[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[comp.security.pgp-announce] US ITAR crypto exportrestrictions declared unconstitutional
- Subject: [comp.security.pgp-announce] US ITAR crypto exportrestrictions declared unconstitutional
- From: Thomas Roessler <firstname.lastname@example.org>
- Date: Fri, 20 Dec 1996 15:46:58 +0100
- Apparently-To: <email@example.com>
- Comment: This message comes from the debate mailing list.
- Sender: firstname.lastname@example.org
From: email@example.com (Arnoud "Galactus" Engelfriet)
Subject: US ITAR crypto export restrictions declared unconstitutional
Date: 20 Dec 1996 08:14:20 +0100
Organization: MCGV Stack, Eindhoven University of Technology, the Netherlands.
Approved: Arnoud "Galactus" Engelfriet <firstname.lastname@example.org>
X-Auth: PGPMoose V1.1 PGP comp.security.pgp.announce iQBVAgUBMro8ukBc6/qHZsS5AQHMzgH+M5sujowboc/ZgOHvw0DvW4ij6vuO8N+F rJYeWELlN5euoaxeu6DzgHJiV7Fsd9g4OwOiZl1fW8cB/Zcg0G9fFw== =sn/9
Xref: sobolev comp.security.pgp.announce:120 alt.security.pgp:12098
COURT DECLARES CRYPTO RESTRICTIONS UNCONSTITUTIONAL
Free Speech Trumps Clinton Wiretap Plan
December 19, 1996, 16:50 Pacific time.
Electronic Frontier Foundation Contacts:
Shari Steele, Staff Attorney
John Gilmore, Founding Board Member
Cindy Cohn, McGlashan & Sarrail
San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold
War export restrictions on the privacy technology called cryptography.
Her decision knocks out a major part of the Clinton Administration's
effort to force companies to build "wiretap-ready" computers, set-top
boxes, telephones, and consumer electronics.
The decision is a victory for free speech, academic freedom, and the
prevention of crime. American scientists and engineers will now be
free to collaborate with their peers in the United States and in other
countries. This will enable them to build a new generation of tools
for protecting the privacy and security of communications.
The Clinton Administration has been using the export restrictions to
goad companies into building wiretap-ready "key recovery" technology.
In a November Executive Order, President Clinton offered limited
administrative exemptions from these restrictions to companies which
agree to undermine the privacy of their customers. Federal District
Judge Patel's ruling knocks both the carrot and the stick out of
Clinton's hand, because the restrictions were unconstitutional in the
The Cold War law and regulations at issue in the case prevented
American researchers and companies from exporting cryptographic
software and hardware. Export is normally thought of as the physical
carrying of an object across a national border. However, the
regulations define "export" to include simple publication in the U.S.,
as well as discussions with foreigners inside the U.S. They also
define "software" to include printed English-language descriptions and
diagrams, as well as the traditional machine-readable object code and
human-readable source code.
The secretive National Security Agency has built up an arcane web of
complex and confusing laws, regulations, standards, and secret
interpretations for years. These are used to force, persuade, or
confuse individuals, companies, and government departments into making
it easy for NSA to wiretap and decode all kinds of communications.
Their tendrils reach deep into the White House, into numerous Federal
agencies, and into the Congressional Intelligence Committees. In
recent years this web is unraveling in the face of increasing
visibility, vocal public disagreement with the spy agency's goals,
commercial and political pressure, and judicial scrutiny.
Civil libertarians have long argued that encryption should be widely
deployed on the Internet and throughout society to protect privacy,
prove the authenticity of transactions, and improve computer security.
Industry has argued that the restrictions hobble them in building
secure products, both for U.S. and worldwide use, risking America's
current dominant position in computer technology. Government officials
in the FBI and NSA argue that the technology is too dangerous to
permit citizens to use it, because it provides privacy to criminals as
well as ordinary citizens.
"We're pleased that Judge Patel understands that our national security
requires protecting our basic rights of free speech and privacy," said
John Gilmore, co-founder of the Electronic Frontier Foundation, which
backed the suit. "There's no sense in `burning the Constitution in
order to save it'. The secretive bureaucrats who have restricted these
rights for decades in the name of national security must come to a
larger understanding of how to support and preserve our democracy."
Reactions to the decision
"This is a positive sign in the crypto wars -- the first rational
statement concerning crypto policy to come out of any part of the
government," said Jim Bidzos, President of RSA Data Security, one of
the companies most affected by crypto policy.
"It's nice to see that the executive branch does not get to decide
whether we have the right of free speech," said Philip Zimmermann,
Chairman of PGP, Inc. "It shows that my own common sense
interpretation of the constitution was correct five years ago when I
thought it was safe to publish my own software, PGP. If only US
Customs had seen it that way." Mr. Zimmermann is a civil libertarian
who was investigated by the government under these laws when he wrote
and gave away a program for protecting the privacy of e-mail. His
"Pretty Good Privacy" program is used by human rights activists
worldwide to protect their workers and informants from torture and
murder by their own countries' secret police.
"Judge Patel's decision furthers our efforts to enable secure
electronic commerce," said Asim Abdullah, executive director of
Jerry Berman, Executive Director of the Center for Democracy and
Technology, a Washington-based Internet advocacy group, hailed the
victory. "The Bernstein ruling illustrates that the Administration
continues to embrace an encryption policy that is not only unwise, but
also unconstitutional. We congratulate Dan Bernstein, the Electronic
Frontier Foundation, and all of the supporters who made this victory
for free speech and privacy on the Internet possible."
