Richmond Journal of Law & Technology

International Protection of U.S. Law Enforcement Interests in Cryptography

by Marcus Maher

Cite As: Marcus Maher, Note, International Protection of U.S. Law Enforcement Interests in Cryptography, 5 RICH J. L. & TECH 13 (Spring 1999)

The tool of cryptography is used increasingly by businesses, individuals and the government for ensuring the security and privacy of information and communications. Cryptography's use by criminals is becoming widespread as well. The same aspects of cryptography that make it useful for security and privacy make it particularly troublesome for law enforcement. The use of cryptography by criminals can prevent law enforcement from obtaining information needed for the prevention and prosecution of crime. The United States has acted to regulate cryptography and protect the legitimate interests of law enforcement, while attempting to balance the needs of legitimate users of cryptography.1 Until very recently, however, the U.S. has done comparatively little internationally to protect U.S. law enforcement interests in cryptography. Given the international nature of many crimes, such international protection of U.S. law enforcement interests will be necessary to make domestic protections of these interests meaningful.

This paper first addresses the problems facing U.S. law enforcement personnel that are important for international protection of their interests. This includes international crimes, such as international organized crime, terrorism, computer crimes and economic espionage. This also includes the nature of cryptography itself.

In Part II, the current state of the law is addressed with respect to areas important for protection of U.S. law enforcement interests. First, there is a discussion of the formal mechanisms for U.S. law enforcement activities internationally. Second, U.S. cryptography regulation is discussed.
Third, there is a discussion of the regulations, or lack thereof, of foreign countries. Finally, there is a discussion of international organizations that have addressed the issue of cryptography regulation.

Part III addresses the policy questions associated with the regulation of cryptography. First, the fundamental policy perspectives associated with cryptography regulation are discussed. These perspectives are: the business perspective, the individual privacy perspective, the law enforcement perspective and the free market perspective. Second, the particular policy concerns of various countries that have addressed cryptography regulation are detailed. These concerns include fears about the adequacy of security provided by cryptography under a given regulation, concerns about the threat posed by a given system to their sovereignty or national security, as well as the interests of individual privacy and the free market approach.

In Part IV, the approach to finding a solution to the problem of cryptography is discussed. First, the appropriate forum must be chosen to negotiate the regulatory system. This forum should ideally be medium-sized and focused on issues of international crime. Second, the substance of the regulatory solution is considered. Any solution must provide for authorized law enforcement access to information, in addition to being tailored to the interests of participating nations. It should also include industry involvement and a compliance assessment mechanism.

Finally, in Part V, the general approach detailed in Part IV is applied to potential solutions.

I. Introduction to the Problems Facing U.S. Law Enforcement

Two problems suggest a need for international cryptography regulation to protect law enforcement interests. The first of these problems is international crime.
The investigation and prosecution of crimes involving the United States and individuals in foreign countries often require access to information located in or originating from foreign countries. The second problem involves the technological capabilities of cryptography. The current nature of cryptography can prevent law enforcement access to communications and stored data that is necessary to investigate and prosecute crime.

A. International Criminal Threats to U.S. Law Enforcement

Criminals in foreign countries can pose a substantial problem for U.S. law enforcement. Traditionally, this has largely involved international organized crime, such as drug cartels and mafia organizations with ties to foreign countries. In recent years, attacks by foreign terrorists have begun to occur within the United States. U.S. law enforcement has consequently begun to take an active role in the investigation and prosecution of terrorists, in addition to attempting to prevent terrorist attacks. Finally, the nature of the Internet allows for computer crimes and economic espionage to be committed against U.S. citizens and businesses anywhere in the world. Each of these types of crime implicates a need for U.S. law enforcement to access evidence in or originating from foreign countries.

1. International Organized Crime

A general definition of "organized crime" includes a number of elements. Six of these elements are: (1) a lack of an ideology; (2) an enduring hierarchical organizational structure; (3) a restrictive membership with specialization of activities; (3) a willingness to use or threaten to use force; (4) profiting from criminal activity, including providing illegal goods and services; (5) maintaining a code of secrecy; and (6) engaging in long-term planning.2

Organized crime is one of the most important international criminal problems facing U.S.
law enforcement.3 Traditional crime syndicates are building partnerships across the globe, moves that extend their reach, diversify their bases, and make them increasingly invulnerable to local law enforcement efforts. They are diversifying into a wide range of contraband such as narcotics, aliens, and weapon smuggling. Criminal service industries such as money laundering and document forgery, that run the business end of organized crime, are today more sophisticated than ever.4 International organized crime threatens the U.S. through massive consumption of law enforcement resources, threatens American lives and restricts trade and business activities.5

Organized crime groups take full advantage of available technology to further their ends. First, organized crime groups use technology to strengthen their influence internationally. "[I]n the globalized, electronic late 20th century overseas corruption is no longer something faraway. With the lowering of technological and political barriers to trade and finance, the United States has become a new frontier for foreign criminal organizations which have found fertile field in some areas of American Society. . . ."6 Second, transnational criminal organizations utilize technology to circumvent law enforcement. It has been noted that drug organizations utilize night-vision equipment, cellular phones and their own intelligence organizations to defeat the U.S. border patrol, Customs Service and DEA.7 Finally, these organized crime groups utilize technology and modern business techniques as a standard part of their day-to-day operations.8 Clearly, the use of technology by organized crime enhances the threat they pose to U.S. law enforcement.

2. International Terrorism

U.S.
federal statutes define "terrorism" as an act involving criminal violence that "appears to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by assassination or kidnapping."9 An alternative definition of terrorism describes it as "peacetime equivalents of war crimes."10

International terrorism also poses a significant problem for U.S. law enforcement through traditional terrorist activities, use of weapons of mass destruction and attacks on the U.S. information infrastructure. Although the threat of harm from terrorism is greater outside the United States, the Trade Center bombing indicates that there is nonetheless substantial risk to lives and property in the United States as a result of international terrorism.11 The activities of terrorists have largely been confined to such activities as bombings, hi-jackings and kidnappings. However, there is potential for dangerous escalation of their activities into use of chemical and biological weapons.12

It is also likely that international terrorist organizations will make increasing use of technology, both as a tool and as a target. Typical international terrorist organizations make skillful use of modern communications technologies for intelligence gathering, expansion of their areas of activities and world-wide communications.13 Further, the National Information Infrastructure (NII) is expected to be an increasingly attractive target for terrorism.

The coming wave of cyberterrorism will present an even greater challenge. New, highly educated, computer literate generations of terrorists are not thinking in terms of truckloads of explosives, nor briefcases of sarin gas. . . . Tomorrow's hightech terrorists are plotting attacks with one's and zero's at a place where we are most vulnerable -- namely the point at which the "physical" and "virtual" worlds converge . . .
.14

The changing nature of international terrorist organizations may make the terrorist involvement with technology even more likely. New "transient" terrorist organizations are likely to include well-educated individuals comfortable with the use of technology. Further, the nature of these organizations means that they have no "established headquarters, supply lines or communications networks to penetrate or intercept."15 The increased likelihood of the interrelationship between terrorism and technology will pose increasingly greater challenges for U.S. law enforcement.

3. Computer Crime

Computer crime consists of the use of computers by criminals in three different ways. "First, a computer may be the target of the offense."16 The criminal might want to steal information stored on the computer, damage the computer or simply break into a particular system. Second, computers may be used as a tool to facilitate a traditional offense.17 Finally, computers may contain evidence of a crime, such as a drug trafficker's records or customer lists.18

Recent surveys indicate the increasing incidences of computer crime. One survey found that nearly 25% of the 898 organizations surveyed had experienced a verifiable computer crime in the prior year. In another survey, 98.5% of respondents had been the victims of computer crime, while 43.3% were victimized more than 25 times.19 A recent test of business computers involved an attack on 38,000 computers, with a 65% success rate. However, only 4% of the attacks were detected by the businesses, and only 27% of the attacks detected were reported.20 There is a wide belief that a major step in combating computer crime would come from providing appropriate incentives for using effective security measures. As a practical matter, such measures may be more effective at stopping computer crime than statutory prohibitions.21

The United States suffers in many ways from computer crime. U.S.
losses from computer crime are estimated at $10 billion.22 This does not include traditional crimes where computers were used to facilitate the crime. Additionally, there is substantial potential for economic and military espionage through attacks on computers. Recently there have been attacks on medical research data and patient files, indicating that American health and safety may also be at stake.23

Computer crime has an international element as well. Current technology allows computer crimes to be committed with great speed across great distances. Thus, attacks against U.S. computers can be executed from anywhere in the world, as easily as they can be in the United States.24 The ease with which international boundaries can be crossed in the commission of computer crimes indicates the need for substantial international cooperation. As a result, for the investigation of computer crime, "the harmonization of the various national coercive powers is an important factor in the smooth functioning of the international instruments of mutual assistance, since a state whose assistance is requested can only carry out measures permissible by its own law."25

4. Economic Espionage

Economic espionage involves the theft or misappropriation of a business' trade secret.26 Surveys indicate that most economic espionage in the U.S. is due to the "insider" activity of employees and former employees, with few instances attributable to foreign intelligence personnel.27 Nonetheless, governments and companies of highly industrialized nations are often involved with the theft of trade secrets to gain a competitive edge over economic rivals such as the United States, either across the board or in specific industries. "[L]ess industrialized countries tend to limit their economic collection activities to a few key industrial sectors."28

The modern business environment creates a substantial risk of economic espionage. Information is an increasingly valuable asset to businesses.
However, the modern trend of out-sourcing and collaboration, coupled with a more mobile, less loyal workforce, increases the risk of economic espionage. The end of the Cold War resulted in the unemployment of substantial numbers of military spies. These former spies are now looking for opportunities in the commercial world to put their skills to work.29

As businesses enter the information age, the value of trade secrets will continue to grow. However, the same conditions that enhance the value of trade secrets increase a criminal's ability to steal them. The amount of information that can be stored in digital form eliminates much of the constraint associated with having to steal physical documents. Finally, the ability to copy data quickly, accurately and secretly makes trade secret theft difficult to detect.30

B. Introduction to Cryptography

Cryptography is the "art and science of keeping messages secure."31 Cryptography has been described as a struggle between two worlds; people who wish to engage in private communication and those wishing to intercept the communications.32 Thus, someone sending a message (plaintext), could scramble (encrypt) the message (now ciphertext) so that the interceptor cannot read it.33 They must scramble the message so that, upon receipt, the receiver of the message can unscramble (decrypt) the message.34

Plaintext is encrypted and decrypted using keys. For symmetric algorithms, either the encryption key or the decryption key can be calculated if the other is known.35 With public-key algorithms, knowledge of the encryption key does not allow the calculation of the decryption key in any reasonable amount of time.36

Key length is an important aspect of the strength of a system of cryptography (cryptosystem). In both symmetric and public-key cryptography, the strength of the encryption is directly related to the key length. A longer key will provide greater security.
Nonetheless, there are still two important points to consider regarding key length. First, the strength of the encryption algorithm also plays an important role in the security of a cryptosystem and should not be ignored. Second, with increased key length comes increased computational time to use the key. Thus, an incredibly long key may be strong, but takes so long to apply that it is not useful.37

An important aspect of using keys is key management. In particular, the means of distributing keys is a major concern. In a classical, symmetric, cryptosystem, both the decryption and encryption keys allow the determination of the other. Thus, these keys cannot be publicized. Parties must find some way of transmitting the keys to each other through a secure channel. For sufficiently long keys (as long as the message to be sent, or longer), it would be just as easy to transmit the message itself through this secure channel. Thus, nothing is gained from cryptography.38 Public-key cryptosystems address this problem. Since the private decryption key cannot be determined from the public encryption key, the public key may be freely distributed without much risk to the integrity of the system.39 "The easiness of key management can justly be regarded as the chief advantage of public-key cryptography."40

Cryptography is useful for more than just securing communications. In addition to providing secrecy of both communicated and stored information, cryptography can be used to ensure the integrity of data, provide a means of identification and provide capabilities for non-repudiation.41

Even with technical knowledge, development of a functional cryptosystem can be a difficult process. Given the number of books, articles and information on the Internet, access to the basic knowledge underlying cryptography is not difficult to come by. However, the skill to implement this knowledge is not easily obtained.
There are many design choices made in the implementation of a cryptosystem that can substantially affect its effectiveness. The development of products based on the same algorithm by different parties could result in cryptosystems of substantially different strength. Further, the integration of a cryptosystem into a usable product can be a difficult task. This is particularly important for integrated products intended to provide some useful function, such as word processing or e-mail, beyond encryption. However, the incremental monetary cost of adding encryption functionality to a software product is small.42

C. The Resulting Problems for U.S. Law Enforcement

Although some commentators have argued that the current use of cryptography by criminals does not warrant concern by law enforcement,43 it appears that an increasing number of crimes have involved the use of encryption.44 There is potential for criminals, terrorists and spies to be able to thwart law enforcement efforts by using cryptography.45 For example, terrorists could exchange encrypted messages that law enforcement would be unable to access, preventing law enforcement from stopping the attack. Similarly, the records and customer lists of drug dealers could theoretically be kept safely away from law enforcement through the use of cryptography. Law enforcement, therefore, has an interest in continued access to both encrypted communications and stored encrypted data.

1. Encrypted Communications

Wiretapping is a means for law enforcement to obtain information that they would be unlikely to obtain otherwise.46 To the extent that such information can be obtained through other sources, such as informants or listening devices, the information is not as complete, and may come at great risk. Apart from the dangers associated with informing on a criminal or terrorist organization, the credibility of such informants is typically challenged in court.
Hidden listening devices can be risky to plant, and often record only one side of a conversation.47 Thus, the information obtained from intercepted communications may be irreplaceable.

The primary challenge for decrypting communications comes from the need for real-time decryption. Information from communications is most important for crimes that are preventable due to the ability of law enforcement to act quickly because of the intercepted information. An example of the value of intercepted communications occurs in terrorism cases, where real-time surveillance can provide information useful in thwarting a terrorist act.48

2. Stored Encrypted Data

Data stored on computers can be an important source of information for law enforcement investigations and prosecutions.49 White-collar crimes often have paper trails. Drug dealers keep records of various information. Stolen trade secrets will often be stored on computers.

Intercepted communications may have important time constraints associated with their decryption. However, stored data is often used in prosecutions and investigations, with a time scale of days, months or years. The time required to decrypt is less important.50 FBI Director Freeh noted that:

[a] file may have existed for many days or weeks or even years, and the time within which decryption is necessary (e.g., to build a criminal case) is measured on the time scale of investigatory activities; by contrast, the relevant time scale in the case of decrypting communications may be the time scale of operations, which might be as short as minutes or hours.51

II. Current Legal Regimes and Associated Problems for Law Enforcement

The discussion in Part I indicates that there is a substantial threat of international crime affecting the United States. The prevention, investigation and prosecution of these crimes creates a need for U.S. law enforcement to access data stored in a foreign country or communications originating from foreign countries.
Agreements among foreign and U.S. law enforcement agencies are an important aspect of the legal environment that affects U.S. law enforcement access to evidence. Cooperation agreements between the U.S. and foreign countries can substantially ease access to information. The absence of such agreements makes it very difficult to access needed information, especially with the use of cryptography.

However, even if U.S. law enforcement agencies have access to information, it is meaningless if the information is not in a usable form. While cryptography can be a valuable tool used by private entities to combat crime, the current technology of cryptography can prevent legitimate law enforcement access to information. Legal regulation of cryptography could carve out protections for law enforcement interests. Some regulation of cryptography exists already; thus, it is first necessary to evaluate the adequacy of current regulations. This includes evaluation of cryptography regulation by the United States and foreign countries, as well as activities by multinational organizations.52

A. U.S. Law Enforcement Activities Internationally

Even if cryptography regulation eases law enforcement access to data, U.S. law enforcement agencies must have some means of gathering this foreign information. Currently, international law enforcement cooperation occurs informally, through letters rogatory, or through Mutual Legal Assistance Treaties (MLATs). MLATs have become one of the best methods U.S. law enforcement has in prosecuting international crime.53 These treaties supplant the letters rogatory system of legal cooperation between the United States and many governments, which is widely considered time-consuming and inadequate.54 Letters rogatory also involve substantial bureaucratic steps involving many agencies in both countries. However, one of the most significant problems with letters rogatory is that there is no obligation on the foreign court to agree to the request.
MLATs, on the other hand, cover a broad range of offenses, and often do not require dual criminality for assistance to be provided.55 MLATs provide a quicker, more efficient means of obtaining evidence from foreign countries.56 They can also help overcome limitations on U.S. access to evidence resulting from foreign laws and legal systems.57 Furthermore, MLATs eliminate the most significant problem with letters rogatory because, as treaties, MLATs require the compliance of the foreign government. One major limitation with MLATs, however, is that they must be separately negotiated with each country.58

Outside the United States, a different approach has been taken to address this problem. The Council of Europe has devised new multilateral law enforcement conventions. It has formed groups to combat drug abuse, drug trafficking59 and the searching and seizing of the proceeds of crime.60 The Convention on Laundering calls for substantial alterations to domestic legislation by parties, to the extent necessary to facilitate cooperation. However, members may refuse to cooperate under certain expressly noted circumstances.61 In contrast to the greater scope of MLATs, multilateral conventions afford much greater convenience and standardization. These treaties cover aspects of law enforcement including the provision of evidence, the exchange of prisoners and the transfer of criminal proceedings.62

Thus far, negotiations of MLATs and other multinational treaties have centered on the international drug problem.63 However, it is possible that new types of technology will replace illicit drugs as the dominant form of contraband in the future.64 This could open the door for new law enforcement techniques, new international conventions, and new domains of international law enforcement activity.65 It could also provide an opportunity for U.S. law enforcement to seek and obtain new agreements specifically tailored to their interests within the realm of technology.

B. The United States Approach to Regulation of Cryptography

The current U.S. approach to the regulation of cryptography is in the form of export control. Encryption exports are currently regulated under the Export Administration Act of 1979 (EAA).66 Until November 1996, the export of cryptography was controlled by the Arms Export Control Act (AECA).67 In 1996, encryption products were transferred from the Munitions List of the AECA to the Commerce Control List of the EAA.68 Commercial products containing encryption generally require an export license or a license exception.69 Additionally, a license is required to provide technical assistance to a foreign person in the development of foreign cryptography.70 Unlike the export regulations of some foreign countries, it would appear that "export" includes electronic means, such as transmission via the Internet.71 Agencies such as the Justice Department, the State Department, and the Defense Department also have a say in decisions for commercial encryption export licenses.72

There has been substantial activity in Congress regarding encryption controls. In the 105th Congress, the Senate bill, the Secure Public Networks Act, S. 909, 105th Cong. (1997), would have liberalized many export controls. However, it also would have required a governmental "back door" for all products procured by the government or with government funds, or for use on a communications network established by the government or with government funds.73 This would have effectively required mandatory key recovery for a large number of networks. An early version of the House bill, the Security and Freedom Through Encryption Act, H.R. 695, 105th Cong. (1997), would have implemented the same requirements, but was ultimately amended leaving only the loosened regulations.74 Two other Senate bills, The Pro-CODE bill, S. 377, 105th Cong. (1997) and the E-Privacy Act, S. 2067, 105th Cong.
(1998) would have substantially liberalized export restrictions, and placed restrictions on the government's ability to restrict access to encryption or to require mandatory key recovery. However, the sessions ended before any of these bills were passed.

As for financial institutions, the Commerce Department has begun to loosen restrictions. The new policy would lift the current ban on exports of strong encryption technology, if tailored specifically for and restricted to financial transactions, by U.S. companies engaged in banking and other financial services.73 Companies would also be allowed to export strong, general purpose encryption software for use by financial institutions provided that a key recovery system is built into the product within two years.74 The new liberalized stance would allow the export of encryption technologies with any key length, with or without key recovery, to subsidiaries and strategic partners of U.S. companies world-wide.75 Finally, the export of recoverable encryption to firms in certain foreign countries, for proprietary use only, is permitted.76

C. Foreign Approaches to Cryptography Regulation

Foreign countries have taken varied approaches to the regulation of cryptography. Some countries have no regulations; some countries have minimal regulation; and some countries, like the United States, have substantial regulation.

1. Countries Without Regulations

There are a number of countries that appear to have no cryptography regulation whatsoever. This can be important for several reasons. First, although a country may not be especially technologically advanced, it may pose a particular threat for various international crimes which could affect the United States. Secondly, the country may be a technologically advanced country capable of substantial development of encryption technology. Without regulation, these countries could become a source of cryptography to those involved in international crime.
Also, they could pose a threat to U.S. producers of encryption technologies because they would have no restrictions upon use or export. Thus, the access to un-regulated encrypted technology could adversely affect the U.S. encryption developers worldwide because their market share could be lost.

a. Low-Tech Countries without Regulation

A substantial number of the countries posing terrorism and organized crime threats are lacking in any cryptography regulation. With the exception of Israel, which poses essentially no terrorist threat to the U.S., the status of encryption regulation in most Mid-Eastern countries is uncertain.76 The increased technological knowledge of terrorists indicates that they could develop their own cryptography. The potential lack of domestic regulations within these countries would mean that there would be no means of access for law enforcement. A lack of export restrictions means that once a terrorist organization develops encryption technology, it can be used freely within the terrorist community. Thus, all that is necessary is for one group to develop a product that could be freely distributed throughout the terrorist community.

The lack of regulation is significant in terms of investigating terrorist organizations, and ultimately bringing terrorists to justice after attacks. Communication interception is particularly important to prevent terrorist attacks. Additionally, the time associated with cracking the encrypted communications may be too long to prevent potential terrorist attacks. Thus, this lack of sufficient regulation may result in the potential inability to prosecute terrorists after an attack.

A number of countries which harbor organized crime organizations are also lacking in cryptography regulation. In particular, Latin America, Nigeria and China lack any meaningful encryption regulation.77 Much of the law enforcement interest with respect to organized crime is in investigating offenses, which impliedly relates to stored data.
Consequently, the lack of encryption regulations initially appears to be marginally less of a concern. However, with adequate strength of encryption, law enforcement may not be able to break the encryption in sufficient time. Thus, the information would not be useful at all. Interception of communications can play a role in organized crime investigations as well.

While it initially appears countries which are organized crime risks are less of a threat than terrorist countries, this may not be borne out in reality. While law enforcement has somewhat less of a time constraint with regard to organized crime, the likelihood that organized crime groups will take advantage of this situation is much greater. Although terrorists have historically used relatively low-tech methods of attack, there is evidence of an increasing move toward the use of modern technology.80 On the other hand, organized crime has consistently used technology to circumvent law enforcement. Thus, there is a greater likelihood that a terrorist might use some standard commercial encryption program, while organized crime groups are more likely to develop their own cryptosystems. Cryptography regulation protecting law enforcement interests would clearly be of value for these countries.

b. High-Tech Countries Without Regulation

There are also a number of countries that, despite their high-tech capabilities, have not addressed the problem of cryptography regulation. Of particular importance are the countries in Asia, such as India,78 that are big producers, distributors and users of computer technology. These countries tend to pose threats of economic espionage, which implicates increased use of strong encryption by U.S. businesses. Thus, any need for foreign cryptography regulation would seem to be negated.
However, many Asian countries are identified as threats in organized crime.80 When coupled with their technical capabilities and lack of regulation, these countries pose a substantial threat to law enforcement access to information about their international criminal organizations. Additionally, without regulations, these countries could serve as suppliers of cryptography to other criminal organizations. Thus, regulation could be useful for these countries as well.

2. Countries with Minimal Regulation of Cryptography

There are a number of countries that have some regulation of cryptography, at least officially, that satisfies minimal compliance with some treaty or organization to which the countries belong. These are primarily countries that are part of the Wassenaar Arrangement, or the European Union (EU).79 These countries' official regulation of cryptography follows the minimum standards set by the Wassenaar Arrangement or the EU.80 Typically, this means export restrictions requiring licenses for export of strong encryption and keeping the technology away from controlled destinations.

The nature of the organizations that mandate the regulations affects the attitude of the country toward the regulations and their enforcement. Since the Wassenaar Arrangement had a military focus, there were no terms incorporated to require domestic regulation to assure law enforcement access to information.81 The EU is a larger, economic arrangement, thus the interests of the participants may again not be as focused on law enforcement. Further, as part of a larger arrangement - control of dangerous military goods with Wassenaar and a large economic community with the EU - the participating countries are not always highly motivated to fully enforce regulation of the relatively minor product of cryptography.
For example, it has been noted that Finland, New Zealand and Switzerland are somewhat less rigorous in their enforcement of their regulations.81 This can be problematic for several reasons. Since these countries are fairly technologically advanced, they are good sources of encryption programs for criminal or terrorist organizations when existing regulations are not enforced. Additionally, these countries pose threats of money laundering and computer crime. Without domestic encryption regulation, law enforcement has no assurance of access to the evidence of these crimes. Thus, improved regulatory systems, with compliance assessment mechanisms, could be valuable.

3. High-Tech Countries with Substantial Regulation

There are a few countries, like the United States, that have substantial regulation of cryptography. However, even these regulations tend to be regulations on the import and export of cryptography. Domestic encryption is still addressed only sparsely.82 The likelihood that the technology will be exported to a controlled country is minimized, but threats still exist from criminals and criminal organizations within these countries. Also, there may be a threat of organized crime from countries such as Italy and Russia. Thus, even in the countries with the strongest cryptography regulations, it is unlikely that law enforcement interests are adequately protected.

D. Organizations Addressing Cryptography

1. Military Perspective

Cryptography is addressed as a military good under the Wassenaar Arrangement.83 Cryptography is regulated as a dual-use good, with a focus on licensing for export and preventing export to certain countries.84 This focus does not provide for law enforcement access to encrypted information in appropriate circumstances. Further, the choice of controlled countries seems based on military allegiances rather than upon potential for criminal activity.
While the military perspective provides some protection of law enforcement interests, it is clearly tailored to military interests rather than law enforcement interests.

2. Business Perspective

A number of organizations have addressed cryptography regulation from the perspective of electronic commerce. This approach tends to take a decidedly pro-business, and pro-strong encryption perspective. These organizations acknowledge some legitimate law enforcement interest. A balancing between business and law enforcement interests is suggested, but policies tend to favor the business perspective,85 allowing for protection of law enforcement interests only when they do not affect business use.86 The conclusions and recommendations of these organizations favor a relatively expansive right to develop and use cryptography.87 Needless to say, these organizations do not adequately represent the interests of law enforcement.

3. Law Enforcement Perspective

In their 1996 summit, the G-7 nations set out 25 recommendations for dealing with international terrorism.88 The G-7 nations took a pro-law enforcement approach to the problem, and encryption regulation was part of the answer.89 While the general attitude of the recommendations gave the appearance of favoring law enforcement, the G-7 recommendations provided no detail. The recommendations may indicate an appropriate forum or approach that will best represent law enforcement interests; however, they gave no practical guidance to nations about cryptography policy. Thus, they provided no real assistance to law enforcement interests.

III. Current Policy Environment

Consideration of the current environment of legal regulation is useful for a determination of whether further or different regulation is necessary. However, an understanding of what regulatory changes are necessary for protection of law enforcement interests is only the first step. There are a number of competing policies related to cryptography regulation.
Any regulations that are negotiated will need to involve a balancing of these basic policy choices, with particular attention paid to the policies of the other countries involved in the regulatory system.

A. Basic Policy Choices

There are four major policy approaches to addressing the issue of cryptography. These approaches are (1) protection of business information, (2) protection of individual privacy, (3) protection of law enforcement interests, and (4) a laissez faire/free market policy.

1. Protection of Business Information

U.S. corporations are at great risk of industrial espionage. The current business environment enhances the risk of such espionage. Workers increasingly utilize networks to telecommute to the office, use cellular telephones to communicate with colleagues, or download e-mail onto their laptops while away from the office, potentially exposing trade secrets to spies.90 This threat comes not only from domestic and foreign competitors, but also foreign intelligence agencies.91 Foreign governments routinely use their intelligence services to acquire valuable information about U.S. corporations.

Cryptography can be used to limit illegal invasions of privacy through illegal eavesdropping and hacking activity.92 Additionally, it may discourage low-tech theft. For example, a stolen laptop with an encrypted disk represents a loss of hardware, but not of any trade secrets kept on that computer.93

Banks and financial institutions also have an interest in the use of cryptography to ensure secrecy. In fact, the Treasury Department requires encryption of all U.S. electronic funds transfer messages.94 Encryption is used generally to protect such information as account information and customer identification numbers.95

Various professionals also have a motivation to use encryption to preserve confidentiality. Lawyers, doctors, accountants and others have a professional responsibility to keep their clients' information secret.
The relative ease with which computers can be compromised or cellular phone conversations can be intercepted when least expected96 creates a substantial risk of revealing information.

2. Individual Privacy Interest

Cryptography can be used to protect individual privacy as well. Individuals commonly use cellular phones and e-mail, and store personal information.97 Without encryption, all of these are susceptible to interception and collection. People may derive a sense of security from the knowledge that their communications and data are safe from unauthorized snooping.98 Limitations on cryptography may diminish this feeling of security.99 Thus, both actual and perceived privacy of the average citizen may be enhanced by cryptography.

Privacy can be particularly important for individuals expressing unpopular opinions and beliefs. A lack of privacy can make such communications subject to monitoring by the government, and may discourage such speech.100 In the past, even within the United States, the government has kept track of individuals and organizations expressing unpopular opinions.101 Cryptography could help ensure that even unpopular opinions are able to be expressed. The idea that the "free flow of information among nations strengthens democracy and political liberty" is arguably one of the central principles underlying all U.S. communication policy.102 Limiting methods of communication to only those susceptible to government interception would undermine this principle.103

Finally, in the modern information economy, the protection of privacy has an economic element. The collection of personal information is widespread, and the information gathered is put to uses as legitimate as marketing or as nefarious as fraud. Thus, exerting control over who has access to personal information has definite economic value. Cryptography can be used as a tool to keep personal information private and prevent such unauthorized use.104

3. Law Enforcement Interest in Encryption105

In testimony before the House of Representatives Telecommunications, Trade and Consumer Protection Subcommittee, Deputy Assistant Attorney General Robert S. Litt summarized the law enforcement interests in cryptography in the following statement: "We are gravely concerned that the proliferation and use of unbreakable encryption would seriously undermine these duties to protect the American people, even while we favor the spread of strong encryption products that permit timely and legal law enforcement access and decryption."106

Law enforcement also has a substantial interest in the private uses of cryptography. In many cases, private use of strong encryption may be one of the best methods of preventing crime.107 Cryptography could also be an important tool in protecting critical infrastructures, such as the finance industry and telecommunications industries.108 There has been substantial activity by law enforcement along these fronts recently, indicating that law enforcement recognizes its role in this area.109 Law enforcement thus has both an interest in strong encryption technology that provides protection to businesses and individuals, and an interest in ensuring continued law enforcement access to information to the same extent as before the general use of encryption.

4. Free Market Approach

Under the free market approach, matters would simply be left to the forces of the free market, thereby eliminating direct and indirect restrictions on the sale of cryptography. The lack of adequate encryption capabilities due to export controls could cause the U.S. software industry to lose from six to nine billion dollars annually from overseas software sales.
It has been claimed by members of the software industry that the government is "permitting a situation to persist that is directly threatening the continued viability and success of the American software industry."110 In a letter to President Clinton, The Computer & Communications Industry Association argued that current U.S. cryptography policy "fails to accommodate the competitiveness concerns of the sellers of encryption products," and further noted that foreign companies, such as Japan's NTT Electronic Technology Inc., have developed products offering up to 128-bit encryption capability.111 There is a major concern that excessive encryption regulation in the U.S. could prevent American software developers from being able to compete internationally.

B. Policy Stances of Foreign Countries

In addition to recognizing the general policy arguments in the cryptography debate, it is necessary to consider the policy approaches favored by the countries with which the United States is negotiating. At a distance, however, it is difficult to determine the policy approach that most other countries will adopt. Further, several specific concerns about the nature of a particular solution may be raised by countries in addition to the basic policy arguments. In reality, for most countries, all policy concerns will play some role, with differences occurring only in the balancing of these interests. Finally, it is only possible to reasonably estimate the policy stances of countries that are currently active in encryption regulation by examining either individual initiatives or their participation in an organization addressing cryptography.

1. Concerns About the Adequacy of Security

A number of countries have expressed some concerns about the adequacy of security that would be available to individuals and businesses under various regulatory schemes.112 These concerns include a general fear that the encryption available under the regulatory schemes will be inadequate to provide any real protection. In a number of instances, the concerns relate specifically to the use of a key escrow/trusted third party approach to regulation.113

2. Concerns About the Threat the System Poses to Their Country

There have also been concerns that a given system may pose a threat to a foreign country.114 Some of these concerns center around a fear that law enforcement would make unauthorized use of encryption keys to monitor the communications of their citizens. Many concerns center around a fear of abuse of the system by the United States. One concern is that a system giving total control of trusted third parties to the United States would pose a threat to the sovereignty of foreign countries.115 There is an additional concern that the U.S. would abuse its access to encryption keys to gather intelligence information about foreign governments.116

3. Privacy Concerns

Although most of the countries that have participated in international forums on cryptography regulation recognize the importance of individual privacy, few countries use individual privacy as the central motivation for their cryptography policies.117 Personal privacy, however, likely plays some role in most countries' policies.

4. Free Market Approach

Finally, some countries have offered support for the approach of leaving the development of cryptography in the hands of the software developers themselves.118 Many of these countries prefer this approach because it favors their own software developers in the marketplace.119 These countries view cryptography restrictions as a negative force which decreases the availability of any number and variety of products incorporating encryption.120

5. The Speculative Nature of Any Conclusions

In this area of consideration, it is important to note that few countries' viewpoints are represented. The best indications of policy preferences come from interactions in international discussions on the issue. Unfortunately, only a relatively small percentage of countries have participated in such forums. While conclusions may be drawn about the policies of the participating countries, any speculation on the views of other countries is risky.

IV. The General Nature of Any Adequate Solution

Any solution to the problem of unaddressed law enforcement interests requires several characteristics to be successful. Important elements to consider are the forum that should be used to develop a regulatory system, and what that system should be. When considering the appropriate forum for the solution, both the propriety of the forum and the interests of the participating countries should be evaluated. In developing a regulatory system, the architects of the system should take into account, again, the interests of the participating countries, but also methods to ensure the involvement of private parties in the development of regulations. Additionally, designers should provide for an appropriate compliance assessment mechanism.

A. The Appropriate Forum

While the theoretical discussion of the appropriate choice of forum is divided into two separate considerations, practically, these aspects will likely need to be considered simultaneously.
Unless organizations or forums are created from scratch, the choice of topic and participant nations will likely dictate the size of the forum. Similarly, consideration of only organizations of a particular size will limit the choice of geographic region or topics that can be included in the agreement.

1. The Size of the Forum

As was seen with the discussion of cooperation among law enforcement agencies internationally,121 agreements reached on a country-by-country basis often provide the most complete and efficient means of cooperation between the law enforcement of different countries.122 Thus, it is reasonable to expect that agreements on cryptography on a country-by-country basis would achieve regulations most narrowly tailored to law enforcement interests. However, it can be burdensome to negotiate separate agreements with each country, considering the fact that it is important to U.S. law enforcement interests for nearly every country to have some regulation of cryptography.123

The international forums discussing cryptography, in which the U.S. has been a participant, are an alternative to individual agreements. International forums, however, have two important shortcomings. First, with the generally large number of participants with diverse interests, the regulatory system agreed upon may not be narrowly tailored. In order to achieve consensus it may be necessary to develop a plan that suits the lowest common denominator. A better regulatory regime could be achieved in a forum lacking these few participants. Second, many of the forums have had no real power to constrain the actions of the participants. Thus, any decisions reached in these forums may not translate into any real benefit for U.S. law enforcement with respect to the participating countries.
Ultimately, the best approach may be similar to that taken by the Council of Europe.124 The use of moderately-sized multinational organizations can eliminate some of the effort that would be required to negotiate with each member individually, but these organizations are not so large as to force law enforcement interests to be inadequately protected. This type of organization can also lead to the development of enforceable treaties or other agreements that could provide real protection of law enforcement interests.

2. The Subject Matter of the Forum

The subject addressed by a cryptography forum can have a substantial impact on the policy approach, and will, in turn, affect the regulatory approach favored by the participants. This result becomes evident by observing the outcomes of the various organizations that have addressed the issue of cryptography.125 Those with a business, or even military, orientation have not reached solutions that would adequately protect legitimate law enforcement access to information. Although the G-7 forum is not generally focused on crime, by addressing cryptography in the criminal context, its policy conclusions were the most promising for law enforcement. This indicates that an organization focused on criminal law issues may develop a plan that best protects law enforcement interests.

The expertise of the participants of the organizations addressing criminal law could result in structurally better treaties. Treaties that are vague or overly general may lead to difficulties in enforcement and implementation. General diplomats may not be sufficiently versed in the terminology of criminal law, but when treaties specifically addressing criminal law are negotiated within such organizations, more specialized officials may be used, leading to better treaties.126

Finally, it would be inefficient to "re-invent the wheel" with regard to cooperation among the law enforcement and governing bodies of foreign countries.
Any international agreement that provides for U.S. law enforcement access to encrypted information will likely involve substantial U.S. law enforcement interaction with other countries. The United States, through Mutual Legal Assistance Treaties and other organizations, has already established relationships with foreign law enforcement and foreign governmental bodies. The U.S. should take advantage of these pre-existing forums and relationships when addressing the protection of law enforcement interests in cryptography. Choice of forum would also automatically address the question of the subject matter of the organization, as the organizations would have been established to address law enforcement problems.

B. Choosing the Appropriate Regulatory System

Based on a consideration of the needs of law enforcement, the policy approaches that must be balanced, and an analysis of existing legal regimes, several basic elements necessary for an adequate solution to the problem of cryptography are indicated. These interests are: (1) providing adequate protection of law enforcement interests, (2) tailoring the details of the system to the interests of the countries involved, (3) involving industry in the regulatory regime, and (4) creating compliance assessment mechanisms.

1. Adequate Protection of Law Enforcement Interests

There are a number of legitimate law enforcement needs requiring access to encrypted information.127 To protect legitimate law enforcement interests, any regulatory regime must protect law enforcement access to encrypted communications and stored data. Such protection could come through a pure system of cryptography regulation, or a mixed system of cryptography regulation coupled with changes in other legal rules to accommodate law enforcement investigations or prosecutions.128

2. Solutions Tailored to the Interest of the Countries Involved

Even for the few countries for which policy goals could be determined, it was seen that there were diverse interests behind each cryptography policy.120 Thus, a different approach may need to be taken with each country. The choice of forum to tailor interests must, of course, be balanced against the size and subject matter addressed by the organization.121

3. Involvement of Industry

One of the elements to which the success of money laundering prevention has been attributed is the involvement of the private sector in the development of regulations.122 The involvement of the software industry could give the government a better indication of the technological capabilities of software developers at a given time.123 Businesses could play a role in the choice of a regulatory system to minimize the difficulties faced in compliance, minimize the effects on their international competitiveness, and retrieve keys from trusted third parties when their own keys were lost, to recover data.

In fact, ensuring international competitiveness of U.S. software developers could be a valuable means of assisting law enforcement. U.S. businesses are directly regulable by the U.S. government, theoretically maximizing the protection of their interests that law enforcement can achieve. If this regulation is done in such a way as to ensure continued international competitiveness of U.S. products, U.S. law enforcement could have legitimate access to encrypted communications even when originating in countries without their own encryption regulations. Thus, it may be in the interest of U.S. law enforcement to ensure the competitiveness of U.S. encryption developers in the international market.

4. A Compliance Assessment Mechanism

Also contributing to the success of the approaches addressing money laundering have been assessment mechanisms.
In this context, compliance assessments not only ensured that agreements were being adhered to, but aided foreign governments in establishing a functional internal mechanism for administration of the agreement. Often in response to compliance assessments, countries would discover that it would be necessary or helpful to include multiple governmental bodies in the administration of the agreement.124

Such an assessment mechanism is clearly necessary in the context of cryptography regulation. Several countries that are part of the Wassenaar Arrangement, which regulates, among other things, export of encryption technology, have been lax in their compliance.125 Clearly, even our allies need careful attention in some circumstances. Additionally, one of the main tools used by organized crime groups is the neutralization of public officials and politicians through corruption or intimidation.126 Compliance assessments could help unearth such problems.

The intra-governmental coordination-facilitation benefits of a compliance assessment could be helpful as well. There seems to be internal disagreement within the governments of a number of foreign countries as to who should be in charge of cryptography regulation.127 If compliance assessments facilitate intra-governmental cooperation, that will benefit the system as a whole.

V. An Example of Practical Application of the General Solution

The theoretical framework for a solution to the cryptography problem discussed in Part IV can be demonstrated through examples of its practical application. This first involves an evaluation of potential forums to be used to address cryptography regulation. Second, practical solutions to the problems will be addressed, balancing law enforcement needs with other policy interests and national concerns, in addition to a consideration of lessons learned from existing legal regimes.

A. The Appropriate Forum

As noted in Part IV, the two inquiries with regard to the appropriate forum should be addressed simultaneously. Thus, this discussion will incorporate both aspects. Additionally, only a few organizations, and thus only a few geographic regions, will be addressed by means of example.

1. South America

The Inter-American Drug Abuse Control Commission (CICAD) is perhaps one of the best examples of the kind of organization that would be an appropriate forum for the negotiation of cryptography regulations. The purpose of CICAD is to address the control of international drug crime. Part of the role of CICAD is to facilitate the cooperation and interaction between law enforcement bodies of member states.128 Thus, needless duplication of effort when cooperation for cryptography regulation and law enforcement access is established could be avoided. Further, CICAD leads to the creation and adoption of multilateral treaties.129 Thus, there could be real constraints placed on CICAD members. With 32 members, within a single geographic region, it appears to be a reasonable size without resulting in excessive duplication of effort.

2. Europe

Europe poses slightly greater difficulty for a choice of forum than South America. There are two organizations covering Europe that could potentially be good forums for the development of cryptography regulations.

The first organization is the Financial Action Task Force on Money Laundering (FATF). This organization exists to foster international cooperation in combating illegal money laundering. As with CICAD, this organization facilitates cooperation and interaction between law enforcement bodies of the member states. With 28 members, it is probably small enough and sufficiently geographically tailored to be a good forum for the negotiation of encryption regulations. Finally, although the actions of the FATF do not appear to result in treaties, they do seem to be able to bind the actions of the members to some extent.
It is not clear whether the existing means of constraints would be satisfactory to implement a system of cryptography regulations.130

The second European organization, the Organization for Security and Co-operation in Europe (OSCE), could also be an adequate forum. Unlike the FATF, the OSCE has led to several treaties. Thus, it could ensure the adherence of members to any regulatory regime developed. However, the subject-matter of the organization appears to be more military-oriented than crime-oriented. Additionally, with 55 members, it would appear to be somewhat larger than appropriate to provide the maximum tailoring of interests.131 Thus, each of these organizations has respective advantages and disadvantages.

3. Asia

Asia appears to be a difficult region for which to find an appropriate organization. Most of the organizations of which Asian nations and the United States are a part seem oriented to economic discussions rather than criminal discussions. The Association of Southeast Asian Nations (ASEAN) may be one of the better possibilities. ASEAN consists of 21 countries, clearly a reasonable size. Several treaties have also come out of ASEAN activities. Thus, the actions of member states could be adequately constrained by this organization. However, the subject matter of this organization is primarily economic, with minimal discussion of security issues with a military focus. Thus, it is not clear that the subject-matter is appropriate for adequate protection of law enforcement interests through regulation of cryptography.

The absence of an appropriate organization is particularly problematic given the importance of Southeast Asia as a region that is technologically advanced, possibly being a source of encryption technology for criminal or terrorist organizations. This region is also of particular concern for organized crime and economic espionage.
Given the unique characteristics of the region, it is unfortunate that there is apparently no better forum for the discussion of cryptography regulation.

4. The Middle East

There appears to be no suitable organization for addressing cryptography regulation in the Middle East either. This is of particular concern given the terrorist threat posed by countries in this region. This leaves several options for overall cryptography regulation. The United States could try to negotiate with the countries individually, or establish an organization to address these problems. However, given the poor relations between the United States and many of the countries posing terrorist threats, it is unlikely that the nations would participate, even if the United States were able to reach an agreement with them. Thus, the best remaining option is to control the accessibility of cryptography to these countries to whatever extent possible.

B. The Substance of the Approach

The substance of the approach to cryptography regulation must have several elements. This includes both domestic regulation, and possibly import and export restrictions. Industry involvement could come in various ways, including through participation in compliance assessment.

1. Domestic Regulation

Domestic regulation of cryptography is often proposed in terms of regulation of trusted third parties (TTP) or key escrow agents. While other solutions may be possible, the current prominence of this approach to regulation makes it a good solution for consideration.

a. Trusted Third Parties (TTP)

A commonly suggested approach for encryption regulation involves the use of TTPs or key escrow agents. The TTPs would be in charge of key management - they would issue and hold encryption keys. In appropriate circumstances, for example a valid warrant, they could provide law enforcement with keys to allow interception of encrypted communications or access to stored encrypted data.
This provides reasonable protection for law enforcement needs. With a warrant, law enforcement could access encrypted information when necessary. Use of TTPs could also provide reasonable protection to businesses and individuals. Under this system, law enforcement will have access to information regardless of encryption strength. Consequently, there will be no need for restrictions on encryption technology. Since a TTP must have some reason to provide the encryption key, this should prevent foreign governments and competitors from freely conducting industrial espionage.

b. Industry Interests

Regulating cryptography through the use of TTPs would also facilitate U.S. encryption developers' competitiveness in the world market. If software developers comply with key escrow requirements, then any information encrypted with this software can be accessed by law enforcement through the TTP, meaning that any export restrictions could be substantially cut back, or even eliminated. This would put developers at much less of a disadvantage relative to developers constrained by export restrictions.

More formal representation of interests could come through industry participation in future refinements to the cryptography regulation system. A less formal process similar to the Federal Communication Commission's (FCC) comment process for proceedings and proposed rules may be appropriate.132 There may also be some room, within a general regulatory framework, for TTPs to engage in some self-regulation. The software industry could be involved in policy-making more directly through such a process.133

Finally, the more countries that adopt a particular cryptography regulatory regime, the less the developers of any single country will be disadvantaged. If all the countries that are major developers of encryption technology adhere to similar regulatory regimes, the net effect on competition from regulatory restrictions will be minimal.

c. Technological Solutions to Concerns About TTPs

Several fears remain about TTPs. First, there is the fear that they will be dominated by law enforcement, who will have access to any encrypted information they want, regardless of the legitimacy of their interests. Second, there is fear among foreign countries that the United States will dominate the TTPs and abuse their power. Finally, there is the fear that a centralized bank of keys would provide a tempting target for thieves, and would put cryptosystems at much greater risk than if keys were maintained by individuals.

These problems could be addressed by technological solutions. Both the fear of U.S. domination and the fear of how attractive a localized depository of all encryption keys would appear to a criminal could be addressed by decentralization of TTPs. Each country should be responsible for maintaining its own TTPs.134 This will help ensure that the United States is not able to abuse the system. It also makes the key management system more diffused, making any particular TTP less attractive to a criminal.135

The concern about illegitimate use of the system by law enforcement could be addressed, in part, through a system of encryption utilizing multiple keys. In particular, a system of "secret-sharing with prevention" could be used.136 Five keys would exist for every cryptosystem, with two keys required for decryption. The owner of the encryption program would have two keys, allowing them free use of their program. One key would be provided to law enforcement upon a request of the TTP. Another would be provided to a judicial officer, or to law enforcement upon a showing of judicial authorization. A final key would be used either as an additional key for the court, or perhaps some national security agency.
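The five-key, two-required arrangement and its "prevention" veto (three "no" keys overrule two "yes" keys, per note 137) can be made concrete with the following added example, which is not part of the original note. It assumes Shamir's polynomial secret sharing as the threshold construction (the note cites Schneier without naming a scheme), models the veto as a tally applied by whoever combines the shares rather than as a cryptographic property, and uses hypothetical holder labels and a constructed sample key.

```python
"""Two-of-five escrow of a key with a three-vote veto (illustrative model)."""
import secrets

PRIME = 2**127 - 1   # Mersenne prime; all share arithmetic is done mod PRIME
THRESHOLD = 2        # "yes" shares needed to rebuild the key
VETO = 3             # "no" votes that block release (note 137)
# Hypothetical labels for the five key holders the note lists.
HOLDERS = ("owner_1", "owner_2", "ttp", "judicial", "reserve")
# Constructed sample key, not a real one.
SAMPLE_KEY = 0x00112233445566778899AABBCCDDEEFF


def split(secret, holders=HOLDERS, threshold=THRESHOLD):
    """Give each holder one point on a random polynomial with f(0) = secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Degree threshold-1 polynomial: constant term is the secret,
    # the remaining coefficients are uniformly random field elements.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x, holder in enumerate(holders, start=1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares[holder] = (x, y)
    return shares


def combine(points):
    """Recover f(0) from at least THRESHOLD points by Lagrange interpolation."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def request_access(shares, ballots):
    """Apply the yes/no tally, then rebuild the key only if release is allowed.

    ballots maps a holder label to "yes" or "no"; holders who are absent
    from the mapping have not cast their key either way.
    Returns the key, or None when access is refused.
    """
    for holder, vote in ballots.items():
        if holder not in shares or vote not in ("yes", "no"):
            raise ValueError(f"bad ballot: {holder!r} -> {vote!r}")
    yes = [h for h, v in ballots.items() if v == "yes"]
    no = [h for h, v in ballots.items() if v == "no"]
    if len(no) >= VETO:          # prevention: three "no" keys overrule
        return None
    if len(yes) < THRESHOLD:     # too few shares to interpolate
        return None
    return combine([shares[h] for h in yes])


if __name__ == "__main__":
    shares = split(SAMPLE_KEY)
    cases = {
        "owner decrypts own data": {"owner_1": "yes", "owner_2": "yes"},
        "TTP share alone": {"ttp": "yes"},
        "TTP + court, owner objects": {
            "ttp": "yes", "judicial": "yes", "owner_1": "no", "owner_2": "no"},
        "TTP + court, owner and fifth key object": {
            "ttp": "yes", "judicial": "yes",
            "owner_1": "no", "owner_2": "no", "reserve": "no"},
    }
    for label, ballots in cases.items():
        key = request_access(shares, ballots)
        print(f"{label}: {'released' if key == SAMPLE_KEY else 'refused'}")
```

Any single share is one point on a line whose slope is random, so the TTP's share by itself is consistent with every possible key; this is what makes a decentralized TTP a less valuable target than a store of whole keys.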
This system allows law enforcement access to the encrypted information upon a request of the court, as with current warrant requirements, or with the cooperation of the owner of the encryption program.137 The "prevention" aspect of the system adds an extra element of protection. It allows a foreign government to prevent the U.S. from accessing the communications of a member of their intelligence agency.138 A system could also be set up whereby an individual is able to petition a court or other party to get them to invoke the fifth key on the individual's behalf.139

This system would not provide perfect prevention of abuse by law enforcement personnel. However, the protection provided by the current system, requiring warrants for searches and wiretaps, is arguably no better.140 Thus, the balance between law enforcement's need for access and the right to privacy would remain roughly the same.

2. Import Restrictions

Since the key to law enforcement access to encrypted information is use of the TTPs, use of encryption programs not complying with the regulatory system will frustrate this access. As a consequence, restrictions prohibiting the import of software developed in countries without any escrow requirements would be appropriate. It will be impossible to prevent access to any encryption technology that does not comply with the escrow requirements. However, import restrictions should minimize its presence within any country utilizing a TTP regulatory system.

3. Export Restrictions

Export restrictions pose a more difficult question. Software complying with the key escrow system will have adequate law enforcement protections built in. Therefore, there is little justification for export restrictions. At the very least, there could be some relaxation of export controls for encryption products with properly escrowed keys.141

4. Compliance Assessment Mechanism

Self-regulation is an appropriate method of evaluating and determining standards of compliance for some aspects of TTPs.142 Certain aspects of TTP operations, such as the security of keys, or the procedures for software developers to comply with escrow requirements, should be self-regulated. Self-regulation would allow the software industry to have some control over their own fate, while removing some of the burden of monitoring the regulatory system from the government.

Some international compliance assessment will likely be necessary, as well. It is unclear exactly what form this international regulation should take. It should probably be facilitated by the organization through which the cryptography regulations were developed.

VI. Conclusion

The international nature of crime and cryptography makes it necessary for there to be international regulation of cryptography. The current technological and legal environment does not adequately protect legitimate law enforcement interests in access to information. However, a solution may yet be possible that would restore the balance between privacy and law enforcement need for access. Any such solution, however, must be implemented on an international scale if it is to be effective.

a J.D., Harvard Law School, 1999. I thank Prof. Phillip Heymann for his helpful comments.

1 See infra Part II.B. 2 See Brian Sullivan, International Organized Crime: A Growing National Security Threat, 74 STRATEGIC FORUM 2 (1996). 3 See, e.g., Threat from International Organized Crime and Terrorism Before the House Comm. on International Relations; 105th Cong. 94 (1997) available in 1997 WL 615544 (F.D.C.H.) (statement of Louise Shelley, Director, Center for Transnational Organized Crime and Corruption, American University) (transnational organized crime will be a defining issue of the 21st Century); Recent Developments in Transnational Crime affecting U.S.
Law Enforcement and Foreign Policy; Mutual Legal Assistance Treaty in Criminal Matters with Panama, Treaty Doc. 102-15; 1994 International Narcotics Control Strategy Report Before the Senate Subcomm. on Terrorism, Narcotics and International Operations of the Comm. on Foreign Relations, 103rd Cong. 4, 13 (1994) (statement of James Woolsey, CIA director) (noting that "Attorney General Reno singled out terrorism, drug trafficking and international money laundering as achieving such as degree of sophistication as to threaten U.S. National security interests."). 4 Recent Developments, supra note 3 at 27 (statement of Hon. Robert S. Gelbard, Assistant Secretary for International Narcotics Matters, Department of State). There are a substantial number of foreign countries that are the source of organized crime posing a particular threat to the United States. For organized cocaine trafficking, the relevant countries include Argentina, Bolivia, Brazil, Chile, Colombia, Mexico, Peru and Venezuela as well as the Caribbean and Central America. For heroin, the implicated countries include Burma, China, Pakistan, and Afghanistan. Foreign countries housing organizations of general organized crime threat include China, Italy, Nigeria and Russia. See id. at 4-13 (statement of James Woolsey, CIA Director). Foreign countries posing a threat from the laundering of drug money include Cayman Islands, Colombia, Italy, Mexico, Panama, Russia, and Venezuela. See Threat to U.S. Trade, supra note 3 at 116-25 (statement of Stanley E. Morris, Director, Financial Crimes Enforcement Network, Department of Treasury). 5 See Sullivan, supra note 2 at 1. 6 Threat to U.S. Trade, supra note 3 at 92 (statement of Robert S. Leiken, President, New Moment). 7 See Threat to U.S. Trade, supra note 3 at 67 (statement of Senator Dominici). 8 See Recent Developments, supra note 3 at 5 (statement of James Woolsey, CIA director). 9 18 U.S.C. § 3077(1)(B) (1994). 10 PHILIP B.
HEYMANN, TERRORISM AND AMERICA 4 (1998) (citing the definition proposed by Professor Alex P. Schmid of Leiden University in the Netherlands). 11 See Current and Projected National Security Threats to the United States Before the Senate Select Committee on Intelligence 105th Cong. 21 (1997) (statement of Toby T. Gati, Assistant Secretary of State for Intelligence and Research). Foreign countries posing particular terrorist threats include Iran, Iraq, Sudan, Syria, among other countries in the Middle Eastern region. See id. at 4-11 (statement of George J. Tenet, Acting Director, Central Intelligence); see also id. at 25-7 (statement of Toby T. Gati, Assistant Secretary of State for Intelligence and Research concerning Iran, Iraq, Syria, and Libya). 12 Cf. id. at 13 (statement of Lieutenant General Patrick M. Hughes, USA, Director, Defense Intelligence Agency) (explaining that, if terrorists use weapons of mass destruction, they will likely be chemical or biological because of ease in building, transporting and hiding). 13 See id. at 93 (statement of John H. Moseman, Director of Congressional Affairs, CIA). 14 The Threat from International Organized Crime and Global Terrorism Before the House of Representatives Comm. on International Relations, 105th Cong. 85 (1997) available in 1997 WL 615574 (F.D.C.H.) (statement of Arnaud de Borchgrave, Director, Global Organized Crime Project, Center for Strategic and International Studies). 15 Current and Projected National Security Threats, supra note 11 at 93 (statement of John H. Moseman, Director of Congressional Affairs, CIA). 16 See Scott Charney & Kent Alexander, Computer Crime, 45 EMORY L. J. 931, 934 (1996). 17 "[F]or example, a bank employee may use a computer program to skim small amounts of money from a large number of bank accounts, thus generating a significant sum for personal use." Id. 18 See id. 19 See id. at 935. 20 See id. at 936. 
21 See Cole Durham, The Emerging Structures of Criminal Information Law: Tracing the Contours of a New Paradigm, INFORMATION TECHNOLOGY CRIME 533, 567 (1994). 22 See Charney & Alexander, supra note 16 at 937. 23 See id. at 937-8. 24 Thus, any country where there is a computer and a modem is a source of a computer crime directed against the United States. The problem of computer crime is widely recognized worldwide. See generally, INFORMATION TECHNOLOGY CRIME (Ulrich Sieber, ed.) (1994) (containing national computer crime reports from 29 different countries). 25 See Ulrich Sieber, Commentary and Preparatory Questions for the National Reports, in INFORMATION TECHNOLOGY CRIME 5, 11 (1994). 26 See, e.g., Economic Espionage Act, 18 U.S.C.A. §§ 1831, 1832 (Supp. 1998). 27 See Current and Projected National Security Threats, supra note 11 at 127-8 (responses of Barbara Larkin, Assistant Secretary of Legislative Affairs, State Department). 28 Economic Espionage Before the House of Representatives Subcommittee on Crime of the Committee on the Judiciary, 104th Cong. 11 (1996) (statement of Louis Freeh, Director, FBI). Thus, any country could conceivably pose a threat in this area, either presently, or in the future, although the threat will vary with the country. However, several countries that have been identified as particular threats of economic espionage include China, Cuba, France, India, Israel, Iran, Iraq, Libya, Pakistan, Russia, South Korea, Syria and Taiwan. See KENNETH W. DAM & HERBERT S. LIN EDS., NATIONAL RESEARCH COUNCIL, CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY 32-3 (1996) (hereinafter "CRISIS"). 29 See James H. A. Pooley, et al., Understanding the Economic Espionage Act of 1996, 5 TEX. INTELL. PROP. L. J. 177, 178 (1997). 30 Cf. H.R. Rep. No. 104-788, at 11 (1996) reprinted in 1996 U.S.C.C.A.N. 4021, 4030. 31 BRUCE SCHNEIER, APPLIED CRYPTOGRAPHY 1 (2d. ed. 1996). 32 See ARTO SALOMAA, PUBLIC-KEY CRYPTOGRAPHY 1 (2d ed. 1996).
33 See Schneier, supra note 31. 34 See id; see also F.L. BAUER, ENCRYPTED SECRETS 25-6 (1997). 35 For a description of the various forms of attacks on a system of cryptography by a cryptanalyst, see Schneier, supra note 31 at 5-7. The four most common types of attacks are: (1) Ciphertext-only attack, where the cryptanalyst uses the encrypted text of several messages encrypted with the same algorithm to determine either the plaintext of these messages or the key used to encrypt them; (2) Known-plaintext attack, where the cryptanalyst has the ciphertext of several messages, along with their plaintext, which he uses to determine the key; (3) Chosen-plaintext attack, is the same as (2), except that the cryptanalyst gets to choose the plaintext that is encrypted; and (4) Adaptive-chosen-plaintext attack, which is a variation on (3) in which the cryptanalyst can modify his choice of plaintext based on the results of previous encryption. See id. 36 See id. at 3-4. A useful illustration is the phone directory of a major city. If you know a person's name, it is relatively easy to find their phone number. However, it is exceedingly difficult to use the phone book to determine the person associated with a particular phone number. See Salomaa, supra note 32 at 71. 37 See Schneier, supra note 31 at 151-63. 38 See Salomaa, supra note 32 at 71. 39 Public-key cryptography is less susceptible to attack by using the encryption key to determine the decryption key, however it is susceptible to other forms of attack. See e.g., Schneier, supra note 31 at 48-9. 40 Id. 41 See CRISIS, supra note 28 at 77. 42 See id. at 74-5. 43 A recent report by the National Strategy Information Center on encryption technology concluded that it is too early to determine the exact impact that encryption will have on crime. The report further noted that current use of cryptography by organized crime is relatively low. 
Some reasons for this include the expense and difficulty in cryptography use as well as the fear of losing access to data as a result of key loss. Report Says Stronger Crypto May Hinder Law Enforcement, Suggests Further Study, 2 Elec. Info. Pol'y. & L. Rep. 31 (BNA) (Aug. 8, 1997). 44 The forensics lab of the FBI's Computer Analysis Response Team (CART) reported that about 5% of cases encountered involved use of cryptography, roughly double the level in 1994. Id. There is increasing anecdotal evidence of crimes involving cryptography. For example: An international terrorist was plotting to blow up 11 U.S.-owned commercial airliners in the Far East. His laptop computer which was seized during his arrest in Manila, contained encrypted files concerning this terrorist plot. A subject in a child pornography case used encryption in transmitting obscene and pornographic images of children over the Internet. A major international drug trafficking subject recently used a telephone encryption device to frustrate court-approved electronic surveillance. Department of Justice, Letter from Attorney General Janet Reno, et al. to Members of Congress, (last modified July 18, 1997) [hereinafter Letter from Attorney General]. For a more extensive list of about 20 instances of terrorism, organized crime, espionage, and child pornography utilizing cryptography see Dorothy E. Denning and William E. Baugh, Jr., Cases Involving Encryption in Crime and Terrorism (last modified Oct. 7, 1997) . 45 See, e.g., Letter from Attorney General, supra note 42; Testimony of Robert S. Litt, (last modified Sep. 4, 1997) . 46 See CRISIS, supra note 28 at 81- 4. 47 See id. at 83. 48 See id. at 88-90. 49 See CRISIS, supra note 28 at 82-4. 50 See id. at 90. 51 Id. at 94. 52 Some commentators have argued persuasively that the engineering of technologies such as cryptography is itself a form of regulation. 
See, e.g., Lawrence Lessig, The Constitution of Code: Limitations on Choice-Based Critiques of Cyberspace Regulation 5 CommLaw Conspectus 181 (1997) (discussing how code can regulate in cyberspace). However, this paper will focus on the more traditional conceptions of regulation through laws and treaties. For a brief discussion of the appropriate role of the government in the technical development of cryptography see Marcus Maher, Note, An Analysis of Internet Standardization, 3 VA. J. L & TECH 5  45-50 (1998) . 53 "Currently, the United States has MLATs in force with Switzerland, Turkey, Italy, the Netherlands, Canada, Mexico, the Bahamas, Argentina, Spain, Thailand, and the United Kingdom dependent territories in the Caribbean (the Cayman Islands, Anguilla, Montserrat, the British Virgin Islands and the Turks and Caicos Islands). MLATs have been signed but not brought into force with nine other governments: Uruguay, Jamaica, Morocco, Nigeria, Belgium, Colombia, United Kingdom, Korea and Panama." See New MLAT Treaties Increase DOJ's Reach, 4 NO. 7 DOJ Alert 7 (1994) [hereinafter New MLAT]. 54 See id. A letter rogatory is a formal request to a court in another country from a judge in the United States asking for assistance in gathering evidence. 55 See Marian Nash, Judicial Assistance, 86 AM. J. INT'L L. 548, 551 (1997). 56 One of the most important goals of MLATS is the establishment of quick, efficient communication directly between law enforcement bodies. See id. at 550. 57 The ability to communicate directly with foreign law enforcement bodies is particularly valuable in the context of civil law countries that are often reluctant to fulfill legal assistance requires submitted by prosecutors rather than judges. See id. MLATs can also assist substantially in overcoming bank and business secrecy laws. Such laws have frequently caused problems for the investigation of large-scale international criminal activities, including drug trafficking and white collar crime. 
See Bruce Zagaris, Dollar Diplomacy: International Enforcement of Money Movement and Related Matter - a United States Perspective, 22 Geo. Wash. J. Int'l L. & Econ. 465, 497-8 (1989). 58 See New MLAT, supra note 53 at 7. 59 The Pompidou Groups was formed in 1971 by the Council of Europe to address drug abuse and trafficking through fact-finding and coordination of international agreements. See Scott Carlson and Bruce Zageris, International Cooperation in Criminal Matters: Western Europe's International Approach to International Crime, 15 NOVA L. REV. 551, 565-6 (1991). 60 The Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime (hereinafter Convention on Laundering) was drafted to allow parties to the convention the cooperation of other members in investigation and seizure in diverse areas including arms dealing and trafficking in children. See id. at 567-8. 59 See id. at 568-70. 60 See Ethan A. Nadelmann, The Role of the United States in the International Enforcement of Criminal Law, 31 HARV. INT'L L. J. 37, 45 (1990). 63 See id. at 74-76. 64 See id. at 76. 65 See id. at 74-76. 66 See 50 U.S.C. app.  2403 (Supp. III 1997). 67 See 22 U.S.C.  2767 (Supp. III 1997); see also Stewart A. Baker and Michael D. Hintze, Government Regulation of Encryption: Domestic and International Developments 760 PLI/COMM 445, 447 (1997); Find Law, Executive Order on Administration Of Export Controls On Encryption Products (visited Feb. 19, 1999) 68 See Find Law, Executive Order on Administration Of Export Controls On Encryption Products (visited Feb. 19, 1999) ; see also Baker, supra note 65, at 447. 69See Commerce and Foreign Trade, 15 C.F.R.  744.9 (1997) 70 See id. 71 See Commerce and Foreign Trade, 15 C.F.R.  734.2(b) (1997). 72 See Baker, supra note 67, at 448; Find Law, Executive Order on Administration Of Export Controls On Encryption Products (visited Feb. 19, 1999) . 73 See Sec. 202-205. 74 See H.R. 
695 Security and Freedom Through Encryption (SAFE) Act (Reported in the House), (visited Mar. 5, 1999) (Sections 201-203, struck out in reported version). 75 See Steptoe & Johnson L.L.P., Fact Sheet: The New Encryption Export Regulation, (last modified Oct. 2, 1998) (this does not include export to subsidiaries in the seven state sponsors of terrorism). 76 See id. (these countries include: Anguilla, Antigua, Argentina, Aruba, Austria, Australia, Bahamas, Barbados, Belgium, Brazil, Canada, Denmark, Dominica, Ecuador, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Kenya, Luxembourg, Monaco, The Netherlands, New Zealand, Norway, Poland, Portugal, Seychelles, Spain, St. Kitts and Nevis, St. Vincent/Grenadines, Sweden, Switzerland, Trinidad and Tobago, Turkey, the United Kingdom and Uruguay). 77 Most Middle Eastern countries are not members of the organizations which are responsible for much encryption regulation at the national level, such as the Wassenaar Arrangement or the European Union, see infra note 80 and details of any independently undertaken encryption regulations of many of these countries are difficult to obtain. Cf. Bert-Jaap Koops, Crypto Law Survey, (last modified Feb. 1999) (noting the absence or minimal nature of cryptography regulations in Saudi Arabia and the existence of some regulations in Israel); An International Survey of Encryption Policy, (visited Mar. 4, 1999) (noting their ability to obtain information about the encryption laws of Iran). 78 See supra Part I.A.2. 78 As with China, there is some token regulation of cryptography in India, but it is not sufficient to pose any real problem for developers of cryptography. 79 See Wassenaar Arrangement (visited Feb. 9, 1999) http://www.wassenaar.org/.
80 See Sullivan, supra note 2 at 3 (discussing organized crime originating in China and Japan); Recent Developments in Transnational Crime, supra note 3 at 15-17 (prepared statement of James Woolsey, CIA Director) (discussing the organized crime threat of various segments of Asia). 81 See CRISIS, supra note 28 at 453 (noting that the Coordinating Committee (CoCoM), the predecessor of the Wassenaar Arrangement was a Cold War response to the threat of the Soviet Union which required member countries to implement regulations governing export of military items, including cryptography). 81 See The United States Department of Commerce and the National Security Agency, A Study of the International Market for Computer Software with Encryption, II-16, 25, 30-31 [hereinafter Encryption Study]. 82 See Koops, supra note 77 (of the 60 countries surveyed, fewer than 10 have any kind of domestic controls.). 83 See supra note 80. 84 See Stewart A. Baker and Michael D. Hintze, Government Regulation of Encryption: Domestic and International Developments, 760 PLI/Comm. 445, 455 (1997). 85 See Stewart A. Baker, Decoding the OECD's Guidelines for Cryptography Policy, 31 INT'L LAW. 729 (1997) (Organization of Economic Cooperation and Development (OECD) suggested guidelines for Cryptography policy). 86 See generally Recommendation No. R (95) 13, (last modified Apr. 15, 1996) (the Council of Europe (COE) generally recommends that the negative effects on law enforcement be reduced as long as business interests are unaffected). 87 See Recommendation No. R (95) 13, supra note 88 (Council of Europe (COE) policy); see also Decoding the OECD's Guidelines, supra note 87 (Organization for Economic Cooperation and Development (OECD) suggested policy guidelines); GUIDEC, (last modified Mar. 25, 1998) (International Chamber of Commerce (ICC) document to facilitate electronic commerce). 88 See Angela Drolte, G-7 Group Bent on Curbing Terrorism Appears Ready to Regulate Encryption, 1 Elec.
Info. Pol'y. & L. Rep. 16 (BNA) (Aug. 2, 1996). 89 See id. (G7/P8 Ministerial Conference on Terrorism, (last modified Dec. 6, 1996) . 90 See A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. PA. L. REV. 709, 722 (1995). 91See id. at 723. 92 See id. 93 See id at 722. 94 See Gerald Murphy, U.S. Dep't of the Treasury, Directive: Electronic Funds and Securities Transfer Policy-Message Authentication and Enhanced Security, No. 16-02,  3 (Dec. 21, 1992). 95 See Froomkin, supra note 92 at 719-20. 96 See e.g., Guy Gugliotta and Nick Madigan, Couple Thought Tape Was 'Part of History', WASH. POST, Jan. 14, 1997, at A1, A4 (interception of Newt Gingrich's cellular phone conversation by Florida couple, indicating ease of interception of phone conversation). 97See Froomkin, supra note 92 at 729-30. 98See id. 99 See id. 100 See id. at 730-5. 101 See id. (noting that "[d]uring the 1970s, the FBI kept information in its files covering the beliefs and activities of more than one in four hundred Americans; during the 1960s, the U.S. Army created files on about 100,000 civilians."). 102 See Note, Jaleen Nelson, Sledge Hammers and Scalpels: the FBI Digital Wiretap Bill and Its Effect on Free Flow of Information and Privacy, 41 UCLA L. REV. 1139, 1155 (1994) (citing U.S. International Telecommunications Policy, 3 U.S. DEP'T OF STATE DISPATCH, Aug. 10, 1992, at 636). 103 See id. at 1156. 104 See CRISIS, supra note 28 at 41-2. 105 For a more detailed description of the law enforcement interests in cryptography, see supra Part I.C. 106 Testimony of Robert S. Litt, supra note 45. 107 See supra Part III.A.1. 108 See Testimony of Robert S. Litt, supra note 45. 109 See e.g., Computer Fraud and Abuse Act, 18 U.S.C.A.  1030 (1996) (criminalizing various computer eavesdropping and hacking activity); The Economic Espionage Act, 18 U.S.C.A.  1831 et. seq. 
(1996) (criminalizing the theft of trade secrets); President's Commission on Critical Infrastructure Protection, (last modified Dec. 29, 1997) (commission established to consider threats to and means of protecting critical infrastructures from computer attacks); Critical Infrastructure Assurance Office, (last modified Oct. 16, 1998) (an organization created as a result of the recommendations of the President's Commission that will facilitate the creation of a national plan to protect critical infrastructures); National Infrastructure Protection Center, (last modified Oct. 17, 1998) (an outgrowth of the FBI's computer crime unit, established to develop computer protection policies and investigate computer crimes). 110 See Bob Violino, Gore Rebuffs Software Industry, INFORMATION WEEK , Feb. 7, 1994, at 15. 111 See Angela Drolte, Commerce Department to Reassess Aspects Of New Export Rules for Encryption Products, 2 Elec. Com. & L. Rep. 8 (BNA) (Feb. 21, 1997). Also signing the letter to President Clinton were: the National Association of Manufacturers, the Business Software Alliance, the National Retail Federation, the Association of Research Libraries, the Securities Industry Association, the Software Publishers Association, the Information Technology Association of America, the Commercial Internet eXchange, the Direct Marketing Association, the Pro Trade Group, the Online Bankers Association, the National Foreign Trade Council, and the Electronic Messaging Association. Id. 112 The countries that have expressed this as a major interest include: Australia, Italy, Japan, Norway and Switzerland. See Stewart A. Baker, Summary Report on the OECD Ad Hoc Meeting of Experts on Cryptography, (last modified Nov. 13, 1996) . 113 See id. 114 Countries expressing this concern include: Canada, Denmark, France, The Netherlands, and the United Kingdom. See id.; Angela Drolte, Many OECD Nations At May Meeting Favored Middle Approach To Crypto Policy, 1 Elec. Info. Pol'y & L. Rep. 
6 (BNA) (May 17, 1996). 115 Although it may not truly fall within the scope of "national sovereignty" concerns, it has been noted that China would be the least likely of the major powers to join in any agreement to regulate cryptography. This is due to the nature of the Chinese government and China's interactions with other countries. China has been unwilling to participate in international meetings on cryptography. "[G]iven that China is the frequent target of sanctions as a result of its arms proliferation and human rights practices, it is questionable whether China would cooperate with other nations on the sensitive issue of encryption." See Baker, Government Regulation, supra note 67 at 459. 116 See Baker, Summary Report on the OECD, supra note 114. 117 In the OECD discussions of cryptography, "a dwindling band of smaller countries - principally Canada - took on the task of stressing the importance of privacy...." Baker, Summary Report on the OECD, supra note 114. Other countries promoting this interest include Australia and Switzerland. See also id. 118 These countries include: Canada, Germany, Japan, Norway and Turkey. See Drolte, Many OECD Nations, supra note 116; Stewart Baker, Japan Enters the Crypto Wars (visited Feb. 26, 1998) . 119 See supra notes 110 - 111 and accompanying text. 120 See Drolte, Many OECD Nations, supra note 116 (noting the concern of Germany, Norway and Turkey that a key escrow system could "weaken the development of products and services on the Internet."). 121 See supra Part II.D. 122 Namely, the Mutual Legal Assistance Treaties. See supra Part II.A. 123 One commentator noted that, "no large country produces as few treaties and as much rhetoric about international cooperation as the United States." Thus, not only is there the practical difficulty of dealing with so many nations on an individual basis, but the difficulties of the politics involved in treaty establishment. 
The resulting time scale for passage of hundreds of MLATs could substantially delay U.S. action on cryptography regulation. See Zageris, supra note 57 at 550.

124 See supra note 59 and accompanying text.

125 See supra Part II.C.

126 This has been offered as an explanation by one commentator for why the Council of Europe Conventions on Inter-State Cooperation in Penal Matters are of higher technical quality than the international instruments of both the League of Nations and the UN. See M. Cherif Bassiouni, Policy Considerations on Inter-State Cooperation in Criminal Matters, 4 PACE Y.B. INT'L L. 123, 127-8 (1992).

127 See supra Part III.A.3.

128 For example, Danish courts will shift the burden of proof to the defendant if he does not provide certain kinds of evidence that is within his control and an approach from the Netherlands would require citizens to decrypt information when necessary for purposes of a criminal investigation. See Stewart Baker, Summary Report on the OECD, supra note 114.

120 See supra Part III.B.

121 See supra Part IV.A.

122 See Threat to U.S. Trade, supra note 3 at 55-65 (statement of Alan S. Abel, Director, Coopers & Lybrand L.L.P.).

123 The approach already proposed by England for dealing with encryption regulation through TTPs would include substantial industry communication in the development of the TTP system. See Baker, Summary Report on the OECD, supra note 114.

124 See Threat to U.S. Trade, supra note 3 (statement of Alan S. Abel, Director, Coopers & Lybrand L.L.P.).

125 As noted at Part II.B.2., Finland, New Zealand and Switzerland have been found to be somewhat lax in their enforcement of the Wassenaar Arrangement export restrictions. See Encryption Study, supra note 83 at II-16, 25, 30-1.

126 See Sullivan, supra note 2 at 2. (During the OECD discussions, Austria raised the issue of the potential for the mafia to buy up a TTP and obtain secret keys not available to law enforcement.) See also Baker, Summary Report on the OECD, supra note 114.

127 For example, there seems to be some confusion in Japan between the Ministry of Posts and Telecommunications (MPT) and the Ministry of International Trade and Industry (MITI) as to control of cryptography policy. See Baker, Japan Enters the Crypto Wars, supra note 120. This kind of conflict has even occurred within the U.S. between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). See, e.g., Don Clark, Spies Inhibit Data Security, March 25, 1991 S.F. Chron., at B1 (The National Research Council panel on computer security noted "internecine political squabbles" between NIST and the NSA over encryption standards).

128 See Inter-American Drug Abuse Control Commission (CICAD) (visited Feb. 21, 1999) .

129 See Multilateral Treaties, (visited Feb. 21, 1999) .

130 See About FATF, (visited Feb. 21, 1999) .

131 See Fact Sheet, (last modified Feb. 6, 1998) .

132 See How to Comment, (visited Feb. 21, 1999)

133 Something analogous to the National Association of Securities Dealers (NASD), which regulates securities dealers within the general framework of U.S. securities laws, could be allowed to engage in the monitoring of key security, procedures for issuing keys, etc. with regard to TTPs. Software industry representatives could be part of this body. See Profile, (visited Feb. 21, 1999) .

134 There would need to be some sort of information attached to any encrypted information indicating the country or particular TTP where the keys are escrowed to indicate to any law enforcement agency where to request keys.

135 Clearly, the smaller TTPs would still be more attractive than individuals all holding their own keys. No TTP system could avoid this problem completely, but greater diffusion would help.

136 The basic idea of "secret sharing" is similar to a system for launching nuclear missiles. To prevent accidental launch, five keys could be given out to five different Generals. Two keys could be required to launch the missile. In this way, no one person could launch the missiles themselves. See Schneier, supra note 31 at 71.

137 The "protection" element of secret-sharing with protection means that every "key" has a "yes" share and a "no" share. For example, in our 5 key system, 3 "no" keys would be able to overrule the 2 "yes" keys, and prevent access to the encrypted information. See id. at 73. The likelihood is that the owner would always keep their "no" keys in place unless decrypting the information themselves. Thus, the remaining three keys would be the deciding factors.

138 An example using an international law enforcement problem could best demonstrate this system. If U.S. law enforcement wishes to decrypt certain communications using encryption from a foreign TTP, they could get one key immediately upon request of the TTP. For the second key, the U.S. agency would need to proceed through established protocols to obtain a second key with the permission of the foreign government or judicial system. If the foreign government wanted to prevent the U.S. from accessing the information, if the individual was involved in one of their intelligence agencies, for example, they could use the fifth key in concert with the individual to prevent U.S. access.

139 There is still the problem of how an individual would know when their encrypted information was being accessed, and thus when they would need to avail themselves of the system to prevent access.

140 See supra notes 97-99 and accompanying text.

141 Under the current U.S. system there is a policy that would allow 64-bit encryption to be treated the same as weaker encryption products if the 64-bit products are "properly escrowed." The criteria for proper escrow of products are intended to ensure that the escrow of keys cannot be easily circumvented. See CRISIS, supra note 28.

142 Both Australia and the EU have suggested that self-regulation for TTPs would be an appropriate method of regulation. See Baker, Summary Report on the OECD, supra note 114.
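The two-of-five scheme of notes 136-138 can be sketched in code; the following is an added example, not part of the original note or of Schneier's text. It uses Shamir's threshold scheme for the sharing itself and models the "yes"/"no" rule of note 137 as a simple vote count rather than a cryptographic construction; the holder names, the allocation of two keys to the owner, and the field modulus are assumptions.

```python
import secrets

P = 2**127 - 1  # prime field modulus (an assumed choice; any prime > secret works)
HOLDERS = ["owner_1", "owner_2", "ttp", "court", "government"]  # assumed allocation

def split(secret, threshold=2, holders=5):
    """Split secret into `holders` shares; any `threshold` of them recover it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, holders + 1)]

def combine(shares):
    """Recover the secret by Lagrange interpolation at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def release(shares, yes, no, threshold=2, veto=3):
    """Counting model of note 137: `veto` "no" holders overrule the "yes" holders."""
    if set(yes) & set(no):
        raise ValueError("a holder cannot vote both ways")
    if len(no) >= veto or len(yes) < threshold:
        return None  # access refused, nothing is reconstructed
    return combine([shares[h] for h in yes[:threshold]])

def demo():
    key = secrets.randbelow(P)  # constructed stand-in for an escrowed key
    shares = dict(zip(HOLDERS, split(key)))
    # Note 138: the TTP hands over one share, the foreign court approves the second.
    granted = release(shares, ["ttp", "court"], ["owner_1", "owner_2"])
    # The fifth holder sides with the owner: three "no" votes block access.
    vetoed = release(shares, ["ttp", "court"], ["owner_1", "owner_2", "government"])
    return key, granted, vetoed

if __name__ == "__main__":
    key, granted, vetoed = demo()
    print(granted == key, vetoed)
```

Because the veto here is only a policy check, two cooperating "yes" holders could still call `combine` directly; enforcing the override cryptographically requires the yes/no share construction that note 137 cites.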