Category Archives: Legal information

image_pdfimage_print

ANSSI Cryptography Authorization: Complete Declaration Guide

Flags of France and the European Union on a white background representing ANSSI cryptography authorization

Comprehensive Guide: Navigating Cryptographic Means Authorization

ANSSI cryptography authorization: Learn how to navigate the regulatory landscape for importing and exporting cryptographic products in France. This comprehensive guide covers the necessary steps, deadlines, and documentation required to comply with both national and European standards. Read on to ensure your operations meet all legal requirements.

2024 Articles Technical News

Best 2FA MFA Solutions for 2024: Focus on TOTP & HOTP

2024 Articles Technical News

New Microsoft Uninstallable Recall: Enhanced Security at Its Core

2024 Digital Security Spying Technical News

Side-Channel Attacks via HDMI and AI: An Emerging Threat

2024 EviKey & EviDisk Technical News

IK Rating Guide: Understanding IK Ratings for Enclosures

2024 Digital Security Technical News

Apple M chip vulnerability: A Breach in Data Security

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

ANSSI cryptography authorization, authored by Jacques Gascuel, CEO of Freemindtronic, provides a detailed overview of the regulatory framework governing cryptographic products. This guide addresses the essential steps for compliance, including how to fill out the necessary forms, meet deadlines, and provide the required documentation. Stay informed on these critical updates and more through our tech solutions.

Complete Guide: Declaration and Application for Authorization for Cryptographic Means

In France, the import, export, supply, and transfer of cryptographic products are strictly regulated by Decree n°2007-663 of 2 May 2007. This decree sets the rules to ensure that operations comply with national and European standards. At the same time, EU Regulation 2021/821 imposes additional controls on dual-use items, including cryptographic products.

This guide explains in detail the steps to correctly fill in the declaration or authorization request form, as well as the deadlines and documents to be provided to comply with the ANSSI cryptography authorization requirements.

Download the XDA Form

Click this link to Download the declaration and authorization application form

Regulatory Framework: Decree No. 2007-663 and Regulation (EU) 2021/821

Decree No. 2007-663 of 2 May 2007 regulates all operations related to the import, export, supply, and transfer of cryptographic means. It clearly sets out the conditions under which these operations may be carried out in France by defining declaration and authorization regimes. To consult the decree, click this link: Decree n°2007-663 of 2 May 2007.

At the European level, Regulation (EU) 2021/821 concerns dual-use items, including cryptographic products. This regulation imposes strict controls on these products to prevent their misuse for military or criminal purposes. To view the regulation, click this link: Regulation (EU) 2021/821.

By following these guidelines, you can ensure that your operations comply with both national and European standards for cryptographic products. If you need further assistance or have any questions, feel free to reach out!

Fill out the XDA PDF Form

The official form must be completed and sent in two copies to the ANSSI. It is essential to follow the instructions carefully and to tick the appropriate boxes according to the desired operations (declaration, application for authorisation or renewal).

Address for submitting forms

French National Agency for the Security of Information Systems (ANSSI)Regulatory Controls Office51, boulevard de La Tour-Maubourg75700 PARIS 07 SP.

Contact:

  • Phone: +33 (0)1 71 75 82 75
  • Email: controle@ssi.gouv.fr

This form allows several procedures to be carried out according to Chapters II and III of the decree.
You can download the official form by following this PDF link.

  • Declaration of supply, transfer, import or export from or to the European Union or third countries.
  • Application for authorization or renewal of authorization for similar operations.

Paperless submission: new simplified procedure

Since 13 September 2022, an electronic submission procedure has been put in place to simplify the formalities. You can now submit your declarations and authorisation requests by email. Here are the detailed steps:

Steps to submit an online application:

  1. Email address: Send your request to controle@ssi.gouv.fr.
  2. Subject of the email: [formalities] Name of your company – Name of the product. Important: The object must follow this format without modification.
  3. Documents to be attached:
    • Completed form  (electronic version).
    • Scanned  and signed form.
    • All required attachments (accepted formats: .pdf, .xls, .doc).
  4. Large file management: If the size of the attachments exceeds 10 MB, divide your mailing into several emails according to the following nomenclature:
    • [Formalities] Name of your company – Product name – Part 1/x
    • [Formalities] Your Company Name – Product Name – Part 2/x

1. Choice of formalities to be carried out

The form offers different boxes to tick, depending on the formalities you wish to complete:

  • Reporting and Requesting Authorization for Any Cryptographic Medium Operation: By ticking this box, you submit a declaration for all supply, transfer, import or export operations, whether inside or outside the European Union. This covers all types of operations mentioned in the decree.
  • Declaration of supply, transfer from or to a Member State of the European Union, import and export to a State not belonging to the European Union of a means of cryptology: Use this box if you are submitting only a simple declaration without requesting authorisation for the operations provided for in Chapter II of the Decree.
  • Application for authorisation to transfer a cryptographic method to a Member State of the European Union and export to a State that does not belong to the European Union: This box is specific to operations that require prior authorisation, pursuant to Chapter III of the Decree.
  • Renewal of authorisation for the transfer to a Member State of the European Union and for the export of a means of cryptology: If you already have an authorization for certain operations and want to renew it, you will need to check this box.

1.1 Time Limits for Review and Notification of Decisions

This section should begin by explaining the time limits for the processing of applications or declarations based on the operation being conducted. Each subsequent point must address a specific formal procedure in the order listed in your request.

1.1.1 Declaration and Application for Authorization of Any Transaction Relating to a Means of Cryptology

This relates to general declarations for any cryptographic operation, whether it involves supply, transfer, import, or export of cryptographic means.

  • Examination Period: ANSSI will review the declaration or application for 1 month (extended to 2 months for cryptographic services or export to non-EU countries).
  • Result: If the declaration is compliant, ANSSI issues a certificate.
  • In Case of Silence: You may proceed with your operation and request a certificate confirming that the declaration was received if no response is provided within the specified time frame.

1.1.2 Declaration of Supply, Transfer, Import, and Export to Non-EU Countries of a Means of Cryptology

This section involves simple declarations of cryptographic means being supplied, transferred within the EU, imported, or exported outside the EU.

  • Examination Period: For supply, transfer, import, or export operations, ANSSI has 1 month to review the file. For services or exports outside the EU, the review period is 2 months.
  • Result: ANSSI will issue a certificate if the file is compliant.
  • In Case of Silence: After the deadlines have passed, you may proceed and request a certificate confirming compliance.

1.1.3 Application for Authorization to Transfer Cryptographic Means within the EU and Export to Non-EU Countries

This applies to requests for prior authorization required for transferring cryptographic means within the EU or exporting them to non-EU countries.

  • Examination Period: ANSSI will examine the application for authorization within 2 months.
  • Notification of Decision: The Prime Minister will make a final decision within 4 months.
  • In Case of Silence: If no response is provided, you receive implicit authorization valid for 1 year. You can also request a certificate confirming this authorization.

1.1.4 Application for Renewal of Authorization for Transfer within the EU and Export of Cryptographic Means

This relates to renewing an existing authorization for the transfer of cryptographic means.

  • Review Period: ANSSI will review the renewal application within 2 months.
  • Notification of Decision: The Prime Minister will issue a decision within 4 months.
  • In Case of Silence: If no decision is made, an implicit authorization valid for 1 year is granted. You can request a formal certificate to confirm this authorization.

1.1.5 Example Response from ANSSI for Cryptography Authorization Requests

When you submit a declaration or request for authorization, ANSSI typically provides a confirmation of receipt, which includes:

  • Subject: Confirmation of Receipt for Cryptography Declaration/Authorization
  • Date and Time of Submission: For example, “Monday 23 October 2022 13:15:13.”

The response confirms that ANSSI has received the request and outlines the next steps for review.

A: Information on the Registrant and/or Applicant, Person in charge of the administrative file and Person in charge of the technical elements.

This section must be filled in with the information of the declarant or applicant, whether it is a legal person (company, association) or a natural person. You should include information such as:

  • The name and address of the entity or individual.
  • Company name and SIRET number for companies.
  • Contact details of the person responsible for the administrative file and the person in charge of the technical aspects of the cryptology product.

Person in charge of technical aspects: This person is the direct contact with the ANSSI for technical questions relating to the means of cryptology.

B: Cryptographic Medium to which the Declaration and/or Application for Authorization Applies

This part concerns the technical information of the cryptology product:

B.2.1 Classify the medium into the corresponding category(ies)

You must indicate whether the product is hardware, software, or both, and specify its primary role (e.g., information security, network, etc.).

B.2.2 General description of the means

The technical part of the form requires a specific description of the cryptographic means. You will need to provide information such as:

  • Generic name of the medium (photocopier, telephone, antivirus software, etc.).
  • Brand, trade number, and product version .
  • Manufacturer and date of release.

Comments in the form:

  • The cryptographic means must identify the final product to be reported (not its subsets).
  • Functional description: Describe the use of the medium (e.g., secure storage, encrypted transmission).

B.2.3 Indicate which category the main function of the means (tick) relates to

  • Information security (means of encryption, cryptographic library, etc.)
  • Computer (operating system, server, virtualization software, etc.)
  • Sending, storing, receiving information (communication terminal, communication software,
  • management, etc.)
  • Network (monitoring software, router, base station, etc.)
  • If yes, specify:

B.3. Technical description of the cryptology services provided

B.3.2. Indicate which category(ies) the cryptographic function(s) of the means to be ticked refers to:

  • Authentification
  • Integrity
  • Confidentiality
  • Signature

B.3.3. Indicate the secure protocol(s) used by:

  • IPsec
  • SSH
  • VoIP-related protocols (such as SIP/RTP)
  • SSL/TLS
  • If yes, specify:

Comments in the form:

  • Cryptographic functionality: Specify how the product encrypts data (e.g., protection of files, messages, etc.).
  • Algorithms: List the algorithms and how they are used. For example, AES in CBC mode with a 256-bit key for data encryption.

B.3.4. Specify the cryptographic algorithms used and their maximum key lengths:

Table to be filled in: Algorithm / Mode / Associated key size / Function

This section requires detailing the cryptographic services that the product offers:

  • Secure protocol (SSL/TLS, IPsec, SSH, etc.).
  • Algorithms used and key size (RSA 2048, AES 256, etc.).
  • Encryption mode (CBC, CTR, CFB).

C: Case of a cryptographic device falling within category 3 of Annex 2 to Decree No. 2007-663 of 2 May 2007

This section must be completed if your product falls under category 3 of Annex 2 of the decree, i.e. cryptographic means marketed on the consumer market. You must provide specific explanations about:

  • Present the method of marketing the means of cryptology and the market for which it is intended
  • Explain why the cryptographic functionality of the medium cannot be easily changed by the user
  • Explain how the installation of the means does not require significant subsequent assistance from the supplier

D: Renewal of transfer or export authorization

If you are applying for the renewal of an existing authorisation, you must mention the references of the previous authorisation, including the file number, the authorisation number and the date of issue.

E: Attachments (check the boxes for the attachments)

To complete your file, you must provide a set of supporting documents, including:

  • General document presenting the company (electronic format preferred)
  • extract K bis from the Trade and Companies Register dated less than three months (or a
  • equivalent document for companies incorporated under foreign law)
  • Cryptographic Medium Commercial Brochure (electronic format preferred)
  • Technical brochure of the means of cryptology (electronic format preferred)
  • User manual (if available) (electronic format preferred)
  • Administrator Guide (if available) (electronic format preferred)

All of these documents must be submitted in accepted electronic formats, such as .pdf, .xls, or .doc.

F: Attestation

The person representing the notifier or applicant must sign and attest that the information provided in the form and attachments is accurate. In the event of a false declaration, the applicant is liable to sanctions in accordance with Articles 34 and 35 of Law No. 2004-575 on confidence in the digital economy.