"The ability to publish is required in any vibrant academic
discipline. This ruling re-affirming our obvious academic right will
help American researchers publish without worrying," said Bruce
Schneier, author of the popular textbook Applied Cryptography, and a
director of the International Association for Cryptologic Research, a
professional organization of cryptographers.
Kevin McCurley, President of the International Association for
Cryptologic Research, said, "Basic research to further the
understanding of fundamental notions in information should be welcomed
by our society. The expression of such work is closely related to one
of the fundamental values of our society, namely freedom of speech."
Background on the case
The plaintiff in the case, Daniel J. Bernstein, Research Assistant
Professor at the University of Illinois at Chicago, developed an
"encryption algorithm" (a recipe or set of instructions) that he
wanted to publish in printed journals as well as on the Internet.
Bernstein sued the government, claiming that the government's
requirements that he register as an arms dealer and seek government
permission before publication was a violation of his First Amendment
right of free speech. This is required by the Arms Export Control Act
and its implementing regulations, the International Traffic in Arms
In the first phase of this litigation, the government argued that
since Bernstein's ideas were expressed, in part, in computer language
(source code), they were not protected by the First Amendment. On
April 15, 1996, Judge Patel rejected that argument and held for the
first time that computer source code is protected speech for purposes
of the First Amendment.
Details of Monday's Decision
Judge Patel ruled that the Arms Export Control Act is a prior
restraint on speech, because it requires Bernstein to apply for and
obtain from the government a license to publish his ideas. Using the
Pentagon Papers case as precedent, she ruled that the government's
"interest of national security alone does not justify a prior
Judge Patel also held that the government's required licensing
procedure fails to provide adequate procedural safeguards. When the
Government acts legally to suppress protected speech, it must reduce
the chance of illegal censorship by the bureacrats involved -- in this
case, the State Department's Office of Defense Trade Controls. Her
decision states, "Because the ITAR licensing scheme fails to provide
for a time limit on the licensing decision, for prompt judicial review
and for a duty on the part of the ODTC to go to court and defend a
denial of a license, the ITAR licensing scheme as applied to Category
XIII(b) acts as an unconstitutional prior restraint in violation of
the First Amendment." Professor Bernstein is now free to publish his
ideas without asking the government's permission first.
She also ruled that the export controls restrict speech based on the
content of the speech, not for any other reason. "Category XIII(b) is
directed very specifically at applied scientific research and speech
on the topic of encryption." The Government had argued that it
restricts the speech because of its function, not its content.
The judge also found that the ITAR is vague, because it does not
adequately define how information that is available to the public
"through fundamental research in science and engineering" is exempt
from the export restrictions. "This subsection ... does not give
people ... a reasonable opportunity to know what is prohibited." The
failure to precisely define what objects and actions are being
regulated creates confusion and a chilling effect. Bernstein has been
unable to publish his encryption algorithm for over four years. Many
other cryptographers and ordinary programmers have also been
restrained from publishing because of the vagueness of the ITAR. Brian
Behlendorf, a maintainer of the popular public domain "Apache" web
server program, stated, "No cryptographic source code was ever
distributed by the Apache project. Despite this, the Apache server
code was deemed by the NSA to violate the ITAR." Judge Patel also
adopted a narrower definition of the term "defense article" in order
to save it from unconstitutional vagueness.
The immediate effect of this decision is that Bernstein now is free to
teach his January 13th cryptography class in his usual way. He can
post his class materials on the Internet, and discuss the upcoming
class's materials with other professors, without being held in
violation of the ITAR. "I'm very pleased," Bernstein said. "Now I
won't have to tell my students to burn their notebooks."
It is unclear exactly where Judge Patel's decision applies -- in the
Northern District of California (containing San Francisco and Silicon
Valley) or throughout the country. Check with your own lawyer if you
contemplate taking action based on the decision.
It is not yet clear from the decision whether the export controls on
object code (the executable form of computer programs which source
code is automatically translated into) have been overturned. It may be
that existing export controls will continue to apply to runnable
software products, such as Netscape's broswer, until another court
case challenges that part of the restrictions.
ABOUT THE ATTORNEYS
Lead counsel on the case is Cindy Cohn of the San Mateo law firm of
McGlashan & Sarrail, who is offering her services pro bono. Major
additional pro bono legal assistance is being provided by Lee Tien of
Berkeley; M. Edward Ross of the San Francisco law firm of Steefel,
Levitt & Weiss; James Wheaton and Elizabeth Pritzker of the First
Amendment Project in Oakland; and Robert Corn-Revere, Julia Kogan, and
Jeremy Miller of the Washington, DC, law firm of Hogan & Hartson.
ABOUT THE ELECTRONIC FRONTIER FOUNDATION
The Electronic Frontier Foundation (EFF) is a nonprofit civil
liberties organization working in the public interest to protect
privacy, free expression, and access to online resources and
information. EFF is a primary sponsor of the Bernstein case. EFF
helped to find Bernstein pro bono counsel, is a member of the
Bernstein legal team, and helped collect members of the academic
community and computer industry to support this case.
Full text of the lawsuit and other paperwork filed in the case is
available from EFF's online archives at:
The full text of Monday's decision is available at:
Submissions for this group: <URL:mailto:email@example.com>
Comments about this group: <URL:mailto:firstname.lastname@example.org>
Guidelines for submssion are posted weekly to the newsgroup.
The PGP FAQ is at <URL:http://www.pgp.net/pgpnet/pgp-faq/>