Cryptography law

From Advocatespedia, The Law Encyclopedia

Today, one’s personal information needs to be protected, because if it is disclosed and falls into the wrong hands it can have catastrophic effects not only on the person’s personal and professional life, but also on the lives of the people connected to him. Therefore, it is important to protect it and prevent such disastrous effects. As we know, laws are codes of conduct which touch almost all aspects of our lives in various ways. Even when it comes to cryptography, there are laws concerned with securing this information and protecting it from unauthorised access.

Cryptography law
Author: Anyesha Chakraborty
Published on: 08/02/2019
Editor: Faiyaz Khalid
Last Updated: 08/02/2019

The word cryptography is derived from the ancient Greek words “kryptos”, which means a hidden secret, and “graphein”, which means “to write”. Cryptography involves creating written or generated codes that allow information to be kept secret. Cryptography converts data to a format that is unreadable for an unauthorised user, allowing it to be transmitted without unauthorised entities decoding it back into a readable format and thus compromising the data.[1]

Encryption laws, or cryptography laws, deal with legislation ensuring that information is secure and transmitted confidentially, as well as policies designed to keep secure encryption schemes out of the hands of unauthorised individuals and foreign powers. The government has implemented several tools to transform data via encryption technology to prevent unauthorised access to or modification of sensitive governmental and private information.[2]

As we can already see, the importance of cryptography laws has been rising in recent decades, and this branch of law has become quite famous as a result. The work of cryptographic lawyers in the field of cryptology law is varied. These attorneys create cryptology laws, not only with the aim of securing one’s personal information but also to create laws and policies for the commercial usage of encrypted information. Business attorneys implement the cryptography laws. They help their clients understand the kind of cryptography law that exists and how they can use encryption technology to do business. Cryptology attorneys also help their clients pursue patents as appropriate for technology developments in this area of law. These lawyers also argue cases when governments aim to restrict the usage of encryption technology. Clients also rely on cryptographic lawyers to defend them against suits concerned with the failure of encryption technology to protect personal information. In these types of cases these lawyers play a very big role, as they make their clients and the jury understand the legal implications intertwined with the case.

One of the issues affecting cryptography laws is whether the government can compel corporations and private citizens to decrypt data when the data can be used to prosecute the individual or a customer. The Fifth Amendment provides individuals with the right to refuse self-incrimination. In other words, you don’t have to give information to the government that implicates you in a crime. In the context of cryptology laws, courts debate whether individuals can be forced to provide decrypting information that allows the government to access their computers and accounts.[3]

The question often arises as to whether encryption is legal or not. We can have a look at this article posted in . U.S. Senate Bill Seeks to Ban Effective Encryption, Making Security Illegal

The anticipated Feinstein-Burr Compliance with Court Orders Act, an anti-security bill, would require the provision of data in an intelligible format to a government pursuant to a court order ( A draft copy was uploaded by The Hill reporter Cory Bennett, though whether it has been submitted officially within the Senate is not yet clear (

This bill essentially says you can not have any conversation or data exchange that the government can not access if it wants to. It is the legal culmination of what the FBI has been lobbying Congress for years. If Feinstein-Burr becomes law, it will be illegal to deploy strong encryption without key escrow maintained by each company. Cryptographers and computer scientists near-unanimously assert key backup systems are insecure at scale.

The first read of the bill is chilling. Strong cryptography within the United States would effectively be banned, preventing U.S. companies from building secure software. These companies would be mandated to provide real technical assistance. Unlike the best effort of today, they would be required to give plain-text data in its original format or risk penalties for violating the law.

Specifically, any U.S company would be required to maintain the ability, through unspecified means, to retrieve the plain-text from any data “made unintelligible by a feature, product, or service owned, controlled, created, or provided by the [company].” And the company would then be required to turn over such data in real-time “concurrently with its transmission” or “expeditiously, if stored by the [company] or on a device.” This would appear to mean that any U.S. organization involved in the design and programming of software, the packing of the software, the creation of any device that runs such software, and any service provider who sells such device and software to connect to their network would all be required by law to decrypt your data on short notice and provide it real-time to the government.

This is far, far more insidious than going after unlocking an iPhone. If this becomes law, the mere existence of the means to be able to decrypt your data can be potentially exploited by any private party, not just the U.S. government. Unnecessary liabilities for data breaches will now be required for every company dealing with data digitally, no matter how private. This mandates the creation of back-doors without prescribing the exact nature of those back-doors. Let that sink in.

This article throws light on the scenario in the USA regarding encryption laws.

Cryptography law is a rising field in law, and an equally important one, as I have already mentioned in the earlier paragraphs. This field of law requires attorneys who have a command of both legal advocacy and technical knowledge. Anyone who has knowledge relating to this field of law should try to utilise it, as it will help them get an upper hand over others in their profession.

Source of Cryptography law:

If we go through the articles available on cryptography law, we will see that it is a subject very closely connected to one’s knowledge of mathematical calculations and computer science. Algorithms form a huge part of these mathematical calculations.

1. Secret Key Cryptography (SKC): Uses a single key for both encryption and decryption; also called symmetric encryption. Primarily used for privacy and confidentiality.

2. Public Key Cryptography (PKC): Uses one key for encryption and another for decryption; also called asymmetric encryption. Primarily used for authentication, non-repudiation, and key exchange.

3. Hash Functions: Use a mathematical transformation to irreversibly “encrypt” information, providing a digital fingerprint. Primarily used for message integrity.

These cryptographic algorithms are designed around computational hardness assumptions, making them hard to break in practice by any adversary. (A computational hardness assumption is a hypothesis that a particular problem cannot be solved efficiently. It is not known how to prove unconditional hardness for essentially any useful problem. Instead, computer scientists rely on reductions to formally relate the hardness of a new or complicated problem to a computational hardness assumption about a problem that is better understood.) It is theoretically possible to break such a system, but it is infeasible to do so by any known practical means.[4]

Scope of cryptography:

Cryptography law has a wide scope, considering its rising demand today. The book Cryptography’s Role in Securing the Information Society, in the chapter The International Scope of Cryptography Policy, states that any US cryptography policy must take into account a number of international dimensions. The most important of those dimensions is that, after World War 2, the United States does not have an upper hand in economic, financial, technological, and political affairs. Thus, the USA is in no position to dictate to the rest of the world regarding their understanding of cryptography law, as cryptography has expanded far beyond its generic dimensions. On today’s global platform, a country’s international transactions are very important to the governments of various countries. These transactions need to be protected, and this is done by the cryptography laws of a country. The cryptographic laws of a nation affect not only that particular country but also the various other countries connected to it through various means.

Cryptography is an art which developed in ancient times; with the passage of time this art has become more and more prevalent and important. But today cryptography has undergone a massive change in order to suit the changing needs of the people of the world. Today the internet forms a very important part of almost all our lives. According to the MIT Technology Review, an average American spends 24 hours a week online. This clearly shows how closely our lives are attached to the internet world. In ancient times, the use of cryptography was mainly concerned with war and diplomatic relations. In World War 2 we saw the usage of the Allied cryptographic operations. The main aim of this was to disguise a message so as to prevent it from falling into the wrong hands and save it from unauthorised reading. Messages carried during the war regarding the positions of the troops etc. were kept secret and were protected from falling into the wrong hands, that is, the hands of the enemy. However, we can draw a line between cryptography as one of the features of digital signatures and cryptography for purposes of confidentiality. In the latter type of cryptography, encryption is used to encode the message so that only the administrator and the addressee can read the message and no one else. Cryptography used for authentication purposes does not always include usage of cryptography for protection purposes.


In ancient times the main purpose of cryptography was to maintain the secrecy of messages, especially in military and diplomatic fields. Transposition ciphers were the actual means of cryptography, where the rearranging of the order of words took place; for example, “bye” became “eyb”. In the Caesar cipher, each letter of the plain text is replaced by a letter a fixed number of positions down the alphabet. It is named after Julius Caesar, as he used it, with a shift of three, to communicate with his generals during his military campaigns. The earliest use of cryptography is some cipher text on a stone in Egypt. A strange example in history is that of a tattoo on a slave’s shaved head, under the regrown hair.

COMPUTER CRYPTOGRAPHY: The computer revolution even revolutionised cryptographic means and methods. As I have already mentioned, with the change of time and with the involvement of the internet in our lives, cryptography has also changed. Classic cryptography, resting on numbers and letters, has been replaced by computer-based cipher design and cryptanalysis, characterised by operation on binary bit sequences. The linguistic approach has been replaced with extensive mathematics and number theory. Modern cryptography was primarily invented to suit the computer environment. The mathematical approach, computer processing power and cryptographic algorithms helped to counter the problem of code breaking in an effective manner.

Symmetric key cryptography: Symmetric cryptography is an earlier version of modern cryptography. This was the only kind of cryptography known until some time ago. This type of cryptography uses the same key for both encoding and decoding a message. Only the sender and the receiver are aware of the secret key needed to decode the message, so it can be considered a reasonably secure system for guarding the information contained in the message from falling into the wrong hands. This type of cryptography mainly consists of stream ciphers and block ciphers.

Asymmetric key cryptography:

This type uses two different but mathematically related keys; one key is used to create digital signatures or to transform particular data into an unintelligible form, and the other key is used for verifying the digital signatures or for bringing the message back to its original form. Computer equipment that uses two such keys is often referred to as an asymmetric cryptosystem, as it relies on the use of asymmetric algorithms. In the field of cryptography, things changed rapidly when a new dimension was given to cryptographic design, as already mentioned, in order to cater to the changing needs of the people. This new dimension of cryptography was given by Whitfield Diffie and Martin Hellman in 1976 when they introduced the asymmetric key cryptography system. This system used two keys, whereas until then scientists had relied only on one-key systems; this was a major development. The two keys used in this method are known as the public and the private key. In this system both keys have special functions: while either of them can be used to encrypt a message, in order to decrypt the message the pairing key must be used. Whitfield Diffie and Martin Hellman showed that public key cryptography was possible by presenting the Diffie-Hellman key exchange protocol. It is a tedious task to have a match of private and public keys so as to make the message legible, and hence this method is claimed to be significantly more secure than the single key system. It has also been estimated that no single computer in a thousand years will be able to decode a message.

In the year 1978, another public key system was invented by Ron Rivest, Adi Shamir and Leonard Adleman, popularly known as RSA. Public key cryptography is used to implement digital signature schemes. A digital signature shares one thing with a manual signature: both are produced with ease and are difficult to forge.

There are various types or kinds of cryptographic algorithms:

1. SECRET KEY CRYPTOGRAPHY (SKC): Secret key cryptography methods employ a single key for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and retrieve the plaintext. Since a single key is used for both functions, this type of cryptographic algorithm is also called symmetric encryption. Secret key cryptography schemes are characterised as either stream ciphers or block ciphers. Stream ciphers work on a single bit at a time and use some sort of feedback mechanism to constantly change the secret key. There are various types of stream ciphers:

Self synchronising stream ciphers – They are also known as asynchronous stream ciphers; the key stream depends on the secret key of the scheme, but also on a fixed number of cipher text digits.

Synchronising stream cipher – It is a stream cipher in which the key stream is generated independently of the plain text and the cipher text.
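The practical difference between the two stream cipher types shows up when a cipher text digit is lost in transit. The following added example (not part of the original article) builds a toy cipher of each kind and compares what the receiver recovers; the SHA-256 based keystream generator, the function names and the feedback width `N = 4` are assumptions chosen for illustration, not a vetted cipher design.

```python
import hashlib

N = 4  # assumed "fixed number" of previous ciphertext bytes fed back into the keystream


def keystream_byte(key: bytes, context: bytes) -> int:
    """Toy keystream generator (illustration only): first byte of SHA-256(key || context)."""
    return hashlib.sha256(key + context).digest()[0]


def sync_crypt(key: bytes, data: bytes) -> bytes:
    """Synchronous cipher: keystream depends only on key and position, never on the data.
    XOR is its own inverse, so this one function both encrypts and decrypts."""
    return bytes(b ^ keystream_byte(key, i.to_bytes(8, "big")) for i, b in enumerate(data))


def selfsync_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Self-synchronising cipher: keystream depends on the key and the last N ciphertext bytes."""
    window, out = bytes(N), bytearray()
    for p in plaintext:
        c = p ^ keystream_byte(key, window)
        out.append(c)
        window = (window + bytes([c]))[-N:]
    return bytes(out)


def selfsync_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """The receiver rebuilds the same window from the ciphertext bytes it actually received."""
    window, out = bytes(N), bytearray()
    for c in ciphertext:
        out.append(c ^ keystream_byte(key, window))
        window = (window + bytes([c]))[-N:]
    return bytes(out)


def drop_byte(data: bytes, index: int) -> bytes:
    """Simulate a channel that loses one ciphertext byte."""
    return data[:index] + data[index + 1:]


def compare_after_loss(key: bytes, message: bytes, lost: int) -> dict:
    """Lose one ciphertext byte in transit and decrypt what arrives with each cipher."""
    sync_out = sync_crypt(key, drop_byte(sync_crypt(key, message), lost))
    self_out = selfsync_decrypt(key, drop_byte(selfsync_encrypt(key, message), lost))
    tail = message[lost + 1:]  # plaintext that followed the lost byte
    return {
        "sync_recovers_tail": sync_out[lost:] == tail,
        "selfsync_recovers_after_n": self_out[lost + N:] == tail[N:],
        "selfsync_text": self_out,
    }


if __name__ == "__main__":
    # Constructed sample key and message.
    result = compare_after_loss(b"demo key", b"troop positions: ridge north of the river", 10)
    print(result)
```

The synchronous cipher stays out of step for the rest of the message, while the self-synchronising one garbles only the next `N` bytes and then decrypts correctly again.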

2. PUBLIC KEY CRYPTOGRAPHY (PKC): This is considered to be the most significant development in cryptography in the last 300 years. It was first described in Stanford University professor . Their paper described a two-key crypto system in which two people can engage in communication over a non-secure communication channel without having to share a secret key.
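The Diffie-Hellman key exchange mentioned above, in which two people agree on a key over a non-secure channel without sharing a secret beforehand, can be shown with both sides' messages. This is an added example, not code from the original article; the `Party`, `validate_public` and `exchange` names are hypothetical, and the 127-bit prime and base 3 are toy parameters assumed for readability, far smaller than anything used in practice.

```python
import hashlib
import secrets

# Assumed toy public parameters: the Mersenne prime 2^127 - 1 and base 3.
# Deployed systems use groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3


def validate_public(value: int) -> None:
    """Reject degenerate public values (0, 1, P-1, out of range) that would
    force the shared secret into a tiny, guessable set."""
    if not 2 <= value <= P - 2:
        raise ValueError("degenerate Diffie-Hellman public value")


class Party:
    def __init__(self) -> None:
        # Private exponent in [2, P-2]; it never leaves this object.
        self._private = 2 + secrets.randbelow(P - 3)
        # Public value g^x mod p; this is what gets sent over the open channel.
        self.public = pow(G, self._private, P)

    def derive_key(self, peer_public: int) -> bytes:
        """Combine our private exponent with the peer's public value and
        hash the shared secret into a 32-byte symmetric key."""
        validate_public(peer_public)
        shared = pow(peer_public, self._private, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange():
    """Run one exchange; return what crossed the wire and each side's derived key."""
    alice, bob = Party(), Party()
    wire = {"p": P, "g": G, "A": alice.public, "B": bob.public}  # all an eavesdropper sees
    key_alice = alice.derive_key(wire["B"])
    key_bob = bob.derive_key(wire["A"])
    return wire, key_alice, key_bob


if __name__ == "__main__":
    wire, key_alice, key_bob = exchange()
    print("on the wire:", wire)
    print("keys match:", key_alice == key_bob)
```

The exchange as shown does not authenticate either party, which is why real protocols combine it with digital signatures or certificates.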



The cryptography laws in the United States of America prevented the export of cryptographic technology and devices; this was the case until 1992, but since then, and especially since the year 2000, this law has been eased. Some restrictions still remain. Since the time of World War 2, many governments have regulated the export of cryptography for national security reasons. Since the art of cryptography first made its mark in World War 2, these countries understood the value of cryptography in ensuring the country’s peace and security. Countries like the US and UK believed that they had better cryptographic techniques than the others, and therefore their scientists tried to make more advances in the field of cryptography, so much so that they tried to control the relations of the other countries as well.

The First Amendment made controlling all use of cryptography inside the US illegal, but controlling access to US developments by others was more practical, as there were no constitutional impediments.

With the change of times, the stringent laws that had been developed in the US have become lenient. The US carries the burden of being the world’s strongest economy, and it has to make sure that its secret information is not leaked at any cost, because that could cost it its fortune.

In re Boucher may be influential as case law. In this case a man’s laptop was investigated by a customs agent and child pornography was discovered. The device was seized and powered down, at which point disk encryption technology made the evidence unavailable. The judge held it was a foregone conclusion that the content exists, since it had already been seen by the customs agent.


As of 2011 and since 2004, the laws of trust in the digital economy (LCEN) mostly liberalised the use of cryptography.

As long as cryptography is only used for authentication and integrity purposes, it can be freely used. The cryptographic key and the nationality of the entities involved in the transaction do not matter. The typical e-business regime falls under this liberalised regime.

Exportation and importation of cryptographic tools to or from foreign countries must either be declared (when the other country is a member of the European Union) or requires an explicit authorization for countries outside the EU.

CRYPTOGRAPHY LAWS IN UK: In the UK, the government already has powers to force technology firms to act in whichever way it wants concerning end-to-end encryption, but it is avoiding the use of legislation as it would result in an ongoing battle; this is what security experts have said.

The Investigatory Powers Act, made law in late 2016, allows the government to compel communications providers to remove “electronic protection applied .... to any communications or data”.

Part III of the Regulation of Investigatory Powers Act, activated by ministerial order in 2007, requires persons to decrypt information and/or supply keys to government representatives to decrypt information without the order of the court. Failure to disclose carries a maximum penalty of 2 years, or even 5 years in cases of national security or child indecency. It has been used against animal rights activists, and at least three people have been convicted for refusing to disclose their encryption keys, one of whom was sentenced to 13 months’ imprisonment. Even the politicians responsible for the law have voiced their concerns about its broad application, which may turn out to be problematic. (9) of section 49 failed to consider that mere authentication can be used in a way analogous to encryption, making it impossible to circumvent the law via chaffing and winnowing.

CRYPTOGRAPHY LAWS IN NETHERLANDS: Article 125k of the Wetboek van Strafvordering allows investigators with a warrant to access information carriers and networked systems. The same article allows the district attorney and similar officers of the court to order persons who know how to access those systems to share their knowledge in the investigation, including any knowledge of encryption of data or information carried. However, such an order may not be given to the suspect under investigation.
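Chaffing and winnowing, mentioned above in connection with section 49, is the textbook case of authentication being "used in a way analogous to encryption": nothing is encrypted, yet only the holder of the authentication key can tell the real message bits from the decoys. The sketch below is an added example, not part of the original article; the packet layout of (serial, bit, tag) and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, serial: int, bit: int) -> bytes:
    """Authentication tag over one (serial number, bit) pair. No encryption is involved."""
    return hmac.new(key, f"{serial}:{bit}".encode(), hashlib.sha256).digest()


def to_bits(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def chaff(key: bytes, message: bytes) -> list:
    """Send every bit in the clear with a valid tag ("wheat"), alongside the
    opposite bit carrying a random, invalid tag ("chaff")."""
    packets = []
    for serial, bit in enumerate(to_bits(message)):
        wheat = (serial, bit, mac(key, serial, bit))
        decoy = (serial, 1 - bit, secrets.token_bytes(32))
        # Always emit the 0-packet first so ordering reveals nothing about the bit.
        packets.extend(sorted([wheat, decoy], key=lambda pkt: pkt[1]))
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Keep only packets whose tag verifies under the shared key and reassemble them."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, serial, bit)):
            bits[serial] = bit
    return from_bits([bits[s] for s in sorted(bits)])


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)
    stream = chaff(shared_key, b"meet at noon")  # constructed sample message
    print("packets on the wire:", len(stream))
    print("receiver with key  :", winnow(shared_key, stream))
    print("observer, wrong key:", winnow(secrets.token_bytes(32), stream))
```

An observer sees both a 0 and a 1 for every serial number and cannot tell which is genuine without the key.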


In Switzerland there is no law specifying an obligation to issue keys or passwords.


The Cyber Crime Act of 2001, No. 161, items 12 and 28, grants police, with a magistrate’s order, the wide-ranging power to require a specific person to provide any information that is reasonable and necessary to allow the officer to access computer data that is “evidential material”, which is understood to include mandatory decryption. Failing to comply carries 6 months’ imprisonment.


In Canada, key disclosure is covered under the provisions of the Canadian Charter Act, which states that a person charged with an offence has the right not to be compelled to be a witness in proceedings against that person in respect of the offence, and protects the rights of individuals, both citizens and non-citizens of Canada. In a 2010 Quebec Court of Appeals case the court stated that the password compelled from an individual by law enforcement .


In the Czech Republic there is no law specifying an obligation regarding keys and passwords. Laws provide protection against self-incrimination, including lack of penalization for refusing to answer any question which would enable law enforcement agencies to obtain access to potential evidence which could be used against the testifying person.


The Law on computer crime of 28 November 2000, Article 9, allows a judge to order both operators of computer systems and telecommunications providers to provide assistance to law enforcement, including mandatory decryption, and to keep their assistance secret; but this action cannot be taken against suspects or their families. Failure to comply is punishable by 6 months to 1 year in jail or a fine of 130 to 100,000 euros.


As for our country, India does not have any law dedicated to encryption policy. There are, though, certain sectoral regulations, including in the banking, finance, and telecommunication industries, that carry standards such as the minimum standards of encryption to be used for securing transactions. A draft National Policy on Encryption under section 84A of the Information Technology Act, 2000 was published on 21st September, 2015 and invited comments from the public, but was withdrawn on 23rd September, 2015. Section 84A permits the central government to prescribe the encryption standards and methods to secure electronic communication and promote e-governance and e-commerce.

The draft policy was withdrawn because it was unclear and its provisions were unfeasible. It was decided that India lacks any sort of encryption policy and therefore the original draft will be refined. The draft policy received a large amount of criticism from all sectors: business, the IT sector, users and civil society advocacy groups.


Even though cryptography has been really helpful in overcoming the difficulty of using manual signatures in computer situations, it is still not foolproof. It attracted a large number of criminals, law enforcers etc. The usage of computers also widened the usage of cryptography; as people became more and more computer oriented, the usage of cryptography increased even more. This extensive usage of cryptography also led to its entry into the legal dimension, so as to prevent people from taking undue advantage of it. While the encoded message promised the reliability of the data, it still did not establish the reliability of the source. Thus, in order to make it less vulnerable and more reliable, there originated the idea of TTP (Trusted Third Parties). At the time of sending the message, a third party stood there to ensure that the message came from a reliable source. This system was soon popularised and utilised by governments, which not only allowed them to engage in online dealings with other parties but also gave the state the opportunity to have a certain amount of control over them. This also led to the rise of the usage of cryptography in the assessment of cyber crimes etc.

India, being the largest democracy of the world, in my opinion should have some sort of laws and provisions which would act as guidelines for the people of the country. As the world is becoming more and more dependent on technology, it is important that a country like India does not stay behind, because anything that is left without control can lead to hazardous effects. As we see, cyber crimes have been increasing in the country, and the only way to control this is to have some sort of laws and provisions to prevent them and to take efficient measures.