G: Elements and technical characteristics to be communicated at the request of the national agency for the security of information systems (preferably to be provided in electronic format)

In addition, the ANSSI may request additional technical information to evaluate the cryptology product, such as:

  1. The elements necessary to implement the means of cryptology:
  2. two copies of the cryptographic medium;
  3. the installation guides of the medium;
  4. devices for activating the medium, if applicable (license number, activation number, hardware device, etc.);
  5. key injection or network activation devices, if applicable.
  6. The elements relating to the protection of the encryption process, namely the description of the measures

Techniques used to prevent tampering with encryption or management associated keys.

  1. Elements relating to data processing:
  2. the description of the pre-processing of the clear data before it is encrypted (compression, formatting, adding a header, etc.);
  3. the description of the post-processing of the encrypted data, after it has been encrypted (adding a header, formatting, packaging, etc.);
  4. three reference outputs of the means, in electronic format, made from a clear text and an arbitrarily chosen key, which will also be provided, in order to verify the implementation of the means in relation to its description.
  5. Elements relating to the design of the means of cryptology:
  6. the source code of the medium and the elements allowing a recompilation of the source code or the references of the associated compilers;
  7. the part numbers of the components incorporating the cryptology functions of the medium and the names of the manufacturers of each of these components;
  8. the cryptology functions implemented by each of these components;
  9. the technical documentation of the component(s) performing the cryptology functions;
  10. the types of memories (flash, ROM, EPROM, etc.) in which the cryptographic functions and parameters are stored as well as the references of these memories.

Validity and Renewal of ANSSI Cryptography Authorization

When ANSSI grants an authorization for cryptographic operations, it comes with a limited validity period. For operations that require explicit authorization, such as the transfer of cryptographic means within the EU or exports outside the EU, the certificate of authorization issued by ANSSI is valid for one year if no express decision is made within the given timeframe.

The renewal process must be initiated before the expiry of the certificate. ANSSI will review the completeness of the application within two months, and the decision is issued within four months. If ANSSI remains silent, implicit authorization is granted, which is again valid for a period of one year. This renewal ensures that your cryptographic operations remain compliant with the regulations established by Decree n°2007-663 and EU Regulation 2021/821, avoiding any legal or operational disruptions.

For further details on how to initiate a renewal or first-time application, refer to the official ANSSI process, ensuring all deadlines are respected for uninterrupted operations.

Legal Framework for Cryptographic Means: Key Requirements Under Decree No. 2007-663

Understanding the legal implications of Decree No. 2007-663 is crucial for any business engaged in cryptology-related operations, such as the import, export, or transfer of cryptographic products. This section outlines the legal framework governing declarations, authorizations, and specific cases for cryptographic means. Let’s delve into the essential points:

1. Formalities Under Chapters II and III of Decree No. 2007-663

Decree No. 2007-663 distinguishes between two regulatory regimes—declaration and authorization—depending on the nature of the cryptographic operation. These formalities aim to safeguard national security by ensuring cryptographic means are not misused.

  • Chapter II: Declaration Regime
    This section requires businesses to notify the relevant authorities, particularly ANSSI, when cryptographic products are supplied, transferred, imported, or exported. For example, when transferring cryptographic software within the European Union, companies must submit a declaration to ANSSI. This formality ensures that the movement of cryptographic products adheres to ANSSI cryptography authorization protocols. The primary goal is to regulate the flow of cryptographic tools and prevent unauthorized or illegal uses.
  • Chapter III: Authorization Regime
    Operations involving cryptographic means that pose higher security risks, especially when exporting to non-EU countries, require explicit authorization from ANSSI. The export of cryptographic products, such as encryption software, outside the European Union is subject to strict scrutiny. In these cases, companies must obtain ANSSI cryptography authorization, which evaluates potential risks before granting permission. Failure to secure this authorization could result in significant legal consequences, such as operational delays or penalties.

2. Request for Authorization or Renewal

If your operations involve cryptographic means that require prior approval, the Decree mandates that you apply for authorization or renewal. This is particularly relevant for:

  • Transfers within the EU: Even though the product remains within the European Union, if the cryptographic tool is sensitive, an authorization request must be submitted. This helps mitigate risks associated with misuse or unauthorized access to encrypted data.
  • Exports outside the EU: Exporting cryptographic means to non-EU countries is subject to even stricter controls. Businesses must renew their authorization periodically to ensure that all their ongoing operations remain legally compliant. This step is non-negotiable for companies dealing with dual-use items, as defined by EU Regulation 2021/821.

3. Category 3 Cryptographic Means (Annex 2)

Category 3 cryptographic means, outlined in Annex 2 of the Decree, apply to consumer-facing products that are less complex but still critical for security. These are often products marketed to the general public and must meet specific criteria:

  • Unmodifiable by End-Users: Cryptographic products under Category 3 must not be easily altered by end-users. This ensures the integrity of the product’s security features.
  • Limited Supplier Involvement: These products should be user-friendly, not requiring extensive assistance from the supplier for installation or continued use.

An example of a Category 3 product might be a mobile application that offers end-to-end encryption, ensuring ease of use for consumers while adhering to strict cryptographic security protocols.

Regulatory Framework and Implications

Decree No. 2007-663, alongside EU Regulation 2021/821, sets the groundwork for regulating cryptographic means in France and the broader European Union. Businesses must comply with these regulations, ensuring they declare or obtain the proper ANSSI cryptography authorization for all cryptographic operations. Compliance with these legal frameworks is non-negotiable, as they help prevent the misuse of cryptographic products for malicious purposes, such as espionage or terrorism.

Displaying ANSSI Cryptography Authorization: Transparency and Trust

Publicly showcasing your ANSSI cryptography authorization not only demonstrates regulatory compliance but also strengthens your business’s credibility. In fact, there are no legal restrictions preventing companies from making their authorization certificates visible. By displaying this certification, you reinforce transparency and trustworthiness, especially when dealing with clients or partners who prioritize data security and regulatory adherence.

Moreover, doing so can provide a competitive edge. Customers and stakeholders are reassured by visible compliance with both French and European standards, including Decree No. 2007-663 and EU Regulation 2021/821. Displaying this certificate prominently, whether on your website or in official communications, signals your business’s proactive stance on cybersecurity.

Final Steps to Ensure Compliance

Now that you understand the steps involved in ANSSI cryptography authorization, you are better equipped to meet the regulatory requirements for importing and exporting cryptographic means. By diligently completing the necessary forms, submitting the required documentation, and adhering to the outlined deadlines, you can streamline your operations and avoid potential delays or penalties. Moreover, by staying up-to-date with both French and European regulations, such as Decree No. 2007-663 and EU Regulation 2021/821, your business will maintain full compliance.

For any additional guidance, don’t hesitate to reach out to the ANSSI team or explore their resources further on their official website. By taking these proactive steps, you can ensure that your cryptographic operations remain fully compliant and seamlessly integrated into global standards.

End-to-End Messaging Encryption Regulation – A European Issue

Balance scale showing the balance between privacy and law enforcement in EU regulation of end-to-end encrypted messaging.

The Controversy of End-to-End Messaging Encryption in the European Union

In a world where online privacy is increasingly threatened, the European Union finds itself at the center of a controversy: Reducing the negative effects of end-to-end encryption of messaging services. This technology, which ensures that only the sender and recipient can read the content of messages, is now being questioned by some EU member states.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Discover our new Cyberculture article about a End-to-End Messaging Encryption European Regulation. Authored by Jacques Gascuel, a pioneer in Contactless, Serverless, Databaseless, Loginless and wireless security solutions. Stay informed and safe by subscribing to our regular updates.

Regulation of Secure Communication in the EU

The European Union is considering measures to regulate secure messaging practices. This technology ensures that only the sender and recipient can read the messages. However, some EU member states are questioning its impact on law enforcement capabilities

Control of Secure Messaging and Fragmentation

If the EU adopts these proposals, it could fragment the digital landscape. Tech companies might need to choose between complying with EU regulations or limiting their encrypted messaging services to users outside the EU. This could negatively affect European users by reducing their access to secure communication tools.

Why the EU Considers End-to-End Messaging Encryption Control

Law enforcement agencies across 32 European states, including the 27 EU member states, are expressing concerns over the deployment of end-to-end encryption by instant messaging apps. Their fear is that this could hinder the detection of illegal activities, as companies are unable to monitor the content of encrypted messages. This concern is one of the key reasons why the EU is considering implementing control over end-to-end message encryption.

Exploring the Details of the Proposed Regulation on Encrypted Messaging

EU Commissioner for Home Affairs, Ylva Johansson, has put forward a proposal that could significantly impact the tech industry. This proposal actively seeks to mandate tech companies to conduct thorough scans of their platforms, extending even to users’ private messages, in an effort to detect any illicit content.

However, this proposal has not been without controversy. It has sown seeds of confusion and concern among cryptographers and privacy advocates alike, primarily due to the potential implications it could have on secure messaging. The balance between ensuring security and preserving privacy remains a complex and ongoing debate in the face of this proposed regulation.

Background of the EU Proposal on Secure Messaging

A significant amount of support can be found among member states for proposals to scan private messages for illegal content, particularly child pornography, as shown in a European Council document. Spain has shown strong support for the ban on end-to-end messaging encryption.

Misunderstanding the Scan Form

Out of the 20 EU countries represented in the document, the majority have declared themselves in favor of some form of scanning encrypted messages. This proposal has caused confusion among cryptographers and privacy advocates due to its potential impact on secure communication protocols.

The Risks of Ending End-to-End Messaging Encryption

Privacy advocates and cryptography experts warn against the inherent risks of weakening encryption. They emphasize that backdoors could be exploited by malicious actors, thus increasing user vulnerability to cyberattacks.

Position of the European Court of Human Rights (ECHR) on Secure Messaging

The European Court of Human Rights (ECHR) has taken a stance on end-to-end messaging encryption. In a ruling dated February 13, the ECHR declared that creating backdoors in end-to-end encrypted messaging services like Telegram and Signal would violate fundamental human rights such as freedom of expression and privacy. This ruling highlights the importance of end-to-end messaging encryption as a tool for protecting privacy and freedom of expression within the context of human rights in Europe.

Messaging Apps’ Stance on End-to-End Encryption Regulation

As the European Union considers implementing control over end-to-end message encryption, several messaging apps have voiced their concerns and positions. Here are the views of major players in the field:

Signal’s Position on End-to-End Messaging Encryption Regulation

Signal, a secure messaging app known for its commitment to privacy, has taken a strong stance against the proposed regulation. Meredith Whittaker, president of Signal, has described the European legislative proposal as “surveillance wine in security bottles.” In the face of this legislative proposal, Signal has even threatened to cease its activities in Europe. Despite this, Whittaker affirmed that the company would stay in Europe to support the right to privacy of European citizens.

WhatsApp’s Concerns on End-to-End Messaging Encryption Regulation

WhatsApp, another major player in the messaging app field, has also expressed concerns about the proposed regulation. Helen Charles, a public affairs representative for WhatsApp, expressed “concerns regarding the implementation” of such a solution at a seminar. She stated, “We believe that any request to analyze content in an encrypted messaging service could harm fundamental rights.” Charles advocates for the use of other techniques, such as user reporting and monitoring internet traffic, to detect suspicious behavior.

Twitter’s Consideration of End-to-End Messaging Encryption

In 2022, Elon Musk discussed the possibility of integrating end-to-end encryption into Twitter’s messaging. He stated, “I should not be able to access anyone’s private messages, even if someone put a gun to my head” and “Twitter’s private messages should be end-to-end encrypted like Signal, so that no one can spy on or hack your messages.”

Mailfence’s Emphasis on End-to-End Encryption

Mailfence, a secure email service, has declared that end-to-end encryption plays a crucial role in setting up secure messaging. They believe it’s extremely important to protect online privacy.

Meta’s Deployment of End-to-End Encryption

Meta (formerly Facebook) recently deployed end-to-end encryption by default for Messenger conversations. This means that only the sender and recipient can access the content of the messages, with Meta being unable to view them.

Other Messaging Apps’ Views on End-to-End Encryption

Other messaging apps have also expressed their views on end-to-end encryption:

Europol’s View

The heads of European police, including Europol, have expressed their need for legal access to private messages. They have emphasized that tech companies should be able to analyze these messages to protect users. Europol’s director, Catherine De Bolle, even stated, “Our homes are becoming more dangerous than our streets as crime spreads online. To ensure the safety of our society and our citizens, we need this digital environment to be secure. Tech companies have a social responsibility to develop a safer environment where law enforcement and justice can do their job. If the police lose the ability to collect evidence, our society will not be able to prevent people from becoming victims of criminal acts”.

