Joi's Diary

Japan's cops are getting smarter, but only some of them.

I was on the National Police Agency (NPA) study group committee that put together the recent unauthorized access bill. In the past, MITI has done most of the security-related policy work, setting up, for example, JPCERT-the Japanese version of the Computer Emergency Response Team-charged with tracking vulnerabilities and problems, and managed by the Japan Information Technology Prom-otion Agency (IPA).

This failed to address the fact that Japan did not have a law making computer breaking and entering-or even theft of computer information-illegal. As MITI was dragging their feet, the NPA got bashed at the Birmingham Summit for being the only developed nation without such a law, so the NPA took the initiative and put together a team to draft the bill. The NPA, which gets bashed when it tries to show any leadership, needed more political support, and the agency-often at odds with the Ministry of Posts and Telecom-munications (MPT)-took the odd step of joining forces with the MPT to get the necessary political backing to push the bill through.

As the midnight oil burned over the drafting table, the MPT and NPA allowed the shocked-to-be-left-out MITI onto the team, and produced a rather unusual three-ministry draft bill signed off by MITI, the MPT, and the NPA. Although I was on the committee and opposed it rather vehemently, a provision to require ISPs to keep logs for the police was still in the NPA's final draft version. A combination of the MPT's privacy concerns and MITI's desire to keep busi-nesses unencumbered by extra costs helped remove this provision from the final bill, which was passed by the Diet on August 13 and will be effective as of February 13, 2000. Now that the police have a law to enforce, the NPA and the various police forces are ramping up their cybercop resources.

So, some of the cops are getting smarter-but some are still pretty stupid. I was recently asked by Mr. Makino, the head of the Internet Lawyers Conference, to testify as an expert witness in a case in Osaka. The case involved the trial of a young man who had written a piece of software called FLMASK. FLMASK was a clever tool that allowed certain parts of graphic images to be scrambled into mosaics. The tool also allowed people to remove the mosaics, and the graphic image creator could add a password if desired. Obviously, it's a great tool for people running porn sites. Hardcore images could be uploaded, casual viewers would see suitably censored pictures, and anyone interested enough could see the goodies (presumably upon payment of a fee). The police didn't like this technical workaround of the porn laws, so they decided that FLMASK or no, a porn site was a porn site. They also decided that even if the site was offshore, it didn't matter. To make their point, they arrested and convicted one Mr. Maekawa who was operating a porn site offshore using FLMASK. That was rather disturbing for me, but when the Osaka prosecutors went after the author of FLMASK for having a link from his Web page to Mr. Maekawa's site (a user of FLMASK), under the premise that a link constitutes the running of a nonphysical pornography establishment (in Japanese mutempo fuzoku eigyo-the regulations regarding what constitutes mutempo fuzoku eigyo were expanded to include pornography on the Internet in April), it all became much too strange for me. This would mean that anyone who linked to some other site would be held responsible for the content on the linked-to site. I went and spent several hours discussing with the court and the prosecutors how silly it was to say that a link constituted active distribution of content which, in the case of banned images, constituted accessory to a crime. The verdict will probably come in January 2000.

Next item on the Net security blotter was the Ministry of Justice's wiretap bill, clearing the Diet on August 12, likely as the result of pressure from the U.S. When the ACLU asked the CIA under the Freedom of Information Act whether they had been putting pressure on Japan regarding cryptographic or wiretapping policy, they received the standard "we can't tell you the answer," which usually means that they did (see my homepage for a copy of the CIA's letter).

What the Japanese Diet did not understand when deliberating the bill is that we are no longer in the days of analog wires, tapes, and headphones. We are in the age of link encryption, PGP, and secure phones. The wiretap bill talks about the interception of e-mail messages, but what it fails to address is what happens in the case of strong cryptography, which can't be cracked by the police. In the U.S., the National Security Agency (NSA) and the FBI have tried to ban strong crypto-it's very inconvenient when listening in on crooks' communications.

Japan does not have a spy agency per se, so no one here's been focusing on this issue, but the U.S. has been putting pressure on Japan for added leverage during domestic policy debates. I talked to various politicians about the risk of a wiretap bill forcing a restriction on cryptography, which would limit Japan's competitiveness in e-business. As everyone knows, cryptography is a key element in secure transactions. Any effort to restrict strong cryptography dramatically increases the cost and the risk associated with e-business, and will have a chilling effect. According to lawyer Makino, even though the bill passed, what was discussed in the Diet will have an effect on how the law is implemented. I spoke to several Liberal Democratic Party (LDP) members asking them to push the cryptography debate onto the floor, with no success. I gave a briefing to various Minshuto (ruling coalition) politicians about this subject and Mr. Toru Unno raised my question on the floor. I think the exchange went sort of like:

Q: What about cryptography?
A: (MITI guy) We will make our best effort to decipher the encryption. (Note: I don't think 'best effort' is good enough for most strong crypto.)
Q: Will you restrict the use of cryptography?
A: (MITI guy) No. We do not expect to restrict the use of cryptography at this time. (Although cryptography exports are already restricted on a regular basis.)

So, hopefully, this exchange will give us e-business cryptography users a head start when the police figure out that the wiretap bill doesn't help them in catching any criminal with a brain, because they will all be using PGP.