Oddbean new post about | logout
 FYI (with reference to #Durov case and beyond):
In France, the use and provision of #cryptographic tools and services are indeed subject to regulation. The relevant legal framework is primarily governed by the “Code de la défense” and the “Code monétaire et financier”.

Under French law, certain cryptographic tools are classified as "dual-use" items, meaning they have both civilian and military applications. This classification stems from historical concerns over national security and the use of strong encryption in military communications.
The importation, exportation, and provision of cryptographic services in France often require prior authorization from the French authorities. Specifically, the use of cryptography for securing communications and data may require either a declaration or an authorization depending on the strength and purpose of the encryption. This is governed by the “Agence nationale de la sécurité des systèmes d'information” (ANSSI), the French National Cybersecurity Agency.

The use of cryptographic systems is regulated under the 1996 decree (modified in 2007) which distinguishes between cryptographic tools that require a simple declaration and those that require prior authorization. For instance:
- #declaration: required for cryptographic tools with basic security measures, such as SSL/TLS for secure website communications;
- #authorization: required for more advanced or military-grade cryptographic tools, where the encryption strength and the potential impact on national security are higher.

French regulations on cryptography are linked to the broader European Union framework on dual-use goods, which includes cryptographic technologies. Specifically, the European Dual-Use Regulation (2021/821), which is a part of the EU’s export control regime, governs the trade of dual-use items, including encryption tools, that can be used for both civilian and military purposes.