
[comp.security.pgp-announce] US ITAR crypto export restrictions declared unconstitutional

From: galactus@stack.nl (Arnoud "Galactus" Engelfriet)
Newsgroups: comp.security.pgp.announce,alt.security.pgp
Subject: US ITAR crypto export restrictions declared unconstitutional
Followup-To: comp.security.pgp.discuss
Date: 20 Dec 1996 08:14:20 +0100
Organization: MCGV Stack, Eindhoven University of Technology, the Netherlands.
Lines: 246
Approved: Arnoud "Galactus" Engelfriet <pgp-announce-moderator@news.pgp.net>
Distribution: world
Message-ID: <pgpmoose.199612200813.4088@toad.stack.nl>
NNTP-Posting-Host: toad.stack.nl
X-Auth: PGPMoose V1.1 PGP comp.security.pgp.announce iQBVAgUBMro8ukBc6/qHZsS5AQHMzgH+M5sujowboc/ZgOHvw0DvW4ij6vuO8N+F rJYeWELlN5euoaxeu6DzgHJiV7Fsd9g4OwOiZl1fW8cB/Zcg0G9fFw== =sn/9
Xref: sobolev comp.security.pgp.announce:120 alt.security.pgp:12098

<URL: http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/HTML/bernstein_961218_pressrel.html >

                  Free Speech Trumps Clinton Wiretap Plan
   December 19, 1996, 16:50 Pacific time.
                  Electronic Frontier Foundation Contacts:
                        Shari Steele, Staff Attorney
                       301/375-8856, ssteele@eff.org
                    John Gilmore, Founding Board Member
                         415/221-6524, gnu@toad.com
                      Cindy Cohn, McGlashan & Sarrail
                     415/341-2585, cindy@mcglashan.com

   San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold
   War export restrictions on the privacy technology called cryptography.
   Her decision knocks out a major part of the Clinton Administration's
   effort to force companies to build "wiretap-ready" computers, set-top
   boxes, telephones, and consumer electronics.

   The decision is a victory for free speech, academic freedom, and the
   prevention of crime. American scientists and engineers will now be
   free to collaborate with their peers in the United States and in other
   countries. This will enable them to build a new generation of tools
   for protecting the privacy and security of communications.

   The Clinton Administration has been using the export restrictions to
   goad companies into building wiretap-ready "key recovery" technology.
   In a November Executive Order, President Clinton offered limited
   administrative exemptions from these restrictions to companies which
   agree to undermine the privacy of their customers. Federal District
   Judge Patel's ruling knocks both the carrot and the stick out of
   Clinton's hand, because the restrictions were unconstitutional in the
   first place.

   The Cold War law and regulations at issue in the case prevented
   American researchers and companies from exporting cryptographic
   software and hardware. Export is normally thought of as the physical
   carrying of an object across a national border. However, the
   regulations define "export" to include simple publication in the U.S.,
   as well as discussions with foreigners inside the U.S. They also
   define "software" to include printed English-language descriptions and
   diagrams, as well as the traditional machine-readable object code and
   human-readable source code.

   The secretive National Security Agency has built up an arcane web of
   complex and confusing laws, regulations, standards, and secret
   interpretations for years. These are used to force, persuade, or
   confuse individuals, companies, and government departments into making
   it easy for NSA to wiretap and decode all kinds of communications.
   Their tendrils reach deep into the White House, into numerous Federal
   agencies, and into the Congressional Intelligence Committees. In
   recent years this web is unraveling in the face of increasing
   visibility, vocal public disagreement with the spy agency's goals,
   commercial and political pressure, and judicial scrutiny.

   Civil libertarians have long argued that encryption should be widely
   deployed on the Internet and throughout society to protect privacy,
   prove the authenticity of transactions, and improve computer security.
   Industry has argued that the restrictions hobble them in building
   secure products, both for U.S. and worldwide use, risking America's
   current dominant position in computer technology. Government officials
   in the FBI and NSA argue that the technology is too dangerous to
   permit citizens to use it, because it provides privacy to criminals as
   well as ordinary citizens.

   "We're pleased that Judge Patel understands that our national security
   requires protecting our basic rights of free speech and privacy," said
   John Gilmore, co-founder of the Electronic Frontier Foundation, which
   backed the suit. "There's no sense in `burning the Constitution in
   order to save it'. The secretive bureaucrats who have restricted these
   rights for decades in the name of national security must come to a
   larger understanding of how to support and preserve our democracy."

   Reactions to the decision

   "This is a positive sign in the crypto wars -- the first rational
   statement concerning crypto policy to come out of any part of the
   government," said Jim Bidzos, President of RSA Data Security, one of
   the companies most affected by crypto policy.

   "It's nice to see that the executive branch does not get to decide
   whether we have the right of free speech," said Philip Zimmermann,
   Chairman of PGP, Inc. "It shows that my own common sense
   interpretation of the constitution was correct five years ago when I
   thought it was safe to publish my own software, PGP. If only US
   Customs had seen it that way." Mr. Zimmermann is a civil libertarian
   who was investigated by the government under these laws when he wrote
   and gave away a program for protecting the privacy of e-mail. His
   "Pretty Good Privacy" program is used by human rights activists
   worldwide to protect their workers and informants from torture and
   murder by their own countries' secret police.

   "Judge Patel's decision furthers our efforts to enable secure
   electronic commerce," said Asim Abdullah, executive director of

   Jerry Berman, Executive Director of the Center for Democracy and
   Technology, a Washington-based Internet advocacy group, hailed the
   victory. "The Bernstein ruling illustrates that the Administration
   continues to embrace an encryption policy that is not only unwise, but
   also unconstitutional. We congratulate Dan Bernstein, the Electronic
   Frontier Foundation, and all of the supporters who made this victory
   for free speech and privacy on the Internet possible."

