Section I

On-Line Issues: F

F.  Administration, Congress, Courts Take Significant Steps To Protect Encrypted Speech

 

    “Encryption” is the ability to encode information to be sent over computer networks so that it can only be read by the intended receiver.  Encryption was originally the exclusive province of military and intelligence services, and its dissemination was tightly controlled for national security reasons.  Today, however, encryption is widely used to protect privacy and proprietary information stored or transmitted electronically. 

    A wide variety of everyday products, from cell phones to Web browsers, have encryption features built in to ensure that sensitive communications stay private.  Because of its roots in national security and fears that criminals will use encryption to hide information from law enforcement, U.S. law has prevented the export or Internet publication of encryption code.

    The prohibition against publishing encryption code is, of course, a classic prior restraint, which academic cryptographers and privacy advocates have challenged as a violation of the First Amendment.  And the U.S. government’s policies restricting the export of encryption products and technologies outside the United States have in recent years been under increasing pressure from information technology vendors and users.  In 2000, these forces and the growing importance of electronic commerce to the U.S. economy came together to produce a substantial easing of the controls on the export and publication of encryption technology and software. 

    The Commerce Department published two major sets of reforms to the regulations governing exports of encryption products.  The reforms first substantially eased the controls on exports to nearly all destinations and then essentially eliminated the licensing requirements for exports to the 15 European Union countries and to eight other close U.S. allies.  These regulatory reforms have reduced congressional interest in legislation to accomplish the same result, and have also apparently mooted the core of the First Amendment challenges pending in the courts. 

    Several bills to liberalize encryption regulations enjoyed wide support in Congress during 2000, although none passed before lawmakers adjourned.  Meanwhile, the court cases appear to be moribund.  Nonetheless, these legislative efforts, and perhaps the danger of adverse First Amendment decisions in the courts, undoubtedly helped create incentives for the Administration to liberalize its encryption regulations.


Executive Branch Actions:  Substantially Eased Controls. 

    The strength of encryption products is typically measured by the key length, or number of “bits” in the encryption key, which is a string of randomly generated digits used to encrypt or decrypt information.  Although generally accepted security standards demand 128-bit encryption for most applications, until 2000 the Commerce Department’s regulations effectively imposed a 56-bit upper limit for license-free export to destinations other than Canada (which for many years has been exempt from virtually all commercial export-licensing requirements).  

    During 2000, the Commerce Department implemented regulatory changes that substantially eased the controls on exporting encryption products and technology to most destinations, and nearly eliminated all export controls on encryption for the 15 European Union countries and eight other close U.S. allies.  Notwithstanding these changes, U.S. law prohibits exports of virtually all encryption products and technology to countries designated as supporting terrorism, i.e., Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.  (“Export” for these purposes includes posting software on the Internet, and release of source code in electronic form to foreign nationals in the United States or elsewhere.  In addition, reexports of encryption products -- that is, exports of U.S.-origin encryption from one foreign country to another -- are subject to the same licensing requirements.)

    The regulatory changes promulgated by the Commerce Department during 2000 expanded on narrow 1999 exceptions for the export of strong encryption for certain uses (financial and health care) or users (subsidiaries of U.S. companies and online merchants).  The changes are most sweeping for the 15 countries of the European Union and eight other close allies of the United States, which are as follows:

Austria, Australia, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom.

    For these countries, regulatory amendments published in mid-October 2000 permit the license-free export of encryption products of any strength and virtually any type to both government and non-government users.  Prior to shipping, the exporter (or manufacturer) must simply complete a prescribed one-time filing with the Commerce Department disclosing the technical details of the encryption product, so that it can be classified for export-control purposes. 

    Unlike exports to other destinations, an export to these countries can be completed as soon as the complete classification filing is made: there is no required waiting period, and no distinction is drawn between “government” and “non-government” customers, or between “retail” and “non-retail” encryption products.  (Cryptanalytic products, designed to break or hack encryption, are not eligible for this favorable treatment.)

    Under the 1999 regulations, encryption products of any strength could be exported virtually worldwide for the internal use of subsidiaries of U.S. companies.  The amendments published in October 2000 now authorize export or reexport of encryption products on the same basis to worldwide subsidiaries of companies with headquarters in any of the above-listed countries.  That change puts multinational companies with headquarters in the E.U. or another of the designated countries on essentially the same footing as U.S.-based companies and their subsidiaries, and enables multinational companies to deploy the same strong encryption for globally secure intranet networks. 

    In addition, telecommunications and Internet service providers may use non-retail encryption products to provide services to government-owned entities in the above-listed countries, although they will continue to require a specific license to provide such government services outside those countries.  Finally, products with open cryptographic interfaces (sometimes called “crypto with a hole”) that permit a third party to insert encryption functionality, which are generally not eligible for license-free export, may now be exported permissively to the countries listed above.  In certain circumstances, exporters may be required to file post-export reports with the Commerce Department.

    For destinations outside of the 23 markets listed, a different set of rules applies, pursuant to regulatory amendments published in January 2000.  These rules distinguish between “retail” and “non-retail” encryption products, and between “government” and “non-government” end-users.  In particular, for these markets encryption products that qualify as “retail” products may be exported or reexported with any strength encryption to any user or destination license-free (except countries designated as terrorist-supporting). 

    To be classified as “retail” an encryption product must meet two separate criteria: First, the product must be generally available to the public in tangible form in independent retail outlets or in large volume through any means, including electronic transfers, or it must be specifically designed for individual consumer use.  Second, the product must not require substantial support for installation and use, must have encryption functions that cannot easily be changed, must not be modified or customized to customer specifications, and must not be a “network infrastructure product.”  

