11 June 1998
Source: http://www.bsa.org/ceoforum/pdfs/key_escrow.pdf (317k)
Thanks to BSA
TABLE OF CONTENTS
1. Introductory Background1.1 Purpose
1.2 Assumptions and Limitations
1.3 Summary Findings
2. The Increasing Use of Encryption
3. Costs of Third-Party Key Escrow3.1 Based on Conservative Estimates, On Average, 89.2 Million People Will Escrow Encryption Keys Each Year3.1.1 Keys Held by Employees and Business Establishments
3.1.2 Keys Held by Home Users
3.2 Users Cost Will Average $1.7 Billion Per Year
3.3 Payments to Escrow Agents Will Average $6.0 Billion Per Year3.3.1 Escrow Services for Businesses Will Cost $4.2 Billion Per Year
3.3.2 Escrow Services for Households Will Cost $1.8 Billion Per Year
3.3.3 Annual Cost of Key Recovery Requests Will Average $12 Million Per Request
Despite the almost decade-long national debate about U.S. encryption policy and the FBIs repeated calls for back-door access to encrypted information, there has been no careful analysis of the cost of a government-inspired key escrow encryption system. In this report, Nathan Associates Inc., commissioned by the Business Software Alliance, provides one. As a result of this analysis, we now know that a government-driven key escrow encryption system is a very expensive proposition for American taxpayers and computer users. This expense must be weighed against the utility of such a system in the deliberations about U.S. encryption policy.
The main findings of the study are high-lighted below:
As anyone who follows this issue knows, U.S. encryption policy is very controversial. This study does not address the differences of opinion about whether a government-inspired key escrow encryption system is technologically feasible or whether criminals who want to avoid law enforcement will use it. The BSA continues to have reservations about the feasibility and ultimate merit of such a system. The high cost documented in this study only adds to their concerns.
In this digital age of encrypted electronic communications and stored data, governments are seeking ways to preserve a wiretapping capability (remote anonymous access) for law enforcement purposes. Encryption is based on mathematical procedures to scramble data so that it is extremely difficult if not impossible for anyone other than the authorized recipients to recover the original plaintext. Encryption is used to protect data and prevent crimes. Governments also are concerned that criminals will use encryption to conceal their communications and illicit data. Therefore, a government-inspired key escrow proposal floated among policymakers in the United States attempts to address the issue encrypted data and communications. The proposal requires computer users to keep the keys to their encrypted electronically-stored data and their encrypted communications with a government-approved third party (escrow agent).1 When appropriately requested by an authorized law enforcement official, the escrow agent would be required to reveal the key without notifying the encryption user, thereby preserving the ability of governments to secretly monitor electronically-communicated and stored information. Although it is argued that revealed keys would only be used in appropriate judicially-approved circumstances,2 for the system to be functional, all computer users that employ security systems based on encryption technologies will be subject to the requirement.
In a May 1997 report, the Center for Democracy and Technology (CDT) examined the fundamental properties of a variety of proposed encryption key escrow requirements, including a government-mandated key escrow system.3 The report addresses tradeoffs that naturally exist in any key recovery system.4 For example, the most secure third-party key escrow system will impose the highest costs on encryption users and the greatest incentive not to comply. But, a simple and relatively inexpensive system is likely to be insecure, and, in the end, more costly to society.
While the CDT study identifies cost categories of any key escrow system, it did not quantify cost. The four categories of costs identified in the report were:
1. Operational costs of key escrow agents: Costs of maintaining and controlling keys, and responding to law enforcement requests for keys.
2. User costs: Expense of choosing, using, and managing a key escrow system, as well as the cost of losses from lessened security and mistaken or fraudulent disclosures of sensitive data.
3. Product design and engineering costs: New expenses incurred to design secure products that conform to the key escrow requirements.
4. Government oversight costs: New budgetary requirements for government, law enforcement, and private certification bodies to test and approve key escrow products, certify and audit approved escrow agents, and support law enforcement requests for and use of recovered key information.
This study, prepared by the Family, Industry, and Community Economics group of Nathan Associates Inc., analyzes and estimates the direct cost of a government-approved, third-party key escrow system. Within the system, costs will be imposed on businesses whose employees encrypt communications and sensitive data, and on households that access the Internet and have a need to use encryption. Medical records, electronic commerce, home banking, and electronic mail are particularly important and rapidly growing applications requiring encryption.
