Return to Cyberlaw Home Page and Contents
Return to Nicholas Johnson Home Page
Global Telecom, Media and Electronics, Inc. needs to develop a presence in Asia if it is to continue as a player in the Global Information Economy. This preliminary report assesses conditions in the Southeast Asian country of Laos and recommends the steps that GTME can take to establish a presence in Laos. This initial presence will then serve as the foundation for GTME's further development in Asia.
Laos is one of the least developed Southeast Asian countries. It is landlocked with a primitive infrastructure. Its population of approximately five million is dispersed over an area about the size of Utah, resulting in an overall population density of 54 people per square mile.1 Located in a mountainous region, the landscape consists primarily of mountains, hills, and river valleys and is dominated by jungle. The climate is monsoonal, with two main seasons: rainy and dry. Laos is very much an agricultural country. Over 90% of its people engage in subsistence farming, cultivating mainly rice.2 Even this dedication of resources is insufficient, however, and more rice must be imported. Fish and fruit serve as staples of the Laotian diet.
The terrain controls life in Laos. Due to the mountains and rivers, land travel is minimal. Since water is the primary resource, it dominates both travel and production. Some villages even have rivers as their main streets.3 Transportation is predominantly water-based. Production of hydroelectric power is a major industry; electricity is the primary export of Laos.
The peoples of Laos experience a very divisive ethnic diversity. Three main groups exist; all but the last are originally from China and are culturally related to the Thai. The urbanized Lao are socially and politically dominant. Although Laos has never had a formal census, the Lao are estimated to compose half the population.4 Originally from China, they live in the fertile river valleys where Laos' cities are located. Their religion, Theravada Buddhism, is the state religion. The second group practices agriculture, and is divided into three sub-groups. They are the Tai, the Meo and the Man. The Tai dominate agriculture in mountain valleys and have a tribal infrastructure.5 The Meo and Man live in the northern mountains. The Meo still have very strong Chinese elements present in their culture and practice slash-and-burn agriculture.6 Little is known about the Man. The third population element is the Kha, consisting of about one-fourth of the total population. This group is composed of darker-skinned peoples who are widely distributed throughout the country. About sixty Kha tribes live in Laos, but they appear to have little sense of ethnic unity. Both their name and history indicate the probable reason: Kha in Lao means slave. While no longer enslaved, the Kha are still scorned by the majority of the population.7
Laos has a turbulent history, mostly due to the overflow of forces that rarely focused on this country. In 1893, it became a French protectorate along with several neighboring countries. In 1949 it regained independence and became a constitutional monarchy.8 Neutralist, communist and conservative factions fought for control of the government. In 1962 a coalition government was formed with a neutralist premier. By 1964, however, the communists had withdrawn from the coalition and renewed armed combat with the aid of North Vietnamese troops.9 Although the United States attempted to intervene, bombing the Ho Chi Minh trail-the communists' supply route from North Vietnam to Laos and South Vietnam-in the end the communists won. The communists secured victories in Cambodia and South Vietnam in April of 1975; by May the Laotian troops ceased fighting and the communists took over in Laos too.10 The Lao People's Democratic Republic was proclaimed on December 3, 1975.
Economically, Laos is the least developed of the former Indo-Chinese states.11 Although overwhelmingly agricultural, the farming communities do not produce enough to support the country and food is one of the major imports. Exports from Laos include electricity, wood products, tin and coffee.12 Other mineral deposits such as copper, lead, and iron exist but have yet to be exploited.
Industry in Laos is in the early stages of development. Rice mills, sawmills, and some manufacturing of tobacco products, matches and beverages currently exist. Inadequate transportation and communications are major barriers to further industrial development. Transportation in Laos is practically non-existent compared to the United States. Of the few roads that do exist, only one-seventh of the highways in the entire country are paved; Laos has no railroads. The Mekong River serves as the main highway for Laos, but even it is obstructed by waterfalls and rapids.
The communications structure is also very limited. General phone service is poor. There is on average one phone per 526 people.13 Locally, there are an average of sixteen phone lines for one thousand people. Intercity communications are limited to radio signals. Even government users must tolerate generally erratic radio communications. Radios are the most common electric appliance, with one radio per about ten people. Televisions are not as rare as telephones, but still uncommon with one television per fifty-nine people.14 The mountainous terrain limits the broadcasts possible, resulting in ten AM broadcast stations, no FM stations, and only two television broadcast stations.
Since 1986, the communist government has been decentralizing control and urging controlled privatization.15 Even this strategy has only resulted in 7.6% annual growth. Unemployment is about 21%.
Global Telecom, Media and Electronics, Inc. should serve as an agent for Visa International and establish an infrastructure capable of supporting the entrance of Visa into the Laos economy. One possible method is to establish a working relationship with a local financial institution, and set up the preliminary communications network within Vientiane. Tourism is already an established industry in Laos, albeit a small one. GTME can not only introduce the basic Visa services such as credit cards, but also lay the groundwork for the eventual integration of on-line services. The short-term goals will be to introduce the "smart card" version of the credit card to Laos, and promote electronic commerce using the Secure Electronics Transactions (SET) global standard. Long-term goals include establishing an infrastructure, as well as sufficient demand, to support an Internet Service Provider (ISP) in Laos that is similar to other GTME ventures in the area.
Visa International has established itself as an international player since its introduction in 1974. It has already made connections with financial institutions throughout the Asia-Pacific region, and has arrangements with financial institutions in Australia, Japan, Philippines, Taiwan, Hong Kong, Korea, New Zealand, Indonesia, Malaysia, Singapore, and Thailand. Visa recognizes that "[t]he countries of Asia-Pacific continue to lead the world in economic growth and offer fertile markets for growth and innovation in the payment card industry. Asia-Pacific is remarkable for its economic diversity but growth occurred (sic) in all four types of economies represented in the region-emerging, developing, newly-industrialized and developed."16 Those countries in which Visa is already operating represent the advanced economies of the region.