    “Non-retail” products may be exported or reexported with any strength encryption to non-government entities license-free (except in terrorist-supporting countries).  Exports or reexports to governments of non-retail encryption that is stronger than 64 bits (a relatively weak level of encryption) require specific licensing, however.  “Government end-user” is defined as any foreign government department (central or local) performing government functions, and international government organizations. 

    Ineligible “government end-users” do not include government-owned telecommunications, broadcast, or entertainment companies, or utilities, banks, educational organizations, civil health organizations, transportation, or retail companies.  Government-owned manufacturing and industrial entities are excluded from non-retail exports only if they are engaged in the manufacture or distribution of certain munitions-related items or services.  Exporters are required to make periodic post-export reports concerning exports of encryption stronger than 64 bits.

    Before any encryption product is eligible for export, the technical details must be disclosed to the Commerce Department for a one-time technical review, which will classify the product as “retail” or “non-retail.”  Exporters may proceed with shipments to non-governmental end-users after waiting for 30 days after filing a complete classification request.  Exports to government users, however, are authorized only after the U.S. exporter receives affirmative notice from the Commerce Department that the product has been classified as “retail,” or, if it is not, only after receipt of a specific license for the export.

    The 2000 regulatory amendments also helped resolve an important controversy over the Internet publication or other dissemination of encryption programming code (“source code”) and of functioning “open source” software.  Until 2000, source code for strong encryption generally could not lawfully be posted on the Internet or otherwise made available for electronic transfer or downloading by foreign parties without stringent and burdensome access-control precautions.  These limitations seemed to ignore the growing importance of “open source” software, for which developers publish all of the source code to the world, typically by posting on the Internet, so that others can build upon it and improve it, as well as develop compatible products.

    Under the January 2000 amendments, publicly available encryption source code, including publicly available commercial source code subject to a licensing fee or royalty arrangement, may now be published by posting on the Internet without any of the onerous precautions against unauthorized transfers that would ordinarily be required, or be otherwise exported without any prior BXA classification review or licensing.  The exporter must only provide the Commerce Department with a copy of the code or an Internet address at which it can be downloaded.  In October 2000, the rules were expanded to include exports of so-called “freeware” (available for use and downloading without charge) as well as object code that is compiled from publicly available source code, but for which a commercial fee or royalty is charged.

    While these exemptions are undoubtedly aimed at removing obstacles to “open source” development, they also appear to be deliberately crafted to avoid any further court challenges to the encryption regulations under the First Amendment, as described below.


The Courts: First Amendment Challenges

    The long-standing restrictions on encryption source code have also been under attack in the courts on constitutional grounds.  In three separate lawsuits, academic cryptographers have argued that the requirement to obtain a government license before publishing encryption source code on the Internet or by other electronic means is nothing more than a prior restraint on free speech that is contrary to the First Amendment.  These scientists maintain that source code is a medium of communication, in fact the preferred medium of communication among computer scientists, and is thus protected speech.  The government has defended the regulations by maintaining that source code is functional, not speech, and that it is regulated for what it does, and not for any ideas it may communicate.

     The results have been mixed and no significant decisions were issued during 2000.  The district court in the Bernstein case held that source code was protected speech, and struck down the export regulations as an unconstitutional prior restraint.  Bernstein v. Dep’t of State, 922 F. Supp. 1426 (N.D. Cal. 1996); 945 F. Supp. 1279 (N.D. Cal. 1996); 974 F. Supp. 1288 (N.D. Cal. 1997).  A Ninth Circuit panel upheld the district court (see 176 F.3d 1132 (9th Cir. 1999)), but that opinion has been withdrawn and the case set for rehearing en banc. 

    The district courts in two other cases rejected the professors’ challenges and upheld the government’s regulations.  Junger v. Daley, 8 F. Supp. 2d 709 (N.D. Ohio 1998); Karn v. Dep’t of State, 925 F. Supp. 1, 9-10 (D.D.C. 1996).  The Karn case was appealed to the D.C. Circuit, then remanded to the district court (and a new judge) for further proceedings.  The Junger case is on appeal to the Sixth Circuit. 

    The failure of courts to move quickly on these cases during 2000 seems to confirm that the new encryption regulations have substantially narrowed the claims at issue in these cases (as they were apparently designed to do), and may indeed have made the cases moot.  The new regulations allow encryption source code to be published on the Internet or otherwise exported without prior licensing to virtually all destinations. 

    The new regulations arguably eliminate any prior restraints, since the exporter (publisher) is free to disseminate source code with no more than notification of the Internet address or copy of the code to the Commerce Department by the time of export or publication.  Exporters or publishers continue to be prohibited from “knowingly” exporting to the seven terrorist-supporting destinations or their nationals, but the amendments provide that the mere act of posting the source code on the Internet where it is accessible to nationals in those countries does not by itself establish knowledge of a prohibited export.

    It is not clear whether these changes have in fact made the professors’ First Amendment claims entirely moot.  For instance, the requirements for notice and disclosure to the government prior to publication would be unusual, to say the least, if applied to traditional publications such as newspapers.  Such requirements for Internet publication likely would not pass constitutional muster.  In any case, further consideration of the professors’ claims in light of the new regulations is likely to require remand to the trial courts for further proceedings, so that final decisions do not seem likely soon.

   

-- Kurt Wimmer  

The author wishes to thank Peter Flanagan, an associate at Covington & Burling, for his assistance in the preparation of this chapter.  