Slack’s View

Slack, a business communication platform, has emphasized the importance of end-to-end encryption in preserving the confidentiality of communications and ensuring business security.

Google’s View

Google Messages uses end-to-end encryption to prevent unauthorized interception of messages. Encryption ensures that only legitimate recipients can access the exchanged messages, preventing malicious third parties from intercepting or reading conversations.

Legislative Amendments on End-to-End Messaging Encryption

Several proposed amendments related to end-to-end messaging encryption include:

Encryption, especially end-to-end, is becoming an essential tool for securing the confidentiality of all users’ communications, including those of children. Any restrictions or infringements on end-to-end encryption can potentially be exploited by malicious third parties. No provision of this regulation should be construed as prohibiting, weakening, or compromising end-to-end encryption. Information society service providers should not face any barriers in offering their services using the highest encryption standards, as this encryption is crucial for trust and security in digital services.

The regulation permits service providers to select the technologies they employ to comply with detection orders. It should not be interpreted as either encouraging or discouraging the use of a specific technology, as long as the technologies and accompanying measures adhere to the requirements of this regulation. This includes the use of end-to-end encryption technology, a vital tool for ensuring the security and confidentiality of users’ communications, including those of children.

When implementing the detection order, providers should employ all available safeguards to ensure that the technologies they use cannot be exploited by them, their employees, or third parties for purposes other than compliance with this regulation. This helps to avoid compromising the security and confidentiality of users’ communications while ensuring the effective detection of child sexual abuse material and balancing all fundamental rights involved. In this context, providers should establish effective internal procedures and safeguards to prevent general surveillance. Detection orders should not apply to end-to-end encryption.

Advantages and Disadvantages of End-to-End Messaging Encryption

Advantages:

  • Privacy: End-to-end messaging encryption protects users’ privacy by ensuring that only the participants in the conversation can read the messages.
  • Security: Even if data is intercepted, it remains unintelligible to unauthorized parties.

Disadvantages:

  • Limitation of Detection of Illegal Activities: Law enforcement agencies fear that end-to-end messaging encryption hinders their ability to fight the most heinous crimes, as it prevents companies from regulating illegal activities on their platforms.

Technical Implications of Backdoors in End-to-End Messaging Encryption

The introduction of backdoors in encryption systems presents significant technical implications. A backdoor is a covert mechanism deliberately introduced into a computer system that allows bypassing standard authentication processes. It can reside in the core of a software’s source code, at the firmware level of a device, or be rooted in communication protocols. Backdoors can be exploited by malicious actors, increasing user vulnerability to cyberattacks. Detecting backdoors requires constant technological vigilance and rigorous system analysis.

Implications of New Cryptographic Technologies for Content Moderation

Innovation in cryptography is paving the way for new methods that allow effective content moderation while preserving end-to-end messaging encryption. Recent research is delving into advanced cryptographic technologies that empower platforms to detect and moderate problematic content without compromising communication privacy. These technologies, often rooted in artificial intelligence and natural language processing, have the capability to analyze metadata and behavior patterns to identify illicit content. For instance, the EU’s Digital Services Act (DSA) is aiming to make platform recommendation algorithms transparent and regulate online content moderation more effectively.

This could encompass systems that assess the context and frequency of messages to detect abuses without decrypting the content itself. Moreover, solutions like AI-based content moderation offer substantial advantages for managing online reputation, delivering faster and more consistent responses than manual moderation. These systems can be trained to recognize specific patterns of hate speech or terrorist content, enabling swift intervention while respecting user privacy. The integration of these innovations into messaging platforms could potentially resolve the dilemma between public safety and privacy protection. It provides authorities with the necessary tools to combat crime without infringing on individuals’ fundamental rights to communication privacy.

Potential Impact of This Technology on End-to-End Messaging Encryption of Messaging Services

Adopting these new cryptographic technologies represents a major advance in how we view online security and privacy. They offer considerable potential for improving content moderation while preserving end-to-end messaging encryption, ensuring a safer internet while protecting human rights in the digital age. These innovations could play a key role in implementing European regulations on end-to-end messaging encryption, balancing security needs with respect for privacy.

Messaging Services Affected by European Legislation

Among the popular messaging applications that use end-to-end messaging encryption available in Europe are:

  • Signal: A secure messaging application that uses end-to-end encryption. It ensures that only the sender and recipient can access message content, even when data is in transit on the network.
  • WhatsApp: Adopted end-to-end encryption in 2016. It ensures that messages are encrypted at the sender’s device and only decrypted at the recipient’s device.
  • Messenger: Meta (formerly Facebook) plans to generalize end-to-end encryption on Messenger by 2024.
  • Telegram: Uses end-to-end encryption for specific features, such as Secret Chats, ensuring message privacy between the sender and recipient.
  • iMessage: Apple’s messaging service uses end-to-end encryption for messages sent between Apple devices.
  • Viber: Another messaging app that uses end-to-end encryption to secure messages between users.
  • Threema: A secure messaging app that employs end-to-end encryption for all communications, providing high privacy standards.
  • Wire: Offers end-to-end encryption for messages, calls, and shared files, focusing on both personal and business communication.
  • Wickr: Provides end-to-end encryption for messaging and is known for its strong security features.
  • Dust: Emphasizes user privacy with end-to-end encryption and self-destructing messages.
  • ChatSecure: An open-source messaging app offering end-to-end encryption over XMPP with OTR encryption.
  • Element (formerly Riot): A secure messaging app built on the Matrix protocol, providing end-to-end encryption for all communications.
  • Keybase: Combines secure messaging with file sharing and team communication, all protected by end-to-end encryption.

Balancing Security and Privacy

The debate over end-to-end messaging encryption highlights the difficulty of finding a balance between security and privacy in the digital age. On the one hand, law enforcement agencies need effective tools to fight crime and terrorism. On the other hand, citizens have the fundamental right to privacy and the protection of their communications.

Alternatives to Weakened End-to-End Messaging Encryption?

It is crucial to explore alternatives that address law enforcement’s public safety concerns without compromising users’ privacy. Possible solutions include developing better digital investigation techniques, improving international cooperation between law enforcement agencies, and raising public awareness about online dangers.

Navigating Encryption: Security and Regulatory Impediments

Limitations and Challenges of Advanced Cryptographic Technologies

Hardware security modules (HSMs), such as PGP, actively enhance messaging and file encryption security. Similarly, Near Field Communication (NFC) hardware security modules, like DataShielder, significantly bolster protection. Yet, we must confront the significant limitations that regulations introduce; these aim to curtail the protection of both private and corporate data. By encrypting data before transmission, these solutions robustly defend against interception and unauthorized access, whether legal or otherwise. Additionally, this technology stands resilient to AI-driven content moderation filters. In particular, this pertains to messages and files that systems like DataShielder encrypt externally; subsequently, these services are employed for communication.

Ineffectiveness of AI-Based Moderation Filters

Content moderation systems relying on artificial intelligence face a major obstacle: they cannot decrypt and analyze content protected by advanced encryption methods. As a result, despite advances in AI and natural language processing, these filters become inoperative when confronted with messages or files encrypted via HSM PGP or NFC HSM.

Consequences for Security and Privacy

This limitation raises important questions about platforms’ ability to detect and prevent the spread of illicit content while respecting user privacy. It highlights the technical challenge of developing solutions that strike a balance between privacy protection and public safety requirements.

Towards a Balanced Solution

It is imperative to continue researching and developing new cryptographic technologies that enable effective moderation without compromising privacy. The goal is to find innovative methods that respect fundamental rights while providing authorities with the tools needed to fight criminal activities.

HSM PGP and NFC HSM: Alternatives to End-to-End Messaging Encryption

In addition to end-to-end encrypted messaging services, there are alternative solutions like Hardware Security Modules (HSM PGP) and Near Field Communication Hardware Security Modules (NFC HSM) that offer potentially higher levels of security. These devices are designed to protect cryptographic keys and perform sensitive cryptographic operations, ensuring data security throughout its lifecycle.

DataShielder NFC HSM and DataShielder HSM PGP are examples of products that use these technologies to encrypt communications and data anonymously. These tools allow encryption of not only messages but also all types of data, providing a versaced solution that uses Freemindtronic’s EviEngine technology to provide secure and flexible encryption, meeting the diverse needs of professionals and businesses. This solution is designed to operate without a server or database, enhancing security by keeping all data under the user’s control and reducing potential vulnerabilities.

Impact of HSM PGP and NFC HSM on End-to-End Messaging Encryption

HSM PGP and NFC HSM integration adds a vital layer to cybersecurity. They provide a robust solution for information security.

Specifically, DataShielder HSM PGP offers advanced protection. As the EU considers encryption regulation, DataShielder technologies emerge as key alternatives. They ensure confidentiality and security amidst digital complexity. These technologies advocate for encryption as a human rights safeguard. Simultaneously, they address national security issues.

Conclusion

The European legislator faces complexity in harmonizing regulation with Member States. They aim to finalize it by next year. Clearly, preserving end-to-end encryption requires exploring alternatives. This includes better cooperation between law enforcement and advanced investigative techniques.

HSM PGP and NFC HSM transform messaging into secure communication. They do so without servers or identification. Thus, they provide strong protection for organizational communication and data. These measures balance privacy needs with public safety requirements. They offer a comprehensive digital security approach in a complex environment.

Sources

EU Sanctions Cryptocurrency Regulation: A Comprehensive Overview

EU military defense of cryptocurrency

EU Sanctions Reshape Crypto

EU Sanctions Cryptocurrency, setting a global precedent. This regulatory overhaul aims to curb evasion and unify enforcement, enhancing transaction transparency. Dive into the EU’s strategic measures to fortify its financial system against the misuse of digital currencies.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Stay informed with our posts dedicated to Cyberculture to track its evolution through our regularly updated topics.

Explore our Cyberculture section for detailed information on the EU Sanctions and Cryptocurrency Regulation, authored by Jacques Gascuel, a pioneer in contactless, serverless, databaseless sensitive data security solutions. Stay up to date and secure with our frequent updates.

EU Sanctions Cryptocurrency Regulation: A Comprehensive Overview

The EU is stepping up its regulatory game to combat economic sanction evasion, focusing sharply on the cryptocurrency sector. This move aims to unify sanction application practices across member states and enhance digital financial transaction traceability.

New EU Sanctions Cryptocurrency: A Global Context

Amid rising geopolitical tensions, the EU has bolstered its economic regulations. These measures, targeting cryptocurrency freezes, aim to thwart sanction dodging and standardize enforcement across member states.

EU Parliament’s Landmark Regulation Cryptocurrency

Confronting sanction evasion threats, the EU Parliament has enacted a regulation criminalizing such acts. Offenders now face harsh penalties, underscoring the EU’s commitment to maintaining sanction regime integrity.

Capital Freeze and Criminal Wealth Confiscation

A significant breakthrough, the EU Council and Parliament have agreed on rules for freezing and seizing criminal funds. This regulation extends to cryptocurrencies, highlighting the EU’s resolve to strip criminals of illicit gains.

Cryptocurrency Implications

These recent regulations signal a pivotal shift in the fight against cryptocurrency misuse. The EU’s clear intent is to battle illicit activities and bolster financial security within its borders.

International Comparison of Cryptocurrency Regulations

While the EU adopts stringent measures against Russia, it’s insightful to compare its stance with other global powers. The US exhibits a fragmented regulatory approach, China enforces restrictive policies, and the UK navigates post-Brexit with moderate regulations. This comparison underscores the varied strategies nations employ to address the rapidly evolving cryptocurrency sector.

Cold Wallets: EU Sanctions Cryptocurrency Regulations’ Reach

Cold wallets, designed for offline key and cryptocurrency address storage, fall outside the direct scope of new EU regulations. Devices like EviVault and EviSeed, incorporating NFC and HSM technologies, do not facilitate transaction signing, placing them beyond payment service regulations.