If GTME joined with Visa in Laos, both companies would be in the valuable position of directing and benefiting from the growth of a developing economy. The Visa office in Bangkok, Thailand, was opened not only "to service Members in the rapidly-developing Thai market" but also to act "as a gateway to the emerging markets of Indo-China."17 GTME can use the resources of the Bangkok office to direct the arrival of the information age to Laos.
Visa's credo is "Think Globally, Act Locally." To ensure this strategy functions properly, Visa divides the world into six regions: Asia-Pacific, Canada, Europe (European Union), Central and Eastern Europe with the Middle East and Africa, Latin America, and the United States. Each region follows the long-range guidance offered by the Visa International headquarters in San Francisco, ensuring a coherent system that functions across all the regions. At the same time, each region has a board of directors that is responsible for adapting Visa programs to the local markets. This permits the flexibility that is required to cultivate an emerging market in an Eastern culture while enabling Visa to function in the international business world.
Visa, like GTME, recognizes that we are in the age of an Information Economy. Recently, Visa devoted considerable effort to develop a Secure Electronic Transactions standard, or SET. This new global standard will ensure that purchases may be made electronically with minimal risk of credit card theft or fraud. SET was developed in a cooperative effort by Visa, IBM, Verisign, and other international participants. In Singapore, Visa International is working with the National Computer Board "to pilot the secure use of credit cards in electronic commerce...."18 Participants in this pilot project include: ABACUS Distribution Systems (travel information and reservations system), CSA Research (software publishing), Mentor Internet Solution (shopping mall), Times Publishing Group (media & publishing), Citibank, Cyberway, IBM, Microsoft, National Computer Systems, Netscape, Oracle Systems, Pacific Internet, and Tandem Computers.19
One major concern is the culture within which GTME will operate. Given that the Laotian government is communist, and the populace predominantly Buddhist, GTME will have to tread very carefully in establishing itself as a reputable and acceptable entrant into the Laotian business world.20 Also of concern is the potential impact that this technological and economic "upgrade" will have on Laos. Considering the agricultural nature of the Laotian economy, GTME may have some difficulty expanding beyond the cities into the countryside. However, that should not discourage GTME from taking this step, as the benefits of establishing a strong presence in Laos far outweigh such a minor drawback. First, Laos is just one of the emerging markets in Southeast Asia. A strong presence in Laos will serve as the springboard into neighboring countries. Second, developing a connection with Visa International will open a new range of possibilities for GTME to explore. Visa's home office in California combines with a recently opened branch office in Thailand to offer GTME access to a large international resource base. Furthermore, technology offers a feasible solution to the geographical barriers presented in Laos. Satelite uplinks should sufficiently provide access to the Web when the time comes to offer it, even in areas other than the "civilized" urban plains.
This paper will touch briefly on the issues of regulation and privacy, and focus primarily on the issue of encryption.
Since this will be a joint venture between GTME (acting as an agent for Visa) and a local Laotian financial institution, it may be subject to Laotian banking regulations. Furthermore, the Laotian government has particular guidelines for foreign companies operating in the country.21 Since GTME and Visa will work in cooperation with a local financial institution, restrictions will likely be minimized. Precisely which regulations and restrictions will apply has yet to be determined.
Once GTME complies with any legal requirements for doing business in Laos, GTME will have to address the issue of privacy and the possibility for fraud within the new payment card system it proposes to establish in Laos. Laotian rules regarding the right to privacy must be examined in order to determine how if at all they will affect the system GTME sets up for Visa. Encryption and passwords can be used to diminish the possibilities of fraud or electronic theft using the credit card system.
Determining the legal standards for privacy in Laos requires at least a working knowledge of both the language and the legal system. Such an in-depth exploration is best saved for a later date, when an expert can be located to conduct the necessary research. Therefore, for the limited purposes of this report, the issue of privacy will be evaluated under the paradigm of U.S. law.
The right to privacy in the United States has a long and complicated history. Such a right is not explicitly enumerated in the U.S. Constitution, nor in the Bill of Rights, nor in any subsequent amendments. However, over the course of the past few decades, the Supreme Court has increasingly recognized that the right to privacy is implicit in the Fourth Amendment of the U.S. Constitution.22 As more cases have come before the Court, the precise scope of the right to privacy alternately expands and contracts, depending in large part on the particular fact pattern and the type of privacy at issue.23
Discussions of privacy in computer-related cases have focused primarily on the invasion of privacy due to searches and seizures.24 While the Supreme Court has yet to rule on this issue, it is probable that existing legal standards will be modified to apply to computer-related crimes.25 Courts are still struggling to determine exactly what standards pertain to those crimes uniquely affected by technological advancements and how those standards will be applied. It is difficult to identify any particular trend, primarily because decisions vary according to the depth of the judges' understanding of the pertinent technology. Those judges who demonstrate a significant grasp of the nature of new technologies tend to include in their decisions a clear rationale for their analysis; those who have difficulty understanding the new technologies rely on the old familiar rules and may blindly apply them to new situations.
