COURT DECLARES CRYPTO RESTRICTIONS UNCONSTITUTIONAL Free Speech Trumps Clinton Wiretap Plan December 19, 1996, 16:50 Pacific time. Electronic Frontier Foundation Contacts: Shari Steele, Staff Attorney 301/375-8856, ssteele@eff.org John Gilmore, Founding Board Member 415/221-6524, gnu@toad.com Cindy Cohn, McGlashan & Sarrail 415/341-2585, cindy@mcglashan.com San Francisco - On Monday, Judge Marilyn Hall Patel struck down Cold War export restrictions on the privacy technology called cryptography. Her decision knocks out a major part of the Clinton Administration's effort to force companies to build "wiretap-ready" computers, set-top boxes, telephones, and consumer electronics. The decision is a victory for free speech, academic freedom, and the prevention of crime. American scientists and engineers will now be free to collaborate with their peers in the United States and in other countries. This will enable them to build a new generation of tools for protecting the privacy and security of communications. The Clinton Administration has been using the export restrictions to goad companies into building wiretap-ready "key recovery" technology. In a November Executive Order, President Clinton offered limited administrative exemptions from these restrictions to companies which agree to undermine the privacy of their customers. Federal District Judge Patel's ruling knocks both the carrot and the stick out of Clinton's hand, because the restrictions were unconstitutional in the first place. The Cold War law and regulations at issue in the case prevented American researchers and companies from exporting cryptographic software and hardware. Export is normally thought of as the physical carrying of an object across a national border. However, the regulations define "export" to include simple publication in the U.S., as well as discussions with foreigners inside the U.S. They also define "software" to include printed English-language descriptions and diagrams, as well as the traditional machine-readable object code and human-readable source code. The secretive National Security Agency has built up an arcane web of complex and confusing laws, regulations, standards, and secret interpretations for years. These are used to force, persuade, or confuse individuals, companies, and government departments into making it easy for NSA to wiretap and decode all kinds of communications. Their tendrils reach deep into the White House, into numerous Federal agencies, and into the Congressional Intelligence Committees. In recent years this web is unraveling in the face of increasing visibility, vocal public disagreement with the spy agency's goals, commercial and political pressure, and judicial scrutiny. Civil libertarians have long argued that encryption should be widely deployed on the Internet and throughout society to protect privacy, prove the authenticity of transactions, and improve computer security. Industry has argued that the restrictions hobble them in building secure products, both for U.S. and worldwide use, risking America's current dominant position in computer technology. Government officials in the FBI and NSA argue that the technology is too dangerous to permit citizens to use it, because it provides privacy to criminals as well as ordinary citizens. "We're pleased that Judge Patel understands that our national security requires protecting our basic rights of free speech and privacy," said John Gilmore, co-founder of the Electronic Frontier Foundation, which backed the suit. "There's no sense in `burning the Constitution in order to save it'. The secretive bureaucrats who have restricted these rights for decades in the name of national security must come to a larger understanding of how to support and preserve our democracy." Reactions to the decision "This is a positive sign in the crypto wars -- the first rational statement concerning crypto policy to come out of any part of the government," said Jim Bidzos, President of RSA Data Security, one of the companies most affected by crypto policy. "It's nice to see that the executive branch does not get to decide whether we have the right of free speech," said Philip Zimmermann, Chairman of PGP, Inc. "It shows that my own common sense interpretation of the constitution was correct five years ago when I thought it was safe to publish my own software, PGP. If only US Customs had seen it that way." Mr. Zimmermann is a civil libertarian who was investigated by the government under these laws when he wrote and gave away a program for protecting the privacy of e-mail. His "Pretty Good Privacy" program is used by human rights activists worldwide to protect their workers and informants from torture and murder by their own countries' secret police. "Judge Patel's decision furthers our efforts to enable secure electronic commerce," said Asim Abdullah, executive director of CommerceNet. Jerry Berman, Executive Director of the Center for Democracy and Technology, a Washington-based Internet advocacy group, hailed the victory. "The Bernstein ruling illustrates that the Administration continues to embrace an encryption policy that is not only unwise, but also unconstitutional. We congratulate Dan Bernstein, the Electronic Frontier Foundation, and all of the supporters who made this victory for free speech and privacy on the Internet possible." "The ability to publish is required in any vibrant academic discipline," This ruling re-affirming our obvious academic right will help American researchers publish without worrying," said Bruce Schneier, author of the popular textbook _Applied Cryptography_, and a director of the International Association for Cryptologic Research, a professional organization of cryptographers. Kevin McCurley, President of the International Association for Cryptologic Research, said, "Basic research to further the understanding of fundamental notions in information should be welcomed by our society. The expression