Hardware Wallets: Transaction Signing Scrutiny

Hardware wallets, enabling private key storage and transaction signing, face stricter regulations. The EU aims to prevent these devices from circumventing sanctions, imposing compliance requirements for signed transactions.

Enhancing Previous Directives

The new regulation builds on previous directives like AMLD5, which set anti-money laundering and terrorism financing standards in the cryptocurrency sector. It introduces additional obligations for crypto service providers, focusing on user identity verification and suspicious transaction monitoring.

Comparative Analysis: International Regulatory Approaches

The global landscape of cryptocurrency regulation is diverse and evolving. The PwC Global Crypto Regulation Report 2023 highlights the varying degrees of regulatory development across jurisdictions. For instance, while the EU has made significant strides with the Markets in Crypto-Assets Regulation (MiCA), differences in scope and implementation timelines persist when compared to other regions. The United States continues to balance innovation with investor protection, employing a multifaceted regulatory approach. In contrast, China maintains a more restrictive stance, reflecting its broader financial policies.

Inclusion of Regulatory References: MiCA

The Markets in Crypto-Assets Regulation (MiCA) represents a landmark in EU financial legislation, establishing uniform market rules for crypto-assets not previously covered by financial services laws. MiCA’s key provisions address transparency, disclosure, authorization, and supervision of transactions, aiming to support market integrity and financial stability. As such, MiCA is a critical reference point for understanding the EU’s approach to digital asset regulation.

Regulations’ Links and Effective Dates

Conclusion

The EU’s latest regulatory measures on cryptocurrency sanctions reflect a proactive stance in addressing the challenges of financial technology. By fortifying sanctions and enhancing compliance, the EU not only aims to deter sanction evasion but also demonstrates its resolve to protect the integrity of its financial system amidst the dynamic digital economy.

Encrypted messaging: ECHR says no to states that want to spy on them

ECHR landmark ruling in favor of encrypted messaging, featuring EviCypher NFC HSM technology by Freemindtronic.

Protecting encrypted messaging: the ECHR decision

Encrypted messaging is vital for digital privacy and free speech, but complex to protect. The historic ECHR decision of February 13, 2024 supports strong encryption against government surveillance. We discuss the importance of this decision. You will discover EviCypher NFC HSM encryption technology from Freemindtronic, guardian of this decision but for all messaging services in the world.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Stay informed in our posts dedicated to Cyberculture to follow its evolution thanks to our regularly updated topics

Learn more through this Cyberculture section on your data encryption rights to protect your personal and professional data written by Jacques Gascuel, creator of data security solutions. Stay informed and secure with our regular news.

Encrypted messaging: ECHR says no to states that want to spy on them

The historic judgment of the European Court of Human Rights (ECHR) elevates encrypted messaging to the rank of guardian of privacy and freedom of expression. But this also poses security and public order problems. On February 13, 2024, she spoke out in favor of strong encryption, against state interference.

The ECHR has rejected Russian authorities’ request to Telegram, a messaging application, to provide private keys for encrypting its users’ communications, or to install backdoors that would allow authorities to access them. The Court considered that this request violated the rights to privacy and correspondence, as well as freedom of expression, of Telegram users.

The context of the case

The case background Six journalists and human rights activists challenged the request of the Russian authorities to Telegram before the ECHR. They claimed that this request violated their fundamental rights. They relied on Articles 8 and 10 of the European Convention on Human Rights. These articles protect the right to privacy and correspondence, and the right to freedom of expression.

The reasoning of the Court

The Court’s reasoning The Court acknowledged that the request of the Russian authorities had a legitimate aim of national security and crime prevention. However, it found that the interference with the rights of the applicants was not proportionate to the aim pursued. It emphasised that encryption plays a vital role in ensuring the confidentiality of communications and the protection of personal data. It held that the request of the Russian authorities was too general and vague. It did not offer enough safeguards against abuse. It could deter people from using encrypted messaging services.

The Court also noted that encryption helps citizens and businesses to defend themselves against the misuse of information technologies, such as hacking, identity theft, data breach, fraud and undue disclosure of confidential information. It stated that this should be duly taken into account when assessing the measures that could weaken encryption.

The Court further observed that, in order to be useful to the authorities, the information must be decrypted at some point. It suggested that the authorities should use other means to obtain the necessary information, such as undercover operations, metadata analysis and international cooperation.

The consequences of the decision

The decision’s implications The decision of the Court is final and binding for Russia. It has to implement it within a reasonable time. It also has a broader impact. It sets out principles applicable to all member states of the Council of Europe, which comprises 47 countries. It sends a strong signal in favour of the respect of fundamental rights on the internet. It aligns with the position of several international organisations, such as the UN, the EU or the OSCE. They have stressed the importance of encryption for the protection of human rights online.

The official link of the ECHR decision is: AFFAIRE PODCHASOV c. RUSSIE and AFFAIRE PODCHASOV c. RUSSIE and AFFAIRE PODCHASOV c. RUSSIE. You can access it by clicking on the title or copying the address in your browser.

The position of other countries in the world

Encryption of communications is not a consensual topic. Countries have different, even opposite, positions on the issue. Here are some examples:

  • The Netherlands have argued for the right to strong encryption. They considered it a human right that must be safeguarded, in the country’s own interest.
  • The United States have repeatedly asked technology companies to provide them with access to encrypted data. They invoked the need to fight terrorism. These requests have been challenged by companies, such as Apple. They refused to create backdoors in their encryption systems.
  • China adopted a cybersecurity law in 2016. It requires companies to cooperate with authorities to provide encryption keys or means to bypass encryption. This law has been denounced by human rights defenders. They fear that it will be used to strengthen the surveillance and censorship of the Chinese regime.
  • The European Union adopted a directive on the protection of personal data in 2016. It recognizes encryption as a technical measure suitable for ensuring the security of data. The EU also supported the development of end-to-end encryption. It funded projects such as the free software Signal, which allows to encrypt calls and messages.

These examples show the divergences and convergences between different countries on the subject of encryption. They also reveal the political, economic and social issues that are at stake.

The world’s reactions to the ECHR decision on Encrypted Messaging

The ECHR decision on Encrypted Messaging has sparked different reactions in the world. Some countries praised the judgment, which boosts the protection of human rights on the internet. Other countries slammed the position of the Court, which undermines, according to them, the judicial cooperation and the national security.

The supporters of the ECHR decision

The Netherlands are among the countries that supported the ECHR decision. They argued for the right to strong encryption, considering it a human right that must be safeguarded, in the country’s own interest. The European Union also backed the Court, reminding that encryption is a technical measure suitable to ensure the security of data, in accordance with the directive on the protection of personal data adopted in 2016. The EU also stressed that it funds the development of end-to-end encryption, through projects such as the free software Signal, which allows to encrypt calls and messages.

The opponents of the ECHR decision

The United States are among the countries that opposed the ECHR decision. They have repeatedly asked technology companies to provide them with access to encrypted data, invoking the need to fight terrorism. These requests have been challenged by companies, such as Apple, which have refused to create backdoors in their encryption systems. China also expressed its disagreement with the Court, stating that encryption of communications fosters the dissemination of illegal or dangerous content, such as terrorist propaganda, child pornography or hate speech. China recalled that it has adopted in 2016 a cybersecurity law, which requires companies to cooperate with authorities to provide encryption keys or means to bypass encryption.

The non-signatories of the European

Convention on Human Rights Some countries have not reacted to the ECHR decision, because they are not signatories of the European Convention on Human Rights. This is the case for example of Russia, which ceased to be a member of the Council of Europe on March 16, 2022, after the invasion of Ukraine decided by the Kremlin. The country no longer participates in the activities of the ECHR. This is also the case of many countries in Africa, Asia or Latin America, which are not part of the Council of Europe and which have not ratified the Convention.

The signatory countries of the European Convention on Human Rights

The European Convention on Human Rights is an international treaty adopted by the Council of Europe in 1950, which aims to protect human rights and fundamental freedoms in the states parties. It entered into force in 1953, after being ratified by ten countries: Belgium, Denmark, France, Ireland, Italy, Luxembourg, the Netherlands, Norway, Sweden and the United Kingdom .

Since then, the Convention has been ratified by 36 other countries, bringing the total number of states parties to 46. They are: Albania, Germany, Andorra, Armenia, Austria, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Cyprus, Croatia, Estonia, Finland, Georgia, Greece, Hungary, Iceland, Latvia, Liechtenstein, Lithuania, Malta, Moldova, Monaco, Montenegro, North Macedonia, Poland, Portugal, Romania, Russia, San Marino, Serbia, Slovakia, Slovenia, Spain, Czech Republic, Turkey and Ukraine.

All these countries recognize the jurisdiction of the European Court of Human Rights (ECHR), which is in charge of ensuring the respect of the Convention. The ECHR can be seized by any person, group of persons or non-governmental organization who claims to be a victim of a violation of the Convention by one of the states parties. The ECHR can also be seized by a state party who alleges that another state party has violated the Convention. The ECHR delivers judgments that are final and binding for the states parties.

An innovative and sovereign alternative: the EviCypher NFC HSM technology

Facing the challenges of encryption of communications, some users may look for an alternative more innovative and sovereign than the traditional messaging applications. This is the case of the EviCypher NFC HSM technology, developed by the Andorran company Freemindtronic. This technology makes it possible to generate, store, manage and use AES-256 encryption keys to encrypt all communication systems, such as WhatsApp, sms, mms, rcs, Telegram, webmail, email client, private messaging like Linkedin, Skype, X and even via postal mail with encrypted QR code messages, etc.

EviCypher NFC HSM: A Secure and Innovative Solution for Encrypted Messaging

Firstly, it guarantees the confidentiality and integrity of data, even if the messaging services are compromised for any reason, including by a court order. Indeed, it is physically impossible for Freemindtronic, the manufacturer of the DataShielder products, to provide encryption keys generated randomly by the user. These keys are stored encrypted in AES-256 via segmented keys in the HSM and NFC HSM. Only the user holds the decryption keys, which he can erase at any time.

Secondly, it preserves the anonymity and sovereignty of users, because it works without server and without database. It does not require internet connection, nor user account, nor phone number, nor email address. It leaves no trace of its use, nor of its user. It does not depend on the policies or regulations of the countries or companies that provide the communication services.

Thirdly, it offers an extreme portability and availability of encryption keys, thanks to the NFC technology. The user can carry his encryption keys on a physical support, such as a card, a bracelet, a key ring, etc. He can use them with any device compatible with NFC, such as a smartphone, a tablet, a computer, etc. He can also share them with other trusted users, in a simple and secure way.

Lastly, it is compatible with the EviCore NFC HSM or EviCore HSM technology, which allows to secure the access to equipment and applications. The user can thus use the same physical support to encrypt his communications and to authenticate on his different digital services.

The EviCypher NFC HSM technology guarantees the confidentiality and integrity of data, even if the messaging services are compromised for any reason, including by a court order. Indeed, it is physically impossible for Freemindtronic, the manufacturer of the DataShielder products, to provide encryption keys generated randomly by the user. These keys are stored encrypted in AES-256 via segmented keys in the HSM and NFC HSM. Only the user holds the decryption keys, which he can erase at any time.

Transforming Encrypted Messaging with EviCypher NFC HSM

The European Court of Human Rights (ECHR) decisively highlights encrypted messaging’s vital role in protecting privacy and freedom of speech. EviCypher NFC HSM, aligning perfectly with these principles, emerges as a pioneering solution. It confronts the challenges of state surveillance and privacy breaches head-on, providing unmatched defense for private communications. EviCypher NFC HSM goes beyond the ECHR’s conventional security and privacy requirements. It crafts an inviolable communication platform that honors users’ privacy rights profoundly. With its innovative approach, EviCypher NFC HSM introduces new data protection standards, forging a robust barrier against government intrusion.

Global Reach and User Empowerment

EviCypher NFC HSM’s technology has a broad global impact, seamlessly addressing the varied encryption landscapes worldwide. It provides a consistent answer to privacy and security issues, disregarding geographic limits. This global applicability makes EviCypher NFC HSM an indispensable tool for users worldwide, solidifying its position as a guardian of global privacy.