The Nathan Associates study considers only the first two cost categories identified in the CDT report: the operational costs of key recovery escrow agents (which users will be required to pay to the escrow agent) and user costs. Escrow agents costs, passed on to the user, will include escrow account set-up and maintenance costs, as well as the cost of recovering keys. User costs are the monetary value of time spent complying with the mandate, and the cost of unauthorized use of sensitive data, the latter of which is not analyzed here.
The estimate was developed in the following three-step process:
The cost estimates are based only on escrow services demanded and provided in the United States. To be effective, government law enforcement agencies will need to require access to encrypted communications and electronically-stored data worldwide, a factor not accounted for here.
Finally, only direct costs were estimated. When encryption users are required to purchase third-party key escrow services, the pattern of spending on all goods and services in the U.S. economy will be disrupted. Sales in some industries will decline and, as a result, cost-cutting measures will be taken, including laying off employees. These and other indirect impacts have not been estimated.
The approach to key recovery analyzed in this study differs from the current market-driven approach. Businesses are demanding key recovery services only for their encrypted electronically-stored data, not for their electronic communications. Furthermore, most users choose where to place their keys, often choosing to self-escrow keys. The proposal analyzed here, however, will require businesses and home users of encryption to keep keys in escrow for communications, as well as stored data. Moreover, it will require such escrow to be with a government-approved third party. While the proposal will allow self-escrow to a limited extent and other (non-specified) recovery mechanisms, the basic thrust remains government-approved third-party escrow.
The analysis we present is based on two key assumptions. First, we must assume that the system
mandated is technologically feasible and secure. The CDT report questions its feasibility and finds that any key recovery infrastructure introduces vulnerabilities.5 By entrusting keys with a third party, the third party itself becomes a point of vulnerability. In addition, the key repositories become high-value targets for those seeking access to encrypted communications and data. Second, we assume that users, including criminals who want to avoid law enforcement, will comply with the mandate. This assumption also has been widely questioned.6
Few companies currently offer encryption key recovery services. Those that do serve the business community by escrowing keys to stored databases, not encrypted communications. Although the issue of key recovery is global, the analysis and estimates presented here are relevant to the U.S. market only.
The cost-estimating methodology is based on three additional assumptions. First, we make the simplifying assumption that an encryption user will set-up and maintain an escrow account with a key escrow service provider, and, more importantly, pay a fee for the escrow service that does not vary with the number of keys held by the user. Given the number of keys an individual could generate, this is a significant assumption. Certainly the cost of the system will vary with the number of keys held in escrow, but determining the number of keys and how the number of keys will affect the cost of the system requires information that currently is not available. Second, for the purpose of estimating the cost of providing key escrow services to U.S. households, we assume that the basic fee structure will be similar to the current fee structure for safe deposit box services at commercial banks. However, another measure we could have chosen is the monthly fee paid for a home security alarm monitoring service. When you compare safe deposit box fees to home security alarm monitoring fees, the difference is significant. The fee for a safe deposit box is approximately $40 per year. The fee for a home security monitoring service is approximately $40 per month. Our third assumption is that user costs are measured by the opportunity cost of time spent complying with the mandate.
The costs estimated here represent only a fraction of all costs that will be imposed on the U.S. economy by the government mandate. First, we consider only the first two cost categories identified in the CDT report: the operational costs of key recovery escrow agents and user costs. More importantly, our user costs estimate does not include costs of compromised sensitive data. No product design, engineering, and government oversight costs are included here. Second, the costs we estimated are only the direct impacts of the mandate. Indirect impacts on sales and employment throughout the U.S. economy are not quantified here.
The cost of the mandate will total at least $7.7 billion per year during its first five years. In the initial year, 88 percent of this amount will be incurred by U.S. business establishments whose employees use encryption. By the fifth year, however, increasing demand for Internet access and electronic commerce by home users of personal computers will shift the majority of the costs onto U.S. households. Therefore, only 36 percent of the cost of the mandate will be incurred by U.S. business establishments in the fifth year of the mandate. The annual cost of the mandate is equivalent to $12 million per court-approved wiretap order and $6,000 per wiretap-order-allowed listening opportunity.
Although the estimate detailed here is a very conservative accounting of all costs, it is significant.