   "The ability to publish is required in any vibrant academic
   discipline. This ruling re-affirming our obvious academic right will
   help American researchers publish without worrying," said Bruce
   Schneier, author of the popular textbook Applied Cryptography, and a
   director of the International Association for Cryptologic Research, a
   professional organization of cryptographers.

   Kevin McCurley, President of the International Association for
   Cryptologic Research, said, "Basic research to further the
   understanding of fundamental notions in information should be welcomed
   by our society. The expression of such work is closely related to one
   of the fundamental values of our society, namely freedom of speech."

   Background on the case

   The plaintiff in the case, Daniel J. Bernstein, Research Assistant
   Professor at the University of Illinois at Chicago, developed an
   "encryption algorithm" (a recipe or set of instructions) that he
   wanted to publish in printed journals as well as on the Internet.

   Bernstein sued the government, claiming that the government's
   requirements that he register as an arms dealer and seek government
   permission before publication was a violation of his First Amendment
   right of free speech. This is required by the Arms Export Control Act
   and its implementing regulations, the International Traffic in Arms

   In the first phase of this litigation, the government argued that
   since Bernstein's ideas were expressed, in part, in computer language
   (source code), they were not protected by the First Amendment. On
   April 15, 1996, Judge Patel rejected that argument and held for the
   first time that computer source code is protected speech for purposes
   of the First Amendment.

   Details of Monday's Decision

   Judge Patel ruled that the Arms Export Control Act is a prior
   restraint on speech, because it requires Bernstein to apply for and
   obtain from the government a license to publish his ideas. Using the
   Pentagon Papers case as precedent, she ruled that the government's
   "interest of national security alone does not justify a prior

   Judge Patel also held that the government's required licensing
   procedure fails to provide adequate procedural safeguards. When the
   Government acts legally to suppress protected speech, it must reduce
   the chance of illegal censorship by the bureaucrats involved -- in this
   case, the State Department's Office of Defense Trade Controls. Her
   decision states, "Because the ITAR licensing scheme fails to provide
   for a time limit on the licensing decision, for prompt judicial review
   and for a duty on the part of the ODTC to go to court and defend a
   denial of a license, the ITAR licensing scheme as applied to Category
   XIII(b) acts as an unconstitutional prior restraint in violation of
   the First Amendment." Professor Bernstein is now free to publish his
   ideas without asking the government's permission first.

   She also ruled that the export controls restrict speech based on the
   content of the speech, not for any other reason. "Category XIII(b) is
   directed very specifically at applied scientific research and speech
   on the topic of encryption." The Government had argued that it
   restricts the speech because of its function, not its content.

   The judge also found that the ITAR is vague, because it does not
   adequately define how information that is available to the public
   "through fundamental research in science and engineering" is exempt
   from the export restrictions. "This subsection ... does not give
   people ... a reasonable opportunity to know what is prohibited." The
   failure to precisely define what objects and actions are being
   regulated creates confusion and a chilling effect. Bernstein has been
   unable to publish his encryption algorithm for over four years. Many
   other cryptographers and ordinary programmers have also been
   restrained from publishing because of the vagueness of the ITAR. Brian
   Behlendorf, a maintainer of the popular public domain "Apache" web
   server program, stated, "No cryptographic source code was ever
   distributed by the Apache project. Despite this, the Apache server
   code was deemed by the NSA to violate the ITAR." Judge Patel also
   adopted a narrower definition of the term "defense article" in order
   to save it from unconstitutional vagueness.

   The immediate effect of this decision is that Bernstein now is free to
   teach his January 13th cryptography class in his usual way. He can
   post his class materials on the Internet, and discuss the upcoming
   class's materials with other professors, without being held in
   violation of the ITAR. "I'm very pleased," Bernstein said. "Now I
   won't have to tell my students to burn their notebooks."

   It is unclear exactly where Judge Patel's decision applies -- in the
   Northern District of California (containing San Francisco and Silicon
   Valley) or throughout the country. Check with your own lawyer if you
   contemplate taking action based on the decision.

   It is not yet clear from the decision whether the export controls on
   object code (the executable form of computer programs which source
   code is automatically translated into) have been overturned. It may be
   that existing export controls will continue to apply to runnable
   software products, such as Netscape's browser, until another court
   case challenges that part of the restrictions.

   Lead counsel on the case is Cindy Cohn of the San Mateo law firm of
   McGlashan & Sarrail, who is offering her services pro bono. Major
   additional pro bono legal assistance is being provided by Lee Tien of
   Berkeley; M. Edward Ross of the San Francisco law firm of Steefel,
   Levitt & Weiss; James Wheaton and Elizabeth Pritzker of the First
   Amendment Project in Oakland; and Robert Corn-Revere, Julia Kogan, and
   Jeremy Miller of the Washington, DC, law firm of Hogan & Hartson.

   The Electronic Frontier Foundation (EFF) is a nonprofit civil
   liberties organization working in the public interest to protect
   privacy, free expression, and access to online resources and
   information. EFF is a primary sponsor of the Bernstein case. EFF
   helped to find Bernstein pro bono counsel, is a member of the
   Bernstein legal team, and helped collect members of the academic
   community and computer industry to support this case.

   Full text of the lawsuit and other paperwork filed in the case is
   available from EFF's online archives at:

   The full text of Monday's decision is available at:

Submissions for this group: <URL:mailto:pgp-announce-submit@news.pgp.net>
Comments about this group: <URL:mailto:pgp-annouce-moderator@news.pgp.net>
Guidelines for submission are posted weekly to the newsgroup.
The PGP FAQ is at <URL:http://www.pgp.net/pgpnet/pgp-faq/>