Despite potential skepticism about new technologies, the user-friendly and accessible nature of EviCypher NFC HSM aims to dispel such doubts. It promotes wider adoption among those seeking to enhance their communication security. Its compatibility with diverse devices and straightforward operation simplify encryption, facilitating an effortless shift towards secure communication practices.

EviCypher NFC HSM: A Beacon of User Autonomy

EviCypher NFC HSM technology deeply commits to empowering users. It allows individuals to generate, store, and manage their encryption keys independently, giving them direct control. This autonomy not only improves data security but also demonstrates a strong commitment to protecting users’ fundamental rights. It resonates with the values emphasized across the discussion, providing an effective way to strengthen online privacy and security. EviCypher NFC HSM marks a significant leap forward in the movement towards a more secure and private digital landscape.

This technologie HSM stands out as a state-of-the-art, self-sufficient solution, perfectly in line with the ECHR’s decisions and the worldwide need for secure encrypted communication. It leads the charge in advancing user autonomy and security, signaling a crucial evolution in encrypted messaging towards unparalleled integrity.

Incorporating EviCypher’s distinctive features—its operation without servers or databases, interoperability, and backward compatibility with all current communication systems, such as email, SMS, MMS, RCS, and social media messaging, even extending to physical mail via encrypted QR codes—highlights its adaptability and innovative spirit. EviCypher’s resistance to zero-day vulnerabilities, due to encrypting communications upfront, further underscores its exceptional security. Operating anonymously and offline, it provides instant usability without requiring user identification or account creation, ensuring seamless compatibility across phone, computer, and communication systems.

Summary at encrypted messaging

Encrypted Messaging is crucial for the digital society. It protects internet users’ privacy and freedom of expression. But it also challenges security and public order. The European Court of Human Rights (ECHR) supported strong encryption on February 13, 2024. It defended the right to encryption, against states that want to access it. Several international organizations agree with this position. They emphasize the importance of encryption for human rights online. However, the ECHR decision sparked diverse reactions worldwide. Different countries have different views on encryption.

Our conclusion on Encrypted Messaging

EviCypher NFC HSM technology is an innovative and sovereign alternative for Encrypted Messaging. Users can generate, store, manage and use AES-256 encryption keys. They can encrypt all communication systems, such as WhatsApp, sms, mms, rcs, Telegram, webmail, email client, etc. EviCypher NFC HSM technology ensures data confidentiality and integrity. It works even if messaging services are compromised. It preserves users’ anonymity and sovereignty. It does not need server or database. It offers extreme portability and availability of encryption keys, thanks to NFC technology. It is compatible with EviCore NFC HSM or EviCore HSM technology. They secure access to equipment and applications.

DataShielder products provide EviCypher NFC HSM technology. They are contactless encryption devices, guardians of keys and secrets. Freemindtronic, an Andorran company specialized in NFC security, designs and manufactures them.

The American Intelligence: How It Works

The American Intelligence How It Works : Section 702
Learn more about the American Intelligence written by Jacques Gascuel, inventor of sensitive data safety and security systems, for Freemindtronic. This article may be updated on this subject.

The American intelligence: a paradox

The American intelligence is powerful and influential, but also faces limits and challenges. Discover how it works, what are its consequences, and how to protect yourself from it.

2023 Articles Cardokey Eco-friendly EviSwap NFC NDEF Technology GreenTech

NFC Business Cards with Cardokey free for life: How to Connect without Revealing

2023 Articles Cyberculture EviCore HSM OpenPGP Technology EviCore NFC HSM Browser Extension EviCore NFC HSM Technology Legal information Licences Freemindtronic

Unitary patent system: why some EU countries are not on board

Andorran law

Llei 26/2014 del 30 d’octubre de patents

Articles Crypto Currency Cryptocurrency Digital Security EviPass Technology NFC HSM technology Phishing

Ledger Security Breaches from 2017 to 2023: How to Protect Yourself from Hackers

The American Intelligence: How It Works, Its Limits and Consequences

The American intelligence is one of the most powerful and influential in the world. It has a vast network of agencies, resources, and allies that enable it to collect, analyze, and act on information of strategic interest. However, the American intelligence also faces challenges and criticisms, both internally and externally. In this article, we will explore how the American intelligence works, what are its limits, and what are the consequences of its actions for the global security and privacy.

How the American Intelligence Works

The American intelligence is composed of 18 agencies that form the Intelligence Community (IC). These agencies are divided into two categories: the civilian agencies, which are under the supervision of the Director of National Intelligence (DNI), and the military agencies, which are under the supervision of the Secretary of Defense.

The main civilian agencies are:

  • The Central Intelligence Agency (CIA), which is responsible for collecting, analyzing, and disseminating foreign intelligence, as well as conducting covert operations and paramilitary activities.
  • The National Security Agency (NSA), which is responsible for collecting, processing, and disseminating signals intelligence (SIGINT), as well as conducting cyber operations and protecting the US government’s communications and information systems.
  • The Federal Bureau of Investigation (FBI), which is responsible for collecting, analyzing, and disseminating domestic intelligence, as well as conducting counterintelligence, counterterrorism, and law enforcement activities.
  • The National Geospatial-Intelligence Agency (NGA), which is responsible for collecting, analyzing, and disseminating geospatial intelligence (GEOINT), which includes imagery, maps, and other geographic information.
  • The National Reconnaissance Office (NRO), which is responsible for designing, launching, and operating reconnaissance satellites and other space-based systems that provide intelligence to the IC and the Department of Defense (DoD).
  • The Office of the Director of National Intelligence (ODNI), which is responsible for overseeing, coordinating, and integrating the activities of the IC, as well as providing strategic guidance and support to the DNI.

The main military agencies are:

  • The Defense Intelligence Agency (DIA), which is responsible for providing military intelligence to the DoD and the IC, as well as conducting human intelligence (HUMINT), counterintelligence, and defense attaché activities.
  • The National Security Agency/Central Security Service (NSA/CSS), which is responsible for providing SIGINT and cyber support to the DoD and the IC, as well as conducting information assurance and cryptologic activities.
  • The National Geospatial-Intelligence Agency (NGA), which is responsible for providing GEOINT support to the DoD and the IC, as well as conducting geospatial analysis and mapping activities.
  • The National Reconnaissance Office (NRO), which is responsible for providing space-based intelligence support to the DoD and the IC, as well as conducting satellite reconnaissance and surveillance activities.
  • The Military Intelligence Corps (MI), which is responsible for providing tactical and operational intelligence to the Army and the joint force, as well as conducting HUMINT, SIGINT, GEOINT, and counterintelligence activities.
  • The Office of Naval Intelligence (ONI), which is responsible for providing maritime intelligence to the Navy and the joint force, as well as conducting HUMINT, SIGINT, GEOINT, and counterintelligence activities.
  • The Marine Corps Intelligence Activity (MCIA), which is responsible for providing intelligence to the Marine Corps and the joint force, as well as conducting HUMINT, SIGINT, GEOINT, and counterintelligence activities.
  • The Air Force Intelligence, Surveillance, and Reconnaissance Agency (AFISRA), which is responsible for providing intelligence to the Air Force and the joint force, as well as conducting HUMINT, SIGINT, GEOINT, and counterintelligence activities.

The American intelligence works by collecting information from various sources, such as human sources, signals, images, open sources, and others. It then analyzes this information to produce intelligence products, such as reports, assessments, briefings, and forecasts. These products are then disseminated to the relevant consumers, such as the President, the Congress, the military, the policy makers, and the allies. The American intelligence also acts on the information it collects, by conducting operations, such as covert actions, cyber attacks, drone strikes, and special operations.

The Limits of the American Intelligence

The American intelligence, despite its capabilities and resources, is not omnipotent or infallible. It faces several limits and challenges, such as:

  • Legal and ethical limits: The American intelligence is bound by the laws and regulations of the US and the international community, as well as by the values and principles of the American democracy. It must respect the rights and liberties of the American citizens and the foreign nationals, as well as the sovereignty and interests of the other countries. It must also abide by the oversight and accountability mechanisms of the executive, the legislative, and the judicial branches, as well as the public opinion and the media. The American intelligence must balance its need for secrecy and effectiveness with its duty for transparency and legitimacy.
  • Technical and operational limits: The American intelligence is limited by the availability and reliability of the information it collects, as well as by the accuracy and timeliness of the analysis it produces. It must deal with the challenges of information overload, data quality, data security, data privacy, and data sharing. It must also cope with the threats and risks of cyber attacks, counterintelligence, deception, and denial. The American intelligence must balance its need for innovation and adaptation with its need for standardization and coordination.
  • Strategic and political limits: The American intelligence is limited by the complexity and uncertainty of the global environment, as well as by the diversity and dynamism of the actors and issues it faces. It must deal with the challenges of globalization, multipolarity, regionalization, and fragmentation. It must also cope with the threats and opportunities of terrorism, proliferation, rogue states, failed states, and emerging powers. The American intelligence must balance its need for anticipation and prevention with its need for reaction and intervention.

The Consequences of the American Intelligence

The American intelligence has significant consequences for the global security and privacy, both positive and negative, such as:

  • Positive consequences: The American intelligence contributes to the protection and promotion of the national security and interests of the US and its allies, as well as to the maintenance and enhancement of the international peace and stability. It provides valuable information and insights to the decision makers and the operators, as well as to the public and the media. It also conducts effective operations and actions to deter, disrupt, or defeat the adversaries and the threats. The American intelligence plays a key role in the global intelligence cooperation and coordination, as well as in the global governance and leadership.
  • Negative consequences: The American intelligence also poses risks and challenges to the security and privacy of the US and its allies, as well as to the international order and norms. It may collect, analyze, or disseminate information that is inaccurate, incomplete, or biased, leading to errors, failures, or controversies. It may also conduct operations or actions that are illegal, unethical, or counterproductive, leading to violations, scandals, or backlashes. The American intelligence may face competition or conflict with the other intelligence services or actors, as well as with the other stakeholders or interests.

Section 702 of FISA: A Surveillance Without Control

  • On July 17, 2008, the US Congress passed section 702 of the FISA (Foreign Intelligence Surveillance Act), which authorizes the US intelligence agencies to collect the electronic communications of non-Americans located abroad, without a warrant from the FISA judge.
  • On January 19, 2018, the US Congress extended section 702 of FISA until December 31, 2023, without making any substantial changes.
  • On March 22, 2023, the US Congress extended section 702 of FISA again until April 19, 2024, without making any significant changes.
  • On December 16, 2023, the US Congress approved the National Defense Authorization Act (NDAA), which included a four-month extension of section 702 of FISA, avoiding its expiration at the end of the year.

The Violation of the Right to Privacy

  • On June 5, 2013, the whistleblower Edward Snowden revealed the existence of the PRISM program, which allowed the US intelligence agencies to access the data of the users of the main electronic service providers, such as Google, Facebook, Microsoft or Apple.
  • On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor, an agreement that allowed the transfer of personal data between the European Union and the United States, considering that it did not offer an adequate level of protection.
  • On July 16, 2020, the CJEU invalidated the Privacy Shield, the successor of the Safe Harbor, for the same reasons, considering that the risk of interference by the US intelligence services in the transferred data was incompatible with the respect of the fundamental rights of the persons concerned.
  • On July 31, 2023, the CJEU issued a ruling that confirmed the invalidity of the Privacy Shield and imposed strict conditions for the transfer of personal data to third countries, especially the United States, under the standard contractual clauses (SCCs) or the binding corporate rules (BCRs).

The Legal and Political Consequences

  • On October 24, 2013, the European Parliament adopted a resolution that condemned the massive surveillance activities of the US intelligence services and called for the suspension of the cooperation agreements on security and counter-terrorism.
  • On October 23, 2015, the European Parliament adopted another resolution that requested the creation of an independent international tribunal to examine the complaints of the European citizens regarding the surveillance of the US intelligence services.
  • On September 14, 2018, the European Parliament adopted a third resolution that called for the suspension of the Privacy Shield, due to the non-compliance of the commitments made by the United States on the protection of personal data.
  • On August 31, 2023, the European Parliament adopted a fourth resolution that asked the European Commission to propose a new legislation on the protection of personal data in the context of cross-border data flows, which would guarantee a level of protection equivalent to that of the general data protection regulation (GDPR).