An average annual cost of $7.7 billion represents more than seven percent of sales of all products and services by the software industry in the U.S. economy.7
The remainder of this report describes these and other estimates in more
detail. All cost estimates are detailed in Section 3. Data and calculations
are presented in the Appendix.
The use of sophisticated encryption products is on the rise. At the end of
1997, 1,619 hardware and software encryption products were produced and
distributed by 949 companies in at least 68
countries.8 More than half (56 percent) of these
products were produced in the United States. Based on a survey of 1,600 U.S.
businesses, the U.S. Chamber of Commerce estimated that, in 1995, 17 percent
of U.S. businesses used encryption to protect
confidentiality.9 Another survey of 1,300
information-security managers conducted in 1996 by Ernst & Young and
Information Week found that 26 percent used encryption to protect data files,
and 17 percent used encryption to protect
telecommunications.10 The Chamber of Commerce
estimates the use of encryption by U.S. businesses is growing 29 percent
per year.11 By 2000, 60 percent of U.S. businesses
will use encryption.
The key recovery proposal analyzed in this study is one requiring the escrow of encryption keys with a government-approved third party. Keys to encrypted electronic digital communications and electronically stored data will be escrowed. In the evolving market for encryption and key recovery, businesses are demanding key recovery services only for encrypted stored data, but not for their electronic communications. Therefore, data available for estimating the cost of the requirement are limited.
Data limitations require reliance on the following specific assumptions:
We consider two sources of demand for key escrow services. U.S. business establishments employing workers using encryption will be required to set-up and maintain escrow service agreements. U.S. households using encryption also will be required to escrow their encryption keys.
The total cost estimated here includes only the following two cost categories representing part of four cost categories identified in the CDT report.
Businesses and households will pay the operational costs of key recovery agents. The agents will charge encryption users fees to cover the costs of setting up and maintaining an escrow account. They also will pass on to businesses and households the
cost of requests by the government for key recovery. (Although business establishments, employees, and home users could conceivably request recovery of their keys, we do not include the agents costs of complying with such requests.) User costs are measured by the time spent complying with the mandate. Compliance activities include finding escrow service providers, reviewing contract offerings, choosing from among competing service providers, and entering into a written service contract.
The period of our analysis is the first five years of the mandate. The five-year time frame allows for growth in the demand for encryption based on recent trends. More importantly, it eliminates the distortion of the high cost that will occur during the first year of the mandate when all businesses and households currently using encryption will be required to enter into escrow service agreements. The general methodology consists of three major steps. First, we estimate the number of people in the United States using encryption. U.S. workers using encryption are allocated to business establishments to derive an estimate of the number of U.S. business establishments that must set-up and maintain key escrow accounts with escrow service providers. Each home user of encryption will be required to set-up and maintain a key escrow account. Next, we estimate the costs of complying with the mandate. Compliance activities are the responsibility of each establishment employing workers who use encryption and each home user of encryption. In the third step, we estimate escrow account set-up and annual maintenance fees, and the cost incurred to comply with a key recovery request from government law enforcement agencies. The average annual estimated costs by major category and market segment are summarized as follows.
|Average Cost category and Market segment||Average
Compliance by establishments
|USER FEES TO COVER ESCROW AGENTS COSTS
Paid per establishment Set-up
|Paid per employee
|Paid per home user
Set-up and maintenance
In this analysis, an encryption user is anyone who at any time during the year sent or received an encrypted communication or worked with encrypted electronically-stored data. People use encryption, often without knowing that they are doing so. For example, encryption is used when someone establishes Internet connections through an Internet service provider and accesses a page on the World Wide Web. Anyone who engages in electronic commerce transactions uses encryption, as do people who engage in electronic banking transactions or other electronic financial transactions. Employees who connect to a client-server network rely on an encrypted connection to provide a secure passageway to the network. When employees connect to their office computer while at home or otherwise away from the office, their connection is encrypted.