The Katz standard has been applied to cyberspace-related situations to determine whether an unconstitutional infringement of privacy occurred.26 This standard bases the level of protection afforded to the right of privacy upon a two-prong expectation standard. According to the Katz standard, the Fourth Amendment protects people based upon an objective reasonable expectation of privacy, and a subjective expectation of privacy.27 The ultimate question asked when applying the Katz standard is whether the individual making the claim has a legitimate expectation of privacy in the invaded place.28 The Maxwell case affirmed both that standard and its application to cyberspace cases.29
After evaluating what legal standards apply to cyberspace privacy issues, the question becomes what relevance that has to GTME and the current proposal. Since Laos is a communist country, GTME will probably need to ensure some form of control over access to the Internet in order to obtain permission to establish an ISP. This can be done in a number of ways, foremost being the restriction of Internet access to certain pre-approved sites. Which sites are authorized for an account to access is likely to vary depending on the particular account.30 Although unlikely to succeed in the long-run due to the vast and amorphous nature of the 'Net, such governmental censorship should prove sufficient to appease the Laotian government and provide a window of opportunity for GTME to establish a presence in the country.
Determining what methods are permissible to determine who has access to which sites invokes not only the Fourth Amendment right to privacy, but also the First Amendment's freedom of speech and the Fourteenth Amendment's due process requirements. The right to privacy applies to this situation because the government would be acting to determine what material it is and is not permissible to access, even in the privacy of one's own home.31 Such censorship clearly violates the First Amendment.32
Congress is still deciding how to balance the need to protect children from indecent material on the Internet with privacy interests. Two bills were introduced to the House in 1997 which require Internet Service Providers to offer filtering software. HR 774: Internet Freedom and Child Protection Act of 1997 was introduced by Rep. Lofgren (D-CA) on February 13, 1997. HR1180: Family-Friendly Internet Access Act of 1997 was introduced by Rep. McDade (R-PA) on March 20, 1997. Both bills were referred to the Committee on Commerce and then to the Subcommittee on Telecommunications, Trade and Consumer Protection.
The United States government has for some time restricted the exportation of cryptography technology under an approach known as the Munitions Rule. In essence, that approach classifies encryption software as military or defense articles which are subject to export restrictions. The International Traffic in Arms Regulations (ITAR) regulates the export of such articles by including them on the United States Munitions List.33 Items on the Munitions List may be exported, but only if a license is obtained to do so.34 All cryptographic systems and software were included on the Munitions List, and as recently as early 1997, those restrictions were still enforced by the Commerce Department and the Justice Department. The Commerce Department was authorized to limit the strength of encryption that can be exported from the United States; the Justice Department was able to review any export license application.35
The history of encryption software offers some insight into the government's rationale. Traditionally, governments developed and used encryption software to protect extremely sensitive intelligence information.36 That information was frequently military-related, or at least sensitive information to which access was carefully restricted. If individuals or companies were permitted to export encryption technology, the risk existed that some unauthorized entity could use that exported technology to break the government's encryptions. Since that would result in a threat to national security, encryption software and technology was restricted and treated as dangerous munitions.37
As the state of the world has shifted from the Cold War mentality to one of globalization, so too have the uses of cryptography. No longer is the government automatically the entity most dependent on encryption. Businesses and multinational corporations encode important information to prevent competitors from gaining access to secret plans or strategies. Corporations are not alone in their use of cryptography. With the explosion of the World Wide Web and increased Internet access, the application of encryption to everyday life has steadily increased.
According to the National Research Council, cryptography has four major uses: ensuring data integrity, authenticating users, facilitating non-repudiation (the linking of a specific message with a specific sender), and maintaining confidentiality.38 It has also become an active discipline within the academic world of applied mathematics.39 Applications of cryptography focus on protecting privacy of users, from personal messages via e-mail, transactions at ATM machines, and electronic commerce on the Internet. The stronger encryption software available, the better the protection afforded to users.
The traditional munitions approach disadvantaged American security software manufacturers. Software companies were required either to develop weak forms of encryption software that would pass the government's export restrictions or develop different forms for domestic and international markets. Those companies who developed software for international markets were at a competitive disadvantage since software developers from other countries did not necessarily have similar restrictions limiting their software.40 In fact, the U.S. policy was said to be "export jobs, not cryptography."41
Businesses were not the only ones disturbed by the Munitions Rule. Scholars, Web afficionados, and even the average consumer would benefit from reduced encryption restrictions. With the increase in communications technologies susceptible to interception, encryption provides the elevated level of security that consumers require to conduct their lives without worrying about who is listening. Consumers also benefit from encryption when using digital commerce, including transactions on the Web, digital signatures, and electronic cash. For example, "[m]ost experts agree that the chances of having your credit card number swiped from a computer on the Internet are lower than having money stolen from your home by a burglar.... In reality, the digital encryption found in leading Web browsers makes online shopping safe for most people."42
Just as courts have had to cope with technology modifying privacy issues, so have courts struggled to evaluate encryption export restrictions in a globalized world that increasingly relies on encryption. Technology and its accompanying changes to our culture have to some extent outpaced the substantive law of the United States, resulting in some decisions that seem at odds with common sense, including the Applied Cryptography case. Recently, however, courts have recognized that the media information is contained in-printed or electronic-does not affect the constitutional protections afforded to all speech.43
The book Applied Cryptography by Bruce Schneier includes listings of encryption software source code, which technically render it subject to the export restrictions. The State Department reportedly authorized export of the book since it was in the public domain, and thus outside their jurisdiction. Floppy disks containing the exact same source code as the book, however, fell under the State Department's jurisdiction as a munition requiring a license to export.44 According to Philip Karn, this restriction was announced despite the fact that the same software had been available on an Internet site for over two years, and the Administration was aware of that site.45 Critics of the government's approach have pointed out that "the encryption horse has not only left the barn, it has been on a worldwide tour."46
The case of Daniel Bernstein v. United States Department of State directly challenged the constitutionality of the ITAR. The plaintiff, Bernstein, was a graduate student when he developed an encryption algorithm. He wrote a paper in English describing his algorithm and the mathematical theory behind it, and also wrote the encryption and decryption in source code.47 In 1992, Bernstein asked the State Department to determine whether his paper and his source code were controlled by the ITAR. The State Department decided that Bernstein's encryption algorithm was a defense article on the Munitions List, and therefore subject to licensing before he could export it.
