Version 27.0, February 2013
© Bert-Jaap Koops **Portions © Analog Devices, Inc. **
Licensed under Creative Commons Attribution Share Alike 4.0 International.
SPDX-License-Identifier: CC-BY-SA-4.0
[Sweden]{#sv} [Sources 3, 4, 5]
The import of cryptography is not restricted, nor will it in the future, according to the government's May 1999 Government Communication 1998/99:116 On cryptography.
Since 1 January 1995, Sweden restricts export of encryption according to the Wassenaar Arrangement, including the General Software Note. This regulation refers to the EU regulation (1334/2000) instead of maintaining a national list of controlled goods. The relevant regulations are the Law on control of dual-use goods and of technical assistance (SFS 2000:1064) of 30 November 2000, and the corresponding Decree (SFS 2000:1217) (that replaced SFS 1998:400).
The Inspection for Strategic Products keeps supervision and information regarding the export controls (SFS 1995:1680).
The Government Policy On cryptography affirms the need for export controls, but states that these should be gradually liberalised. It stipulates that the regulations should explicitly place physical export on an equal footing with electronic export (via computer networks), so that Internet exports will also fall under the export regulations.
A Foreign Affairs press release of 23 June 1999 announced that as of 1 August 1999, the Inspection for Strategic Products has the power to proclaim rules for general export licenses for crypto products. The general export license published (TFS 1999:40, 1 July 1999) allows crypto exports of up to 128-bit symmetric mass-market crypto to a list of about 60 approved countries (Argentina, Australia, Bahrain, Bangladesh, Brazil, Bolivia, Brunei, Bulgaria, Canada, Chechnya, Chile, China, Cyprus, Ecuador, Egypt, Estonia, Hong Kong SAR, Hungary, Iceland, India, Indonesia, Israel, Japan, Jordan, Kuwait, Latvia, Lebanon, Lithuania, Macao SAR, Macedonia, Malaysia, Mauritius, Mexico, Morocco, New Zealand, Norway, Oman, Pakistan, the Philippines, Poland, Qatar, Rumania, Russia, Saudi Arabia, Singapore, Slovakia, Slovenia, South Africa, South Korea, Sri Lanka, Switzerland, Taiwan, Thailand, Tunisia, Turkey, Ukraine, the United Arab Emirates, Venezuela, Vietnam). Transport within the European Union is not considered export, so any crypto transfer is allowed. For other countries and products, an individual license is required. (See a paper with information about the application process.)
A report from the Swedish Cabinet Office (Regeringskansliet), Cryptography Policy: Possible Courses of Action for Sweden (in pdf) (original Kryptopolitik - möjliga svenska handlingslinjerin Swedish), from October 1997, set out the basis for discussion on a national crypto policy. It took as starting points that import of cryptography would continue to be free, and that the export controls would remain.
In February 1998, a Swedish company, Idonex, published the government's ruling that they could not export 128-bit crypto via ftp; they were granted an export license for 40-bit. The decision leaves unclear whether electronic export (through ftp) is covered by the controls or not. See the English info page.
See also section 5.2 of Simo-Pekka Parviainen's thesis.
The use of cryptography in decoding equipment for encoded transmissions
of radio and television programmes is regulated in law 1993:1367 on the
prohibition of certain forms of decoding equipment (source: Government
Communication 1998/99:116 On
cryptography).
For the rest, there are no laws regulating cryptography domestically.
The Swedish IT commission, which advises the government on strategic questions in the information technology field, released a report (SOU 1997: 73) in May 1997, Inför en svensk policy för Säker Elektronisk Kommunikation (Towards a Swedish Policy for Secure Electronic Communications). It recommended that no restrictions on the use of cryptography should be introduced. The trust in ICT could be severely reduced, and the prerequisites for maintaining an effective key management system are lacking. The commission dismissed the various forms of key management systems for private keys, such as key deposits and key recovery. The fight against serious crime and terrorism should use other police and security measures. The Swedish government should quickly make up its mind, so that it can influence the international work in the field, according to the commission. See the statement by the IT commission Avseende användning av kryptering (in Swedish).
Computer Sweden magazine, in July 1997, could not find anyone (who knows anyone) willing to publicly favor mandatory key deposits.
Sweden outlined its crypto policy in the 6 May 1999 Government
Communication 1998/99:116 On
cryptography. This affirms that
there is at present no reason to limit the use of cryptography in
Sweden. All shall have the right to choose such technologies themselves.
"If developments should warrant more stringent regulations, the
government will consider appropriate measures for creating means of
legal access to the plaintext of encrypted information for law
enforcement and supervisory authorities."
Although the government does not encourage key recovery, the
Communication says that government authorities themselves should use key
management systems with built-in functions for key recovery. For this,
internal key-management bodies probably must be set up. Such bodies
should be regulated "in such a way that they can serve as a model for
the private market too." Moreover, the government should investigate
whether there are reasons for the State to involve itself in a voluntary
authorisation procedure of special TTPs that provide confidentiality
services.
Before deciding upon this policy, Sweden discussed crypto policy in view of the discussions within the EU and the OECD. The October 1997 report by the Cabinet Office (Regeringskansliet), Cryptography Policy: Possible Courses of Action for Sweden (in pdf) (original Kryptopolitik - möjliga svenska handlingslinjerin Swedish), set out the basis for this discussion. The three starting points of the report were:
- "everybody has the right to use cryptography in order to secure stored data and communication";
- "prerequisites for Swedish users' voluntary deposit of their keys in Sweden should be created in response to the requirements of key deposit";
- "in order to enable law enforcement agencies to fight terrorism and drug dealers, rules and regulations for lawful access to plaintext and keys must be installed".
The report considered as a possible solution for balancing
law-enforcement and user needs the voluntary deposit of private crypto
keys, with legal access. It assumed that "many countries" will impose
mandatory key deposits, and in order to facilitate communication with
those countries, possibilities should be created for law enforcement to
cooperate, either through key deposits in both countries or through
international agreements.
For national traffic in Sweden, the report considered that the current
policy of free crypto use will be continued, and monitored "from time
to time, how the various interests are balanced".
Back to the Table of Contents