The cost of requiring encryption users to hold keys in escrow will depend first on the number of users and then on the number of encryption keys used by each. Because of the complexity of this issue, we made the very conservative assumption that each encryption user holds only one key. This assumption, made purely for the sake of simplicity, results in an extremely low estimate of the number of keys held in escrow. Encryption users can generate new keys practically every time they log onto a new Internet web site (and, in fact, do so with a popular technology, secure socket layer or SSL), save a document or send a message. Repeatedly generating new keys is recommended for the highest levels of security to protect against crime. Furthermore it is likely that they will use different keys for different applications. For example, users might choose one key for personal use and another for business use. Within these two categories, users might choose one key for their electronic communications and another for their electronically-stored information. Moreover, within this layer, users might choose to encrypt different applications differently. For example, Internet transactions using one Internet service provider might be encrypted one way; transactions using another provider might be encrypted another way. The database created using one developers application software might be encrypted differently from the database created using another developers application.
On average, 89.2 million people will use encryption at least once and hold at least one key in escrow during each year of our analysis. Of these total users, 44.8 million will be using encryption at work (35 percent of the 129.6 million employed civilians in the U.S. economy in 1997) and 44.5 million will be using encryption at home.
Hidden in the annual average is a shifting pattern of use. In the first year, 43.3 million people use encryption at work, and only 19.5 million people use encryption at home. By the fifth year, Internet home use will have grown substantially. As a result, 67.6 million people will be using encryption at home in the fifth year. Only 46.3 million people will be using encryption at work.
According to a report by the U.S. Census Bureau, 51.1 million adults used computers at work in 1993.12 Approximately 41 million, or 22 percent of the U.S. adult population, were reported to use computers in occupations that we deemed more likely to involve the use of encrypted communications or data. Such occupations are executive, administrative, and management; professional specialties; sales; and administrative and clerical.
Even with the conservative assumption that the proportion of the U.S. adult population using computers at work in these occupations in 1997 is no different from the proportion in 1993, we still concluded that a total of 43.3 million people used encryption at least once at work during 1997. Starting with this estimate for the first year of our analysis, we project use to grow 1.7 percent per year during the succeeding four years.13 In the fifth year, 46.3 million employees will be using encryption at work at least once. Over the five years of our analysis, the average number of employees using encryption per year at least once during the year is 44.8 million, approximately 35 percent of the 129.6 million civilians employed in 1997.
Based on the distribution of employees by establishment size in the U.S. economy in 1995, we estimated 3.1 million U.S. establishments employed workers who used encryption at least once in 1997. These establishments were mostly small; 89 percent employed fewer than 25 people. Of all encryption users at work, 29 percent were employed at these small establishments. If a third-party key escrow proposal is adopted through mandates or incentives that provide few alternatives, by the fifth year after adoption, 3,270,000 establishments will require escrow services for the encryption keys used by their employees.
Internet users accessing the World Wide Web via Netscapes Navigator Browser, Microsofts Internet Explorer, or by most other means, will be using encryption (SSL) probably without realizing it. Thus, based on household Internet access, the 19.5 million people who accessed the Internet also used encryption at home at least once in 1997. Reported demand for Internet access ranges from 16 million to 23 million.14 Although Internet home use has been reportedly growing 75 percent per year, our projection of household demand for encryption is based on successive yearly increases of 60 percent, 45 percent, 30 percent, and 15 percent, respectively. By the fifth year of our period of analysis, 67.6 million people will be using encryption at home at least once during the year.
To estimate the user costs of complying with the mandate, we need to estimate the amount of time users spend each year in compliance activities and the monetary value of their time. Compliance activities include identifying escrow service providers, obtaining fee structures from service providers, reviewing agreement offerings, completing an agreement, transmitting the materials to be escrowed, and updating and monitoring the agreement as necessary.
The total time spent on compliance activities by each user of encryption will be, at the barest minimum, three hours each year. Identifying escrow service providers can involve as little as perusing a telephone directory or going to the Internet. We estimate each user will spend at least 15 minutes on the initial activities of identifying service providers, contacting at least two providers, and requesting information on their service offerings and fees. It is not unreasonable to assume that an individual will take 20 minutes to review carefully an escrow service agreement and its fee structure. A careful review of the terms of agreement offered by at least two competing service providers will require at least 40 minutes. Choosing a provider, completing an agreement, and transmitting the items to be escrowed is likely to take at least an additional 60 minutes. And, in the course of a year, it is likely that users will devote at least another hour to maintaining their relationships with their escrow service providers. Hence, in total, during a year, each user will likely spend a minimum of 2 hours and 55 minutes in compliance activities.
We make the further conservative assumption that compliance activities will be the responsibility of a single individual at all business establishments with employees using encryption. Each home user of encryption also will spend time on compliance activities.
