The proliferation of the Internet as a means of connecting individuals and organizations has created new commercial opportunities for businesses. Businesses now sell products and services through the Internet in volumes that twenty years ago were technologically, economically and practically infeasible. Commercial transactions by computer were once the province of technologically trained and sophisticated users who controlled large, complex computer systems and networks for government and big business. Today, relatively unsophisticated home computer users can purchase products and services from home and communicate by e-mail around the world.
The widespread use of the Internet has created a market for tools that the public can use to access the network, and for tools to protect data communications. The rapid rise of the Internet has also created a need for new laws to govern commercial and business transactions in "cyberspace".1 Unfortunately, the development of a legal and regulatory framework lags behind the rise of Internet technology.2
The rules of law controlling exports of U.S.-made strong public key encryption technology from the U.S. and Canada to overseas markets are particularly unsettled. The executive, legislative and judicial branches each seek to drive the creation of export rules for this technology. In 1996, President Clinton, under authority of the International Emergency Economic Powers Act, in the interest of protecting national security and foreign policy, issued an order placing limits on strong encryption technology exports3. In the interim between issuance of the Executive Order and promulgation of the regulations authorized under the Executive Order, a California district court judge ruled that the restrictions on exports were unconstitutional.4
Meanwhile, several legislative proposals for controls on strong encryption exports were introduced in both the 104th and 105th sessions of Congress.5 Some of the bills proposed to deregulate exports entirely, while others proposed to allow exports as long as the U.S. government has the keys to decode encrypted messages.6 Moreover, industry groups have joined the debate and voiced concerns about the economic impact of export restrictions on U.S. industry.7 Finally, human rights and free speech organizations, and the vendors of privacy software, have weighed in with their opinions, and raised invasion of privacy issues and concerns about how the U.S. government may abuse its power and spy on its citizens if it has the keys to decode encrypted messages.8
This paper examines the current policy debate over strong encryption exports. Part I of this paper briefly summarizes the history of the Internet and U.S. data security products, and provides an overview of U.S. encryption products. Part II describes the U.S. laws and proposed bills that regulate encryption technology exports. It also discusses the commercial implications behind limiting exports of encryption technology. Part III summarizes the status of foreign laws governing encryption technology exports. Part IV discusses from a law and economics point of view the efficiency considerations that may drive the development of laws controlling strong encryption exports. The paper concludes in Part V.
I. The Origins of the Internet and U.S. Data Encryption Technology
Much of the U.S. debate over strong encryption export laws is framed in terms of the interests of government in protecting national security versus the interests of private individuals and industry in protecting communications from government intrusion and in competing in the worldwide electronic commerce market. In addition, there is debate over whether encryption products are a form of protected speech, safe from government regulation, or a category of munitions subject to government controls. Finally, there is controversy about whether strong encryption is a public domain technology, thus exempt from the statute regulating munitions, or whether this technology is integral to maintaining U.S. defense.
The Internet and encryption technology have origins in military defense applications. However, today, industry and individuals have integrated this technology into daily life. In order to understand the current debate over strong encryption product export laws, it is important to understand why export controls over strong encryption products exist. The history of the Internet and of strong encryption products provides a background to understand the debate.
A. From the ARPANET to the Internet
The Internet, the global "network of computer networks", began as a research project called ARPANET in the United States Defense Department's Advanced Research Projects Agency.9 Prior to ARPANET, in order to send a message from one computer to another, both computers needed to be in direct, constant communication with each other. These computers controlled the movement of data from a source to a destination.10 They first exchanged the address of the source and destination. The computers then exchanged the message itself. If one computer went down during the interchange of information, then communication on the network was halted until the computer connection was restored or until a backup system became available.
ARPANET created a network of computers whereby if any computer went down, the message could be automatically re-routed to fill in the gap in the network. The technology also allowed a single message to be divided into bundles, called "packets", containing the message itself plus the address of the source and of the destination. "Data could be routed from source to destination through any computer on the network" because each packet contained the routing information.11 Messages could be routed to the destination computer through computers and local networks at random because the address information was included in the packet. Once the data arrived at its destination, the destination computer could reconstruct the message from the packets.
This technology has certain advantages for military and commercial applications. First, a network of interlinked computer systems is more reliable than a network controlled by a single computer; the network functions even if a particular source or destination computer is down. In fact, a major factor motivating ARPANET research, in the late 1960's, was the need for reliable communications between military and industrial facilities in the event of nuclear war or similar disaster.12 Furthermore, commercial applications, such as those that exist in the banking and credit/debit card industries, require "fault tolerant" networks that are capable of handling a high volume of transactions, that do not corrupt the data in transmission, and that perform reliably on a regular schedule.
Second, many different computer systems can communicate with each other as long as the communications interface between the computer systems uses a common data transfer protocol.13 The advantage is that any individual user on a computer system can continue to use the software and interfaces that are familiar to that user, and also can communicate with other users whose computer system may use entirely different software and have an entirely different look and feel. This means that individual sites can preserve their existing technology investment, an important consideration for both business and government when choosing a new technology to integrate into existing systems.
Third, large computer systems usually require technically experienced personnel to create programs, maintain the systems, and keep them up and running. They also usually require a staff to train and support the system's users. However, a distributed computer network can use technical personnel from many organizations to maintain and manage the system. No one organization needs to shoulder the huge cost associated with keeping all of the computers on the network up and running, and training and supporting all of the users of the system.
Universities were among the first to recognize the advantages of this technology. Universities became linked to the ARPANET so that users could send e-mail and share files electronically with colleagues around the world. This technology also allowed universities to link computer hardware for purposes of running large experiments that could not be performed on just one machine. Next, large computer companies, and then businesses were quick to realize the advantages of the new computer technology. However, at this point finding the correct address on the system and sending messages required technical expertise beyond the level of most computer users. Thus, even after the Defense Department expanded access to the ARPANET, it was out of the reach of most computer users.
Software companies began providing gateways so that users without technical experience could use the network. In 1984, the ARPANET split into two branches, the ARPANET and the Internet. Web browsers, graphical interfaces to the network, allowed users to search for other users or Web sites without knowing the exact address of the other user or site. This enabled people without technical knowledge to find sites and addresses on the Internet.
Although the Internet's open nature and network architecture are inherited from the ARPANET, the Internet differs from its roots in ways other than the fact that it has a graphical user interface. First, unlike the Defense Department's project, the Internet is an entirely public network. For a small fee, usually waived for the first three months of use, any computer user with access to a modem and an authorized phone number can establish an e-mail account and send messages and data to any other user on the Internet. For an additional, nominal investment, a user can establish a Web site and post information to the Internet that any Internet user can access.
Second, the rapid proliferation of Internet technology has created an explosive market opportunity for a new type of business transaction -- digital commerce.14 Financial services companies that traditionally have relied on high volume transaction computer networks are exploring new ways to create electronic value on the Internet. For example, credit card companies are interested in carrying out transactions over the Internet, and banks are looking for ways to create an electronic version of the check.
Third, the Internet is no longer a computer network limited to and largely controlled by the United States government. It has transcended "internal as well as external political borders." In fact, it is sometimes impossible to tell where an Internet user or Web site owner is physically located.
The public nature of Internet access, the potential market opportunities that lie in exploiting the technology, and the Internet's global characteristics create legal, technological and political challenges. For example, because messages travel among many computers en route from the sender to the recipient, there is the possibility that messages may be intercepted or altered between sender and recipient. This has created a need for tools to ensure that a message's sender is truly who the sender claims to be, and to guarantee that the message remains intact on its way to the recipient. Of course, as these encryption tools are developed, there are attempts to develop methods for breaking the code.
A legal challenge lies in the fact that jurisdiction over a dispute is often closely tied to a physical location. However, which law to apply in a dispute originating from a transaction conducted in cyberspace is not so easily determined if the physical location of the parties can not be identified. Moreover, even if the parties' locations are determined, the law governing transactions in cyberspace may be entirely different between the jurisdictions, or nonexistent in the appropriate jurisdictions. The question of which rules apply . . . is not easy to answer. The concern here is how parties to contracts and other agreements conducted over the Internet can be certain that their agreements are secure, and which law applies to resolve any disputes developing from claims that the agreement was altered in transmission."15
Furthermore, now that ordinary people have access to computers and use them to send e-mail, there is increased concern that government will have access to personal information sent over the Internet. Since encryption technology is sometimes thought to be something only governments and spies -- not normal people -- would use, it is not designed into most Internet software.16 Many Internet users think that they are anonymous when they are online, and that their communications are not accessible. Of course, this is not usually the case. Personal privacy concerns have led private individuals to voice public disagreement with the government's ability to "wiretap and decode all kinds of information" transmitted over the Web.17
B. The Development of Strong Encryption Products in the United States
Networked computer systems usually have several levels of security. The first level can be a password protecting the computer hardware from being turned on by anyone who does not know the password. The next level usually prohibits anyone who is not authorized to access the local network from accessing the local network server. At the third level, a local network administrator can restrict a network user's rights and limit that user's ability to perform certain functions on that network.
The next level prohibits unauthorized users from logging on to the local network from sites outside of the network. Some companies provide authorized users access to the Internet from the local network. These companies usually have an Internet server as a computer on the local network, and need data security to ensure that only authorized network users can access the Internet. They also need security to ensure that Internet users only can access authorized portions of that company's network, including the Internet server. Finally, these companies need security to ensure that any authorized messages sent between the companies' local network and the Internet are inaccessible by any unauthorized viewer that manages to get through all of the other levels of computer security.
Traditional methods of computer security suffice to prohibit unauthorized attempts to access a computer system. However, encryption technology protects the contents of messages sent between computers and data residing on computers.
Cryptography, the study of using mathematical algorithms to encode data, has at its root military applications dating back to 405 B.C.18 More recently, the British in World War I used the contents of a decoded German message to convince the United States of the threat of Mexico joining the war, and to persuade the United States to join the war. In World War II, deciphering the German Enigma encryption machine and Japanese cipher systems helped the Allied forces strategize to win the war.
A strong demand for encryption tools for private individuals and industries arose as a result of the proliferation of computer networks and transactions, and of the increased sophistication of computer hackers. It is estimated that unauthorized computer systems break-ins in 1995 cost businesses $800 million.
Encryption tools have become more sophisticated and harder to decode as the demand for more secure computer systems has increased. The latest technology is "public key cryptography".19 With this technology, a user creates a public key to encode messages and a private key to decode messages. The user then sends the public key to the user who wants to send the message, and retains the private key to decode the message when it is received. Thus, even if the message or the public key is intercepted, the interceptor cannot decode the message without the private key, which is never sent over the computer network.
Some public key encryption algorithms are harder to decode than others. The most sophisticated encryption schemes are based on the product of two prime numbers. The length of the prime numbers determines how easy or difficult it is to break the key. The length also determines whether the product is classified as "strong" encryption technology for purposes of regulation under U.S. law.
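The scheme described in the two paragraphs above, as an added illustration that is not part of the original paper: textbook RSA with deliberately tiny primes, showing that the public key encrypts, only the private key decrypts, and that the work needed to recover the private key from the public key grows with the length of the primes. The primes, the exponent 65537 and all function names are constructed for this example; padding, which real systems require, is omitted.

```python
# Added illustration: textbook RSA with toy-sized primes (constructed values).
# No padding and not for real use; it only shows why prime length sets key strength.
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Build (public, private) keys from two primes p and q."""
    n = p * q                      # the modulus is the product of two primes
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)


def encrypt(public, m):
    """Encode integer message m with the public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    """Decode ciphertext c with the private key."""
    n, d = private
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Return (p, q, divisions_tried) for n = p * q.

    Simplest possible factoring method: the number of divisions is
    proportional to the smaller prime, so every extra digit in the
    primes multiplies the work by about ten.
    """
    if n % 2 == 0:
        return 2, n // 2, 1
    tries = 0
    for cand in range(3, isqrt(n) + 1, 2):
        tries += 1
        if n % cand == 0:
            return cand, n // cand, tries
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public):
    """Rebuild the private key from the public key alone by factoring n."""
    n, e = public
    p, q, tries = factor_by_trial_division(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, d), tries


# Constructed sample keys: 4-digit primes versus 5-digit primes.
SHORT_PRIMES = (1009, 1013)
LONGER_PRIMES = (10007, 10009)

if __name__ == "__main__":
    for p, q in (SHORT_PRIMES, LONGER_PRIMES):
        public, private = make_keypair(p, q)
        c = encrypt(public, 42)
        recovered, tries = recover_private_key(public)
        print(f"n={public[0]}: ciphertext={c}, decrypted={decrypt(private, c)}, "
              f"key recovered after {tries} divisions, "
              f"matches private key: {recovered == private}")
```

Trial division is only the simplest factoring method; faster ones exist, but their cost also rises with the length of the primes, which is why that length is the quantity regulators and implementers focus on.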
Three scientists at MIT, Rivest, Shamir and Adleman, developed the most widely used public key encryption system, known as RSA. Its development was financed with funds from National Science Foundation and U.S. Navy grants; it was patented by MIT in 1983. Since then, it has been licensed and sublicensed for use in other encryption products, including certain versions of Phil's Pretty Good Privacy Software (PGP). (There is a current lawsuit over whether some versions of PGP violate RSA's patents.20)
Both RSA and PGP use "strong" encryption technology. One estimate is that it would take 100 million powerful personal computers 280,000 years to decode the algorithms used in PGP.21 Current decoding technology is insufficient to allow the government to decipher messages encoded with these products. These products would meet the needs of the most security conscious companies.
II. United States Strong Encryption Product Export Law
Various statutes, federal regulations, state law and judge-made law govern the export of strong encryption products in the U.S. These laws are sometimes in conflict; most are behind the technology curve and are usually patches on existing laws developed for earlier technologies.22
A. Statutes and Regulations
Until October 1996, most strong encryption products were classified as munitions and regulated under the Arms Export Control Act of 1976 ("AECA"). The AECA authorizes the President
in furtherance of world peace and the security and policy of the United States . . . to control the import and export of defense articles and defense services . . . to designate those items which shall be considered as defense articles and defense services . . . and to promulgate regulations for the import and export of such articles and services.23
Items that the President determines are subject to the import and export controls are placed on the United States Munitions List ("USML").
Items on the USML are regulated under the International Traffic in Arms Regulations ("ITAR"). In order to export an item on the list, the vendor seeks a permit from the Department of State's Defense Trade Control Office. The lengthy review process involves the Department of State, and possibly the National Security Agency and the Department of Commerce, and is governed by frequently changing procedures.
Until recently, the AECA prohibited the export of most strong encryption products.24 The export of weaker encryption products was not banned, presumably because the National Security Agency could decode messages encrypted with the technology and therefore they did not present a threat to national security.25
In October 1996, after extensive discussion with encryption software vendors, President Clinton agreed to remove most strong cryptographic products from the USML.26 Cryptographic products created for military use would remain on the list.27 He proposed to let encryption software vendors sell their products overseas as long as they agreed to build into the technology "back doors", known as key-escrow features, that the government could use to decode encrypted messages. This proposal embodies the policy known as "key-escrow policy". Under this scheme, encryption software vendors would place copies of the keys to decode messages in escrow so that the government could use the keys to decipher messages if necessary for national security or public safety.
Further, the President agreed to transfer export control over encryption products from the Department of State to the Department of Commerce. Encryption software vendors also gained more control over the development and use of back doors.
In November 1996, President Clinton signed Executive Order 13,026 which codified many aspects of the agreement reached with software industry leaders the previous month. In addition, the Order specified that cryptographic products are not to be regulated as other commodities under the Department of Commerce's regulations. The Order mandated that the Department of Commerce establish separate controls for encryption product exports. In addition, the Order directed the Department of Commerce to specify that export includes transfer by electronic means including the Internet and e-mail systems. Finally, if export control legislation is enacted, then the Order specified that encryption product regulations would be reexamined to see if the Department of Commerce's regulations regarding encryption products are still adequate. If they are not, then encryption products will be placed back on the USML.
However, important differences existed between the October agreement and the Executive Order. First, although control over exports was moved to the Department of Commerce, the Department of Justice is also to be involved in the export control process. Second, the President can still place export controls on encryption products developed in the United States if those products are readily available outside the United States and if the export of the products would be detrimental to United States national security or foreign policy. Although the White House agreement was once hailed as the breakthrough needed by the beleaguered encryption software industry, many in the industry feel that the Order and subsequent Department of Commerce regulations, which are based on the Department of State regulations, "failed to eliminate many barriers to encryption export."28
Both industry and the courts have challenged the laws on which the government's encryption policy is based. Three significant decisions examine whether the export policy promulgated by the State Department is unconstitutional as applied to encryption software products.
B. Case Law
1. The Karn-Schneier Case
One issue with the ITAR is that its regulations can be construed as vague and ambiguous when applied to encryption software products. The case of Phil Karn illustrates this point. Karn applied for an export license for two items: a book of source code, written by Bruce Schneier, containing the algorithms for strong encryption products, and a version of the book on diskette. The State Department granted the export license for the book but not for the diskette "on the grounds that the disk was a munition within the meaning of the ITAR."29 The main concern was that the diskette version of the source code was easily compiled into a working version of the product. Karn pointed out that the contents of any book can easily be scanned into a computer format, and argued that the prior licensing requirement was a prior restraint on speech in violation of the First Amendment. At the District Court level, a judge held that the government was not regulating the book based on its content, but rather based on its possible use to provide foreign governments with machine readable encryption source code. The court also declined to scrutinize President Clinton's decision to place encryption products on the munitions list.
Karn appealed the district court decision, which was rendered under the regulations developed by the Department of State, not the Department of Commerce. One week after oral argument, the D.C. Circuit Court decided that the case had to be reheard in the district court given that the Department of State regulations had been superseded by the Department of Commerce regulations.
2. Peter Junger's Computers and the Law Class30
In 1993, Professor Peter Junger wrote an encryption program for a class he teaches on computers and the law. Concerned about distributing the encryption program to foreign students in his class, Professor Junger contacted the Department of State, the Department of Commerce, the National Security Agency and the Office of Defense Trade Controls to determine whether export regulations applied to his program. He never received a determinative answer, and after three years filed suit.
Professor Junger argued that the ITAR was unconstitutional because it imposed prior restraints on free speech and was vague and overbroad. Junger argued that the export requirements were a prepublication licensing scheme and that the source code was a means of original expression. Thus, ITAR export controls regulated the content of the product, not its capability. As such, procedural safeguards needed to be in place. The government argued that the ITAR controls are "expressly linked to the capability of the product, not the content of ideas or speech."31 As such, "the courts should examine the regulations as content neutral."
3. The Bernstein Case
Bernstein, a graduate student who sought to distribute an encryption algorithm plus an explanation and a computer implementation, also challenged the constitutionality of the ITAR on First Amendment grounds. He claimed that the ITAR imposed an unconstitutional prior restraint on speech. A California district court judge ruled that the ITAR was a prior restraint on speech, and that the national security interests at stake did not justify the prior restraints on distributing encryption technology. Therefore, the section of the ITAR that dealt with encryption was required to have adequate procedural safeguards, which the judge found were not in place. The ITAR regulations did not provide for a time limit in which the agency needed to render a decision on a license application, nor did it provide for prompt judicial review. Furthermore, although the court did not reach the issue of whether the regulatory purpose behind the regulations is content neutral, the court found that the export controls restrict speech based on the content of that speech.
It is worth noting that these cases dealt with the export of the source code, which must be entered into a computer program and compiled before it can be used. The impact of these cases on other cases involving the export of strong encryption that has been compiled and is ready for retail sale has not been determined.
Also, although these cases attack the constitutionality of the regulations on First and Fifth Amendment grounds, other legal doctrine may render these arguments moot. In United States v. Martinez, the court reviewed a conviction for export of a piece of cryptographic hardware that was on the USML and thus was subject to export restriction. The court held that placing the items on the USML was a "political question" and this was not subject to judicial review.
The political question doctrine, which traces its roots back to a judicial decision in 1848, Luther v. Borden, applies to "certain domestic concerns of a state [that] are political in nature and, therefore, cannot be reviewed by the judicial branch."32 Although the exact circumstances in which the doctrine should apply are unclear, it has been applied in several areas, including Constitutional amendments, affairs of state and foreign affairs. Situations in which it has been applied can be characterized along three dimensions: (1) The Court, due to lack of information, cannot fully clarify the relevant questions involved, (2) the Court will defer to the constitutionally proper decisions of another branch, and (3) the Court will defer to the wider responsibilities of the elected branches. Under this rationale, the regulation of encryption product exports by the ITAR may be a non-justiciable question. Much of the information about the threat to national security of encryption products is government classified and the President has express authority to add or remove items from the list.
C. Proposed Bills
Several bills have been introduced in Congress to address the interests of business in electronic commerce and the national security interest. Perhaps the leading pro-encryption legislation, entitled "The Promotion of Commerce On-Line in the Digital Era Bill", or Pro-CODE, died in the 104th Congress but was reintroduced in the 105th. The goal of the bill was to promote the security of the Internet so that the full growth of electronic commerce can be realized. However, the development of an encryption software market has been hampered by the existing regulations. Consequently, these regulations should be replaced, and the free market should be allowed to operate to produce different kinds of encryption technology, without the constraints of a "back door" for the government to decode messages.
Under this bill, the Secretary of Commerce could only regulate encryption products for federal government systems, and could not prohibit the export of or the sale of any product with encryption capabilities. State and federal governments would be prohibited from requiring "back doors" as a condition of sale, and the Secretary of Commerce would have exclusive authority to promulgate regulations for encryption product exports, except where the product is specifically designed for military applications. Furthermore, if a product is in the public domain, then export of that product only requires a general export license.
The Security and Freedom Through Encryption Act ("SAFE") also deregulates controls on exporting encryption products. One significant difference is that it creates stiffer penalties for the use of encryption products in the furtherance of a crime.
The Encrypted Communications Privacy Act, introduced in the last two Congresses, is similar in some ways to Pro-CODE and SAFE. For example, it gives the Secretary of Commerce exclusive control to regulate encryption product exports, and provides that no license may be required for export of products that are generally in the public domain. However, it differs significantly from the two other bills in that it supports government back doors, while also requiring standards for release of access to the back doors. It also does not go as far in deregulating which encryption products are subject to the Department of Commerce's control. This bill has received criticism from the software community, which opposes any key escrow system.
D. Implications of U.S. Laws for U.S. Businesses
There are several considerations for U.S. businesses that create or use encryption technology. According to the new Department of Commerce regulations, strong encryption software developers must put key-escrow technology in their products. They have years to complete this change. In the meantime, the case law raises the issue of whether these new regulations are valid and constitutional considering the lack of procedural safeguards. Thus these companies face the issue of whether to develop a second product line using strong encryption with or without keys or maintaining their product lines using the weaker encryption technology. These companies already face a disadvantage in the international marketplace, because other countries currently export strong encryption products.
U.S. banks and financial services companies that want to compete in the electronic commerce market do not need to build key recovery into their direct home banking software products.33 The new regulations allow them to export general purpose software that uses encryption technology as long as key-escrow is imbedded in these technologies within two years.34 The Department of Commerce justified relaxing export restrictions in this area because banks and financial services institutions are already subject to "explicit legal requirements and have shown a consistent ability to provide appropriate access to transaction information in response to authorized enforcement requests."35
Other industries must still comply with tighter export regulations. The business community has expressed concerns that the lack of security that encryption software can provide has a chilling effect on electronic commerce. By one estimate, the fear of having one's product duplicated online "has at least partially resulted in abysmal sales of only $350 million over the Internet, as compared with $53 billion spent on catalog shopping."36 The U.S. accounts for less than half of the worldwide encryption market, primarily due to encryption export controls.
III. Encryption Policy Outside the U.S.
In order to exploit the potential of the Internet as a global commercial marketplace, U.S. companies need to comply with U.S. encryption export laws as well as the import laws of other countries. Furthermore, "market forces -- such as the burgeoning success of European Union ("EU") software companies offering add-on encryption security to Netscape and Microsoft products by EU financial institutions -- and internal practice concerning mandatory key recovery -- such as the Organization for Economic Cooperation and Development's ("OECD") refusal to endorse mandatory key escrow" will drive U.S. industries' demand for looser export controls.37
No international agreement exists for the export and import of encryption technology. However, U.S. policy in this area does not yet appear to drive the world development and use of strong encryption technology. Thus, it is useful to examine policies and laws abroad to determine if a more workable solution may come from other quarters.
A. Encryption Technology Policies and Laws Abroad
Governments abroad have developed separate controls for ensuring the integrity and security of personal data and the use of encryption technology. In the European Union, personal data security is usually regulated by legislation. The purpose of this legislation is to impose data security requirements that protect personal data, such as personnel data. The enabling legislation is Article 17 of the 1995 Directive issued by the Commission of the European Communities. This legislation requires that corporate data controllers employ state of the art technology to protect personal data. Article 17 does not specify exactly what state of the art technology to employ, but leaves it up to the individual countries to determine what technology will meet the standard.
Encryption technology may be used to protect personal, as well as business data. As in the U.S., "government encryption regulation is driven by two distinct interests: (1) a foreign intelligence interest in information that implicates national security; and (2) a law enforcement interest in collecting evidence of criminal activity."
Some governments have enacted export controls in response to the threat to national security posed by encryption technology. Other governments have enacted import controls. A third form of control is use controls. Some governments do not enact export controls for a number of reasons. First, the government may want to use encryption technology to comply with the requirement to use state of the art technology to protect personal data. Second, the government may want to use industrial policy to encourage the development of an encryption software industry. Third, the domestic use of encryption may not be widespread, and thus may not warrant regulation.
The European Union recently decided not to require companies to place copies of encryption keys in escrow. However, the member countries have some flexibility in implementing their own encryption policies.
France imposes import controls and export controls similar to those employed in the U.S. The Service Central de la Securite des Systemes d'Information (SCSSI) is the government agency that administers the decree governing security products. Encryption products, which must be authorized for distribution, are distinguished from authentication, digital signature or access control technologies, which only require a registration for their use. Moreover, the use of products employing strong encryption technology may be restricted or denied. France has supported the key escrow policy, and has proposed a law that would require French businesses to adhere to the policy, and require companies that embed this technology in their products to release their source code to the French government.
Israel employs a scheme similar to the French policy controlling both the import and export of encryption products. A court order implementing the Supervision of Products and Utilities Law of 1957 requires the prelicensing for use of any encryption product.
While Russia has laws governing the import and use of encryption products, little enforcement activity has occurred to date. Russia's laws governing encryption technology require that the product be licensed prior to its import, production, use or export. Russian law also specifies that only licensed products can be used in communications between commercial banks and the Central Bank. Although Russia has not participated in OECD discussions related to international encryption policymaking, there is a possibility that they will participate in upcoming discussions on encryption control rules in the Wassenaar agreement.
Licensing rules apply to imports and exports of encryption products in the People's Republic of China. A list of restricted encryption products is maintained, and approval for use of these products may not be easy to obtain. China is not a member of the OECD or of the Wassenaar agreement, and has not been present at multinational encryption policymaking meetings.
The development of an encryption policy in Japan is considered to play a major role in "strengthening Japan's role as a major player in developing a global information infrastructure".38 Encryption technology is seen as a central enabling technology for electronic commerce. Encryption policy in Japan is not dominated by technological and military concerns, but rather by commercial interests. Two additional factors play a role in Japanese encryption policy. The first is that Japan was not a predominant figure in the Cold War, and thus has not had to confront national security interests associated with encryption technology. In addition, Japan has not had a history of wiretapping and similar privacy violations by police and other government figures. Thus, concerns about government abuse of power, which figure largely in the debate over encryption policy in the U.S., do not play a major role in formulating encryption policy in Japan. Unlike the U.S., where the military and law enforcement agencies play a crucial role in setting and administering encryption policy, in Japan encryption rules are administered by commerce and telecommunications ministries, and encryption research is funded by the Ministry of International Trade and Industry.
B. International Encryption Policy Coordination
In order for the global information infrastructure to function effectively, there is a need for unprecedented, multinational coordination among governments. As mentioned above, the EU has adopted a flexible policy that does not require companies to use key-escrow technology, but that allows individual countries to develop their own data security policies.
The U.S. has led the attempts to forge consensus on encryption policy. Coordination of encryption policy among governments can be especially difficult given the military defense and law enforcement implications of the technology. In 1995, the U.S. government drove the OECD meeting on encryption policies, because of concerns about countries developing extremely different policies. To date, these efforts may have sparked some governments to pay more attention to this issue.
IV. Encryption Export Law - Alternatives
According to industry and user groups, encryption technology controls hamper the competitiveness of U.S. companies.39 Encryption export controls are based on an arcane and ineffective set of rules that may have been appropriate when the government and the military were the primary users of computers and when the National Security Agency retained "the sole authority to fund research in cryptography."40 However, the use of technology by individuals and businesses has grown at a "staggering" pace; new rules are needed to address "issues of cyberlaw".41 Assuming this is the case, one question is whether there is a rule of law that would allow U.S. companies to compete more effectively and efficiently in the global market.
Perhaps President Clinton used the threat of an export ban to get companies to agree to implement a key-escrow policy. While lifting the ban on exports of strong encryption products allows some industries to be more competitive in the electronic commerce industry, it does not remove all legal impediments to the promotion of competitiveness of U.S. companies.
Strong encryption technology is available on the world market. The problem remains that if given a choice between using an encryption technology that is virtually unbreakable, and that the government does not have the keys to decode, and using one developed in the U.S. that the U.S. government has the keys to decode, many businesses may choose to use the one that has not implemented the government back door. However, if U.S. technology does not implement the key escrow policy, then the U.S. government would need to go directly to the developer to get the source code every time the government had a need to decode a message. This would dramatically increase the transaction costs of law enforcement. Furthermore, the encryption software industry would be forced to bear the burden of some of these costs. Also, this strategy would involve private industry in the decision of who to investigate and prosecute when that decision is usually left up to law enforcement officials.
From a security perspective, key escrow is not effective if the U.S. is the only country to implement the policy. Therefore, in order for the President's key escrow policy to work, it must be a uniform, global standard. After all, an international system would need to provide a means for a foreign government to receive a surveillance target's keys from a foreign escrow agent. From an economic perspective, adopting one key escrow policy worldwide would reduce the transaction costs associated with investigating and prosecuting criminal behavior across international borders. Although encryption export limitations impede the operation of the open market, these limitations may be the most efficient law if adopted on a worldwide basis. For countries that seek a balance between national security and free trade, there is an incentive to implement and promote a worldwide key escrow standard.
One result of completely deregulating U.S. encryption technology exports may be to completely open up the market for unescrowed encryption to U.S. companies. However, there are legitimate security concerns, particularly about crimes committed outside of the U.S. that have an impact on the U.S. The underlying issue is that national security is a public good -- and companies do not want to bear the cost for that good by developing technology that leaves them unable to compete. Another way to frame this argument is that intellectual property, like other property, comes with both rights and obligations. Perhaps cryptography companies are under an obligation to build their technology to facilitate national security goals.
Proposals that impose increased penalties on criminals that use encryption software in furtherance of a crime may not achieve the objective of providing an incentive to discourage criminals from using encryption software. It is also worth noting that the high penalty for exporting strong encryption software did not prevent the release of PGP on the Internet.
In 1995, the OECD meeting on encryption policy raised "the consciousness of other governments about the problem of uncontrolled encryption."42 Is it likely that foreign rules and policies would be more efficient than the current U.S. rule?
Most countries have a licensing scheme, and many countries have adopted the U.S. rule or a version of it. Although the EU has neither endorsed nor required key-escrow, some of its countries impose these restrictions. These countries face the same tradeoffs as those faced in the U.S. For example, France's policy would interfere with market forces by requiring companies that want to sell encryption technology or embed this technology in their products to reveal their source code. Furthermore, what incentives would Japan -- a country that does not face the security versus competitiveness tradeoff -- have to employ key escrow technology?
Although there is a big push from industry to do so, it is unlikely that encryption exports will be completely deregulated in the U.S. The OECD meeting demonstrated to the private sector, in the U.S. and abroad, "that defeating U.S. export controls would not open the door to a vast market for unescrowed encryption, but could instead spark new and perhaps inconsistent national government regulation of encryption in countries where encryption previously was not regulated." The challenge is to implement international laws that do not impede market forces and that promote electronic commerce.
In conclusion, there are other privacy-related subjects up for legislation, including privacy of information about children, protection of consumer privacy rights, Internet consumer privacy rights protection and protection of consumer information by the FTC.43 While developing state, federal and international rules that promote efficient electronic markets is challenging, it is worth developing rules that are "flexible and that will fit technology as well tomorrow as they might today."44
1 Allard, Nicholas W. and Kass, David A. Law and Order in Cyberspace: Washington Report. 19 Hastings Comm/Ent L. J. 563, 568-69 (1997).
2 See id. at 569.
3 Executive Order 13,026 (November 1996) from White House web page, www.whitehouse.gov (visited October 15, 1997).
4 See Bernstein v. U.S. Dept. of State, 945 F. Supp. 1279 (1996).
5 See 19 Hastings Comm/Ent L. J. at 578-581. See also Congress Weighs in on Encryption Policy, 16 No. 11 Banking Pol'y Rep. 10 (1997); Senate Committee Approves Encryption Bill, 16 No. 14 Banking Pol'y Rep. 9 (1997).
6 See 19 Hastings Comm/Ent L. J. at 578-581.
7 Corwin, Philip. Administration Entangles Digital Signatures with Encryption Policy. 16 No. 8 Banking Pol'y Rep. 1 (1997).
8 See Court Declares Crypto Restrictions Unconstitutional: Free Speech Trumps Clinton Wiretap Plan. Electronic Frontier Foundation Web page, visited Oct. 15, 1997.
9 Hodkowski, William A. The Future of Internet Security: How New Technologies will Shape the Internet and Affect the Law. 13 Santa Clara Computer & High Tech. L. J. 217, 221 (1997).
10 See id.
11 Id. at 222.
12 Corwin, Philip S. The Virtual Dotted Line: Understanding Digital Signatures. 16 No. 4 Banking Pol'y Rep. 1 (Feb. 17, 1997).
13 See 13 Santa Clara Computer & High Tech. L. J. at 222.
14 See 16 No. 4 Banking Pol'y Rep. at 1.
15 See id.
16 13 Santa Clara Computer & High Tech. L. J. at 235.
17 Electronic Frontier Foundation. Court Declares Crypto Restrictions Unconstitutional. Free Speech Trumps Clinton Wiretap Plan. EFF Web Site 1 (Dec. 19, 1996).
18 Stay, Ronald J. Cryptic Controversy: U.S. Government Restrictions on Cryptography Exports and the Plight of Philip Zimmerman. 13 Ga. St. U. L. Rev. 581, 582 (1997).
19 13 Santa Clara Computer & High Tech. L. J. at 229.
20 10 No. 6 Software Bulletin 159 (1997).
21 Kerben, Jason. The Dilemma for Future Communication Technologies: How to Constitutionally Dress the Crypto-Genie. 5 CommLaw Conspectus 125, 129 (1997).
22 19 Hastings Comm/Ent L. J. at 569.
23 22 USCA § 2778 (1976).
24 19 Hastings Comm/Ent L. J. at 574.
25 13 Santa Clara Computer & High Tech. L. J. at 238.
26 Encryption Agreement in Jeopardy from WWW 1 (1996).
27 19 Hastings Comm/Ent L. J. at 575.
28 19 Hastings Comm/Ent L. J. at 576.
29 13 Ga. St. U. L. Rev. at 598.
30 5 CommLaw Conspectus at 145-46.
31 5 CommLaw Conspectus at 145.
32 13 Ga. St. U. L. Rev. at 601.
33 16 No. 11 Banking Pol'y Rep. 9, 10 (1997).
35 Id. at 9.
36 5 CommLaw Conspectus at 139.
37 16 No. 8 Banking Pol'y Rep. 1, 18-19 (1997).
38 Baker, Stewart. Government Regulation of Encryption Technology: Frequently Asked Questions. 452 PLI/Pat 287, 290 (1996).
39 The New Encryption Regime in a Nutshell. 3 No. 5 Intell. Prop. Strategist 8 (1997).
40 5 CommLaw Conspectus 125.
41 19 Hastings Comm/Ent L. J. at 569.
42 19 Hastings Comm/Ent L. J. at 563.
43 19 Hastings Comm/Ent L. J. at 584-85.
44 19 Hastings Comm/Ent L. J. at 569.