information – ANSSI)."
(http://blogs.dlapiper.com/privacymatters/france-changes-to-the-encryption-filing-requirements/)

OK, only one reference but it supports other reports that I've seen. But I repeat: it's hard to get a clear statement on what is, and what is not, permissible.

F.MitterandJanuary 20, 2016 4:19 PM

@clive
This is exactly what I said regarding export (I forgot import for which the same rules apply): you simply need to fill out a form and list the characteristics of your cryptographic device (cryptographic sevices, type of algorithms, key length, standards, etc.). The form is online on www.ssi.gouv.fr.

You usually only need a declaration to export/import (and I am curious to hear about cases where approval has been denied for commercial products - except for specific "unfriendly" countries). However, for military grade products export/import goes through a more much stringent process that applies to all military equipment, no just crypto. This is not different in the US with the ITAR + FMS regulations.

As to what is permissible and what is not, the answer is simple. As stated a few weeks ago by the director of ANSSI: the use of encryption is legal in France. You have no constraints wrt its use but you have to follow admin procedures to sell, import and export.

One of the crypto teams of Apple is in Paris and it would be surprising for this company to set up an office in a country that would overregulate the use of encryption. I guess that would be as smart as shooting yourself in the foot.

WikipediaJanuary 20, 2016 4:35 PM

@Robin
France used to have some restrictive encryption laws, considering encryption a "weapon of war".
In 1996 the legislation relaxed, allowing symmetric encryption with up to 128bit keys.
In 2004 the LCEN law (https://fr.wikipedia.org/wiki/Loi_pour_la_confiance_dans_l'%C3%A9conomie_num%C3%A9rique) ENTIRELY liberates use of any cryptographic means, only requiring some formal declaration or authorization for import/export of the technology.

Nowadays, there are pretty much no restrictions on the average user, and some small potential paperwork for companies.
I would say this is a much better state than wherever the UK and US are heading.

Sheep HairJanuary 20, 2016 5:31 PM

The standard bearers of defeating electronic security, NSA and GCHQ, deem themselves above the rule of law. Most of the rest of the world's intelligence services follow their lead. So, a discussion of laws is mute.

I would add there are areas of assumed security that the security destroyers don't seem to care about: VPN, SSH even cell phone comms. That would lead me to think they and many others are defeated regardless of encryption. For example, keys may be automatically stolen as soon as generated for those technologies. Recall the SIM fiasco.

They've done are very fine job of divide and conquer. I expect their lucky streak to continue, regardless of mere law.

Clive RobinsonJanuary 20, 2016 5:43 PM

An old but mildly humorous story regarding France and the US over "crypto that never was".

As some readers may know from my past comments I used to be involved with the design and manufacture of phones in South Korea.

One of the customers was a French Telco and they were having problems with domestic cordless phones, in that they wanted to sell upgrades of additional handsets for cordless phones.

Basicaly the handset was tied to a base unit via a "magic number" which was set in early phones by choping diodes of of the PCB, which was done at the time of manufacture. Which obviously ruled out after sales selling of upgrades.

I came up with a simple method where a random number generator would come up with a new number and store it in both the base and the handset programable memory.

Technicaly quite easy. On discussing it with the customer they thought it "neat" but thought they might have to check with the French Government. Two phonecalls later "no problem".

Not so easy with the the US chip manufacture (even though it was all being done in the Far East.

Basicaly the thought of a random number generator was viewed as backdoor "crypto" even though it was only 20bits... Forms went backwards and forwards, I had to write several "papers" about the design methodology, algorithms and implementation that the US IC manufacture then passed over to some nameless US agency. Who in turn asked for further clarification. And this went on for several weeks, causing the manufacturing time line to become critical...

Eventually they agreed with the idea of it not being a hidden RNG but they took for ever to say OK and even then conditionaly and requiring some "safe guards" be added...

So from my experience the French behaved quite reasonable the US,not...

How about VPN's?January 20, 2016 6:19 PM

Numerous VPN providers have servers located throughout the world. The best keep no logs or Juniper doors.

Can French users sign-up and connect to VPN servers located outside France? I use openvpn with AES-256 data encryption and RSA-3072 handshake. Security is further raised by (mostly) disabling Javascript and ads with Ublock Origin. Then i spoof the user Agent, IP, Time zone, fonts etc. I certainly don't use Windows 10 (Microsoft was the ONLY data-miner invited to the State of the Union Address...)

So far only China has banned VPNs. What limitations does France impose?

The Merry old England spies are having an encryption hissy-fit all the while banning the next probable USA President's Constitutional right to free speech. Tea-time?

In summary all my REALLY boring surfing is heavily encrypted. If i were connect to a French server both the NSA and French intelligence would automatically become suspicious. So in my particular situation (and for maximum security)i only connect to USA servers.
Those who are safer connecting to a foreign server probably live under a repressive government.

PhilJanuary 21, 2016 3:00 AM

@Bruce and other France bashers

There are quite a lot of subjects on which to bash France but cryptography is one of the worst choices in this regard. As several people have stated, France has zero regulation on private use of cryptography, only declarative paperwork for commercial use and the same export/import rules as any other products (no exchange with embargoed countries and more control on military stuff).

Clive RobinsonJanuary 21, 2016 5:38 AM

@ Martin Bott,

Encryption does not protect your data anyway, because if you are under surveillance they watch you, including your typing with radar / lidar.

Firstly you are conflating bulk surveillance and targeted surveillance. Secondly radar / lidar does not work in a hole in thr ground or other suitably prepared places.

