Cryptography Legal Issues

Hello everyone. I am a law student in the United States, and I work on my school's Law Review, which is an academic legal publication. We are required to write an article on an unresolved legal issue, and Cryptography seems like it could possibly present some novel legal issues.

I was wondering if anyone is curious about any other legal issues that Cryptography presents. It would help me find a topic my article, and provide this community with any legal information I come across.

I have done a fair amount of preliminary research into the subject, so if you have any legal questions that I am familiar with, I'll do my best to answer them.

Keep in mind that I'm restricted to writing about US law. Any and all suggestions/comments/questions are appreciated.

Edit: Also, please keep in mind that I possess only a basic knowledge of how Security and Cryptography actually work, so you'll have to take that into account.

Until the 90s, cryptography was classified as a munition in the US export control list. Therefore, exporting crypto software was almost verboten in those times. While some restrictions were loosened in the 90s, there are some restrictions even now on exporting crypto software to rogue nations and organizations and mil-grade cryptography still requires a munitions export license.

I'm curious about the subject as far as knowing what the legal issues are currently myself. Mainly, if I was to write some C code routines that implemented (say) 128-bit or 256-bit encryption, would I need special permission to publish that code on my web-page (as there seems to be restrictions on crypto > 64-bit and something about notifying the BIS). Does it apply even to well-known algorithms that can be found in textbooks.

Practical cryptographic schemes are defined as "computationally secure" -- meaning that they are designed (and this is a necessity in order to make practical, usable encryption schemes) to have a negligible (extremely, extremely small) chance of being broken by an attacker. I have absolutely no background in cyber security law, but you may be want to look into the liability of someone (say, a cyber-security company) who correctly implements a cryptographic scheme that happens to be broken, compromising their clients' data.

Also, you could look into liability for a business who incorrectly implements a cryptographic scheme although I suppose that would be something along the lines of malpractice. I recommend looking into my first suggestion because even when a business is obsequious and implements a cryptographic scheme exactly correctly there is always a very, very, very, very small chance that someone could break the scheme by getting lucky. If that happens who's responsible?

Good luck!