G The International Scope of Cryptography Policy
G.1 INTERNATIONAL DIMENSIONS OF CRYPTOGRAPHY POLICY
Any U.S. cryptography policy must take into account a number of international dimensions, the most important of which is the fact that the United States today does not have unquestioned dominance in the economic, financial, technological, and political affairs of the world as it might have had at the end of World War II. Thus, the United States is not in a position to dictate how the rest of the world should regard cryptographic technology as it becomes more relevant to nonmilitary and nondiplomatic matters.
A second critical consideration is the international scope of business, as described in Chapter 1. Increasingly, firms need to be able to communicate with their subsidiaries or affiliates across national boundaries, as well as with nonaffiliated partners in joint ventures or in strategic alliances. Whether multinational or not, U.S. firms will need to communicate with customers and suppliers on a worldwide basis. Foreign customers need to be able to pay U.S. vendors, and vice versa, in a way that respects different monetary systems; thus, financial transactions occur increasingly over international boundaries, resulting in a truly global banking and financial system. To the extent that these various types of communications must be secure, cryptography provides a very important tool for ensuring such security.1 Thus, differing national policies on cryptography that lead to difficulties in international communications work against overall national policies that are aimed at opening markets and reducing commercial and trade barriers.
Related is the fact that U.S. companies, including the high-technology companies that manufacture information technology products with worldwide acceptance and popularity, face the potential of significant foreign competition, as discussed in Chapter 4. To the extent that these companies constitute major U.S. national assets, policy actions that affect their international competitiveness must be considered very carefully.
A final international dimension is that other nations also have the option to maintain some form of export controls on cryptography, as well as controls on the import and use of cryptography. Such controls form part of the context in which U.S. cryptography policy must be formulated.
G.2 SIMILARITIES IN AND DIFFERENCES BETWEEN THE UNITED STATES AND OTHER NATIONS WITH RESPECT TO CRYPTOGRAPHY
Despite the international scope of cryptography policy, the international scene is dominated by national governments. All national governments have certain basic goals in common:
• To maintain national sovereignty,
• To protect public safety and domestic order,
• To look after their nation's economic interests, and
• To advance their national interests internationally.
These common goals translate into policy and interests that are sometimes similar and sometimes different between nations. Perhaps the most important point of similarity is that national governments are likely to take actions to mitigate the threat that the use of cryptography may pose to their ability to achieve the goals listed above.2 A corollary is that foreign national governments are likely to resist unilateral U.S. decisions that affect the use of cryptographic technologies within their borders (e.g., by threatening their control over cryptography). For example, they will likely oppose the use of cryptographic communications systems within their borders for which the keys are escrowed solely in the United States.
1 In the international arena, as elsewhere, not all aspects of cryptography are necessarily equally critical to all problems of security. For example, to some extent, the security of international electronic payments and other financial transactions can be enhanced through collateral (nonconfidentiality) uses of cryptography, as discussed in Chapter 2.
2 Experience in other Internet-related matters suggests that many governments are willing to wield their influence in areas that they believe affect the public safety and welfare. For example:
• The CompuServe on-line service suspended access worldwide to approximately 200 Internet "newsgroups" at the request of the German government. These newsgroups were suspected of carrying child pornography. See John Markoff, "On-Line Service Blocks Access to Topics Called Pornographic," New York Times, December 29, 1995, p. A1.
• The People's Republic of China declared its intent to supervise the content of all financial news reports that collect information in China. Specifically, it announced that "foreign economic information providers will be punished in accordance with the law if their released information to Chinese users contains anything forbidden by Chinese laws and regulations, or slanders or jeopardizes the national interests of China." See Seth Faison, "Citing Security, China Will Curb Foreign Financial News Agencies," New York Times, January 17, 1996, p. A1. China is also attempting to develop Internet-compatible technology that will enable a strong degree of government control over the content that is accessible to Chinese residents. See "Chinese Firewall: Beijing Seeks to Build Version of the Internet That Can Be Censored," Wall Street Journal, January 31, 1996, p. 1.
• Singapore announced that it would hold providers of access to the Internet and content providers responsible for preventing information deemed to be pornographic or politically objectionable from reaching Internet users in Singapore. See Darren McDermott, "Singapore Unveils Sweeping Measures to Control Words, Images on Internet," Wall Street Journal, March 6, 1996, p. B6.
The existence of a range of limited, shared interests among nations nevertheless suggests at least the possibility of international cooperation and formal agreements on cryptography policy. For example, law enforcement is a concern that constitutes a generally shared interest. The reason is that many nations have a more or less equivalent sense of actions that should subject an individual to the sanction of law, at least in certain domains: murder and kidnapping are examples of actions that are crimes in almost every nation.3 Some aspects of law enforcement have explicitly international dimensions, such as global organized crime and terrorism.4 A second area of shared interest is in maintaining the integrity of the financial systems of each nation, because failures in one part of an interconnected financial system may well ripple through the entire system. Individual privacy is another common interest; in some nations, for example, the notion of widespread government surveillance of communications in society causes public and political concern, as it would in the United States.5
3 At the same time, differences of national law in certain other important areas should not be overlooked. Specifically, the crimes for which an individual may be extradited vary from nation to nation (e.g., some nations will not extradite a person for financial fraud); in addition, some nations may criminalize certain activity related to computers and/or electronic communications that other nations do not. Enforcement of laws is often difficult over national boundaries, even if relevant laws in another nation do criminalize particular acts. The reason is that if Nation A suffers the brunt of actions taken by a citizen resident of Nation B, Nation B may have little incentive to prosecute those actions even if its laws criminalize them, since it does not particularly suffer from those actions. Both of these factors complicate the feasibility of achieving international agreements. Some discussion of different international perspectives on computer crime can be found in the United Nations Manual on the Prevention and Control of Computer-Related Crime, available on-line at http://www.ifs.univie.ac.at/~pr2gq1/rev4344.html.
4 See, for example, Phil Williams, "Transnational Criminal Organizations and International Security," Survival, Volume 36(1), Spring 1994, pp. 96-113.
On the other hand, there are many national differences that potentially obstruct the achievement of agreements:
• Differing expectations regarding citizens' rights (e.g., rights to privacy, rights to trial, rights to express dissent freely, the relative balance of personal versus societal rights) and methods by which such rights can be enforced. For example, the United States has a tendency to enforce privacy rights through market mechanisms, whereas many European governments generally take a more active policy role in protecting such rights. Moreover, the United States has a rich tradition of public debate and argument, and dissenting discourse is far more the rule than the exception compared to most foreign nations, whose publics tend to exhibit a greater willingness to grant certain powers to the state, a less adversarial relationship toward the government, and more trust in the ability of government to do what is in the national interest. (Indeed, at a public meeting a representative of the National Security Agency noted complaints from foreign intelligence services that the U.S. policy debate had raised public visibility of the cryptography issue within their countries.)
• Business-government relationships. In some nations, it is the expectation that national intelligence services will cooperate with and assist businesses that in the United States would be regarded as entirely separate from government. Indeed, many foreign nations operate with fewer and more blurred lines between government and "private" businesses than is true in the United States. In areas such as standards setting that are relevant to businesses, the United States tends to rely on market forces rather than government much more than other nations do.
• What constitutes "fair" business practices. In principle, many nations give lip service to the idea of confidentiality in commercial transactions and the notion of fair competition, but the actual practices of nations are often at variance with these statements.
• Status. As a global power, the U.S. scope of activities for monitoring external traffic (i.e., traffic between two other nations) is greater than that of other nations, which are concerned mostly about communications into and out of their borders. The status of the United States as a global power also makes its citizens and facilities high-profile targets for terrorist attacks throughout the world.
5 For example, a disclosure that a Spanish military secret service intercepted hundreds of mobile telephone conversations caused considerable public uproar. See "Spaniards Stunned by Military Eavesdropping," New York Times, June 16, 1995, p. A5.
• Access to technology. On average, U.S. citizens tend to have a higher degree of access to and familiarity with information technology than do citizens of other nations. Furthermore, the information technology deployed internationally has tended to be less sophisticated than that deployed in the United States; with some exceptions, this lack of sophistication is reflected generally as well in the level of deployed technology that supports security.6 Thus, the body politic in the United States arguably has more at stake than that in other nations.
Finally, the foreign governments relevant to the policy issues of cryptography range from very friendly to very hostile.
• Some nations are very closely aligned with the United States, and the United States has no real need to target their communications (nor they ours).
• Some nations are allies in some domains and competitors in others, and the circumstances of the moment determine U.S. needs for access to their communications.
• Some nations are pariah or rogue nations, and as a general rule, the United States would be highly interested in the substance of their communications.
G.3 FOREIGN EXPORT CONTROL REGIMES
The United States is not the only nation that imposes export control restrictions on cryptography. Many other nations, especially former members of the Coordinating Committee (CoCom; see below), control the export of cryptography to some extent.7 CoCom nations included Australia, Belgium, Canada, Denmark, France, Germany, Greece, Italy, Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain, Turkey, the United Kingdom, and the United States.8
6 For example, 37% of U.S. households have personal computers, compared with 21% in Spain, 9% in Britain, 19% in Germany, 14% in Italy, 15% in France (excluding Minitel), and 15% in other European nations. See John Tagliabue, "Europeans Buy Home PC's at Record Pace," New York Times, December 11, 1995, p. D1.
7 The most authoritative study on the laws of other nations regarding controls on the export, import, and use of cryptography is a study produced by the Department of Commerce and the National Security Agency. See Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, Washington, D.C., released January 11, 1996.
8 National Research Council (NRC), Finding Common Ground, National Academy Press, Washington, D.C., 1991, p. 62 (footnote).
CoCom was a Western response to the threat of the Soviet Union in the days of the Cold War.9 Under the CoCom export control regime, member nations agreed to abide by regulations governing the export of many militarily useful items, including cryptography, to nations that were potential adversaries of the West (generally Eastern bloc nations and rogue nations).
The regime was more successful in those instances in which the technology in question was U.S. source, and thus what was needed from other CoCom members was control over re-export, or in which there was strong cooperation based on political agreement that the technology should be kept away from controlled destinations, despite its general availability in other CoCom nations. CoCom controls did not work perfectly, but they had some nontrivial impact. For example, export controls did not prevent the Soviets from obtaining certain types of computers, but they probably had fewer of those computers than if there had been no export controls. This had some advantages for the West: the Soviets were locked into old first-generation computers in many cases; also, they did not have many and, thus, had to use them only on their highest-priority projects.
On the other hand, CoCom controls were less successful when
• Non-CoCom countries (e.g., Taiwan and Korea) developed indigenous capabilities to produce CoCom-controlled technologies and a willingness to sell them;
• CoCom member nations disagreed among themselves about the danger of exporting certain products to Eastern bloc nations; and
• The items in question were dual-use items.
All of these conditions currently or potentially obtain with respect to cryptography,10 although they should not be taken to mean that cooperative, multinational CoCom-like controls on cryptography would be hopeless. Also, it is important to note that the intent of the CoCom export control regime was to prevent militarily significant technologies (including cryptography) from falling into the hands of the Eastern bloc, rather than to inhibit mutually advantageous sharing of military technology among the member states.
History demonstrates that the United States has always applied tighter export controls for security and foreign policy reasons than any agreement with other nations might otherwise mandate.11 For example, since cryptography is in general controlled by the United States as a munitions item, the same export controls on cryptography apply to products destined for England (a CoCom member) and Saudi Arabia (a non-CoCom member), though the decision-making process might well generate different answers depending on the receiving nation. A staff study by the U.S. International Trade Commission found that the export controls on encryption maintained by many other nations apply for the most part to certain proscribed (or "rogue") nations. Thus, there are in general more restrictions on the export of products with encryption capability from the United States than from these other nations, even though all of the nations in question maintain export controls on encryption.12
9 For detailed discussion of the CoCom regime, see NRC, Finding Common Ground, 1991, and NRC, Balancing the National Interest, National Academy Press, Washington, D.C., 1987.
10 For example, most countries have not yet attained the degree of success in producing shrink-wrapped software applications incorporating cryptography that the United States has; potentially, they could do so and become significant suppliers of such applications.
11 For example, see NRC, Finding Common Ground, 1991, pp. 99-100.
G.4 FOREIGN IMPORT AND USE CONTROL REGIMES
A number of nations discourage cryptography within their jurisdictions through a combination of import controls and use controls. Import controls refer to restrictions on products with encryption capability that may be taken into a given nation; use controls refer to restrictions on the use of such products within their jurisdictions.
At the time of this writing (early 1996), Finland, France, Israel, Russia, and South Africa assert the authority, through an explicit law or decree, to exercise some degree of explicit legal control over the use and/or import of cryptography within their borders;13 a number of other nations are reported to be investigating the possibilities of legal restrictions. On the other hand, the fact that a law regulating the use of cryptography is on the books of a nation does not mean that the law is consistently enforced. For example, at the International Cryptography Institute 1995 conference,14 speakers from France and Russia both noted the existence of such laws in their nations and observed that for the most part those laws generally were not enforced and thus did not inhibit the widespread use of cryptography in those nations.15
12 Office of Industries, U.S. International Trade Commission, Global Competitiveness of the U.S. Computer Software and Service Industries, Staff Research Study #21, Washington, D.C., June 1995, Chapter 3.
13 Department of Commerce and National Security Agency, A Study of the International Market for Computer Software with Encryption, 1996, Part II.
14 International Cryptography Institute (ICI) 1995, George Washington University, Sept. 22.
15 Still, the mere existence of such laws, whether or not enforced, serves as an obstacle to large vendors who wish to sell products with encryption capabilities or to provide encryption services, thereby reducing their availability to the average consumer. In addition, such nations may well practice selective enforcement of such laws. For example, a representative of a major computer company with a French subsidiary observed at the ICI 1995 conference that although French laws forbidding the use of unregistered encryption were not regularly enforced against private users, they did inhibit this company from marketing products with encryption capabilities in France.
The flip side of unenforced laws is the case of a nation that applies informal controls: a nation without explicit laws forbidding the use of secure communications devices may nonetheless discourage their import.16 In addition, nations have a variety of mechanisms for influencing the use of cryptography within the country:
• Laws related to the public telephone system. In most nations the government has the legal authority to regulate equipment that is connected to the public telephone network (e.g., in homologation laws). In the event that a nation wishes to discourage the use of encrypted telephonic communications, it may choose to use existing homologation laws as a pretext to prevent users from connecting to the network with secure telephones.
• Laws related to content carried by electronic media. In some nations, the transmission of certain types of content (e.g., sexually explicit material) is prohibited. Thus, a nation could argue that it must be able to read encrypted transmissions in order to ensure that such content is indeed not being transmitted.
• Trade laws or other practices related to the protection of domestic industries. Many nations have trade policies intended to discourage the purchase of foreign products and/or to promote the purchase of domestic products; examples in the United States include "buy American" laws. Such policies could be used selectively to prevent the import of products with encryption capabilities that might pose a threat to the law enforcement or national security interests of such a nation. In other nations, laws may be explicitly neutral with respect to local or foreign purchases, but long-standing practices of buying locally may prove to be formidable barriers to the import of foreign products.
• Licensing arrangements. A company (especially a foreign one) seeking to do business under the jurisdiction of a particular cryptography-unfriendly government may have to obtain a number of licenses to do so. Many governments use their discretionary authority to impose "unofficial" requirements as conditions for doing business or granting the licenses necessary to operate (e.g., the need to bribe various government individuals or informal "understandings" that the company will refrain from using cryptography).
16 The feasibility of such practices is documented in a 1992 report by the U.S. Department of Commerce, which describes foreign governments' assistance to their domestic industries. This report found that foreign governments assist their industries by creating barriers to the domestic market (e.g., through tariffs or quotas, testing regulations, investment restrictions, and product and service standards), by devising incentives for domestic production (e.g., tax policies and legal regimes for intellectual property that favor domestic industries), and by aiding in market development (e.g., guaranteeing a certain minimum level of sales through government purchase, providing foreign aid to buy domestic goods, applying political pressure to potential customers). See U.S. Department of Commerce, Foreign Government Assistance to Domestic Industry, U.S. Government Printing Office, Washington, D.C., September 1992, p. iii.
Many anecdotal examples of active government discouragement of cryptography circulate in the business community. For example, a businessperson traveling in a foreign nation brought a secure telephone for use in her hotel room; a few hours after using it, she was asked by a hotel manager to discontinue use of that phone. A press report in the Karachi daily Dawn reported on February 26, 1995, that the government of Pakistan shut down a cellular network run by Mobilink, a joint venture between Motorola and Pakistani SAIF Telecom, because it was unable to intercept traffic.17
Nevertheless, it is possible (or will be in the near future) to circumvent local restrictions through technical means even if attempts are made to enforce them. For example, direct satellite uplinks can carry communications without ever passing that information through the telecommunications network of the host nation.18 If available, superencryption (i.e., encrypting information before it is entered into an approved encryption device) can defeat an eavesdropper armed with the key to only the outer layer of encryption; the use of superencryption cannot even be detected unless a portion of the encrypted communication is decrypted and analyzed. (See also the discussion in Chapter 7 on prohibiting the use of unescrowed encryption.)
To summarize, in some cases, a U.S. vendor that receives an export license from U.S. authorities to sell in a given foreign market may well encounter additional complications due to the import and use controls of the target nation. Indeed, a number of other nations rely on U.S. export controls to keep strong encryption products out of the market in their countries.
G.5 THE STATE OF INTERNATIONAL AFFAIRS TODAY
Today, international communications are conducted with no universally adopted information or communications privacy and security standards or policies. This is not surprising; the communications systems in use worldwide are highly heterogeneous, are made by many different manufacturers, and embody many different standards; under these circumstances, security-specific aspects of these systems cannot be expected to be either standardized or government certified. In the absence of common understanding, ensuring information privacy or security is an ad hoc affair. Cryptographic equipment is freely available, and standards to ensure interoperability and compatibility emerge, in many cases, through a market process with no intervention on the part of any national government. Cryptographic equipment on the market is not always tested or certified by national authorities or any organization with the responsibility for undertaking such testing.
17 According to the article, the company was unable to provide interception services to Pakistani intelligence agencies. According to a Mobilink official, "There are no commercial products . . . that enable over-the-air monitoring of calls." However, it remains unclear why agencies would require monitoring of wireless mobile-to-base traffic, instead of intercepting at the base station. Although the Global System for Mobile Communication's digitally encrypted wireless traffic may be hard to tap in real time, it is decrypted at the base station.
18 There are several systems in preparation that use low-Earth-orbit satellites to provide direct communications links, including Iridium and Odyssey.
Some of the future consequences of this current are likely to include the following:
• Interoperability of communications equipment involving cryptography will be difficult.19
• Some companies and businesses will be able to implement very high quality security, while others fall victim to the purveyors of shoddy security products.
• National governments will be unable to use wiretapping as a tool for enforcing criminal laws and pursuing national security interests in many cases.
Needless to say, these consequences are undesirable for reasons related to business and commerce, national security, and law enforcement. How governments have responded to these undesirable consequences is discussed in Section G.7.
G.6 OBTAINING INTERNATIONAL COOPERATION ON POLICY REGARDING SECURE COMMUNICATIONS
If the use of the global information infrastructure (GII) is to grow with the blessings of governments, common arrangements among governments are needed. To the extent that U.S. national cryptography policy affects communications and information transfer across national boundaries, it has international implications.
One approach is that the United States will set a standard on secure communications that accommodates the needs of various national governments around the world. This approach is based on the assumption that the United States is the dominant player with respect to international communications and information transfer, and that actions taken by the United States to promote a future global information infrastructure set at least a de facto standard to which all other parties to the GII will have to adhere. The result would be that U.S. national policy becomes the de facto international policy.
19 Indeed, in the absence of standards, interoperability is often a problem even when cryptography is not involved.
The committee does not believe that this approach is feasible today. Rather, the committee proceeds from the belief that the United States will be an important but not the controlling international player with respect to international communications and information transfer. Thus, the United States cannot operate unilaterally and will have to reach accommodation with other national governments.
By taking as given the fact that nation-states will continue to try to exert sovereignty over activities within their borders, including the pursuit of law enforcement and national security activities, the following statements seem warranted:
1. Common and cooperative policies are possible if and only if national governments agree to them.
2. National governments will allow policies to be set in place if these policies are consistent in some overall sense with the equities they seek to maintain.
3. A national government will not base its policies on the assumption that it will abuse the rights of its citizens (as it defines them).
By assumption, cryptography threatens the ability of national governments to monitor the communications of others. Thus, according to statement 2, controls on the use of cryptography are a plausible governmental policy option as discussed above. At the same time and despite this threat, some foreign governments could be willing to allow secure international communications on a case-by-case basis, where the scope and nature of use are clearly delimited (i.e., relatively small-scale use, clearly specified use). Of course, the United States places no restrictions at all on the use of secure communications domestically at this time.
Over the next 10 years, some of those countries will surely change their minds about encryption, though in what direction is as yet not clear. Other nations are beginning to pay attention to these issues related to interception of communications and wiretapping and have many of the same concerns that the U.S. government has. Indeed, as international partnerships between U.S. and foreign telecommunications companies increase, it is likely that foreign intelligence agencies' awareness of these issues will increase. Such concerns in principle suggest that an international agreement might be possible with respect to these issues.
At the same time, the United States has a stronger tradition of individual liberties than many other nations, and it is conceivable that the United States might be the "odd man out" internationally. For example, the official U.S. view that it will not impose legal restrictions on the use of cryptography within its borders may run contrary to the positions taken by other nations. An international agreement that accommodates such differing degrees of legal restriction is hard to imagine.
A global information infrastructure allows conceptually for two different policy structures regarding international communication and data transmission:
1. Common policies shared and implemented by many nations cooperatively, or
2. Individual policies implemented by each nation on its own.
Of course, it may be that some group of nations can agree to a set of common policies, while other nations will operate individually.
By definition, individual policies of nations may conflict at national borders.20 For nations whose policies on cryptography do not agree, international interconnection will be possible only through national gateways and interfaces that handle all international traffic.21 For example, Nations A and B might require users to deposit all cryptographic keys with the national government but otherwise leave the choice of cryptographic equipment up to the relevant users. An A national communicating with a B national might see his or her traffic routed to a switch that would decrypt A's transmission into plaintext and re-encrypt it with the B national's key for ultimate transmission to the B national.22
20 Although the notion of a global information infrastructure is based to a large degree on the idea that national boundaries are porous to information, nations can and do exert some influence over what information may cross their borders. For example, while traffic may traverse many countries between Nation A and Nation B, it is not inconceivable that an intermediate nation might attempt to establish a policy on cryptography that any incoming traffic had to be sent in the clear. Enforcing such a policy would be technically difficult for individual nations to accomplish in today's networking environment, but a different architecture might make it easier.
21 An additional challenge is the emergence of national or commercial parties that will provide communications that are independent of any physical infrastructure under the control of any given nation. For example, a person in Japan might use a portable device to communicate with someone in Peru, connecting directly through a future American communications satellite. Such a channel might bypass entirely the Japanese and Peruvian national authorities. Even more complicated might be the use of a communications satellite bought from an American manufacturer by Indonesia and launched into orbit by the French. (However, satellite communications are subject to a degree of control over services offered, in the form of international agreements in the International Telecommunication Union on the uses of electromagnetic frequency spectrum.)
22 Policies regarding cryptography are complicated further by policies on data. For example, a number of European nations will not permit the transport of personal data (e.g., on employees) out of their countries for privacy reasons, even though a multinational firm might like to be able to process such data in one central location. To ensure that such data are not transported, those nations may demand the ability to inspect all transborder data flows outward.
This hypothetical arrangement is insecure in the sense that text can be found in the clear at the border interface points. It is therefore clumsy and arguably unworkable on a practical scale. Thus, the problem of obtaining international cooperation on policy regarding secure communication is addressed here.
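The gateway arrangement described above, modeled as an added example that is not part of the original report: a switch holding the keys deposited with Nations A and B opens A's traffic and re-seals it for B, so the message exists in the clear at the border. The `BorderGateway` class, the user names, and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; ValueError on a wrong key or altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class BorderGateway:
    """Hypothetical switch holding the keys users deposited with Nations A and B."""

    def __init__(self, escrow_a: dict, escrow_b: dict):
        self.escrow = {"A": escrow_a, "B": escrow_b}
        self.cleartext_seen = []  # everything that existed in the clear at the border

    def translate(self, src, sender, dst, recipient, blob: bytes) -> bytes:
        plaintext = unseal(self.escrow[src][sender], blob)
        self.cleartext_seen.append(plaintext)
        # The outgoing tag is computed by the gateway, so the recipient's
        # successful check vouches for the gateway hop, not for the sender.
        return seal(self.escrow[dst][recipient], plaintext)


def run_demo() -> dict:
    a_key, b_key = os.urandom(32), os.urandom(32)  # keys deposited with A and B
    gateway = BorderGateway({"a-national": a_key}, {"b-national": b_key})
    message = b"constructed sample: quarterly payroll figures"

    outbound = seal(a_key, message)
    inbound = gateway.translate("A", "a-national", "B", "b-national", outbound)
    delivered = unseal(b_key, inbound)

    # Traffic sealed under a key that was never deposited cannot be translated.
    try:
        gateway.translate("A", "a-national", "B", "b-national",
                          seal(os.urandom(32), message))
        unescrowed_passes = True
    except ValueError:
        unescrowed_passes = False

    return {"delivered": delivered,
            "seen_at_border": list(gateway.cleartext_seen),
            "rewrapped": outbound != inbound,
            "unescrowed_passes": unescrowed_passes}


if __name__ == "__main__":
    print(run_demo())
```

The recipient's decryption succeeds even though the sender never produced the ciphertext that arrived, which is why the border switch becomes the point at which both confidentiality and end-to-end authenticity depend.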
In the export control domain, attempts are under way to establish an organization known as the New Forum to achieve some common policy regarding exports. The mandate of the New Forum is to "prevent destabilizing buildups of weapons and technologies in regions of tension, such as South Asia and the Middle East, by establishing a formal process of transparency, consultation, and multilateral restraint [in the export of critical technologies]."23 The New Forum is expected to include the CoCom nations, as well as Hungary, Poland, and the Czech Republic and a number of cooperating states. The New Forum is similar in many ways to CoCom, but one critical difference is that unlike CoCom, New Forum members do not have veto power over individual exports involving member nations; member states retain the right to decide how to apply the New Forum export control regime to specific instances.24
In the domain of policy regarding the use of encryption, serious attempts at international discussion are beginning as of this writing (early 1996). For example, in December 1995, the Organization for Economic Cooperation and Development (OECD) held a meeting in Paris, France, among member nations to discuss how these nations were planning to cope with the public policy problems posed by cryptography.
In order to stimulate thought about alternative ways of approaching an international regime for cryptography (with respect to both export control and use), it is useful to consider how international regimes in other areas of policy are constructed. This is to a certain extent a taxonomic exercise, but it has the virtue that it opens wider perspectives than if we limit ourselves to prior arrangements in the law enforcement and intelligence fields. Moreover, it permits an analysis to profit from experience in other fields of foreign policy. That said, most successful international efforts are built on precedents from the past, and therefore it may be a mistake to start out too ambitiously.
Controlling inbound data may pose problems. For example, a dictatorial government may assert the right to monitor data flowing into its nation, perhaps to combat subversive agitation. Even democratic governments may wish for the ability to monitor certain incoming data to prevent money laundering.
Laws governing privacy can conflict with laws on cryptography. For example, a law on data privacy may require that certain sensitive data associated with an individual be protected, while a law on cryptography may forbid the use of cryptography. Such laws would obviously conflict if a situation arose in which cryptography were the only feasible tool for protecting such data.
In short, policies regarding data export, import, and privacy are an additional dimension of resolving policy with respect to cryptography.
23 U.S. State Department, "Press Release: New Multilateral Export Control Arrangement," Office of the Spokesman, Washington, D.C., January 23, 1996.
24 See Sarah Walking, "Russia Ready to Join New Post-CoCom Organization," Arms Control Today, September 1995, pp. 31-33.
Two dimensions should be kept separate, one organizational and the other substantive. Is there to be an international organization; a treaty; something less, such as an international agreement; parallel bilateral agreements; or, at the least ambitious end, merely a coordination of policy between the U.S. executive branch and other governments?
With respect to international agreement on the substantive dimension, four different approaches reflect varying levels of ambition:
• Unification of law in the cooperating countries involved. Unification means simply that the law of each cooperating country would be the same.
• Harmonization. Harmonization refers to a general similarity of law among national laws, with purely local differences or relatively unimportant differences remaining. These differences would be slight enough to preclude major distortions of trade or serious policy disagreements among nations. Harmonization of law is particularly common in Europe.
• Mutual recognition. Under mutual recognition, when one government approves a product manufactured within its borders as being consistent with an agreed-upon standard, another government will allow that product to be imported and used within its territory. In a world with a variety of cryptographic options, the options then would have to be certified by the home government before they could be imported and used in the territories of cooperating countries. For example, perhaps mutual recognition would require that any escrow holder certified by one government would be acceptable to other governments.
• Interoperability. Cooperating nations would work, perhaps in part through telephone companies and PTTs, to ensure that encrypted communications across national borders would remain encrypted but also conform to national laws. Interoperability would require some agreement among cooperating nations that limited the kinds of encryption acceptable domestically and provided for exchange of keys. (For example, a foreign government might require an interface for international communications at a border through which traffic would have to be passed in the clear or encrypted in a way that it could read.) Technical approaches to interoperability would probably require translation facilities that reconcile policies at national borders, automatic recognition of protocols being used, and automatic engagement of the necessary technology.
The feasibility of a cooperative regime on secure international communications is likely to require the consensus of a core group of nations. Such a consensus would then set standards that other nations would have to follow if they wanted to share the benefits of interacting with those core nations; nations that refuse to accept the arrangement would by implication be cut off from applications that demand cryptographic protection (although they would still be able to transact and communicate in the clear). For obvious reasons, this suggests that the core group of nations would have considerable aggregate economic power and influence. (Note that a division of the world into core and noncore nations might require the fractionation of a multinational company's information network into those inside and outside the core group.)
G.7 THE FUNDAMENTAL QUESTIONS OF INTERNATIONAL CRYPTOGRAPHY POLICY
If the assumption is made that escrowed encryption is the underpinning of national governments' attempting to manage cryptography, three basic questions arise regarding cryptography policy internationally.
G.7.1 Who Holds the Keys?
Any of the agents described in Chapter 5 are candidates for key holders: these include government agencies, private for-profit organizations that make a business out of holding keys, vendors of escrowed encryption products, and customers themselves (perhaps the end user, perhaps an organization within the corporation making the purchase). The various pros and cons of different types of escrow agents described in Chapter 5 apply equally in an international context.
G.7.2 Under What Circumstances Does the Key Holder Release the Keys to Other Parties?
From the standpoint of U.S. policy, one essential question is which nation's or nations' laws control the actions of escrow agents vis-à-vis the release of keys. Conceptually, three possibilities exist:
1. The U.S. government (or escrow agents subject to U.S. law) holds all keys for all escrowed encryption products used by U.S. persons or sold by U.S. vendors, regardless of whether these products are used domestically or abroad.25
2. The U.S. government (or escrow agents subject to U.S. law) holds all keys for all escrowed encryption products used by U.S. persons, and foreign governments (or escrow agents subject to the laws of those foreign governments) hold all keys for escrowed encryption products used by nationals of those governments.26
3. Both the U.S. government and Nation X have access to all keys for escrowed encryption products that are used in Nation X, and either the United States or Nation X can obtain the necessary keys.
Products used in Nation X would most likely be purchased in Nation X, but this is not a requirement. Note also that a wide variety of escrowing schemes exist, many of which are described in Chapter 5.
For the most part, options 1 and 3 compromise the sovereignty of foreign nations, and it is hard to imagine that a strong U.S. ally would publicly announce that its citizens and industries were vulnerable to U.S. spying without their approval. Early in this study (late 1994), the committee took testimony from senior Administration officials to the effect that option 1 was likely feasible, but the Administration appears to have backed off from this position in its most recent statements (late 1995).
Only option 2 is symmetric: the United States holds keys for escrowed encryption products used by U.S. persons or sold in the United States, and foreign nations do the same for their persons and products. Option 2 could meet the international law enforcement concern in much the same way that the law enforcement agencies of various nations cooperate today on other matters. Such cooperation might be the focus of explicit bilateral agreements between the United States and other nations; such agreements might well build on existing cooperative arrangements for law enforcement (Box G.1), and they are most likely to be concluded successfully if they are arranged informally, on a case-by-case basis in which the scope and nature of use are clearly delimited (i.e., relatively small-scale and clearly specified use). Alternatively, access might be requested on an ad hoc basis as the occasion arises, as is the case for other types of informally arranged law enforcement cooperation.
25 Under the Clipper initiative, U.S. policy is that the two escrow agents in the United States have Clipper/Capstone keys because they are available and put into escrow at the time they are programmed at the U.S. factory. Since there is no formal policy governing what should be done if a foreign nation purchases Clipper-compliant devices, the current policy obtains by default.
26 An important operational question is the following: If the keys are generated in the United States, on what basis could any foreign user be confident that the United States did not retain a copy of the keys that were issued to him or her? Such a question arises most strongly in a hardware-based escrow encryption product with a U.S.-classified design in which the United States is the designated key generator for reasons of classification.
The United States has mutual assistance agreements for law enforcement with many other nations. These agreements, managed by the Criminal Division of the Department of Justice with a State Department liaison, provide for mutual cooperation for the prevention, investigation, and prosecution of crime, to the extent permitted by the laws of each nation, in many areas. In general, these agreements discuss cooperation in certain listed areas as illustrative, but they usually have a "catchall" category. Some of the listed areas include:
• Assistance in obtaining documents;
• Release of interviews and statements of witnesses;
• Arrangement of depositions;
• Assistance in securing compulsory process (e.g., subpoenas);
• Cooperation in obtaining extradition consistent with existing extradition treaties; and
• Cooperation in obtaining forensic information (e.g., laboratory results and fingerprints).
These agreements are meant to enhance the collection of information and evidence in foreign nations when a crime is being committed or planned. Thus, they could serve as the vehicle for cooperative action with respect to sharing cryptographic keys available to the government (pursuant to its law enforcement objectives) of a given nation for specific law enforcement purposes; keys given by Nation A to Nation B would be obtained in accordance with the laws of Nation A and the mutual assistance agreement between Nations A and B. These agreements do not make new law; unlike treaties, they simply facilitate cooperation with respect to existing law.
To adapt these agreements to cover sharing of cryptographic information, the nations involved could use the catchall category or explicitly negotiate agreements covering this area; the first could suffice until the second was implemented.
In general, these agreements have worked well. Nevertheless, some problems exist. For example, they may not work fast enough to provide time-urgent responses to pressing law enforcement needs. In addition, some nations that are party to a mutual assistance agreement may not be trustworthy with respect to certain areas (e.g., the Colombian government with respect to drugs, the Mexican government with respect to immigration matters and smuggling of aliens).
Option 2 alone will not satisfy U.S. needs for intelligence gathering from the foreign nations involved, because by assumption it requires the involvement (and hence the knowledge) of an escrow agent that is subject to another nation's jurisdiction. Further, it is inconceivable that the United States is a party to any formal or informal agreement to obtain keys from nations that are most likely to be the targets of interest to U.S. decision makers (e.g., rogue nations). On the other hand, options 1 and 3 also pose problems for U.S. intelligence gathering, because even with the ability to obtain keys individually, the United States loses the ability to conduct good bulk intercepts. On the assumption that there is no large-scale "master key," individual keys would still have to be obtained. This would inevitably be a time-consuming process and could diminish the flow of signals intelligence information, since obtaining individual keys is a much more time- and labor-intensive activity than listening to unencrypted traffic.
The Administration's position on foreign escrow agents is stated in one of its proposed criteria for liberalized export consideration for escrowed encryption software. Specifically, it proposes that the relevant keys be escrowed with "escrow agent(s) certified by the U.S. Government, or ... by foreign governments with which the U.S. Government has formal agreements consistent with U.S. law enforcement and national security requirements."27
Note that all of the issues discussed in Chapter 5 with respect to liability for unauthorized disclosure of keys necessarily apply in an international context.28
G.7.3 How Will Nations Reach Consensus on International Cryptography Policy Regarding Exports and Use?
Harmonized Export Policies
Agreement on the following points would be necessary to develop a common export control policy that would help to preserve law enforcement and intelligence-gathering capabilities by retarding the spread of cryptography worldwide:
• Rough concurrence among nations exporting cryptography about the nations whose access to encryption capabilities should be kept to a minimum and what policy toward those nations should be;
• Willingness to allow relatively free trade in products with encryption capabilities among member nations;
• Willingness to abide by prohibitions on re-export to rogue nations; and
• Agreement among member nations about the types of encryption capabilities that would constitute a threat if widely deployed.
27 National Institute of Standards and Technology, Draft Software Key Escrow Encryption Export Criteria, November 6, 1995; see Box 5.3, Chapter 5.
28 Some agreements establish the extent and nature of liability in other contexts (e.g., the Warsaw Convention and airline travel), thus suggesting that the international dimensions of liability for unauthorized release of keys are not necessarily insurmountable.
The extent to which agreement on these points can be reached is an open question, although there are precedents to some degree in the U.S. bilateral arrangements with various other nations for cooperation in law enforcement matters. A high degree of concurrence among these nations (a "crypto-CoCom") would help to retard the spread of encryption capabilities to rogue nations, with all of the attendant benefits for law enforcement and national security.
Many problems stand in the way of achieving a plausible crypto-CoCom regime. These include the following:
• The scope of a crypto-CoCom. Given that the basic algorithms for cryptography are known worldwide, it is not clear that the developed nations of the world have a true monopoly on the technology. Many of the traditional lesser developed countries in Asia and Latin America are demonstrating significant interest in modernizing their communications infrastructures, and they will almost certainly be driven to an interest in secure communications as well.
• The absence of a pervasive threat. With the demise of the Soviet Union, it has proven much more difficult for the United States to take the lead in matters requiring international cooperation.
• The implied connection between third-party decryption for governments and export-import controls. International arrangements will have to satisfy the needs of participating nations for third-party decryption before they will agree to relax import and use controls.
Harmonized Policies Regarding Use
As noted above, the Organization for Economic Cooperation and Development held a December 1995 meeting in Paris among member nations to discuss how these nations were planning to cope with the public policy problems posed by cryptography.29 What this meeting made clear is that many OECD member nations are starting to come to grips with the public policy problems posed by encryption, but that the dialogue on harmonizing policies across national borders has not yet matured. Moreover, national policies are quite fluid at this time, with various nations considering different types of regulation regarding the use, export, and import of cryptography.
29 Additional information on this meeting can be found in Stewart Baker, Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography, Steptoe and Johnson, Washington, D.C., undated. Available on-line at email@example.com or check http://www.us.net/~steptoe/276908.html.
The majority view of the assembled nations was that national policies had to balance the needs of corporate users, technology vendors, individuals, law enforcement, and national security. A number of participants appeared to favor a "trusted third-party" approach that would rely on nongovernment entities (the trusted third party) to serve as the generators of cryptographic keys for confidentiality for use by the public as well as escrow agents holding these keys and responding to legally authorized requests for encryption keys for law enforcement purposes.30 However, the needs of national security were not mentioned for the most part.31,32
30 See, for example, Nigel Jefferies, Chris Mitchell, and Michael Walker, A Proposed Architecture for Trusted Third Party Services, Royal Holloway, University of London, 1995.
31 For additional industry-oriented views on international policies concerning the use of cryptography, see U.S. Council for International Business, Business Requirements for Encryption, New York, October 10, 1994; INFOSEC Business Advisory Group, Commercial Use of Cryptography, statement presented at the ICC-BIAC-OECD Business-Government Forum, Paris, France, December 1995; European Association of Manufacturers of Business Machines and Information Technology Industry (EUROBIT), Information Technology Association of Canada (ITAC), Information Technology Industry Council (ITIC), and Japan Electronic Industry Development Association (JEIDA), Principles of Global Cryptographic Policy, statement presented at the ICC-BIAC-OECD Business-Government Forum, Paris, France, December 19, 1995. The statements from the Paris meeting are available on-line at http://www.cosc.georgetown.edu/~denning/crypto/#ici.
32 Intelligence needs may conflict directly with needs for business information security. For example, U.S. and foreign companies sometimes form consortia that work cooperatively to make money; national intelligence agencies often funnel information to individual companies to develop competitive advantage. One major reason that U.S. companies operating internationally want to have encrypted communications is to protect themselves against the threat of national intelligence agencies. Thus, they would require that any escrow arrangements at a minimum include audit trails to ensure that their communications were being monitored in accordance with laws governing criminal investigations and the like (in the United States, this might be a court order) to ensure that data from wiretaps were not being funneled to foreign competitors. However, it is very hard to imagine that a foreign intelligence agency would be willing to provide such assurances or to live with such audit restrictions. Ultimately, the trade-off might be the willingness of an international corporation to bargain with the host nation about the ability to have secure communications, using its willingness to invest in the host nation as its ultimate bargaining chip to force the host nation to acquiesce.