Sources:

Congress passes temporary extension of FISA Section 702 surveillance program – Axios:

The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield:

FISA Section 702: What it is and why Congress is debating it – NBC News

New technologies and products that limit the possibilities of intelligence

Facing the capabilities of collection and analysis of the American intelligence, which threaten the privacy and sovereignty of individuals and countries, there are new technologies and products that allow to limit the possibilities of intelligence. These technologies and products use techniques of encryption, cryptography, blockchain or NFC to protect personal data and electronic communications. They offer an alternative to traditional solutions, which are often vulnerable to attacks or interceptions by the American intelligence. Among these technologies and products, we can mention:

  • EviCypher NFC HSM and EviCypher HSM OpenPGP, which are patented technologies in the United States in the field of cybersecurity developed by Freemindtronic SL Andorra, used in counter-espionage products such as DataShielder Defense. They allow to encrypt and decrypt data without contact, thanks to hardware security modules that use NFC technology. They offer compatibility with OpenPGP standards, operating without server, without database, with a very high level of flexibility from different removable, fixed and online and offline storage media including NFC HSM.
  • DataShielder DefenseDataShielder Defense, which is a counter-espionage product developed by Freemindtronic SL Andorra, which uses EviCore NFC HSM and EviCore HSM OpenPGP technologies to encrypt and decrypt all types of data and communication services. This product protects sovereign communications, by preventing the American intelligence from accessing personal, professional or state secrets. It also guarantees the sovereignty of users, by making their data anonymous and inviolable.
  • Signal, which is an instant messaging application that uses the Signal protocol, which is an end-to-end encryption protocol that ensures the confidentiality and integrity of messages. This application allows to communicate anonymously and securely, by avoiding the surveillance or censorship of the American intelligence.
  • Tor, which is a decentralized network that uses volunteer relays to route Internet traffic anonymously and encrypted. This network allows to browse the web without leaving traces, by hiding the IP address and location of users. It also allows to access hidden websites, which are not indexed by search engines.

These technologies and products represent examples of innovative solutions that limit the possibilities of the American intelligence and preserve the individual and collective sovereignty. They also illustrate the issues and challenges related to the use of digital technologies in the field of intelligence.

Conclusion

The American intelligence is a complex and dynamic phenomenon that has a significant impact on the world. It has many strengths and weaknesses, as well as many opportunities and threats. It has many achievements and failures, as well as many benefits and costs. It is a source of both security and insecurity, both privacy and surveillance. It is a subject of both admiration and criticism, both cooperation and confrontation. The American intelligence is a paradox that requires a careful and balanced approach.

Unitary patent system: why some EU countries are not on board

Unitary Patent system European why some EU countries are not on board

Unitary patent system by Jacques Gascuel: This article will be updated with any new information on the topic.  

Why some EU countries don’t want the unitary patent

The unitary patent system promises to simplify and unify patent protection in Europe. But not all EU countries are on board. Discover why some countries like Spain have opted out and what it means for inventors.

2024 Cyberculture Legal information

ePrivacy Regulation: Transforming Messaging Privacy in 2025

2024 Cyberculture

Electronic Warfare in Military Intelligence

2024 Articles Cyberculture Legal information

ANSSI Cryptography Authorization: Complete Declaration Guide

2024 Articles Cyberculture

EAN Code Andorra: Why It Shares Spain’s 84 Code

Why some EU countries are not on board

What is the unitary patent?

The unitary patent is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the European Patent Office (EPO) 1. It is an alternative option to the classical European patent, which requires individual validation and maintenance in each country where the patent holder wants to benefit from protection 1. The unitary patent  entered into force on 1 June 2023, after the ratification of the Agreement on a Unified Patent Court (UPC Agreement) by 17 states participating in enhanced cooperation 2. It is expected that more EU states will join this scheme in the future 1.

The unitary patent is based on the European patent granted by the EPO under the rules of the European Patent Convention (EPC), so nothing changes in the pre-grant phase and the same high standards of quality search and examination apply. After a European patent is granted, the patent holder can request unitary effect, thereby obtaining a European patent with unitary effect (unitary patent) that provides uniform protection in initially 17 EU member states.

What is the current status of the unitary patent?

The unitary patent system is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the European Patent Office (EPO) . It is an alternative option to the classical European patent, which requires individual validation and maintenance in each country where the patent holder wants to benefit from protection . The unitary patent is expected to start in early 2023, after the ratification of the Agreement on a Unified Patent Court (UPC Agreement) by 17 states participating in enhanced cooperation . It is expected that more EU states will join this scheme in the future.

The UPC Agreement

The UPC Agreement is an international treaty that establishes the Unified Patent Court (UPC), a supranational specialised court that will have exclusive jurisdiction to settle disputes relating to unitary patents and European patents . The UPC Agreement was signed by 25 EU member states in 2013, but it requires the ratification by at least 13 states, including France, Germany and Italy, to enter into force.

As of June 2021, 16 states have ratified the UPC Agreement, including France and Italy . Germany has also ratified the UPC Agreement in December 2020, but its ratification is pending before the German Constitutional Court, which has received two constitutional complaints against it . The German government has expressed its intention to deposit its instrument of ratification as soon as possible after the resolution of these complaints . The UK, which was initially one of the mandatory ratifying states, has withdrawn from the unitary patent system after leaving the EU in 2020.

The main obstacle and challenges

The main remaining obstacle for the implementation of the unitary patent system is therefore the outcome of the German constitutional complaints. If they are dismissed or overcome, Germany could deposit its instrument of ratification and trigger the entry into force of the UPC Agreement within three months . However, if they are upheld or delayed, Germany could be prevented from joining the unitary patent or cause further uncertainties and complications for its launch.

Other challenges for the implementation of the unitary patentinclude the practical and logistical arrangements for the operation of the Unified Patent Court, such as the recruitment and training of judges, the establishment of IT systems and facilities, and the adoption of procedural rules and guidelines . Moreover, some legal and political issues may arise from the withdrawal of the UK from the unitary patent, such as the impact on the linguistic regime of the unitary patent, the distribution of the workload and the cases among the different divisions of the Unified Patent Court, and the compatibility of the UPC Agreement with EU law.

What are the advantages?

The unitary patent system offers several advantages for inventors and innovative companies who want to protect their innovations in the EU. Among these advantages, we can mention:

  • The simplification of the procedure: the patent holder no longer needs to carry out complex and costly procedures with national offices to validate their European patent in each country 1.
  • They only need to request unitary effect from the EPO, which is their single interlocutor 2.
  • The reduction of costs: the patent holder no longer has to pay validation fees, translation fees, representation fees or annual national fees to keep their patent in force in the countries covered by the unitary patent 1.
  • They only pay a single annual fee to the EPO, which is calculated according to a progressive scale 3.
  • The legal certainty: the patent holder benefits from a uniform protection in all countries where the unitary patent takes effect, without risk of fragmentation or divergence between national rights 1.
  • They can also enforce their rights before a supranational specialised court, the Unified Patent Court (UPC), which has exclusive jurisdiction to settle disputes relating to infringement and validity of unitary patents.

How does the unitary patent compare with other patent systems?

The unitary patent system is not the only option for obtaining patent protection in multiple countries. There are other regional or international patent systems that offer different advantages and disadvantages for inventors and innovative companies. Here are some examples:

The European Patent Convention (EPC)

The EPC is an international treaty that allows applicants to file a single application at the European Patent Office (EPO) and obtain a European patent that can be validated in up to 38 contracting states . The EPC is not affected by the unitary patent system and will continue to operate in parallel with it. The EPC offers more flexibility than the unitary patent, as applicants can choose which countries they want to validate their European patent in. However, it also involves more costs and formalities than the unitary patent, as applicants have to pay validation fees, translation fees and annual national fees in each country where they want to maintain their European patent.

The Patent Cooperation Treaty (PCT)

The PCT is an international treaty that allows applicants to file a single international application at a national or regional office and obtain an international search report and a preliminary examination report on their invention . The PCT does not grant patents directly, but facilitates the entry into national or regional phases in up to 153 contracting states . The PCT offers more time than the unitary patent system, as applicants can delay their decision on which countries they want to pursue their patent protection in for up to 30 or 31 months from the priority date . However, it also involves more complexity than the unitary patent, as applicants have to comply with different requirements and procedures in each country where they enter the national or regional phase.

The Eurasian Patent Convention (EAPC)

The EAPC is an international treaty that allows applicants to file a single application at the Eurasian Patent Office (EAPO) and obtain a Eurasian patent that can be validated in up to 8 contracting states . The EAPC is not related to the unitary patent system and operates independently from it. The EAPC offers more simplicity than the unitary patent, as applicants do not have to pay any validation fees or translation fees in the countries where they want to validate their Eurasian patent . However, it also involves more risk than the unitary paten system, as applicants cannot opt out of the jurisdiction of the Eurasian Court of Patent Disputes, which can invalidate their Eurasian patent in all contracting states.

How Freemindtronic’s international patents are related to the unitary patent

Freemindtronic is an Andorran company that creates innovative solutions for security, cyber-security and counter-espionage, using contactless technology (NFC). We have several inventions that are protected by international patents in the fields of embedded systems, access control and segmented key authentication. For example, our patented technologies EviCore NFC HSM, which manage encryption keys in an NFC HSM device, EviCore HSM OpenPGP, which manage encryption keys in a security element of phones, EviVault NFC HSM Cold Wallet operating without contact, EviKey NFC a contactless secured USB key and the technology EviCypher NFC HSM which encrypts all types of data. These technologies implement our patents and especially the one based on the segmented key authentication system. The latter received the gold medal of international inventions of Geneva 2021.

Our patent options

Our patents are based on the European patent granted by the European Patent Office (EPO) under the rules of the European Patent Convention (EPC). Therefore, we could benefit from the unitary patent system, which is a new scheme that allows inventors and innovative companies to protect their inventions in 17 EU member states by filing a single request to the EPO. However, we would also have to consider the disadvantages and risks of the unitary patent, such as the risk of total invalidation, the lack of flexibility and the exclusion of some countries. Moreover, we would have to deal with the legal issues of the unitary patent for non-participating countries, such as cross-border infringement cases and jurisdictional conflicts.

Our patent strategy

We have opted for the unitary patent only for our segmented key authentication system, and we have added some non-participating countries to our other European patents. The reasons behind this choice are related to our market strategy, our innovation potential and our risk assessment. For instance, we have decided to use the unitary patent for our segmented key authentication system because we consider it as our core invention and we want to protect it in a uniform and effective way in most EU countries. On the other hand, we have decided to add some non-participating countries to our other European patents because we want to preserve our flexibility and avoid possible invalidation challenges in those countries.

Conclusion

Our international patents are relevant examples of how the unitary patent system can affect inventors and innovative companies in Europe, both positively and negatively. They illustrate the opportunities and challenges that the unitary patent poses for innovation and competitiveness in the EU.

How can legal issues of the unitary patent for non-participating countries be resolved?

The legal issues of the unitary patent system for non-participating countries are complex and not yet fully resolved. One of the main questions is how to deal with cross-border infringement cases involving unitary patents and national patents. For instance, if an inventor from a non-participating country, such as Spain, wants to enforce his rights on his classic European patent in a participating country, such as France, where a unitary patent holder claims to infringe his patent, which law should he consider? Well, the question is not easy to answer, because he will have to take into account many international standards. In the end, this very important aspect will be “subjected” to a very complex situation that will necessarily be defined with the successive application of the law.

Another question is how to ensure a fair balance between the rights and obligations of unitary patent holders and national patent holders in non-participating countries. For example, if a unitary patent holder wants to enforce their rights in a non-participating country, such as Poland, where a national patent holder is allegedly infringing their patent, which court should they go to? Well, the answer is not clear, as it will depend on the interpretation and application of various international agreements. In principle, the unitary patent holder should go to the national court of Poland, but they may face some difficulties or disadvantages in comparison with the national patent holder, such as higher costs, longer procedures or different standards of proof.