of such work is closely related to one of the fundamental values of our society, namely freedom of speech." Background on the case The plaintiff in the case, Daniel J. Bernstein, Research Assistant Professor at the University of Illinois at Chicago, developed an "encryption algorithm" (a recipe or set of instructions) that he wanted to publish in printed journals as well as on the Internet. Bernstein sued the government, claiming that the government's requirements that he register as an arms dealer and seek government permission before publication was a violation of his First Amendment right of free speech. This is required by the Arms Export Control Act and its implementing regulations, the International Traffic in Arms Regulations. In the first phase of this litigation, the government argued that since Bernstein's ideas were expressed, in part, in computer language (source code), they were not protected by the First Amendment. On April 15, 1996, Judge Patel rejected that argument and held for the first time that computer source code is protected speech for purposes of the First Amendment. Details of Monday's Decision Judge Patel ruled that the Arms Export Control Act is a prior restraint on speech, because it requires Bernstein to apply for and obtain from the government a license to publish his ideas. Using the Pentagon Papers case as precedent, she ruled that the government's "interest of national security alone does not justify a prior restraint." Judge Patel also held that the government's required licensing procedure fails to provide adequate procedural safeguards. When the Government acts legally to suppress protected speech, it must reduce the chance of illegal censorship by the bureacrats involved -- in this case, the State Department's Office of Defense Trade Controls. Her decision states, "Because the ITAR licensing scheme fails to provide for a time limit on the licensing decision, for prompt judicial review and for a duty on the part of the ODTC to go to court and defend a denial of a license, the ITAR licensing scheme as applied to Category XIII(b) acts as an unconstitutional prior restraint in violation of the First Amendment." Professor Bernstein is now free to publish his ideas without asking the government's permission first. She also ruled that the export controls restrict speech based on the content of the speech, not for any other reason. "Category XIII(b) is directed very specifically at applied scientific research and speech on the topic of encryption." The Government had argued that it restricts the speech because of its function, not its content. The judge also found that the ITAR is vague, because it does not adequately define how information that is available to the public "through fundamental research in science and engineering" is exempt from the export restrictions. "This subsection ... does not give people ... a reasonable opportunity to know what is prohibited." The failure to precisely define what objects and actions are being regulated creates confusion and a chilling effect. Bernstein has been unable to publish his encryption algorithm for over four years. Many other cryptographers and ordinary programmers have also been restrained from publishing because of the vagueness of the ITAR. Brian Behlendorf, a maintainer of the popular public domain "Apache" web server program, stated, "No cryptographic source code was ever distributed by the Apache project. Despite this, the Apache server code was deemed by the NSA to violate the ITAR." Judge Patel also adopted a narrower definition of the term "defense article" in order to save it from unconstitutional vagueness. The immediate effect of this decision is that Bernstein now is free to teach his January 13th cryptography class in his usual way. He can post his class materials on the Internet, and discuss the upcoming class's materials with other professors, without being held in violation of the ITAR. "I'm very pleased," Bernstein said. "Now I won't have to tell my students to burn their notebooks." It is unclear exactly where Judge Patel's decision applies -- in the Northern District of California (containing San Francisco and Silicon Valley) or throughout the country. Check with your own lawyer if you contemplate taking action based on the decision. It is not yet clear from the decision whether the export controls on object code (the executable form of computer programs which source code is automatically translated into) have been overturned. It may be that existing export controls will continue to apply to runnable software products, such as Netscape's browser, until another court case challenges that part of the restrictions. ABOUT THE ATTORNEYS Lead counsel on the case is Cindy Cohn of the San Mateo law firm of McGlashan & Sarrail, who is offering her services pro bono. Major additional pro bono legal assistance is being provided by Lee Tien of Berkeley; M. Edward Ross of the San Francisco law firm of Steefel, Levitt & Weiss; James Wheaton and Elizabeth Pritzker of the First Amendment Project in Oakland; and Robert Corn-Revere, Julia Kogan, and Jeremy Miller of the Washington, DC, law firm of Hogan & Hartson. ABOUT THE ELECTRONIC FRONTIER FOUNDATION The Electronic Frontier Foundation (EFF) is a nonprofit civil liberties organization working in the public interest to protect privacy, free expression, and access to online resources and information. EFF is a primary sponsor of the Bernstein case. EFF helped to find Bernstein pro bono counsel, is a member of the Bernstein legal team, and helped collect members of the academic community and computer industry to support this case. Full text of the lawsuit and other paperwork filed in the case is available from EFF's online archives at: http://www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/ The full text of Monday's decision is available at: http://www.eff.org/pub/Privacy/ITAR_export/ Bernstein_case/Legal/961206.decision