Bernstein challenged the ITAR on the grounds that it violated his First Amendment rights to publish, teach and discuss his algorithm with other scientists.48 U.S. District Judge Marilyn Hall Patel found that source code is speech, and therefore protected under the First Amendment.49 In December of 1996, she further found that the licensing requirements of the ITAR as applied to source code violated the First Amendment.50
Shortly before the decision in Bernstein II, President Clinton issued an Executive Order transferring jurisdiction over export controls on civilian encryption products and related technology from the State Department to the Commerce Department, specifically to the Bureau of Export Administration.51 Rather than being placed on the Munitions List, encryption products are on the Commerce Control List under Export Administration Regulations (EAR).52 Critics claim that the jurisdictional transfer merely modified the label of encryption software from munitions to encryption items, without changing the substance of the law.53
The Commerce Department has updated regulations to reflect the new inclusion of encryption products on the Commerce List. Those updates include "a specific definition of export for encryption...software...which includes downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the United States, over wire, cable, radio, electromagnetic, photo-optical, photoelectric or other comparable communication facilities accessible to persons outside the United States, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code outside the United States."54 Discrepancies still remain, however, in the treatment of printed material and electronic material.55
After the transfer of encryption products from the Munitions List to the Commerce List, Bernstein filed an amended complaint challenging the constitutionality of the EAR as applied to encryption software. As Judge Patel pointed out, "[g]overnments may impose valid time, place and manner restrictions when they are content neutral, narrowly tailored to serve a substantial governmental interest, and leave open alternative channels for communication."56 Prior restraints to free speech, however, are presumptively unconstitutional;57 licensing schemes may serve as prior restraints.58 In order for a prior restraint licensing scheme to be valid, it should follow three procedural safeguards.59 The Court in FW/PBS examined a licensing scheme using the following safeguards from Freedman: 1) any restraint prior to judicial review can only be imposed for a brief and specified time period during which the status quo prevails; 2) expeditious judicial review must be available; and 3) the censor must bear the burden of going to court to suppress speech and once there bears the burden of proof.60
The District Court in Bernstein II had examined the ITAR and found it to effect "an unconstitutional prior restraint on speech due to inadequate procedural safeguards."61 Bernstein in his amended complaint contended that the EAR suffered the same defect. Judge Patel found that to be the case, and said so quite clearly.
The new regulations are directed quite specifically and "by their terms" to an entire field of applied scientific research and discourse.... [W]hile the export of a commercial cryptographic software program may not be undertaken for expressive reasons, that same activity-indisputably regulated under the EAR-is often undertaken by scientists for purely expressive reasons. By the very terms of the encryption regulations, the most common expressive activities of scholars-teaching a class, publishing their ideas, speaking at conferences, or writing to colleagues over the Internet-are subject to a prior restraint by the export controls when they involve cryptographic source code or computer programs. In the field of applied science ideas are not just expressed in abstract, theoretical terms, but in precise applications. Those applications are subject to licensing under the encryption regulations and are excluded from the exemptions for fundamental research and educational information. This is precisely the kind of law identified in Lakewood that risks self-censorship on the part of those that must apply for licenses and censorship on the part of the decision maker.62
The EAR had maintained a distinction between printed and electronic material, as mentioned above. Judge Patel characterized that as an "irrational" distinction "that makes little or no sense," particularly since printed material can be scanned or converted into useable source code.63 The defendants attempted to defend the distinction by explaining that to convert encryption code from print form to a working product required a certain level of skill, but the court was "somewhat confounded by this explanation."64 Those who are most likely to pose a threat to national security, and thus justify the regulations, are those who are the most willing to devote significant amounts of time and resources to doing so. Restricting the export of electronic material while allowing export of the same information in a printed form actually defeats the purpose of the regulation.65 Furthermore, the Supreme Court recently indicated that the Internet-the epitome of information in electronic form-is subject to the same First Amendment protections as print media.66
Although Bernstein III seems to indicate that encryption export regulation is unconstitutional as currently approached, the District Court declined to issue a nationwide injunction prohibiting the enforcement of the EAR licensing requirements for encryption products. Instead, the District Court held that the injunctive relief should be narrow pending appeal, because the legal issues were "novel, complex, and of public importance."67 Therefore, the Commerce Department68 was enjoined from enforcing the regulations against the plaintiff or against anyone who seeks to use, discuss or publish plaintiff's encryption program.69
Recently, industry concern and public opinion has caused a re-consideration of the government's approach to encryption software. As Senator Trent Lott explained on October 21, 1997:
While we are restricting our own international commerce, foreign companies are now manufacturing and selling stronger, more desirable encryption systems...anywhere in the world they want. Clearly, our policy doesn't make sense. Just as clearly, our export policies on encryption have not kept up to speed with either the ongoing changes in encryption technology or the needs and desires of foreign markets for U.S. encryption products.70
Senator Lott is not alone in recognizing the need for a change, nor is he the first politician to publicly express the need for new legislation.