The remaining piece of information required to estimate total compliance costs at U.S. business establishments and at U.S. households is the value of the time of the individual engaged in compliance activities. In this analysis, we do not distinguish between the time value of the employee at the business establishment who is responsible for compliance activities and the time value of the home users of encryption. A monetary value of time spent on these activities is conservatively measured by the average annual wages of all U.S. employees. The monetary value of time spent on compliance activities is at least $11.82 per hour, the average hourly earnings of employees in private nonagricultural industries in 1996.15 Studies have shown that employees who use computers at work earn wages that are 10 percent to 15 percent higher than the wages earned by those who do not use computers at work.16 Therefore, the value of time spent on compliance activities is likely to be greater than $11.82 per hour.
The total cost of compliance per year will be $1.7 billion. On average, more than 3 million U.S. business establishments will spend 9.5 million hours or $112 million per year on compliance activities. U.S. households will spend 133.4 million hours or $1.6 billion per year on compliance.
The government mandate will require U.S. business establishments and households to establish and maintain key escrow agreements with escrow service providers. The providers of escrow services will charge customers for the costs of setting up escrow accounts. Escrow agents also will incur costs associated with government requests for key recovery.
Our estimate of the payments to escrow agents to comply with the government mandate is based on the simplifying assumption that escrow service providers charge a set fee for an escrow account. For businesses whose workers use encryption, the account is opened and held by the business establishment. The fee varies with the number of employees at the establishment who use encryption, but not with the number of keys used by each employee. The fee charged home users likewise does not vary with the number of keys used and escrowed by the home user of encryption.
The fee structure analyzed here should not be interpreted to mean that the cost of the infrastructure required by the government mandate will not be sensitive to the number of keys held in escrow. Indeed, as explained earlier in section. 3.1, it is likely that encryption users will require different keys for different uses and applications and, hence, have to hold numerous keys in escrow. Instead, the fees analyzed here should be thought of as the minimum cost of providing key escrow service to the typical encryption user, because we assume only one key per user per year.
Although one would expect to find some economies of scale in the provision of key escrow service, the data available to us are not adequate for modeling and measuring these economies. The limitations of the data are perhaps most obvious in the home segment of the market, where we estimate the fee per account to be $40, based on a typical annual fee for safe-deposit box rental at commercial banks. Even box rentals vary with the size of the box. But for a given box size, the renter can hold one or more valuables without paying a higher fee.
In the business segment of the market, the fee structure of escrow service providers will consist of a set-up fee and an annual maintenance fee. Business establishments whose workers use encryption will be required to pay the set-up fee, which varies with the number of employees at the establishment. Larger establishments pay a higher set-up fee. The annual maintenance fee consists of an establishment component and a component based on the number of employees with keys held in escrow. The per employee maintenance fee varies with the number of employees at the establishment. Smaller establishments pay a higher per employee maintenance fee.
During the first five years of the escrow requirement, business establishments will pay $4.2 billion per year to set-up and maintain escrow agreements with service providers. The set-up fee will range from $2,500 for the smallest establishments to $25,000 for the largest.17 Annual maintenance fees will be approximately $783 per year, regardless of the size of the establishment.18 Annual per employee fees will range from $1.00 at the smallest establishments to $0.05 at the largest establishments.19
For the purpose of estimating the cost of providing key escrow services to U.S. households, we assume that the basic fee structure will be similar to the current fee structure for safe deposit box service at commercial banks. Alternatively, the fee might approximate the current fee for home security alarm monitoring services. The difference is significant. The fee for a safe deposit box is approximately $40 per year. The fee for a home security monitoring service is approximately $40 per month.
The total fee for all home users will average $1.8 billion per year during the first five years of the requirement. Again, this figure is based on the conservative estimate that home users pay a combined set-up and maintenance fee of $40 per year.
The major purpose of requiring that encryption keys be held in escrow is to maintain the governments ability to conduct covert surveillance in the electronic digital age. Therefore, an additional element of payments to escrow agents must account for the costs of complying with government requests for key recovery under the mandate.
Individuals, as well as governments, could make requests for key recovery. In this report, we estimate costs for incidents of request by the government only. Costs will depend on the number of requests and the cost per request.
