Encryption - Recent Developments In Japan

By Stewart Baker (sbaker@steptoe.com)

Japanese policy toward encryption continues to develop along several not-entirely-parallel tracks.

Industrial Policy. MITI's interest in cryptography as a building block of industrial policy continues to be strong. MITI's information-technology Promotion Agency has established a new security center to deal specifically with encryption issues. And MITI is encouraging algorithm research, including university research on elliptic curve encryption. Most of the $300 million set aside by the Japanese government for encryption and electronic commerce research has been spent or obligated. Future levels of funding are not known.

Export Controls. In the area of export controls, however, there has been a tightening during the last year. Japanese export controls distinguish between highly sensitive exports (those with mainly military uses) and sensitive exports that could have military uses but may also have non-military uses. Sensitive technologies are usually the subject of a general license allowing more or less untrammeled exports to most friendly and developed markets - the United States, other NATO countries, and the like. Individual or validated licenses are not required for such technology.

Until recently, Japan has treated encryption as a sensitive but not a highly sensitive technology - i.e., as technology with both military and commercial applications. Thus, exports to allies have not required validated licenses. Within the past year, this practice has changed. Despite its extensive commercial application, Japan now treats encryption as an exception to the usual rule for such products and requires a validated license for all encryption exports no matter what the destination. This of course brings Japanese practice more closely into line with U.S. practice.

Japan does not have written standards for what encryption export licenses will be granted and what licenses will be denied. Unlike the United States, there are no hard-and-fast key-length triggers. The decision is more discretionary, but no doubt key length, algorithm, and expected use all play a role. There are reports that the Japanese government is more likely to allow exports of cryptographic technology where the cryptography is used only for authentication or where a limited number of fields are encrypted, such as in SET or other financial applications. Because the criteria are not published or publicized, these policies can only be approximated and they may change without notice.

Law Enforcement. Finally, the debate over law enforcement and encryption seems to have had a surprising fall-out in Japan. The Justice Ministry has proposed, for the first time, a statute authorizing wiretaps of Japanese nationals.

Despite persistent reports to the contrary, Japanese officials have wiretapped Japanese nationals in the past. Nonetheless, such taps remain quite rare. Courts have reviewed the few wiretaps that have taken place and have treated the taps as legally authorized despite several constitutional provisions that might be thought to restrict or prohibit it, including Article 21(2) protecting the secrecy of communications, Article 13 requiring respect for individuals and the public welfare, and Articles 31 and 35 regarding due process and protection of residences and conditions for search and seizure.

The courts have approved wiretaps where necessary to permit the government to verify evidence of certain felonies. One legal scholar gave an oral example of the circumstances in which taps have been approved. A yakuza (organized crime) gang once established dedicated lines for placing orders for illegal drugs via answering machine. Yakuza members would call the answering machine, place an order, and call back later to receive an indication of where the drugs could be found. The police spent years trying to identify the dealer who was running this remote distribution arrangement. After several years, they were able to demonstrate to a court that the ring could only be broken by tapping the line. They were given authority to tap it for a total of two days.

Evidently hoping to expand somewhat this authority, the Judicial Advisory Committee's criminal division recommended in July that a law be enacted regularizing wiretaps. The statute resembles U.S. procedures but is somewhat stricter on all counts. Wiretaps would be authorized only in the event of serious felonies -- those that carry a life sentence or are particularly serious, such as kidnapping, drugs, and weapons crimes. The police must establish that there is a high likelihood that the communications relate to crimes, and they must persuade the court that there is no other means for collecting evidence in this matter. If the police succeed in meeting this standard, they may obtain a warrant to conduct a tap for ten days or less as determined by the warrant-issuing Judge. The tap may be extended for up to 30 days thereafter.

In general, legislation is enacted if it is supported by the Japanese government, as this proposal is. But this proposal will generate considerable controversy. The outcome of that controversy may ultimately shape the Japanese position on key recovery. Currently, the Japanese government remains resolutely neutral on the topic of key recovery, neither supportive nor antagonistic toward the use of key recovery techniques. Japanese industry, meanwhile, continues to see value in key recovery, at least for private sector and corporation encryption of stored data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For further information please contact L. Benjamin Ederington on Tel: + 202-429-6411, Fax: 202-429-3902 or E-mail: bedering@steptoe.com