In the spring of 1997, Congress considered three proposed bills dealing with encryption. The Security and Freedom through Encryption Act (SAFE), Encrypted Communications Privacy Act (ECPA), and the Promotion of Commerce On-line in the Digital Era (Pro-Code). Originally, the administration "maintained its need for access to encrypted communications in order to thwart the four horsemen of the Internet apocalypse-the money launderer, the drug dealer, the child pornographer and the international terrorist."71 Over time, that insistence has faded and the administration's policy has been more amenable to loosening export restrictions. The preference still exists, however, for some system that would permit the government to recover any matters encrypted with the stronger level of encryption allowed for export.
The SAFE bill was originally proposed in 1996, and re-introduced in 1997. It addresses three major concerns: in-country restrictions, use of encryption in criminal acts, and exportation of encryption software. SAFE would prohibit government restrictions on encryption used by U.S. citizens, and relax export restrictions on generally available software unless such restrictions are justified. Justification requires evidence that "such software will be (A) diverted to a military end-use or an end use supporting international terrorism; (B) modified for military or terrorist end-use; or (C) re-exported [without required authorization]."72 The bill does not eliminate export authorization requirements, but significantly relaxes restrictions. It also addressed concerns about criminal application of encryption software by providing additional penalties for use of encryption in the commission of a crime.
Also proposed in 1997, the ECPA would guarantee the right to use any strength of encryption domestically. It resembled the SAFE Act in that it would prohibit government requirements of a key recovery program, relax export restrictions, and increase penalties for criminal application of encryption software. However, the ECPA addressed an additional issue: guidelines to be followed when there is a voluntary disclosure of an encryption key to an escrow agent. It included penalties for unauthorized disclosure by that agent, and outlined a procedure that law enforcement personnel should follow if access to that key was necessary.73
The third major bill introduced in 1997 addressing the issue of cryptography was the Pro-CODE bill. It is similar to a bill introduced in 1996 under the same name. The Pro-CODE bill prohibits the government from enacting any encryption policy for any users other than the government. It also differs from the other two in that it does not increase penalties for use of cryptography in the commission of a crime. Furthermore, it proposes "the creation of an information security board to foster coordination between government and industry, and to collect and disseminate non-proprietary information about cryptography."74 There is a significant distinction between Pro-CODE and the other two bills introduced in early 1997; this bill prohibits the export of encryption products not only in the circumstances described above, but also if evidence exists that the encryption product will be used to evade enforcement of U.S. law or taxation by the United States.75
The conflicting interests of law enforcement and computer industries is at the center of the complicated debate over encryption regulation. Some prefer increased industrial freedom, while others focus on law enforcement concerns. This debate has resulted in two distinctly different possibilities being pursued by the House of Representatives and the Senate. The House has been working on the SAFE Act since its introduction in early 1997. The Senate has been considering the Pro-CODE bill, along with a few other proposals, although the Senate has not yet focused on encryption as much as the House has.
The SAFE Act would loosen existing regulations, and prohibit mandatory key escrow. The philosophy behind this bill is that prevention is the best method of deterring criminal behavior. If stronger versions of encryption were available, electronic criminals would find their work more difficult. Rep. Bob Goodlatte (R-Va.), the sponsoring representative, told a House subcommittee in May: "If an ounce of prevention is worth a pound of cure, then an ounce of encryption is worth a pound of subpoenas."76
The bill has already survived months of examination, and the scrutiny of several House committees. It has been through the Committee on Commerce, the Select Committee on Intelligence, the Committee on National Security, the Committee on International Relations, the Committee on the Judiciary, the Subcommittee on International Economic Policy and Trade, the Subcommittee on Courts and Intellectual Property, and the Subcommittee on Telecommunications, Trade, and Consumer Protection. A few changes have appeared, but it is recognizably the SAFE Act proposed by Rep. Goodlatte and 54 of his colleagues.
On September 24, 1997, the House Commerce Committee rejected amendments that would have required a mandatory key escrow in all encryption systems in the U.S.; instead, the committee approved a proposal that would double penalties for criminal use of cryptography and create a new FBI center for surveillance.77 The House Judiciary Committee has also approved the bill.78 Although software companies and the cryptography industry, civil liberties groups,79 and members of the scientific community80 have all expressed concern over the proposal approved by the Commerce Committee, various interest groups are uniting in support of the SAFE Act's overall approach to encryption export regulation, making the SAFE Act the forerunner in cryptography legislation.81
The House has also been considering the Computer Security Enhancement Act of 1997 (CSEA). This bill was sent to the House Science Committee, and addresses concerns raised by the current encryption legislation debate. It does not effect export regulations; rather, it would "enhance the ability of the National Institute of Standards and Technology (NIST) to improve computer security."82 To meet this goal, the CSEA outlines the role the NIST should play in dealing with the application of cryptography to government use, in assessing encryption products available outside the United States, and in establishing a voluntary public key management infrastructure.
The CSEA reacts to the current encryption export debate by asserting that "[f]ederal policy for control of the export of encryption technologies should be determined in light of the public availability of comparable encryption technologies outside of the United States in order to avoid harming the competitiveness of United States computer hardware and software companies."83 Therefore, it indicates that the NIST should research issues and assess current technology, particularly the status of key management infrastructures.84 Essentially, the CSEA affirms the importance of the NIST and clarifies what its role should be in helping the government adapt to changing technologies. According to the Electronic Privacy Information Center, the measure would help restore public confidence in decision-making on technical standards by federal agencies.85
The ECPA quickly faded from the scene, leaving the Pro-CODE bill in the Senate to wrestle with the conflicting goals of the administration and various civil liberties groups. The Pro-CODE's strict stance on the criminal use of cryptography and its key escrow encryption requirement were not the only provisions to stir debate. In particular, the Pro-CODE's "evasion of law enforcement and taxation" export restriction was viewed as an extension of current law.86 However, the Senate Commerce Committee defeated the bill in May.
