Cryptography

How Cryptography is Free Speech

A victory for the First Amendment, the Clinton Adminstration has signed a new law that, effective January 1, 2000, will remove the export restrictions on encryption software. What follows is a brief history of the controversy that lead to this major reversal of policy.

One of the hotbeds of intellectual property is cryptography and the right to export new technology in this area versus perceived or real governmental issues with the export of certain encryption programs that are considered controlled materials. It has come to the forefront because of concerns of citizens to keep their private e-mail and their funds and commerce on the Internet private.

Basically, Encryption involves running a "plaintext" message through software that translates the message according to an equation or algorithm into unreadable "cipher text." Decryption is the translation back to plaintext when the message is received by someone with an appropriate "key." The message is both encrypted and decrypted by compatible keys. The software has generated issues because if the method of encryption is as complex as 56 bits or more, it is very difficult to, within a reasonable timeframe and use of resources, to "tap", "hack", or "spy on." This came to a head when the State Department refused to allow the export, via the Internet, of notes and articles about software Professor Bernstein had invented. The software was called "Snuffle" and was about how to write a greater than 56 bit software. This lead to litigation.

The brilliant analysis of US District Court (San Francisco) Judge Marilyn Hall Patel is interesting for its conclusions as well as the process she went through to hold that the law may be unenforceable.

The government position can be summed up as follows: encryption software as described cannot be exported without a license because it is considered trading in arms. The reasoning is that if this were exported, users could be engaging in espionage and terrorism in the U.S. by using such powerful encryption tools. National security and the "cold war" arms race led to several laws that limit encryption, due to the perceived necessity of the State Department to be able to decode potentially dangerous secret communications. The encryption industry on the other hand says that Europeans and others are allowed to use the best and brightest technology and can unfairly compete with US companies in this area by being able to sell encryption software without these licensing restrictions. Since this case, a Presidential Order has transferred the responsibility for this to the Commerce department, rather than State.

FACTS of the case: One of the first successful challenges was a case brought by a Chicago professor, DANIEL J. BERNSTEIN in Bernstein Vs State Dept (No. C-95-0582 MHP), December, 1996. Prof. DANIEL J. BERNSTEIN's argument was that the licensing provisions of two laws, the Arms Export Control Act ("AECA"), 22 U.S.C. Section 2778, that allows the President to define what items are listed on the US Munitions List (USML) and the International Traffic in Arms Regulations ("ITAR"), 22 C.F.R. Section 120-30 (1994) that require licensing of all such software has now been held to be an unconstitutional "prior restraint" on free speech. The "speech" actually encompasses the encryption software "C" language itself (Prof. Bernstein calls "Snuffle.c" and "Unsnuffle.c") and his teaching and publication of articles on the science of applied mathematics that deal with encryption. Prof. Bernstein wanted to publish the software on the Internet. The U.S. government has, to be fair, now modified the policy, and placed responsibility for this under the Commerce Department. This author believes, having met and worked with members of Commerce who are sensitive to industry needs, that a very sensible common ground will be met. The Clinton Administration is doing a great job of fostering these industries, and listens and responds to criticism.

DEFINITIONS: A "defense article" is defined by the ITAR as any item or technical data that has been designated in the USML (munitions list). 22 C.F.R. Section 120.6. A "defense service" is any assistance rendered to a foreign person in the United States or abroad in the development or use of a defense article, 22 C.F.R. Section 120.9(a)(1), or the furnishing of technical data to a foreign person, 22 C.F.R. Section 9(a)(2). "Technical data" is defined as a defense article when it is covered by the USML. There are some exemptions, like ATM encryption of passwords, and general "public domain" scientific principals, and others. A commodity jurisdiction ("CJ") request was submitted to the State Department to determine whether three items were controlled by ITAR.

Prof.Bernstein says he is free to publish; THE STATE DEPARTMENT disagrees and believes that the licensing provisions are not only valid but essential to the National Security. While arguably right, the case holds that the government cannot restrain what is otherwise valid free speech by such unfettered licensing provisions. The government may impose valid time, place and manner restrictions when they are "content neutral" (meaning that State does not measure the restrictions based on the content of the "speech"), are narrow and leave open alternative channels for the "speech" to be communicated.