One possible way to resolve these legal issues is to harmonise the rules and practices of the unitary patent and the national patent systems in Europe. This could be achieved by adopting common standards and guidelines for patent examination, grant, validity and enforcement, as well as by establishing mechanisms for cooperation and coordination between the UPC and the national courts. Another possible way is to extend the scope and coverage of the unitary patent and the UPC to all EU member states and other EPC contracting states. This could be achieved by encouraging and facilitating their participation in the enhanced cooperation and ratification of the UPC Agreement.

However, these solutions may face some practical and political challenges, such as the lack of consensus or willingness among the different stakeholders, the respect for national sovereignty and diversity, or the compatibility with EU law and international obligations. Therefore, it is important that the unitary patent and its legal implications are carefully monitored and evaluated, and that its benefits and drawbacks are balanced and communicated to all parties involved.

What are the disadvantages?

The unitary patent system is not without disadvantages for some actors in the patent market. Among these disadvantages, we can mention:

  • The risk of total invalidation: the patent holder faces the possibility that their patent will be cancelled in all countries where it takes effect, if the UPC finds that it does not meet the requirements of patentability. They do not have the possibility to limit or amend their patent to avoid this fatal outcome.
  • The lack of flexibility: the patent holder cannot choose the countries where they want to protect their invention, nor renounce their patent in some countries to avoid paying fees or to circumvent legal obstacles. They must accept or refuse unitary effect as a whole.
  • The exclusion of some countries: the patent holder cannot benefit from protection in all EU member states, since some countries have decided not to participate in the unitary patent or have not yet ratified the UPC Agreement 1.
  • This is notably the case of Spain, which is one of the few EU countries that does not intend to be part of the unitary patent

What are the best practices or strategies for using or avoiding the unitary patent?

The unitary patent system offers a new opportunity for inventors and innovative companies who want to protect their inventions in Europe. However, it also poses some challenges and risks that need to be carefully considered. Depending on their needs and goals, they may decide to use or avoid the unitary patent, or to combine it with other patent systems. Here are some factors to consider when making this decision:

The scope of protection

The unitary patent system provides a uniform protection in 17 EU member states, which may cover a large part of the European market. However, it does not cover all EU member states, nor non-EU countries that are part of the EPC or the PCT. Therefore, inventors and innovative companies should assess whether the unitary patent covers their target markets, or whether they need to seek additional protection in other countries.

The cost of protection

The unitary patent reduces the cost of protection in Europe, as it eliminates the need to pay validation fees, translation fees and annual national fees in each country where the unitary patent takes effect. However, it also introduces a single annual fee for the unitary patent, which is calculated according to a progressive scale . Therefore, inventors and innovative companies should compare the cost of the unitary patent with the cost of other patent systems, and consider whether they need protection in all countries covered by the unitary patent, or whether they can save money by choosing a smaller number of countries.

The risk of invalidation

The unitary patent increases the risk of invalidation in Europe, as it exposes the unitary patent to a single challenge before the UPC, which can invalidate it in all countries where it takes effect. Moreover, the UPC is a new court that may have some uncertainties and inconsistencies in its interpretation and application of the law. Therefore, inventors and innovative companies should evaluate the strength and validity of their inventions, and consider whether they want to avoid this risk by opting out of the UPC for their European patents, or by using other patent systems that allow them to limit or amend their patents in case of invalidation challenges.

The enforcement of rights

The unitary patent facilitates the enforcement of rights in Europe, as it allows the holders of unitary patents to sue infringers before the UPC, which can grant pan-European injunctions and damages. However, it also exposes them to counterclaims for invalidity before the UPC, which can invalidate their unitary patents in all countries where they take effect. Therefore, inventors and innovative companies should assess the likelihood and impact of infringement and invalidity actions, and consider whether they want to benefit from this facilitation by opting in to the UPC for their European patents, or whether they want to retain more control over their litigation strategy by using national courts or other patent systems.

Why do some EU countries not want to join the unitary patent

The reasons for some EU countries’ exclusion from the unitary patent are diverse. Spain, for example, considers that the linguistic regime of the unitary patent, which relies on the three official languages of the EPO (English, French and German), is discriminatory and harms its economic and cultural interests. It believes that Spanish, which is the second most spoken native language in the world, should be recognised as an official language of the unitary patent, or at least, that the holders of unitary patents should be required to provide a full translation in Spanish of their patents. It also fears that the unitary patent will strengthen the dominant position of the English-speaking and German-speaking countries in the field of innovation and will reduce the development opportunities of Spanish companies.

Croatia, on the other hand, has not joined enhanced cooperation for setting up the unitary patent, because it joined the EU after the launch of this initiative. However, it has expressed its interest in joining the unitary patent in the future.

Poland and the Czech Republic have participated in enhanced cooperation, but have not signed or ratified the UPC Agreement, which is a prerequisite for being part of the unitary patent 2. These countries have invoked economic and legal reasons to justify their withdrawal. Poland has estimated that the unitary patent would have a negative impact on its national budget and on its competitiveness. The Czech Republic has expressed doubts about the compatibility of the unitary patent with EU law and about the quality of automatic translations .

Slovakia has also participated in enhanced cooperation, but has opposed the regulation on the unitary patent and has challenged it before the Court of Justice of the EU (CJEU). It has argued that the regulation was contrary to the principle of equal treatment between the member states and the official languages of the EU. It has also questioned the legal basis of the regulation and its respect for national competences in the field of industrial property. The CJEU rejected its request in 2015.

Hungary has ratified the UPC Agreement in 2018, but has denounced it in 2020, following a decision of its Constitutional Court that declared that the Agreement was incompatible with its Constitution. The Court considered that the Agreement infringed on Hungary’s sovereignty in the matter of intellectual property and that it violated the principle of separation of powers by entrusting the settlement of disputes relating to patents to a supranational court not integrated into the Hungarian judicial system.

Here is a table that summarizes that gives the list of European countries that accept the unitary patent and the European countries that have excluded themselves from the unitary patent:

Country Status Reason
Germany Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Austria Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Belgium Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Bulgaria Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Cyprus Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Croatia Excluded Has not joined enhanced cooperation
Denmark Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Spain Excluded Has opposed enhanced cooperation and has challenged the linguistic regime of the unitary patent
Estonia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Finland Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
France Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Greece Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Hungary Excluded Has ratified the UPC Agreement but has denounced it following a decision of its Constitutional Court
Ireland Accepts Participates in enhanced cooperation but has not yet ratified the UPC Agreement
Italy Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Latvia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Lithuania Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Luxembourg Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Malta Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Netherlands Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Poland Excluded Participates in enhanced cooperation but has not signed or ratified the UPC Agreement
Portugal Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Czech Republic Excluded Participates in enhanced cooperation but has not signed or ratified the UPC Agreement
Romania Accepts Participates in enhanced cooperation but has not yet ratified the UPC Agreement
Slovakia Excluded Has opposed enhanced cooperation and has challenged the regulation on the unitary patent
Slovenia Accepts Participates in enhanced cooperation and has ratified the UPC Agreement
Sweden Accepts Participates in enhanced cooperation and has ratified the UPC Agreement

What are the consequences of these countries’ exclusion from the unitary patent?

The exclusion of these countries from the unitary patent has consequences for both the holders of unitary patents and the national patent holders in these countries. For the holders of unitary patents, this means that they cannot protect their inventions in these countries through the unitary patent, but they have to resort to the classical European patent or the national patent . They therefore have to bear the costs and formalities related to the validation and maintenance of their patent in these countries, as well as the risks of a fragmented protection and legal uncertainty . For the national patent holders in these countries, this means that they cannot benefit from the advantages of the unitary patent, but they have to face the increased competition of the holders of unitary patents in the other EU countries . They also have to adapt to the rules and procedures of the UPC, which can be seized by the holders of unitary patents to assert their rights against them or to challenge the validity of their classical European patents .

What are the legal issues of the unitary patent for non-participating countries?

The legal issues of the unitary patent system for non-participating countries are complex and not yet fully resolved. One of the main questions is how to deal with cross-border infringement cases involving unitary patents and national patents. For example, if an inventor from a non-participating country, such as Spain, wants to exercise their rights on their classical European patent in a participating country, such as France, where a unitary patent holder is allegedly infringing their patent, which law should they take into account? Well, the question is not easy to answer, as it will have to take into account many international norms. In the end, this very important aspect will be “subjected” to a very complex situation that will necessarily be defined with the successive application of the law.

Another question is how to ensure a fair balance between the interests of the holders of unitary patents and those of national patent holders in non-participating countries. For instance, if a national patent holder in Spain wants to challenge the validity of a unitary patent that covers an invention similar to theirs, how can they do so without having to go before the UPC, which may not be accessible or convenient for them? Conversely, if a unitary patent holder wants to enforce their rights against a national patent holder in Spain who is allegedly infringing their patent, how can they do so without having to go before a national court that may not be familiar or favourable with the unitary patent? These questions raise issues of jurisdiction, recognition and enforcement of judgments, as well as substantive law harmonisation.

These legal issues are likely to generate uncertainty and litigation for both unitary patent holders and national patent holders in non-participating countries. They may also create barriers and distortions in the internal market and affect innovation and competitiveness. Therefore, it is desirable that these issues are addressed and clarified as soon as possible, either by legislative or judicial means.

Conclusion

The unitary patent is a new scheme that offers a simplified, economical and uniform protection in 17 EU member states. It is accompanied by a Unified Patent Court, which has exclusive jurisdiction to settle disputes relating to unitary patents. The unitary patent has advantages and disadvantages for inventors and innovative companies, depending on their strategy and market. Spain is one of the few EU countries that does not intend to join the unitary patent, mainly for linguistic reasons. Its exclusion has consequences for both unitary patent holders and Spanish actors in the patent market. The unitary patent also raises legal issues for non-participating countries, which are not yet fully resolved.

In conclusion, the unitary patent system is a major innovation in the field of intellectual property in Europe, but it also poses significant challenges for its implementation and acceptance. It aims to foster innovation and competitiveness in the EU, but it also creates disparities and conflicts between participating and non-participating countries. It offers a simplified and uniform protection for inventors and innovative companies, but it also exposes them to risks and uncertainties in cross-border litigation. It is therefore important that the unitary patent is carefully monitored and evaluated, and that its benefits and drawbacks are balanced and communicated to all stakeholders.

(1) https://www.epo.org/applying/european/unitary/unitary-patent.html

(2) https://www.epo.org/applying/european/unitary.html

(3) https://www.gov.uk/guidance/the-unitary-patent-and-unified-patent-court

Freemindtronic’s NFC hardware wallets with credit card management are PCI DSS compliant

Why the NFC hardware wallet with credit card manager is PCI DSS compliant

Why Freemindtronic NFC hardware wallets with credit card management are PCI DSS compliant.

NFC hardware wallets with credit card management the patented nfc hardware wallet designed and developed by Freemindtronic SL Andorra has a secure manager function, with physical protection of the Bank Cards.

These are  highly  secure  NFC  devices  for storing encrypted data in AES  256. They have a multi-factor access control and authentication system. These factors  are set at the discretion of the user. They may be different  for each credit card stored in the device. It is even possible to limit a data’s access to a geographical area.

This is a physical safe Gre reen Tech. Indeed, theNFC device works without a battery, since it recoverstheenergy via the NFC signal of the phone that serves as its terminal.
This allows it to always keep available stored data, for 40 years, without maintenance, without the need to be connected to an energy source.

These Hardware wallets are trying to combat the risk of contamination linked to COVID; indeed, they are used without contact via an NFC phone

These Hardware wallets are Air Gap 1. That is, they are  physically isolated from any computer network. The data is stored encrypted only in the device’s non-volatile memory.  They are physically accessible only by theuserand/or their administrators.

This Cold Wallet does not collect any personal data. It doesn’t use a remote server, cloud, or remote backup unit. 

