Note: for index of full report see: http://jya.com/nrcindex.htm

---------



                              G


       The International Scope of Cryptography Policy 



     G.1 INTERNATIONAL DIMENSIONS OF CRYPTOGRAPHY POLICY


   Any U.S. cryptography policy must take into account a
number of international dimensions, the most important of
which is the fact that the United States today does not have
unquestioned dominance in the economic, financial,
technological, and political affairs of the world as it might
have had at the end of World War II. Thus, the United States
is not in a position to dictate how the rest of the world
should regard cryptographic technology as it becomes more
relevant to nonmilitary and nondiplomatic matters.

   A second critical consideration is the international scope
of business, as described in Chapter 1. Increasingly, firms
need to be able to communicate with their subsidiaries or
affiliates across national boundaries, as well as with
nonaffiliated partners in joint ventures or in strategic
alliances. Whether multinational or not, U.S. firms will need
to communicate with customers and suppliers on a worldwide
basis. Foreign customers need to be able to pay U.S. vendors,
and vice versa, in a way that respects different monetary
systems; thus, financial transactions occur increasingly over
international boundaries, resulting in a truly global banking
and financial system. To the extent that these various types
of communications must be secure, cryptography provides a very
important tool for ensuring such security.(1) Thus, differing
national policies on cryptography that lead to difficulties in
international communications work against overall national
policies that are aimed at opening markets and reducing
commercial and trade barriers.

   Related is the fact that U.S. companies, including the
high-technology companies that manufacture information
technology products with worldwide acceptance and popularity,
face the potential of significant foreign competition, as
discussed in Chapter 4. To the extent that these companies
constitute major U.S. national assets, policy actions that
affect the international competitiveness of these companies
must be considered very carefully.

   A final international dimension is that other nations also
have the option to maintain some form of export controls on
cryptography, as well as controls on the import and use of
cryptography. Such controls form part of the context in which
U.S. cryptography policy must be formulated.

----------

   (1) In the international arena, as elsewhere, not all
aspects of cryptography are necessarily equally critical to
all problems of security. For example, to some extent, the
security of international electronic payments and other
financial transactions can be enhanced through collateral
(nonconfidentiality) uses of cryptography, as discussed in
Chapter 2.

____________________________________________________________


        G.2 SIMILARITIES AND DIFFERENCES BETWEEN THE 
            UNITED STATES AND OTHER NATIONS WITH 
                   RESPECT TO CRYPTOGRAPHY


   Despite the international scope of cryptography policy, the
international scene is dominated by national governments. All
national governments have certain basic goals in common:

   +    To maintain national sovereignty,

   +    To protect public safety and domestic order,

   +    To look after their nation's economic interests, and

   +    To advance their national interests internationally.

   These common goals translate into policy and interests that
are sometimes similar and sometimes different between nations.
Perhaps the most important point of similarity is that
national governments are likely to take actions to mitigate
the threat that the use of cryptography may pose to their
ability to achieve the goals listed above.(2) A corollary is
that foreign national governments are likely to resist
unilateral U.S. decisions that affect the use of cryptographic
technologies within their borders (e.g., by threatening their
control over cryptography). For example, they will likely
oppose the use of cryptographic communications systems within
their borders for which the keys are escrowed solely in the
United States.

   The existence of a range of limited, shared interests among
nations nevertheless suggests at least the possibility of
international cooperation and formal agreements on
cryptography policy. For example, law enforcement is a concern
that constitutes a generally shared interest. The reason is
that many nations have a more or less equivalent sense of
actions that should subject an individual to the sanction of
law, at least in certain domains--murder and kidnapping are
examples of actions that are crimes in almost every nation.(3)
Some aspects of law enforcement have explicitly international
dimensions, such as global organized crime and terrorism.(4)
A second area of shared interest is in maintaining the
integrity of the financial systems of each nation, because
failures in one part of an interconnected financial system may
well ripple through the entire system. Individual privacy is
another common interest; in some nations, for example, the
notion of widespread government surveillance of communications
in society causes public and political concern, as it would in
the United States.(5)

   On the other hand, there are many national differences that
potentially obstruct the achievement of agreements:

   +    *Differing expectations regarding citizens' rights*
(e.g., rights to privacy, rights to trial, rights to express
dissent freely, the relative balance of personal versus
societal rights) *and methods by which such rights can be
enforced*. For example, the United States has a tendency to
enforce privacy rights through market mechanisms, whereas many
European governments generally take a more active policy role
in protecting such rights. Moreover, the United States has a
rich tradition of public debate and argument, and dissenting
discourse is far more the rule than the exception compared to
most foreign nations, whose publics tend to exhibit a greater
willingness to grant certain powers to the state, a less
adversarial relationship toward the government, and more trust
in the ability of government to do what is in the national
interest. (Indeed, at a public meeting a representative of the
National Security Agency noted complaints from foreign
intelligence services that the U.S. policy debate had raised
public visibility of the cryptography issue within their
countries.)

   +    *Business-government relationships*. In some nations,
it is the expectation that national intelligence services will
cooperate with and assist businesses that in the United States
would be regarded as entirely separate from government.
Indeed, many foreign nations operate with fewer and more
blurred lines between government and "private" businesses than
is true in the United States. In areas such as standards
setting that are relevant to businesses, the United States
tends to rely on market forces rather than government much
more than other nations do.

   +    *What constitutes "fair" business practices*. In
principle, many nations give lip service to the idea of
confidentiality in commercial transactions and the notion of
fair competition, but the actual practices of nations are
often at variance with these statements.

   +    *Status*. As a global power, the U.S. scope of
activities for monitoring external traffic (i.e., traffic
between two other nations) is greater than that of other
nations, which are concerned mostly about communications into
and out of their borders. The status of the United States as
a global power also makes its citizens and facilities
high-profile targets for terrorist attacks throughout the
world.

   +    *Access to technology*. On average, U.S. citizens tend
to have a higher degree of access to and familiarity with
information technology than do citizens of other nations.
Furthermore, the information technology deployed
internationally has tended to be less sophisticated than that
deployed in the United States; with some exceptions, this lack
of sophistication is reflected generally as well in the level
of deployed technology that supports security.(6) Thus, the
body politic in the United States arguably has more at stake
than that in other nations.

   Finally, the foreign governments relevant to the policy
issues of cryptography range from very friendly to very
hostile.

   +    Some nations are very closely aligned with the United
States, and the United States has no real need to target their
communications (nor they ours).

   +    Some nations are allies in some domains and
competitors in others, and the circumstances of the moment
determine U.S. needs for access to their communications.

   +    Some nations are pariah or rogue nations, and as a
general rule, the United States would be highly interested in
the substance of their communications.

----------

   (2)  Experience in other Internet-related matters suggests
that many governments are willing to wield their influence in
areas that they believe affect the public safety and welfare.
For example:

   + The CompuServe on-line service suspended access worldwide
to approximately 200 Internet news groups at the request of
the German government. These news groups were suspected of
carrying child pornography. See John Markoff, "On-Line Service
Blocks Access to Topics Called Pornographic," *New York
Times*, December 29, 1995, page A-1.

   + The People's Republic of China declared its intent to
supervise the content of all financial news reports that
collect information in China. Specifically, it announced that
"foreign economic information providers will be punished in
accordance with the law if their released information to
Chinese users contains anything forbidden by Chinese laws and
regulations, or slanders or jeopardizes the national interests
of China." See Seth Faison, "Citing Security, China Will Curb
Foreign Financial News Agencies," *New York Times*, January
17, 1996, page A-1. China is also attempting to develop
Internet-compatible technology that will enable a strong
degree of government control over the content that is
accessible to Chinese residents. See "Chinese Firewall:
Beijing Seeks to Build Version of the Internet That Can Be
Censored," *Wall Street Journal*, January 31, 1996, page 1.

   + Singapore announced that it would hold providers of
access to the Internet and content providers responsible for
preventing information deemed to be pornographic or
politically objectionable from reaching Internet users in
Singapore. See Darren McDermott, "Singapore Unveils Sweeping
Measures to Control Words, Images on Internet," *Wall Street
Journal*, March 6, 1996, page B-6.

   (3)  At the same time, differences of national law in
certain other important areas should not be overlooked.
Specifically, the crimes for which an individual may be
extradited vary from nation to nation (e.g., some nations will
not extradite a person for financial fraud); in addition, some
nations may criminalize certain activity related to computers
and/or electronic communications that other nations do not.
Enforcement of laws is often difficult over national
boundaries, even if relevant laws in another nation do
criminalize particular acts. The reason is that if Nation A
suffers the brunt of actions taken by a citizen resident of
Nation B, Nation B may have little incentive to prosecute
those actions even if its laws criminalize them, since it does
not particularly suffer from those actions. Both of these
factors complicate the feasibility of achieving international
agreements. Some discussion of different international
perspectives on computer crime can be found in the United
Nations Manual on the Prevention and Control of
Computer-Related Crime, available from
http://www.ifs.univie.ac.at/~pr2gql/rev4344.html.

   (4)  See, for example, Phil Williams, "Transnational
Criminal Organizations and International Security,"
*Survival*, Volume 36(1), Spring 1994, pages 96-113.

   (5)  For example, a disclosure that a Spanish military
secret service intercepted hundreds of mobile telephone
conversations caused considerable public uproar. See
"Spaniards Stunned by Military Eavesdropping," *New York
Times*, June 16, 1995, page A-5.

   (6)  For example, 37% of U.S. households have personal
computers, compared with 21% in Spain, 9% in Britain, 19% in
Germany, 14% in Italy, 15% in France (excluding Minitel), and
15% in other European nations. See John Tagliabue, "Europeans
Buy Home PC's at Record Pace," *New York Times*, December 11,
1995, page D-1.

____________________________________________________________


             G.3 FOREIGN EXPORT CONTROL REGIMES

   The United States is not the only nation that imposes
export control restrictions on cryptography. Many other
nations, especially former members of the Coordinating
Committee (CoCom -- see below), control the export of
cryptography to some extent. CoCom nations included Australia,
Belgium, Canada, Denmark, France, Germany, Greece, Italy,
Japan, Luxembourg, the Netherlands, Norway, Portugal, Spain,
Turkey, United Kingdom, and the United States.(8)

   CoCom was a Western response to the threat of the Soviet
Union in the days of the Cold War.(9) Under the CoCom export
control regime, member nations agreed to abide by regulations
governing the export of many militarily useful items,
including cryptography, to nations that were potential
adversaries of the West (generally Eastern bloc nations and
rogue nations).

   The regime was more successful in those instances in which
the technology in question was U.S. source, and thus what was
needed from other CoCom members was control over reexport, or
in which there was strong cooperation based on political
agreement that the technology should be kept away from
controlled destinations, despite its general availability in
other CoCom nations. CoCom controls did not work perfectly,
but they had some nontrivial impact. For example, export
controls did not prevent the Soviets from obtaining certain
types of computers, but they probably had fewer of those
computers than if there had been no export controls. This had
some advantages for the West: the Soviets were locked into old
first-generation computers in many cases; also, they did not
have many and, thus, had to use them only on their
highest-priority projects.

   On the other hand, CoCom controls were less successful when

   +    Non-CoCom countries (e.g., Taiwan and Korea) developed
indigenous capabilities to produce CoCom-controlled
technologies and a willingness to sell them;

   +    CoCom member nations disagreed among themselves about
the danger of exporting certain products to Eastern bloc
nations;

   +    The items in question were dual-use items.

   All of these conditions currently or potentially obtain
with respect to cryptography,(10) although they should not be
taken to mean that cooperative, multinational CoCom-like
controls on cryptography would be hopeless. Also, it is
important to note that the intent of the CoCom export control
regime was to prevent militarily significant technologies
(including cryptography) from falling into the hands of the
Eastern bloc, rather than to inhibit mutually advantageous
sharing of military technology among the member states.

   History demonstrates that the United States has always
applied tighter export controls for security and foreign
policy reasons than any agreement with other nations might
otherwise mandate.(11) For example, since cryptography is in
general controlled by the United States as a munitions item,
the same export controls on cryptography apply to products
destined for England (a CoCom member) and Saudi Arabia (a
non-CoCom member), though the decision-making process might
well generate different answers depending on the receiving
nation. A staff study by the U.S. International Trade
Commission found that the export controls on encryption
maintained by many other nations apply for the most part to
certain proscribed (or "rogue") nations. Thus, there are in
general more restrictions on export of products with
encryption capability from the United States than from these
other nations, even though all of the nations in question
maintain export controls on encryption.(12)

----------

   (7)  The most authoritative study on the laws of other
nations regarding controls on the export, import, and use of
cryptography is a study produced by the Department of Commerce
and the National Security Agency. See Department of Commerce
and National Security Agency, *A Study of the International
Market for Computer Software with Encryption*, U.S. Government
Printing Office, Washington, D.C., January 11, 1996. 

   (8)  National Research Council (NRC), *Finding Common
Ground*, National Academy Press, Washington, D.C., 1991, page
62 (footnote).

   (9)  For detailed discussion of the CoCom regime, see NRC,
*Finding Common Ground*, 1991, and NRC, *Balancing the
National Interest*, National Academy Press, Washington, D.C.,
1987.

   (10) For example, most countries have not yet attained the
degree of success in producing shrink-wrapped software
applications incorporating cryptography that the United States
has; potentially, they could do so and become significant
suppliers of such applications.

   (11) For example, see NRC, *Finding Common Ground*, 1991,
pages 99-100.

____________________________________________________________


         G.4 FOREIGN IMPORT AND USE CONTROL REGIMES


   A number of nations discourage cryptography within their
jurisdictions through a combination of import controls and use
controls. Import controls refer to restrictions on products
with encryption capability that may be taken into a given
nation; use controls refer to restriction on the use of such
products within their jurisdictions.

   At the time of this writing (early 1996), Finland, France,
Israel, Russia, and South Africa assert the authority, through
an explicit law or decree, to exercise some degree of explicit
legal control over the use and/or import of cryptography
within their borders;(13) a number of other nations are
reported to be investigating the possibilities of legal
restrictions. On the other hand, the fact that a law
regulating the use of cryptography is on the books of a nation
does not mean that the law is consistently enforced. For
example, at the 1995 Conference of the International
Cryptography Institute (ICI),(14) speakers from France and
Russia both noted the existence of such laws in their nations
and observed that for the most part those laws generally were
not enforced and thus did not inhibit the widespread use of
cryptography in those nations.(15)

   The flip side of unenforced laws is the case of a nation
that applies informal controls: a nation without explicit laws
forbidding the use of secure communications devices may
nonetheless discourage their import.(16) In addition, nations
have a variety of incentives for domestic production (e.g.,
tax policies and legal regimes for intellectual property that
favor domestic mechanisms for influencing the use of
cryptography within the country:

   +    *Laws related to the public telephone system*. In most
nations the government has the legal authority to regulate
equipment that is connected to the public telephone network
(e.g., in homologation laws). In the event that a nation
wishes to discourage the use of encrypted telephonic
communications, it may choose to use existing homologation
laws as a pretext to prevent users from connecting to the
network with secure telephones.

   +    *Laws related to content carried by electronic media*.
In some nations, the transmission of certain types of content
(e.g., sexually explicit material) is prohibited. Thus, a
nation could argue that it must be able to read encrypted
transmissions in order to ensure that such content is indeed
not being transmitted.

   +    *Trade laws or other practices related to the
protection of domestic industries*. Many nations have trade
policies intended to discourage the purchase of foreign
products and/or to promote the purchase of domestic products;
examples in the United States include "buy American" laws.
Such policies could be used selectively to prevent the import
of products with encryption capabilities that might pose a
threat to the law enforcement or national security interests
of such a nation. In other nations, laws may be explicitly
neutral with respect to local or foreign purchases, but
long-standing practices of buying locally may prove to be
formidable barriers to the import of foreign products.

   +    *Licensing arrangements*. A company (especially a
foreign one) seeking to do business under the jurisdiction of
a particular cryptography-unfriendly government may have to
obtain a number of licenses to do so. Many governments use
their discretionary authority to impose "unofficial"
requirements as conditions for doing business or granting the
licenses necessary to operate (e.g., the need to bribe various
government individuals), and an "understanding" that the company
will refrain from the use of cryptography could be required
for the granting of a license.

   Many anecdotal examples of active government discouragement
of cryptography circulate in the business community. For
example, a businessperson traveling in a foreign nation
brought a secure telephone for use in her hotel room; a few
hours after using it, she was asked by a hotel manager to
discontinue use of that phone. A press report in the Karachi
daily *Dawn* reported on February 26, 1995, that the
government of Pakistan shut down a cellular network run by
Mobilink, a joint venture between Motorola and Pakistani SAIF
Telecom, because it was unable to intercept traffic.(17)

   Nevertheless, it is possible (or will be in the near
future) to circumvent local restrictions through technical
means even if attempts are made to enforce them. For example,
direct satellite uplinks can carry communications without ever
passing that information through the telecommunications
network of the host nation.(18) If available, superencryption
(i.e., encrypting information before it is entered into an
approved encryption device) can defeat an eavesdropper armed
with the key to only the outer layer of encryption; the use of
superencryption cannot even be detected unless a portion of
the encrypted communication is decrypted and analyzed. (See
also the discussion in Chapter 7 on prohibiting the use of
unescrowed encryption.)
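
   The superencryption point above, as an added illustration that
is not part of the original report: a monitor holding only the
outer key recovers readable text from ordinary traffic but only
inner ciphertext from superencrypted traffic, and the two cannot
be told apart by byte statistics until the outer layer is removed.
The SHA-256 keystream cipher (a toy stand-in for the "approved
encryption device"), the keys, the sample message, and the entropy
threshold are all assumptions constructed for this example.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed keys and message, for illustration only.
OUTER_KEY = b"constructed-outer-key (known to the monitor)"
INNER_KEY = b"constructed-inner-key (known only to the users)"
MESSAGE = b"Constructed sample: pricing terms for the joint venture follow. " * 7


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks (toy stream cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return a fresh 16-byte nonce followed by the encrypted body."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, message: bytes) -> bytes:
    """Split off the nonce and remove one layer of encryption."""
    return _keystream_xor(key, message[:16], message[16:])


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 is the maximum)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def looks_readable(data: bytes, threshold: float = 6.0) -> bool:
    """Heuristic: natural-language text sits near 4-5 bits/byte, ciphertext
    near 8. Compressed data also scores high, so a 'not readable' verdict
    indicates a second layer is possible, not that one is certain."""
    return shannon_entropy(data) < threshold


def demo() -> dict:
    # Ordinary use: one layer, applied with the key the monitor holds.
    wire_single = encrypt(OUTER_KEY, MESSAGE)
    # Superencryption: the users encrypt first, then the outer layer is applied.
    wire_super = encrypt(OUTER_KEY, encrypt(INNER_KEY, MESSAGE))

    # The monitor removes the outer layer from each intercepted message.
    seen_single = decrypt(OUTER_KEY, wire_single)
    seen_super = decrypt(OUTER_KEY, wire_super)

    return {
        # On the wire both messages are high-entropy: no visible difference.
        "wire_single_entropy": shannon_entropy(wire_single),
        "wire_super_entropy": shannon_entropy(wire_super),
        # Only after decrypting does the second layer show up.
        "single_readable": looks_readable(seen_single),
        "super_readable": looks_readable(seen_super),
        "single_matches_message": seen_single == MESSAGE,
        # The intended recipient, holding both keys, still reads the message.
        "recipient_recovers": decrypt(INNER_KEY, seen_super) == MESSAGE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
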

   To summarize, in some cases, a U.S. vendor that receives an
export license from U.S. authorities to sell in a given
foreign market may well encounter additional complications due
to the import and use controls of the target nation. Indeed,
a number of other nations rely on U.S. export controls to keep
strong encryption products out of the market in their
countries.

----------

   (12) Office of Industries, U.S. International Trade
Commission, *Global Competitiveness of the U.S. Computer
Software and Service Industries*, Staff Research Study #21,
Washington, D.C., June 1995, Chapter 3.

   (13) U.S. Department of Commerce-National Security Agency,
*A Study of the International Market for Computer Software
with Encryption*, 1996, Part II.

   (14) International Cryptography Institute, George
Washington University, 1995.

   (15) Still, the mere existence of such laws -- whether or
not enforced -- serves as an obstacle to large vendors who
wish to sell products with encryption capabilities or to
provide encryption services, thereby reducing their
availability to the average consumer. In addition, such
nations may well practice selective enforcement of such laws.
For example, a representative of a major computer company with
a French subsidiary observed at the 1995 ICI conference that
although French laws forbidding the use of unregistered
encryption were not regularly enforced against private users,
they did inhibit this company from marketing products with
encryption capabilities in France.

   (16) The feasibility of such practices is documented in a
1992 report by the U.S. Department of Commerce, which
describes foreign governments' assistance to their domestic
industries. This report found that foreign governments assist
their industries by creating barriers to the domestic market
(e.g., through tariffs or quotas, testing regulations,
investment industries), and by aiding in market development
(e.g., guaranteeing a certain minimum level of sales through
government purchase, providing foreign aid to buy domestic
goods, applying political pressure to potential customers).
See U.S. Department of Commerce, *Foreign Government
Assistance to Domestic Industry*, U.S. Government Printing
Office, Washington, D.C., September 1992, page iii.

   (17) According to the article, the company was unable to
provide interception services to Pakistani intelligence
agencies. According to a Mobilink official, "There are no
commercial products ... that enable over-the-air monitoring of
calls." However, it remains unclear why agencies would require
monitoring of wireless mobile-to-base traffic, instead of
intercepting at the base station. Although GSM's digitally
encrypted wireless traffic may be hard to tap in real time, it
is decrypted at the base station.

   (18) There are several systems in preparation that use
low-Earth-orbit satellites to provide direct communications
links, including Iridium and Odyssey.

____________________________________________________________


        G.5 THE STATE OF INTERNATIONAL AFFAIRS TODAY

   Today, international communications are conducted with no
universally adopted information or communications privacy and
security standards or policies. This is not surprising; the
communications systems in use worldwide are highly
heterogeneous, are made by many different manufacturers, and
embody many different standards; under these circumstances,
security-specific aspects of these systems cannot be expected
to be either standardized or government certified. In the
absence of common understanding, ensuring information privacy
or security is an ad hoc affair. Cryptographic equipment is
freely available, and standards to ensure interoperability and
compatibility emerge, in many cases, through a market process
with no intervention on the part of any national government.
Cryptographic equipment on the market is not always tested or
certified by national authorities or any organization with the
responsibility for undertaking such testing.

   Some of the future consequences of this current situation are likely
to include the following:

   +    Interoperability of communications equipment involving
cryptography will be difficult.(19)

   +    Some companies and businesses will be able to
implement very high quality security, while others fall victim
to the purveyors of shoddy security products.

   +     National governments will be unable to use
wiretapping as a tool for enforcing criminal laws and pursuing
national security interests in many cases.

   Needless to say, these consequences are undesirable for
reasons related to business and commerce, national security,
and law enforcement. How governments have responded to these
undesirable consequences is discussed in Section G.7.

----------

   (19) Indeed, in the absence of standards, interoperability
is often a problem even when cryptography is not involved.

____________________________________________________________


     G.6 OBTAINING INTERNATIONAL COOPERATION ON POLICY 
               REGARDING SECURE COMMUNICATIONS


   If the use of the global information infrastructure (GII)
is to grow with the blessings of governments, common
arrangements among governments are needed. To the extent that
U.S. national cryptography policy affects communications and
information transfer across national boundaries, it has
international implications.

   One approach is that the United States will set a standard
on secure communications that accommodates the needs of
various national governments around the world. This approach
is based on the assumption that the United States is the
dominant player with respect to international communications
and information transfer, and that actions taken by the United
States to promote a future global information infrastructure
set at least a de facto standard to which all other parties to
the GII will have to adhere. The result would be that U.S.
national policy becomes the de facto international policy.

   The committee does not believe that this approach is
feasible today. Rather, the committee proceeds from the belief
that the United States will be an important but not the
controlling international player with respect to international
communications and information transfer. Thus, the United
States cannot operate unilaterally and will have to reach
accommodation with other national governments.

   By taking as given the fact that nation-states will
continue to try to exert sovereignty over activities within
their borders, including the pursuit of law enforcement and
national security activities, the following statements seem
warranted:

   1. Common and cooperative policies are possible if and only
if national governments agree to them.

   2. National governments will allow policies to be set in
place if these policies are consistent in some overall sense
with the equities they seek to maintain.

   3. A national government will not base its policies on the
assumption that it will abuse the rights of its citizens (as
it defines them).

   By assumption, cryptography threatens the ability of
national governments to monitor the communications of others.
Thus, according to statement 2, controls on the use of
cryptography are a plausible governmental policy option as
discussed above. At the same time and despite this threat,
some foreign governments could be willing to allow secure
international communications on a case-by-case basis, where
the scope and nature of use are clearly delimited (i.e.,
relatively small-scale use, clearly specified use). Of course,
the United States places no restrictions at all on the use of
secure communications domestically at this time.

   Over the next 10 years, some of those countries will surely
change their minds about encryption, though in what direction
is as yet not clear. Other nations are beginning to pay
attention to these issues related to interception of
communications and wiretapping and have many of the same
concerns that the U.S. government has. Indeed, as
international partnerships between U.S. and foreign
telecommunications companies increase, it is likely that
foreign intelligence agencies' awareness of these issues will
increase. Such concerns in principle suggest that an
international agreement might be possible with respect to
these issues.

   At the same time, the United States has a stronger
tradition of individual liberties than many other nations, and
it is conceivable that the United States might be the "odd man
out" internationally. For example, the official U.S. view that
it will not impose legal restrictions on the use of
cryptography within its borders may run contrary to the
positions taken by other nations. An international agreement
that accommodates such differing degrees of legal restriction
is hard to imagine.

   A global information infrastructure allows conceptually for
two different policy structures regarding international
communication and data transmission:

   1. Common policies shared and implemented by many nations
cooperatively, or

   2. Individual policies implemented by each nation on its
own.

   Of course, it may be that some group of nations can agree
to a set of common policies, while other nations will operate
individually.

   By definition, individual policies of nations may conflict
at national borders.(20) For nations whose policies on
cryptography do not agree, international interconnection will
be possible only through national gateways and interfaces that
handle all international traffic.(21) For example, Nations A
and B might require users to deposit all cryptographic keys
with the national government but otherwise leave the choice of
cryptographic equipment up to the relevant users. An A
national communicating with a B national might see his or her
traffic routed to a switch that would decrypt A's transmission
into plaintext and reencrypt it with the B national's key for 
ultimate transmission to the B national.(22)

   This hypothetical arrangement is insecure in the sense that
text can be found in the clear at the border interface points.
It is therefore clumsy and arguably unworkable on a practical
scale. Thus, the problem of obtaining international
cooperation on policy regarding secure communication is
addressed here.

   In the export control domain, attempts are under way to
establish an organization known as the New Forum to achieve
some common policy regarding exports. The mandate of the New
Forum is to "prevent destabilizing buildups of weapons and
technologies in regions of tension, such as South Asia and the
Middle East, by establishing a formal process of transparency,
consultation, and multilateral restraint [in the export of
critical technologies]."(23) The New Forum is expected to
include the CoCom nations, as well as Hungary, Poland, and the
Czech Republic and a number of cooperating states. The New
Forum is similar in many ways to CoCom, but one critical
difference is that unlike CoCom, New Forum members do not have
veto power over individual exports involving member nations;
member states retain the right to decide how to apply the New
Forum export control regime to specific instances.(24)

   In the domain of policy regarding the use of encryption,
serious attempts at international discussion are beginning as
of this writing (early 1996). For example, in December 1995,
the Organization for Economic Cooperation and Development
(OECD) held a meeting in Paris, France, among member nations
to discuss how these nations were planning to cope with the
public policy problems posed by cryptography.

   In order to stimulate thought about alternative ways of
approaching an international regime for cryptography (with
respect to both export control and use), it is useful to
consider how international regimes in other areas of policy
are constructed. This is to a certain extent a taxonomic
exercise, but it has the virtue that it opens wider
perspectives than if we limit ourselves to prior arrangements
in the law enforcement and intelligence fields. Moreover, it
permits an analysis to profit from experience in other fields
of foreign policy. That said, most successful international
efforts are built on precedents from the past, and therefore
it may be a mistake to start out too ambitiously.

   Two dimensions should be kept separate, one organizational
and the other substantive. Is there to be an international
organization; a treaty; something less, such as an
international agreement; parallel bilateral agreements; or, at
the least ambitious end, merely a coordination of policy
between the U.S. executive branch and other governments?

   With respect to international agreement on the substantive
dimension, four different approaches reflect varying levels of
ambition:

   +    *Unification of law in the cooperating countries
involved*. Unification means simply that the law of each
cooperating country would be the same.

   +    *Harmonization*. Harmonization refers to a general
similarity of law among national laws, with purely local
differences or relatively unimportant differences remaining.
These differences would be slight enough to preclude major
distortions of trade or serious policy disagreements among
nations. Harmonization of law is particularly common in
Europe.

   +    *Mutual recognition*. Under mutual recognition, when
one government approves a product manufactured within its
borders as being consistent with an agreed-upon standard,
another government will allow that product to be imported and
used within its territory. In a world with a variety of
cryptographic options, the options then would have to be
certified by the home government before they could be imported
and used in the territories of cooperating countries. For
example, perhaps mutual recognition would require that any
escrow holder certified by one government would be acceptable
to other governments.

   +    *Interoperability*. Cooperating nations would work,
perhaps in part through telephone companies and PTTs, to
ensure that encrypted communications across national borders
would remain encrypted but also conform to national laws.
Interoperability would require some agreement among
cooperating nations that limited the kinds of encryption
acceptable domestically and provided for exchange of keys.
(For example, a foreign government might require an interface
for international communications at a border through which
traffic would have to be passed in the clear or encrypted in
a way that it could read.) Technical approaches to
interoperability would probably require translation facilities
that reconcile policies at national borders, automatic
recognition of protocols being used, and automatic engagement
of the necessary technology.

   The feasibility of a cooperative regime on secure
international communications is likely to require the
consensus of a core group of nations. Such a consensus would
then set standards that other nations would have to follow if
they wanted to share the benefits of interacting with those
core nations; nations that refuse to accept the arrangement
would by implication be cut off from applications that demand
cryptographic protection (although they would still be able to
transact and communicate in the clear). For obvious reasons,
this suggests that the core group of nations would have
considerable aggregate economic power and influence. (Note
that a division of the world into core and noncore nations
might require the fractionation of a multinational company's
information network into those inside and outside the core
group.)

----------

   (20) Although the notion of a global information
infrastructure is based to a large degree on the idea that
national boundaries are porous to information, nations can and
do exert some influence over what information may cross their
borders. For example, while traffic may traverse many
countries between Nation A and Nation B, it is not
inconceivable that an intermediate nation might attempt to
establish a policy on cryptography that any incoming traffic
had to be sent in the clear. Enforcing such a policy would be
technically difficult for individual nations to accomplish in
today's networking environment, but a different architecture
might make it easier.

   (21) An additional challenge is the emergence of national
or commercial parties that will provide communications that
are independent of any physical infrastructure under the
control of any given nation. For example, a person in Japan
might use a portable device to communicate with someone in
Peru, connecting directly through a future American
communications satellite. Such a channel might bypass entirely
the Japanese and Peruvian national authorities. Even more
complicated might be the use of a communications satellite
bought from an American manufacturer by Indonesia and launched
into orbit by the French. (However, satellite communications
are subject to a degree of control over services offered, in
the form of international agreements in the International
Telecommunication Union on the uses of electromagnetic
frequency spectrum.)

   (22) Policies regarding cryptography are complicated
further by policies on data. For example, a number of European
nations will not permit the transport of personal data (e.g.,
on employees) out of their countries for privacy reasons, even
though a multinational firm might like to be able to process
such data in one central location. To ensure that such data
are not transported, those nations may demand the ability to
inspect all transborder data flows outward.

   Controlling inbound data may pose problems. For example, a
dictatorial government may assert the right to monitor data
flowing into its nation, perhaps to combat subversive
agitation. Even democratic governments may wish for the
ability to monitor certain incoming data to prevent money
laundering.

   Laws governing privacy can conflict with laws on
cryptography. For example, a law on data privacy may require
that certain sensitive data associated with an individual be
protected, while a law on cryptography may forbid the use of
cryptography. Such laws would obviously conflict if a
situation arose in which cryptography were the only feasible
tool for protecting such data.

   In short, policies regarding data export, import, and
privacy are an additional dimension of resolving policy with
respect to cryptography.

   (23) U.S. State Department, "Press Release: New
Multilateral Export Control Arrangement," Office of the
Spokesman, Washington, D.C., January 23, 1996.

   (24) See Sarah Walking, "Russia Ready to Join New
Post-CoCom Organization," *Arms Control Today*, September
1995, pages 31-33.

____________________________________________________________


       G.7 THE FUNDAMENTAL QUESTIONS OF INTERNATIONAL 
                     CRYPTOGRAPHY POLICY


   If the assumption is made that escrowed encryption is the
underpinning of national governments' attempting to manage
cryptography, three basic questions arise regarding
cryptography policy internationally.


                  G.7.1 Who Holds the Keys?

   Any of the agents described in Chapter 5 are candidates for
key holders: these include government agencies, private
for-profit organizations that make a business out of holding
keys, vendors of escrowed encryption products, and customers
themselves (perhaps the end user, perhaps an organization
within the corporation making the purchase). The various pros
and cons of different types of escrow agents described in
Chapter 5 apply equally in an international context.


     G.7.2 Under What Circumstances Does the Key Holder 
             Release the Keys to Other Parties?

   From the standpoint of U.S. policy, one essential question
is which nation's or nations' laws control the actions of
escrow agents vis-a-vis the release of keys. Conceptually,
three possibilities exist:

   1. The U.S. government (or escrow agents subject to U.S.
law) holds all keys for all escrowed encryption products used
by U.S. persons or sold by U.S. vendors, regardless of whether
these products are used domestically or abroad.(25)

   2. The U.S. government (or escrow agents subject to U.S.
law) holds all keys for all escrowed encryption products used
by U.S. persons, and foreign governments (or escrow agents
subject to the laws of those foreign governments) hold all
keys for escrowed encryption products used by nationals of
those governments.(26)

   3. Both the U.S. government and Nation X have access to all
keys for escrowed encryption products that are used in Nation
X, and either the United States or Nation X can obtain the
necessary keys.

   Products used in Nation X would most likely be purchased in
Nation X, but this is not a requirement. Note also that a wide
variety of escrowing schemes exist, many of which are
described in Chapter 5.

   For the most part, options 1 and 3 compromise the
sovereignty of foreign nations, and it is hard to imagine that
a strong U.S. ally would publicly announce that its citizens
and industries were vulnerable to U.S. spying without their
approval. Early in this study (late 1994), the committee took
testimony from senior Administration officials to the effect
that option 1 was likely feasible, but the Administration
appears to have backed off from this position in its most
recent statements (late 1995).

   Only option 2 is symmetric: the United States holds keys
for escrowed encryption products used by U.S. persons or sold
in the United States, and foreign nations do the same for
their persons and products. Option 2 could meet the
international law enforcement concern in much the same way
that the law enforcement agencies of various nations cooperate
today on other matters. Such cooperation might be the focus of
explicit bilateral agreements between the United States and
other nations; such agreements might well build on existing
cooperative arrangements for law enforcement (Box G.1), and
they are most likely to be concluded successfully if they are
arranged informally, on a case-by-case basis in which the
scope and nature of use are clearly delimited (i.e.,
relatively small-scale and clearly specified use).
Alternatively, access might be requested on an ad hoc basis as
the occasion arises, as is the case for other types of
informally arranged law enforcement cooperation.

   Option 2 alone will not satisfy U.S. needs for intelligence
gathering from the foreign nations involved, because by
assumption it requires the involvement (and hence the
knowledge) of an escrow agent that is subject to another
nation's jurisdiction. Further, it is inconceivable that the
United States is a party to any formal or informal agreement
to obtain keys from nations that are most likely to be the
targets of interest to U.S. decision makers (e.g., rogue
nations). On the other hand, options 1 and 3 also pose
problems for U.S. intelligence gathering, because even with
the ability to obtain keys individually, the United States
loses the ability to conduct good bulk intercepts. On the
assumption that there is no large-scale "master key,"
individual keys would still have to be obtained. This would
inevitably be a time-consuming process and could diminish the
flow of signals intelligence information, since obtaining
individual keys is a much more time- and labor-intensive
activity than listening to unencrypted traffic.

   The Administration's position on foreign escrow agents is
stated in one of its proposed criteria for liberalized export
consideration for escrowed encryption software. Specifically,
it proposes that the relevant keys be escrowed with "escrow
agents certified by the U.S. government or by foreign
governments with which the U.S. government has formal
agreements consistent with U.S. law enforcement and national
security requirements."(27)

   Note that all of the issues discussed in Chapter 5 with
respect to liability for unauthorized disclosure of keys
necessarily apply in an international context.(28)

----------

   (25) Under the Clipper initiative, U.S. policy is that the
two escrow agents in the United States have Clipper/Capstone
keys because they are available and put into escrow at the
time they are programmed at the U.S. factory. Since there is
no formal policy governing what should be done if a foreign
nation purchases Clipper-compliant devices, the current policy
obtains by default.

   (26) An important operational question is the following: If
the keys are generated in the United States, on what basis
could any foreign user be confident that the United States did
not retain a copy of the keys that were issued to him or her?
Such a question arises most strongly in a hardware-based
escrow encryption product with a U.S.-classified design in
which the United States is the designated key generator for
reasons of classification.

   (27) See Box 5.3, Chapter 5.

   (28) Some agreements establish the extent and nature of
liability in other contexts (e.g., the Warsaw Convention and
airline travel), thus suggesting that the international
dimensions of liability for unauthorized release of keys are
not necessarily insurmountable.

____________________________________________________________


         G.7.3 How Will Nations Reach Consensus on 
International Cryptography Policy Regarding Exports and Use? 


*Harmonized Export Policies*

   Agreement on the following points would be necessary to
develop a common export control policy that would help to
preserve law enforcement and intelligence-gathering
capabilities by retarding the spread of cryptography
worldwide:

   +    Rough concurrence among nations exporting
cryptography about the nations whose access to encryption
capabilities should be kept to a minimum and what policy
toward those nations should be;

   +    Willingness to allow relatively free trade in products
with encryption capabilities among member nations;

   +    Willingness to abide by prohibitions on reexport to
rogue nations; and

   +    Agreement among member nations about the types of
encryption capabilities that would constitute a threat if
widely deployed.

   The extent to which agreement on these points can be
reached is an open question, although there are precedents to
some degree in the U.S. bilateral arrangements with various
other nations for cooperation in law enforcement matters. A
high degree of concurrence among these nations (a
"crypto-CoCom") would help to retard the spread of encryption
capabilities to rogue nations, with all of the attendant
benefits for law enforcement and national security.

   Many problems stand in the way of achieving a plausible
crypto-CoCom regime. These include the following:

   +    The scope of a crypto-CoCom. Given that the basic
algorithms for cryptography are known worldwide, it is not
clear that the developed nations of the world have a true
monopoly on the technology. Many of the traditional lesser
developed countries in Asia and Latin America are
demonstrating significant interest in modernizing their
communications infrastructures, and they will almost certainly
be driven to an interest in secure communications as well.

   +    The absence of a pervasive threat. With the demise of
the Soviet Union, it has proven much more difficult for the
United States to take the lead in matters requiring
international cooperation.

   +    The implied connection between third-party decryption
for governments and export-import controls. International
arrangements will have to satisfy the needs of participating
nations for third-party decryption before they will agree to
relax import and use controls.


*Harmonized Policies Regarding Use*

   As noted above, the Organization for Economic Cooperation
and Development held a December 1995 meeting in Paris among
member nations to discuss how these nations were planning to
cope with the public policy problems posed by
cryptography.(29) What this meeting made clear is that many
OECD member nations are starting to come to grips with the
public policy problems posed by encryption, but that the
dialogue on harmonizing policies across national borders has
not yet matured. Moreover, national policies are quite fluid
at this time, with various nations considering different types
of regulation regarding the use, export, and import of
cryptography.

   The majority view of the assembled nations was that
national policies had to balance the needs of corporate users,
technology vendors, individuals, law enforcement and national
security. A number of participants appeared to favor a
"trusted third-party" approach that would rely on
nongovernment entities (the trusted third party) to serve as
the generators of cryptographic keys for confidentiality for
use by the public as well as escrow agents holding these keys
and responding to legally authorized requests for encryption
keys for law enforcement purposes.(30) However, the needs of
national security were not mentioned for the most
part.(31),(32)

----------

   (29) Additional information on this meeting can be found in
Stewart Baker, *Summary Report on the OECD Ad Hoc Meeting of
Experts on Cryptography*, Steptoe and Johnson, Washington,
D.C., undated. Contact sbaker@steptoe.com or check
http://www.us.net/~steptoe/276908.htm.

   (30) See for example, Nigel Jefferies, Chris Mitchell, and
Michael Walker, "A Proposed Architecture for Trusted Third
Party Services," Royal Holloway, University of London, 1995.

   (31) For additional industry-oriented views on
international policies concerning the use of cryptography, see
U.S. Council for International Business, *Business
Requirements for Encryption*, New York, October 10, 1994;
INFOSEC Business Advisory Group, *Commercial Use of
Cryptography*, statement presented at the ICC-BIAC-OECD
Business-Government Forum, Paris, France, December 1995;
European Association of Manufacturers of Business Machines and
Information Technology Industry (EUROBIT), Information
Technology Association of Canada (ITAC), Information
Technology Industry Council (ITIC), and Japan Electronic
Industry Development Association (JEIDA), *Principles of
Global Cryptographic Policy*, statement presented at the
ICC-BIAC-OECD Business-Government Forum, Paris, France,
December 19, 1995. The statements from the Paris, France
meeting are available on line at
http://www.cosc.georgetown.edu/~denning/crypto/#ici.

   (32) Intelligence needs may conflict directly with needs
for business information security. For example, U.S. and
foreign companies sometimes form consortia that work
cooperatively to make money; national intelligence agencies
often funnel information to individual companies to develop
competitive advantage. One major reason that U.S. companies
operating internationally want to have encrypted
communications is to protect themselves against the threat of
national intelligence agencies. Thus, they would require that
any escrow arrangements at a minimum include audit trails to
ensure that their communications were being monitored in
accordance with laws governing criminal investigations and the
like (in the United States, this might be a court order) to
ensure that data from wiretaps were not being funneled to
foreign competitors. However, it is very hard to imagine that
a foreign intelligence agency would be willing to provide such
assurances or to live with such audit restrictions.
Ultimately, the trade-off might be the willingness of an
international corporation to bargain with the host nation
about the ability to have secure communications, using its
willingness to invest in the host nation as its ultimate
bargaining chip to force the host nation to acquiesce.

____________________________________________________________


BOX G.1 On Mutual Assistance Agreements for Law Enforcement

   The United States has mutual assistance agreements for law
enforcement with many other nations. These agreements, managed
by the Criminal Division of the Department of Justice with a
State Department liaison, provide for mutual cooperation for
the prevention, investigation, and prosecution of crime, to
the extent permitted by the laws of each nation, in many
areas. In general, these agreements discuss cooperation in
certain listed areas as illustrative, but they usually have a
"catchall" category. Some of the listed areas include:


   +    Assistance in obtaining documents;

   +    Release of interviews and statements of witnesses;

   +    Arrangement of depositions;

   +    Assistance in securing compulsory process (e.g.,
subpoenas);

   +    Cooperation in obtaining extradition consistent with
existing extradition treaties; and

   +    Cooperation in obtaining forensic information (e.g.,
laboratory results and fingerprints).

   These agreements are meant to enhance the collection of
information and evidence in foreign nations when a crime is
being committed or planned. Thus, they could serve as the
vehicle for cooperative action with respect to sharing
cryptographic keys available to the government (pursuant to
its law enforcement objectives) of a given nation for specific
law enforcement purposes; keys given by Nation A to Nation B
would be obtained in accordance with the laws of Nation A and
the mutual assistance agreement between Nations A and B. These
agreements do not make new law; unlike treaties, they simply
facilitate cooperation with respect to existing law.

   To adapt these agreements to cover sharing of cryptographic
information, the nations involved could use the catchall
category or explicitly negotiate agreements covering this
area; the first could suffice until the second was
implemented.

   In general, these agreements have worked well.
Nevertheless, some problems exist. For example, they may not
work fast enough to provide time-urgent responses to pressing
law enforcement needs. In addition, some nations that are
party to a mutual assistance agreement may not be trustworthy
with respect to certain areas (e.g., the Colombian government
with respect to drugs, the Mexican government with respect to
immigration matters and smuggling of aliens).

____________________________________________________________

[End Appendix G]