Assuming that the criminal tendency of the population of encryption users is not significantly different from the tendency of the general adult population, key recovery requests will range from 444 during the first year of our analysis to 851 during the fifth year, an average 640 per year. Our estimate is based on the incidence of court-approved wiretap orders in 1996 7.076 per million adults between the ages of 18 and 64. In 1996, the courts approved 1,149 orders that allowed federal, state, and local law enforcement officials to listen to approximately 2.3 million telephone calls.20 The adult population between the ages of 18 and 64 totaled 162.4 million in 1996. Our estimate of key recovery requests is the product of the incidence rate and the number of encryption users.
The cost per key recovery request will be $69, an estimate that is an average of costs reported by two sources.21 Combining the number of key recovery requests and the cost per request yields an estimate of escrow agents cost of key recovery requests that averages $44,200 per year. Although this amount seems small, it is only one cost component.
The entire cost of the government mandate can be attributed to the governments purported need to secretly monitor electronic digital communications and electronically-stored data. Therefore, the cost of key recovery is more appropriately measured on the basis of the total cost of the mandate. When expressed in this manner, the cost averages $12 million per request ($7.7 billion divided by 640 requests). On the basis of the number of telephone conversations that will be monitored as a result of these requests, the cost will be $6,000 per call ($7.7 billion divided by 1.3 monitored calls).
Protecting the privacy of citizens in the digital era presents unique technological challenges. If citizens who protect their privacy using encryption were required to keep in escrow the key to decoding their encrypted communications and data, U.S. business establishments and households would incur an average annual cost of $7.7 billion. Based on average annual number of key recovery requests, the infrastructure cost will total $12 million per request per year, an apparently expensive undertaking.
1 Key escrow in this paper refers to proposals under which keys would be stored with government approved third parties. This study does not analyze the costs of voluntary, market driven key recovery, which has different components and assumptions. Many such systems involve self-escrow systems. Additionally, some in law enforcement argue that a key escrow system or other system that guarantees access to plaintext data would be acceptable. However, this study does not address the other systems because it is unclear which systems would be acceptable. The study only addresses third party government-approved systems.
2 There is some question as to whether this can be accomplished under existing legal authority or whether it would require an expansion of such authority, issues not addressed here.
3 The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption, A Report by an Ad Hoc Group of Cryptographers and Computer Scientists, Center for Democracy and Technology, Washington, May 1997.
4 Ibid., p. 18.
5 Ibid., p. 11.
6 Hearing of the Subcommittee on the Constitution, Federalism, and Property Rights, Senate Committee on the Judiciary, March 17, 1998.
7 Software companies receipts from sales of all U.S. software industry products and services totaled $102.8 billion in 1996. See Nathan Associates Inc., Building an Information Economy, Software Industry Positions U.S. for New, Digital Era, Business Software Alliance, Washington, June 1997.
8 See http://www.tis.com/research/crypto/crypt_surv.html; Internet.
9 See Encryption Policy and Market Trends, Dorothy E. Denning, May 17, 1997, http://guru.cosc.georgetown.edu/~denning/crypto/Trends.html; Internet, p. 3.
10 Ibid., p. 4.
11 Ibid., pp. 3-4.
12 Computer Use in the United States: October 1993, U.S. Census Bureau.
13 Projected rate is based on the Bureau of Labor Statistics, Employment Outlook: 1994 to 2005, U.S. Department of Labor.
14 See www.ci.zd.com/news/inetuseb.html; Internet and etrg.findsvp.com/financial/homeuse.html; Internet.
15 Economic Report of the President, February 1997, Table B-45, p. 352.
16 Alan B. Krueger, How Computers Have Changed the Wage Structure: Evidence From microdata, 1984-1989, Quarterly Journal of Economics, CVIII (1), 1993.
17 Based on information reported by DataSecurities International and Sourcefile.
18 Based on set-up fees reported by Fort Knox Escrow Services, International Escrow Corp., and Timberwolf Systems, Inc.
19 Based on information provided by DataSecurities International.
20 Neil Munro, TECHNOLOGY What Bugs The FBI, National Journal, May 9, 1998, p. 2.
21 International Escrow Corp. reported a cost per request of $75. Sourcefile, a provider of software escrow services, reported the cost could range between $25 and $100, which yields an average of $62.50.
This study was prepared for the BSA by:
Nathan Associates, Inc.
2101 Wilson Boulevard
Arlington, VA 22201
HTML by JYA/Urban Deadline