ISSUES: presented include whether the export licensing controls on cryptography software violates the First Amendment. It could violate our inviolate protections if the regulations consist of a "prior restraint" on free speech, that is, if they fail a three part test: (1) the licensing provision are not imposed for a brief and specified period during which the status quo prevails; (2) they are subject to expeditious judicial review; and (3) the censor must bear the burden of going to court to suppress speech and once there bears the burden of proof. (Freedman vs. Maryland, 380 US 51, 58 (1965)).

THE COURT FOUND that Source Code is "speech" and thus subject to strict First Amendment Free Speech scrutiny. The licensing provisions of Category XIII(b) of the USML, the court found, provided insufficient procedural safeguards because it, "bestows on a government official substantial power to discriminate based on the content of the speech or to burden speech by delaying a licensing decision." The "export" license was a "vague" restriction on the free speech because it included publication where publication, such as posting software on the Internet or distributing it freely among colleagues, could be said to be tantamount to sending it out of the United States "in any manner". The Munitions List. Category XIII(b) is directed very specifically at applied scientific research and speech on the topic of encryption. That it regulates encryption in the interest of national security does not alone justify a prior restraint. This type of restriction, where it does not prevent a direct, immediate, and irreparable damage to our Nation or its people, does not warrant a violation of the right to the free speech. There were just not enough procedural safeguards to justify preventing the best encryption engineering from being restrained.

THE STATE DEPARTMENT POLICY is that if the software contains private and public keys and if it is limited to 56-bit methods, it may get a license for export, but if not, the procedure was too arbitrary and does not withstand the scrutiny of the First Amendment tests applied. "The ITAR scheme places not even minimal limits on the discretion of the licensor and hence nothing to alleviate the danger of arbitrary or discriminatory licensing decisions. Under the three part test of the Freedman case, (1) there is no limit to the time in which the ODTC must make a licensing decision. (2) ITAR does not provide for judicial review of licensing decisions, prompt or otherwise, and the AECA makes the initial designation of items as defense articles unreviewable, and (3) there is no burden on the ODTC to go to court to justify the denial. Moreover, applications for licenses can be disapproved and approved licenses can be revoked, suspended or amended without prior notice in the interests of national security or whenever it "is otherwise advisable".

AS A PRACTICAL MATTER, officials overseeing a license may decide to reject it merely because a case takes too long, or the applicant dares to refuse to convert the samples into "C" language, which might not be appropriate for the type of software, or other reason. The court stated, "Here the relevant provision of the ITAR is directed at speech on a particular subject matter--cryptography. The Supreme Court has held in other cases that "the First Amendment's hostility to content-based regulation extends not only to a restriction on a particular viewpoint, but also to a prohibition of public discussion of an entire topic." Burton v. Freeman, 504 U.S. 191, 197 (1992) "

The VAGUENESS violation: Not only are the licensing provisions violative of the First Amendment, but also the "Technical Data" provisions of the law are unenforceable. The Court stated that these are vague, since the uncertainty created in scientists about what speech is subject to regulation under the ITAR is unacceptable. Given the direct application of the basic exemptions to First Amendment protections, fundamental research is defined as "basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community". Cryptography algorithms and theory are often published in scientific journals. However, cryptography algorithms are also covered by Category XIII(b) of the USML. Given these two facts, it would be hard for scientists to discern when their work was a defense article and when it was wholly exempt from the ITAR without going through a CJ determination before any effort at publication. In fields of applied science, what is commonly taught in universities may well overlap with what the government might choose to regulate. In this instance the deterrent effect on protected expression appears both real and substantial. Young v. American Mini Theaters, Inc., 427 U.S. at 60. These academic exemptions from the definition of technical data, 22 C.F.R. Sections 120.10(a)(5) & 120.11(a)(8), are accordingly "void for vagueness."

CONCLUSION: The court concluded that, since the laws are void under the analysis, the State Department could not prosecute Professor Bernstein under them unless the decision is reversed on appeal. This writer believes that the case DOES NOT go much beyond the facts presented, and thus may not wind up being wide precedent to invalidate these licensing provisions for all fact patterns involving cryptography. I also believe that the State Department may appeal the decision, that it could get to the Supreme Court and that it could be reversed. Stand by, the issues presented will undoubtedly resurface in other contexts and we have not heard the last of them.

On appeal from the original Bernstein decision, in 1999 the U.S. 9th Circuit Court of Appeals upheld judge Patel and thus began a policy reversal mentioned at the top of this article. Happy and secure software to all!

This article is intended to be general only, and does not provide legal advice for any particular legal situation. It is recommended that you consult your attorney regarding your particular legal situation. Questions and comments about this article are welcome.