The forerunner in the Senate is now the Secure Public Networks Act (SPNA), introduced on June 17 by Sens. John McCain (R-Ariz.) and Bob Kerrey (D-Neb). The Senate Commerce Committee approved the SPNA two days after its introduction. Although it has yet to be formally reported by the Senate Commerce Committee, indications are that the Senate will address the SPNA when Congress reconvenes in January.87 This bill maintains a limit on the strength of encryption that can be exported without a license, but allows the export of stronger encryption if a key recovery system is included in the product. The administration has backed the SPNA since it supports export restrictions and establishes a key recovery infrastructure, both of which are high on the administration's encryption policy wish list. An amendment to the original bill calls for the establishment of an advisory board, consisting of four industry representatives and officials from the National Security Administration, the FBI, the CIA, and the Office of the President.88
Previously, the emphasis has been on exported encryption technology. However, the FBI has stepped in and advocated a series of new mandatory controls on the domestic sale and use of encryption products.89 Louis Freeh, director of the Federal Bureau of Investigation, in 1996 testified before members of the Senate Judiciary Committee and the Senate Committee on Commerce, Science, and Transportation. He told the Commerce Committee that "the law enforcement community fully supports a balanced encryption policy that satisfies both the commercial needs of industry and law abiding individuals for robust encryption products while at the same time satisfying law enforcement's public safety needs."90 Freeh also pointed out that national security and public safety are not necessarily incompatible with societal and industrial concerns over privacy, information security, and electronic commerce. As he explained, however, "it would be irresponsible for the United States, as the world's technology leader, to move towards the adoption of a national policy that would knowingly and consciously unleash on a widespread basis unbreakable, non-key escrow encryption products that put citizens in the U.S. and worldwide at risk."91
The SPNA is made to order for the FBI; it contains new domestic encryption controls which grant the FBI's request for immediate access capabilities. Under a third-party key escrow infrastructure, the key to decrypting information would be protected, but accessible to law enforcement officials who follow proper procedural safeguards such as obtaining a search warrant.
The concern over export restrictions still exists. The question is which school of thought will prevail: one supported by the industry, resulting in relaxed restrictions, or one supported by the administration and law enforcement, resulting in a key management system? The vocal presence of the FBI is a new element in the cryptography debate which serves to highlight the difference between the wants of the industry and the needs of law enforcement. To be competitive, the computer industry needs to be able to develop and market strong encryption technology. To catch criminals, law enforcement officials would like to be able to access encrypted information.
The debate between the interests of the industry and law enforcement is illustrated by discussion in the Senate. First, Freeh set forth the FBI's position advocating a key management infrastructure for domestic as well as exported encryption technology; in 1997, the FBI followed through with a proposal advocating domestic controls on cryptography. Sen. Lott responded to the FBI's proposal, pointing out that there have never been domestic restrictions on encryption technology, and asserting that such restrictions would be unconstitutional.92 Furthermore, the technology required to establish such a system does not exist, according to Sen. Lott's research.93
Only time will tell which faction will control Congress. The House appears to favor the SAFE approach, modifying export restrictions to allow stronger encryption technology to be exported. Since the Senate has not directly addressed the SPNA, it is difficult to predict the outcome. The "balanced" approach that both sides claim to want does yet not exist; somehow a compromise will have to be reached. At this point, however, it seems likely that export restrictions will be relaxed and some type of voluntary key management infrastructure established.
While difficulties may exist in entering the Laotian market, the opportunities afforded by a joint venture with Visa are sufficient to make the challenge worth it. Getting in on the groundwork of the emergence of Southeast Asia into a growing international information economy is the chance that GTME needs to continue to be an intenternational power.
While the debate over the regulation of encryption technology rages, the Supreme Court's decision in Reno v. ACLU and the Bernstein III case indicate that the First Amendment protects electronic communication. Therefore, prior restraints such as those currently imposed by export restrictions are unconstitutional. Congress should adapt its legislation to reflect the new decisions; however, the division between the industry and the law enforcement positions will prevent effective cooperation in the near future. At this point any predictions of the final outcome are mere guesses without an understanding of the intricacies of the current Congress. The most logical approach is that embodied in the SAFE Act, relaxing export restrictions that have been found unconstitutional anyway.
Whatever the outcome of the encryption legislation debate, it will not immediately affect the proposed joint venture in Laos. The Clinton administration has already approved export of stronger encryption technology than previously permitted, and all legislation under consideration maintains that at least that level of exportable encryption. For the time being, that level of encryption should be sufficient, particularly since we will be dealing with a developing country that is unlikely to have produced affective hackers. If it should become necessary, we can always obtain stronger encryption software from other countries; after all, there is no regulation of the importation of encryption technology.
1 WORLD ALMANAC 791 (1997).
2 16 ENCYCLOPEDIA AMERICANA 739 (1982).
3 Id.
4 Id.
5 Id.
6 ENCYCLOPEDIA AMERICANA, supra note 2.
7 Id.
8 WORLD ALMANAC, supra note 1.
9 Id.
10 Id.
11 ENCYCLOPEDIA AMERICANA, supra note 2.
12 Id.
13 WORLD ALMANAC, supra note 1.
14 Id.
15 See Lao People's Democratic Republic Embassy Homepage, Foreign Investment Management Committee, Policy Guidelines For Foreign Investment In the Lao People's Democratic Republic (visited Oct. 2, 1997)(hereinafter Policy Guidelines) <http://www.laoembassy.com/news/policy.html>.
