September 30th, 2012, 07:43 PM
Cryptography Legal Issues
Hello everyone. I am a law student in the United States, and I work on my school's Law Review, which is an academic legal publication. We are required to write an article on an unresolved legal issue, and Cryptography seems like it could possibly present some novel legal issues.
I was wondering if anyone is curious about any other legal issues that Cryptography presents. It would help me find a topic my article, and provide this community with any legal information I come across.
I have done a fair amount of preliminary research into the subject, so if you have any legal questions that I am familiar with, I'll do my best to answer them.
Keep in mind that I'm restricted to writing about US law. Any and all suggestions/comments/questions are appreciated.
Edit: Also, please keep in mind that I possess only a basic knowledge of how Security and Cryptography actually work, so you'll have to take that into account.
October 1st, 2012, 09:18 PM
Until the 90s, cryptography was classified as a munition in the US export control list. Therefore, exporting crypto software was almost verboten in those times. While some restrictions were loosened in the 90s, there are some restrictions even now on exporting crypto software to rogue nations and organizations and mil-grade cryptography still requires a munitions export license.
I'm curious about the subject as far as knowing what the legal issues are currently myself. Mainly, if I was to write some C code routines that implemented (say) 128-bit or 256-bit encryption, would I need special permission to publish that code on my web-page (as there seems to be restrictions on crypto > 64-bit and something about notifying the BIS). Does it apply even to well-known algorithms that can be found in textbooks.
Last edited by Scorpions4ever; October 2nd, 2012 at 02:40 PM.
Up the Irons
What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
"Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
Down with Sharon Osbourne
"I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
October 3rd, 2012, 12:09 AM
Practical cryptographic schemes are defined as "computationally secure" -- meaning that they are designed (and this is a necessity in order to make practical, usable encryption schemes) to have a negligible (extremely, extremely small) chance of being broken by an attacker. I have absolutely no background in cyber security law, but you may be want to look into the liability of someone (say, a cyber-security company) who correctly implements a cryptographic scheme that happens to be broken, compromising their clients' data.
Originally Posted by LegalEagle
Also, you could look into liability for a business who incorrectly implements a cryptographic scheme although I suppose that would be something along the lines of malpractice. I recommend looking into my first suggestion because even when a business is obsequious and implements a cryptographic scheme exactly correctly there is always a very, very, very, very small chance that someone could break the scheme by getting lucky. If that happens who's responsible?