After authenticating the Cold Wallet user, he can automatically fill out the fields of a credit card to make hispayments online. This is  a similar gesture to contactless payment, but to  make  online purchases. Beyond the risk of COVID contamination,they fight cybersecurity attacks, since theuserdoes not touch the  computer keyboard.  The data  is  transmitted from the device  and  encrypted   to the computer system. The data displayed on the screen is offended, shielded froms ss s and prying systems indiscreet or malicious.

Thus, the user can make his purchases online on any computer system or phone without leaving any information of his bank cards. In fact, the user does not need to back up their bank card data in a computer system, in a phone, or in online shopping sites.

Who is affected by the PCI DSS standard?

The PCI standard is dedicated to the data security of the payment card industry (PCIDSS). It is a  set of security standards designed to ensure that all businesses that accept, process, store or transmit credit card information maintain a secure environment.2

The PCI DSS standard applies to any organization, regardless of the size or number of transactions, that accepts, transmits or stores cardholderdata.

It applies to all merchants who trade withbank cards. This also applies to merchants who do not store credit cards data but who have received credit or debit cards as a method of payment.

You can check out the PCI DSS standard on the www.pcisecuritystandards.org website(https://www.pcisecuritystandards.org/document_library). 

Freemindtronic’s Cold Wallet NFC are not bank cards

These NFC devices are not bank cards.  They are also not  payment instruments  frequently used for retail purchases. The definition of a bank card is defined in particular by the European Parliament and Council regulation of 29 April  2015 (EU) 2015/751. (https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32015R0751&from=FR).

Similarly, these Cold Wallet NFC are  not  means of  payment. These are  NFC   devices that allow you to fill in information fields of bank cards,   in a secure way,  to  makepayments. This is made  fromcomputersystems   and connected phones  (e.g.  computer, smartphone, tablet), but whose transaction is necessarily carried out by existing means of payment, subject to the PCI DSS standard.

PCI DSS does not apply to Freemindtronic SL Cold Wallet NFC

For several reasons, Freemindtronic SL Cold Wallet NFC cannot be subject to all PCI DSS standards.

First, these Hardware wallets are not an organization, nor a trader.

Second, they donot have the functions of payment cards.

Third, they do not allow payment transactions to be carried out on a terminal. An electronic payment terminal is a device that allows a merchant to accept and process credit card payments. The device allows you to record the transaction, debiting the customer’s bank account and crediting the professional’s account with the amount of the sale.  Nordoes it allow you to make money ata bank counter.

Finally, they are also not an electronic payment method (E-payment). Because electronic payment is a means of conducting commercial transactions for the exchange of goods or services over the Internet.

More information

These Hardware wallets have a control system that prohibits token of invalid bank cards.

In addition, the storage of credit card information does not include the PIN. 

Physical protection of the bank card

These Hardware wallets effectively protect against the risk of fraudulent use of bank cards as a result of theft, loss or    malicious persons. Simply physically erase the CCV from the credit card after backing up the information in the Cold Wallet. 

Demo – tutorial:

Cybersécurité anti phishing

These Cold Wallet NFC also havecontrolsystems  including  intelligent self-connectionto an original website. The user always connects to the original sites where he automatically manages the favorites.

An associated plugin is compatible with many web browsers, Chromium, Chrome, Brave, Opera, Firefox, Edge. It has a HTTPS control system and exposure to phishing risks based on domainnames.

in short

Even if Freemindtronic’s Cold Wallet NFC is not affected by PCI DSS standards, these curity level, combined with that of bank cards and their uses, is greatly increased to limit the area of attack in the face of identity theft and fraudulent uses.

These Cold Wallet NFC are the most secure, highly secure, mobile storage units dedicatedto physical protection and security of the use of sensitive data such as the visible information of bank cards on connected media as well as their uses on the internet and intranet.

User Experience

These devices, available in credit card format, are usedas for contactless payment at merchants. Thanks to the simple and fast system of self-filling the  information fields of bank cards,we have the same known sensations as those of  contactless payment. It can therefore be said that  itisCold Wallet  NFC  allowsattempt to make online payments without contact.

1 Air Gap : https://www.techopedia.com/definition/17037/air-gap Yes https://www.automation.com/en-us/articles/2011-2/scada-securitys-air-gap-fairy-tale

2 https://www.pcicomplianceguide.org/faq/#1

Why does the Freemindtronic hardware wallet comply with the law?

Why the Freemindtronic Hardwares Wallet complies with directives, regulations and decrees

Freemindtronic hardwares wallet is having regard to Decree No. 2018-418 of 30 May 2018  resulting from Law No. 2016-1321 of 7 October 2016  for a Digital French Republic, relating to the modalities of implementation of the digital safe service. Unless we are mistaken, it appears that the innovative patented solutions of 100% electronic safes for offline use have not yet been regulated.

The electronic safe solutions that may be affected by the decree are non-exhaustively, EviCypher, EviTag, EviCard,  EviKey, EviDisk,  FullKey NFC,  EviKey & EviDisk

art. R. 55-1The decree provides a framework for the operation of digital safes. Thus, the provider of digital safes is required to inform the user in a clear, fair and transparent way about its service, prior to the conclusion of a contract. In particular, he must communicate

  • The type of space made available to it and the associated conditions of use;
  • The technical mechanisms used;
  • The Privacy Policy;
  • The existence and implementation of the guarantees of proper functioning.

Since Freemindtronic SL clearly tells users:

  • the pre-defined space available before the acquisition of the devices, as well as the possibility of checking for themselves the amount of memory used,
  • the terms of use are available invideos, at any time on the internet, via YouTube as well as through various publications written on the website,
  • that no material and/or digital information is collected in any way whatsoever, which consequently generates the total anonymity of the user,
  • the complete technical data sheets of the devices are available on the Freemindtronic SL website.
  • the implementation of the guarantee is published on the website. A large part of Freemindtronic SL solutions are guaranteed lifetime devices.

art. R. 55-3 – The said decree specifies that the integrity, availability and accuracy of the origin of the data and documents stored in the digital safe are guaranteed by appropriate security measures and in accordance with the state of the art.

Since Freemindtronic SL can guarantee users:

Data integrity, which is guaranteed by the manufacturer of STMicroelectronics components for at least 1 million error-free write cycles, and 40 years of data retention in non-volatile memory.

Their availability since Freemindtronic SL devices work without maintenance, without battery, by recovering electrical energy via the NFC signal of a smartphone. Thus, such a device allows users to access at any time, for at least 40 years, the data contained in the vault.

The accuracy of the origin of the data: it is the user himself who stores the data in the electronic memory of The Vaults of Freemindtronic SL

Memory access is physically locked by multiple hardware devices, such as a unique peering key with at least one user-defined administrator password. These security measures  implemented imply the material and/or digital impossibility of corrupting the backed up data. It will also be impossible for the manufacturer to be able to access the automatically encrypted contents of said memory of the device. It is specified that the user has additional functions that allow him to harden himself the level of security according to the use of Freemindtronic’s electronic safes.

art. R. 55-4 The said decree specifies that the traceability of the operations carried out on the data and documents stored in the digital safe require at least the implementation of the following measures:

  • The recording and timestamp of accesses and access attempts;
  • Recording operations affecting the content or organization of the user’s data and documents;
  • Recording maintenance operations affecting data and documents stored in digital vaults.
  • The retention periods of this traceability data constitute a mandatory mention of the contract for the provision of electronic safe services.

Since Freemindtronic’s electronic safes,

  • have a tamper-proof and non-modifiable black box. That this black box traces in particular the number of attempts to enter the administrator password and that this information is automatically saved in the black box.
  • manage the recording of data dynamically, machine to machine (M2M) between the NFC terminal and the NFC device. That the backup system is carried out in real time with the physical electronic memory of the device, on the volatile memory of the terminal, without preservation of this data.
  • have non-volatile memories, capable of retaining the data backed up by the user for at least 40 years, without the need for an electrical power source.
  • has certified documents from the manufacturer of the electronic components used by Freemindtronic SL in these devices which establish without a doubt that the average time between failures is estimated after a 1 million cycles of writes per memory block, no maintenance operation is necessary.

art. R. 55-5.- The said decree indicates that the identification of the user when accessing the digital safe service must be ensured by an electronic means of identification adapted to the security issues of the service.

Since Freemindtronic’s solutions have several identification parameters that can be predetermined by the user himself, namely: administrator password, user password, pairing of NFC terminals, enslavement to a geolocation point, encryption key, physical blockchain segments, password encryption keys, and a code for displaying and sharing data called jamming.

art. R. 55-6. The said decree, according to the guarantee, as provided for in 4 ° of Article L. 103, of the exclusivity of access to the documents and data of the user or to the data associated with the operation of the service requires at least the implementation of the following measures:

“1° An access control mechanism limiting the opening of the digital safe to only persons authorized by the user;

“2° Security measures to guarantee the confidentiality of stored documents and data as well as the corresponding metadata;

“(3) Encryption by the digital safe service of all documents and data stored by or transferred to or from the digital safe. This encryption must be carried out using cryptographic mechanisms in accordance with the state of the art and allow an evolution of the size of the keys and algorithms used.

Since Freemindtronic SL,

  • has implemented several security systems to protect the opening of the electronic safe:  physical, digital and human identification. The first check requires to know the physical pairing key of the device to authorize the connection with a computer terminal with NFC technology. The second control requires the user to know the administrator code that he himself has previously saved in the device to access the services. Other security systems can be added, forming a symmetric and/or asymmetric encryption key that, segmented into a physical blockchain in physical memory, makes access to encrypted data saved in physical memory totally inaccessible.
  • has implemented a multi-factor authentication method to simultaneously identify the terminal authorized to use the device and the user. This makes it possible to guarantee exclusive access to the backed-up data to the user and/or his/her rights holders.
  • has implemented a backup process by which all attached data and metadata are encrypted in the unconnected device that guarantees the confidentiality of the data stored in the electronic safe.
  • uses dynamically scalable encryption key sizes and uses qualified standardized standards, such as AES256-bit and/or RSA4096-bit keys. Said keys can themselves be encrypted in AES256 bits and segmented in a physical blockchain, in one or more separate devices. Such an implementation makes it impossible, at the known state of the art, to access the said keys or the possibility of guessing them via a brute force attack.

Decision of the Jaroch Technology Committee meeting on 12 June 2018,

Having regard to Decree No. 2018-418 of 30 May 2018 which will enter into force on 1 January 2019;

Where as Freemindtronic SL clearly indicates to users the conditions of use, the technical mechanisms used and the implementation of the guarantees associated with its electronic safe solutions;

Whereas appropriate security measures are implemented to guarantee the integrity, availability and accuracy of the origin of the data stored in the electronic safe;

Whereas the traceability of the operations carried out on the data stored in the electronic safe is effective;

During the Occitanie CyberMatines on LMI TV @lemondeinformatique april 22, 2020, Fullsecure conducted offline protection and physical use demonstrations of sensitive data such as passwords and encryption keys. The backup media in credit card or Tag formats operate without contact with a phone serving as an NFC terminal.

This demo shows an electronic self-connection system to a computer, a motherboard Bios, a Windows session and a VPN with the devices from Freemindtronic hardwares wallet & contactless virtual keyboard

Retrocompatible solutions for offline encryption of any type of data on computer and phone

Another demo shows how to encrypt any data on computer and smartphone, an operation compatible with all computer systems and messaging services, including SMS.

We are talking about compatible retro solutions that offer the advantage of securing the use of any type of computer hardware, computer, smartphone, software, application while maintaining maximum security of the use of sensitive data, whether personal or professional.

Finally, Fullsecure gives a tip to make a desktop “smart”: Secure the sensitive data of any computer discreetly, discreetly, thanks to its mini devices hardened in Pin’s format.

In addition, data sharing is contactless, reducing the risk of contagion during this period of pandemic due to Covid19. Indeed, it is enough to approach your smartphone to the Fullsecure device to manage and use the data contained in pin’s.

Fullsecure offers a wide range of products to meet data security needs in mobility and/or in the workplace.

This site uses cookies to offer you a better browsing experience. By browsing this website, you agree to our use of cookies.