Thus encryption will protect your privacy and with a little extra care your commercial secrecy as well. However if you have for some reason become a "person of interest" to the authorities you will need not just prepared places but fairly decent OpSec as well, in which case electronic communications are not something you are going to be using, so much of your point becomes moot.

There is a lot of nonsense talked up by the likes of the FBI's Mr Comey and the UK's Home Office Minister Ms May about terrorism and going dark. The simple fact is it usually does not pass the "sniff test" let alone any kind of independent analysis.

Home grown terrorists don't need electronic communications to be either radicalized or plot or plan an attack. They can simply meet up in places where surveillance is at best difficult, of which there are tens of thousands if not millions of places in a large town or small city. Likewise the more intelligent criminals know this as well. Even in the likes of the old East Germany there were not enough human resources to go around and trying to support them criticaly crippled their economy.

The whole point of Comey and May and their LEO advisors is "empire building" and "Status" with the IC it's building "time machines" as well.

Knowing this gives rise to a question of "treason" as well. That is are the LEO's and IC turning a blind eye from time to time or actually engineering terrorist attacks so that they can keep the gravey train going. We certainly know in the US and UK "agent provocateurs" have been used along with other techniques many would regard as entrapment. With the likes of the FBI feigning the "Last Minute Hero" routine having set up some low IQ or mentaly disturbed patsy with faux bombs etc that the patsy has no idea how they work nor could ever have got hold of.

It is without doubt a sordid grubing around for tax dollars to build worthless empires when it comes to terrorism so you have to ask is there anything else behind it other than just Empire building.

I won't go into an analysis of it but yes, there is the "personal status" issue whereby the handing out of contracts gives the oportunity for very well paid early retirment and the inclusion in certain societies that give the feeling of imense status over the common clay of the citizens who are paying through the nose for it.

You might have noticed that in the US every time you get the "cutting the size of government" nonsense all that actually happens is civil servants get laid off or redeployed, and contractors move in and a much increased price, thus the taxes rarely go down and many social systems get cut giving rise to poverty, sickness and many other ills. In short the US and UK citizens are being quite deliberatly embeggard for the benift of less than 1% of the population, who do not pay the taxes they should and in effect corrupt politicians and senior civil servants, to continue the process...

GordonJanuary 21, 2016 10:30 AM

@Dan The Beer Can

That is a relic of a US policy that required that all US based crypto products be weakened to the equivalent of 40 bit security. So we are talking about a US back-doored crypto product that IBM was trying to sell to other countries. Because France refused to allow the sale of a product containing a backdoor, IBM instead offered to sell a product that was as weak across the board.

Ideally what France should have done at this point is refuse to allow the sale of any crypto products with less than 128 bit keys. In any case, this example shows up the US administration and IBM as the bad stewards, not the French administration.

Dirk PraetJanuary 21, 2016 7:06 PM

@ Wikipedia, @ Robin, @ Bruce

...In 2004 the LCEN law ENTIRELY liberates use of any cryptographic means, only requiring some formal declaration or authorization for import/export of the technology.

I have pointed out the same on several occasions on this blog in the past. Last year, France did however pass sweeping new surveillance legislation in the wake of the Charlie Hebdo attacks. Some seized the November 13th attacks to turn back the LCEN law on encryption, but which met with serious resistance, as pointed out in the article @ Bruce quoted.

On the upside, the French Assemblée currently discussing the new bill on "digital sovereignty" is adapting some interesting additional elements like (and translated from the Le Monde article quoted above):

- The government will deliver to parliament a report describing all necessary prerequisites to develop a "sovereign" operating system and will create a commission to oversee French digital sovereignty and verification of encryption protocols. Read: they want an official French replacement for Windows.
- Tough sanctions on internet "vengeance porn".
- Open access to public sector data.
- Official recommendation to use FOSS software in administration and civil services.
- Free access to scientific research papers.
- Extentions to "fair use" of images of landmark monuments and the like.
- Protection of security researchers uncovering security flaws.

As much as we may question current French oversight and accountability, it is quite clear that French legislators not only no longer trust proprietary (US) technologies but that legislation-wise they do seem to be moving in an entirely different direction than their US counterparts.

MarkJanuary 22, 2016 3:54 AM


You know, this so called world wide .gov debate and .mil crap with encryption use for the general public is a furffy.


Nothin' like wasting everyone`s time, money and resources, just for the sake of intellectual property theft by .gov`s in an insane attempt to control .pub`

RobinJanuary 23, 2016 2:37 AM

@dervishe, @F.Mitterand, and others

Thanks for the comments, and the link (@dervishe). And I'm sorry to be obtuse but some things are still not clear. (They might become clearer when I've had time to read through more of the pages linked to.

It seems to me that there are weasel words in play (am I surprised?). For example, on the page you link to it says:

"L’utilisation d’un moyen de cryptologie est libre. Il n’y a aucune démarche à accomplir.

En revanche, la fourniture, l’importation, le transfert intracommunautaire et l’exportation d’un moyen de cryptologie sont soumis, sauf exception, à déclaration ou à demande d’autorisation."

("The use of a means of cryptology is unrestricted. No steps need to be taken.

However, supply, import, export and intra-Community transfer of the means of cryptology are subject, without exception, to declaration or authorization.")

The first line says I can use what I like without restriction. But a strict reading of the second line seems to say (approximately) that if I don't write it myself then some declaration or authorization is needed. In other words obtaining, say Veracrypt (which I 'import' by downloading from a server outside France) needs authorisation. As for uploading encrypted files to a cloud storage service like sync.com, or using mail services such as ProtonMail, I'm not sure at all about the status.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.