16 Visa Expo: Visa Worldwide, (visited March 18, 1997) <http://www.visa.com>.
17 Id.
18 Visa Expo: Visa Worldwide: NCB and Visa Launch Contest To Develop Internet Web Site For Secure Electronic Commerce Project (article dated February 20, 1997) <http://www.visa.com>.
19 Id.
20 See Lao PDR Embassy Homepage, How To Do Business With Laos: A Guide to trade and investment 1996-1997 (visited October 31, 1997) <http://www.laoembassy.com>
21 See Policy Guidelines, supra note 15.
22 Professor Jean Love, Lectures at the University of Iowa College of Law: Constitutional Law II (Summer 1996).
23 Id.
24 See United States v. Maxwell, 48 M.J. 568 (United States Air Force Court of Criminal Appeals, April 28 1995) (Col. Maxwell's computer files containing child pornography were obtained from America On Line, leading to his conviction for service-discrediting misconduct; when he appealed, the existing search and seizure standards were applied to "cyberspace" searches to uphold his conviction.), reprinted in NICHOLAS JOHNSON & DAVID LOUNDY, LAW OF ELECTRONIC MEDIA IN A CYBERSPACE AGE (forthcoming in 1998).
25 Id.
26 Katz v. United States, 389 U.S. 347, 88 S.Ct. 507 (1967), reprinted in JOHNSON, supra note 24.
27 Id.
28 See Id.; United States v. Jacobsen, 466 U.S. 109 (1984); Oliver v. United States, 466 U.S. 170 (1984).
29 Maxwell, supra note 24.
30 A system that would meet those criteria could be modeled after "white" censorship programs that restrict access on school accounts to certain approved sites.
31 This may be comparable to U.S. restrictions regarding pornography, in which possession of pornographic material in the home is legal, but purchasing, selling and transporting it is not.
32 Remember the Communications Decency Act? That was a similar attempt to regulate what portions of the Internet were approved for public consumption. After significant portions of the CDA were found to be unconstitutional, Congress returned to the drawing board.
33 22 U.S.C.A. 2778(a)(1).
34 22 U.S.C.A. '2778(b)(2).
35 Dan Pacheco & Michael Whitney, Encryption for the Rest of Us (visited April 18, 1997) <http://www.washingtonpost.com/wp_srv/tech/analysis/encryption/encrypt.html>.
36 JOHNSON, Chapter 12, supra note 24.
37 One might wonder why the government restriction was so broad-based and not limited to the exportation of software and technology it used. However, enforcing a specific restriction would indicate which technologies were currently in use and defeat the purpose of restricting the flow of encryption. Furthermore, encryption developed by a society is usually reflective of that society; each piece of software or technology available to the "enemy" would combine to expand its understanding of the societal approach to encryption. Consequently, an enemy would have an easier time of cracking the encryption in use by the government.
38 Daniel Bernstein v. United States Dept. of State, No. C-95-0582 MHP, 1997 WL 530866, at *1 (N.D.Cal., Aug. 25, 1997) (hereinafter Bernstein III), citing Tien Decl., Exh. E, National Research Council, National Academy of Sciences, Cryptograph's Role in Securing the Information Society C-2 (Pre-publication Copy, May 30, 1996).
39 Bernstein III, supra note 38, at *2.
40 Philip Karn, Written Testimony Before the House Judiciary Committee, Subcommittee on Courts and Intellectual Property (dated March 20, 1997) (hereinafter Written Testimony) <http://people.qualcomm.com/karn/export/housewritten.html>.
41 David Loundy, Congress scrambles to address encryption issues, CHI. DAILY L. BULLETIN, March 13,1997, at 5 (visited April 18, 1997) <http://www.loundy.com/CDLB/3Encryption_Bills.html>.
42 Pacheco, supra note 35.
43 See Reno v. American Civil Liberties Union, ---U.S.---, 117 S.Ct. 2329, 138 L.Ed.2d 874 (1997).
44 Philip Karn, Statement Before the House Judiciary Committee, Subcommittee on Courts and Intellectual Property (dated March 20, 1997) (hereinafter Statement) <http://people.qualcomm.com/karn/export/houseoral.html>.
45 Id. The Internet site is based in Italy at <ftp://idea.dsi.unimi.it/pub/security/crypt/applied-crypto/>.
46 Written Testimony, supra note 40.
47 Source code, written in a computer programming language, is only one step away from actual implementation of a program. Once the source code is converted into a binary version called object code, a computer can read that object code and perform the encryption and decryption.
48 See Bernstein v. United States Dept. of State, 922 F.Supp. 1426 (N.D.Cal.1996) (hereinafter Bernstein I).
49 Id. See Written Testimony, supra note 40; Bernstein III, supra note 38, at *22 n. 20.
50 Bernstein v. United States Dept. of State, 945 F.Supp. 1279 (N.D.Cal.1996) (hereinafter Bernstein II).
51 Exec. Order No. 13026: Administration of Export Controls on Encryption Products, Nov. 15, 1996; see also Written Testimony, supra note 40.
52 15 C.F.R. 730 et seq. (1997).
53 Written Testimony, supra note 40.
54 Bernstein III, supra note 38, at *4.
55 Compare 15 C.F.R. '734.3(b)(2) (exempting printed material that sets forth encryption source code from the EAR) with '734.3(b)(3) (explicitly including encryption source code in electronic form as subject to the EAR).
56 Bernstein III, supra note 38, at *14.
57 Organization for a Better Austin v. Keefe, 402 U.S. 415, 419, 91 S.Ct. 1575,1578, 29 L.Ed.2d 1 (1971), cited in Bernstein III, supra note 38, at *14.
58 Bernstein III, supra note 38, at *14, citing FW/PBS, Inc. v. Dallas, 493 U.S. 215, 110 S.Ct. 596 (1990).
59 Freedman v. Maryland, 380 U.S. 51, 58, 85 S.Ct. 734, 738 (1965).
60 Id. at *15, citing FW/PBS, 493 U.S. at 227, 110 S.Ct. at 605-06.
61 Bernstein III, supra note 38, at *15.
62 Id., at *16.
63 Id., at *17. See also Bernstein II, supra note 50, at 1291 n. 10.
64 Bernstein III, supra note 38, at *17.
65 Id.
66 Reno v. ACLU,supra note 43.
67 Bernstein III, supra note 38, at *21.
68 Other defendants, including the CIA the Departments of Energy and Justice, were dismissed because they only serve in an advisory capacity. The Secretary of State was also dismissed since the State Department was no longer involved with the applicable regulations.
69 Id., at *21-22.
70 Senator Trent Lott, Address to U.S. Senate (October 21, 1997) <http://www.cdt.org/crypto/legis_105/971021_lott.html>.
71 Loundy, supra note 41.
72 Security and Freedom Through Encryption Act, HR 695, 105th Cong. (1997). The text of the bill can be found on WESTLAW cited as 1997 Cong US HR 695. 73 Encrypted Communications Privacy Act of 1997, S 376, 105th Cong. (1997). It was introduced by Sen. Leahy (D-VT) on February 27, 1997, and referred to the Senate Committee on Judiciary. Electronic Privacy Information Center, EPIC Online Guide to 105th Congress Privacy and Cyber-Liberties Bills (last updated July 10, 1997) <http://www.epic.org/privacy/bill_track.html>.
74 Loundy, supra note 41.
75 The Pro-CODE bill would both relax export controls on cryptography and create a secret Information Security Board that would give law enforcement agencies special access to the development of new plans for privacy enhancing techniques. It was introduced by Senator Burns (R-MT) on February 27, 1997, and referred to the Committee on Commerce. Hearings were held on March 19, 1997. Electronic Privacy Information Center, EPIC Online Guide to 105th Congress Privacy and Cyber-Liberties Bills (last updated July 10, 1997) <http://www.epic.org/privacy/bill_track.html>.
76 Elizabeth Corcoran, Who Will Hold the Key? Two Bills Reflect the Split Over Restrictions, WASH. POST, Aug. 4, 1997, at F15 (visited Oct. 31, 1997) <http://www.washingtonpost.com/wp-srv/tech/analysis/encryption/issues.html>.
77 Electronic Privacy Information Center, Recent Crypto News and Documents (last modified Sept. 24, 1997) (hereinafter Crypto) <http://www.epic.org/crypto/>.
78 Bill Summary & Status for the 105th Congress: SAFE Act (visited Oct. 31, 1997) <http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.695>.
79 EPIC, An Open Letter to Members of the House Commerce Committee (dated Sept. 24, 1997) <http://www.epic.org/crypto/legislation/oxley_amendment_letter.html>; Internet Privacy Coalition, Coalition Letter on SAFE Encryption Legislation (H.R. 695) (dated Apr. 28, 1997) <http://www.privacy.org/ipc/safe_letter.html>.
80 Scientific Societies Letter on Crypto Restrictions (dated Sept. 24, 1997) <http://Info.acm.org/usacm/crypto/societies_crypto_letter_1997.html>.
81 See supra notes 79 & 80.
82 Computer Security Enhancement Act of 1997, HR 1903, 105th Cong. (1997). The text of the bill can be found on WESTLAW cited as 1997 Cong US HR 1903.
83 Id. 2 (a)(5).
84 For a criticism of key management infrastructures, see Hal Abelson, et al, The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption: Final Report, (dated May 27, 1997) <http://www.crypto.com/key_study/report.html>.
85 Crypto, supra note 77. The EPIC testified before the House Science Committee. The testimony of EPIC Advisory Board Member Peter Neumann is located on-line at <http://www.csl.sri.com/neumann/judiciary.html>.
86 Loundy, supra note 41.
87 Center for Democracy & Technology, Senate Majority Leader Trent Lott(R-MS) Criticizes FBI Domestic Encryption Control Proposal (posted Oct. 23, 1997) <http://www.cdt.org/crypto/legis_105/lott.html>.
88 Senate Committee Approves Encryption Bill, 16 No. 14 Banking Pol'y Rep. 9 (July 21, 1997).
89 Lott, supra note 70.
90 Louis J. Freeh, Statement before the Committee on Commerce, Science, and Transportation, United States Senate (dated July 25. 1996) <http://www.crypto.com/events/072596/freeh.html>.
91 For the full testimony supporting a key escrow policy, see Id.
92 "Where is probable cause? Why has the FBI assumed that all Americans are going to be involved in criminal activities? Where is the Constitution?" Lott, supra note 70. For an answer to Sen. Lott's questions, consider the words of H.L. Mencken: "It is the invariable habit of bureaucracies, at all times and everywhere, to assume...that every citizen is a criminal. Their one apparent purpose, pursued with a relentless and furious diligence, is to convert the assumption into a fact. They hunt endlessly for proofs, and, when proofs are lacking, for mere suspicions. The moment they become aware of a definite citizen, John Doe, seeking what is his right under the law, they begin searching feverishly for an excuse for withholding it from him." Quoted in Phil Karn, Privacy and Security (last modified Jul. 28, 1997) <http://people.qualcomm.com/karn/privacy.html>.
93 Lott, supra note 70.
Return to Cyberlaw Home Page and Contents
Return to Nicholas Johnson Home Page