Issue of the Week:
May 5, 1999
Encryption Policy Makes Strange Bedfellows

Proponents of the free export of powerful encryption software found an accidental ally earlier this year: part of the same Clinton Administration that wants the technology strictly controlled.

As part of its charge to help the research community develop an advanced encryption standard, the National Institute of Standards and Technology recently hosted an international cryptography conference, complete with scholarly papers posted on its Web site. The only problem: one of the foreign papers posted on the Web site included an appendix containing programming code for strong cryptography, a violation of the law that its sister Commerce Department agency, the Bureau of Export Administration, is responsible for policing.

Cryptography experts chuckled when NIST, realizing its mistake, quickly removed the offending material from where it could have been seen by anyone in the world and thus exported. But in a more serious vein, the experts insist that the incident highlighted the absurdity of current Clinton Administration policy on the subject, an absurdity that could play well into the hands of professors and activists challenging those restrictions in court.

"As we have seen, it makes no sense to separate code from research, and this just shows it," said Bruce Schneier, CEO of Counterpane Systems and author of the textbook Applied Cryptography.

In three separate cases currently before different district and appeals courts, mathematics professor Daniel Bernstein, law professor Peter Junger, and software engineer Philip Karn are each challenging the law on constitutional grounds. They claim that keeping them from doing the same thing that NIST inadvertently did, posting strong cryptographic algorithms on Web sites, is a restriction on their rights to freedom of speech.

"We believe the publication of encryption source code is essential to the exposition and dissemination of ideas," said Gino Scarselli, associate legal director for the American Civil Liberties Union, which is representing Junger, a professor at Case Western Reserve University law school. "They are technical and specific ideas, but ideas protected by the First Amendment nonetheless."

Although the use of strong cryptography (defined as cryptographic codes with "key" lengths greater than 56 bits) is widespread around the world, current U.S. law forbids the export of software or source code describing them. The government has ruled that posting such techniques on the Web constitutes "export."

Scarselli argued that the restrictions that keep Junger from publishing on the Web are not "imposed on the printed word, and we don't believe that it can be imposed on a forum that the Supreme Court has called the most participatory form of mass speech that we have ever known."

"I find it very frustrating, because it messed up my efforts to teach computing and law," said Junger. "Of all my courses, that is the one I wanted to get material up on the Web server, and not being able to is quite upsetting."

Bernstein and Karn made similar arguments about the burden on their personal freedom of speech. But each also noted that should either of them prove successful, "all this talk about liberalizing encryption goes out the window, because at that point, such restrictions would be dead," said Junger.

It is difficult to find defenders of the encryption restrictions in the academic community and even among many technologists in the government who realize the vital need to replace the aging and easily cracked Data Encryption Standard (DES). But the Bureau of Export Administration said that the cases were about more than just free speech.

"Encryption is code, and code is product, and product is controllable," said spokeswoman Sue Hofer, who declined further comment, noting that the Justice Department is actively litigating each of the cases.

Of the three, Bernstein vs. U.S. Department of State has gone the furthest. The former University of California at Berkeley graduate student of mathematics argued that the restriction kept him from publishing his "Snuffle" and "Unsnuffle" encryption code on the Internet. After Bernstein won in U.S. District Court in 1997, the government appealed the case, which was argued almost a year and a half ago in the Ninth Circuit Court of Appeals.

"The entire export restrictions are pretty dicey when it comes to speech," said Cindy Cohn, an attorney for Bernstein, who is now a professor at the University of Illinois. "They may lose ability to maintain encryption, but still have export controls on every good and service."

While national security arguments made by the government do carry weight in court, valid constitutional arguments trump those, she said, pointing to the Supreme Court's Pentagon Papers decision.

"Sometimes they win and sometimes they don't," Cohn said. "Even when they do win, they have to prove a national security problem, not just posit one."

The Ninth Circuit is based in San Francisco, and any ruling there would be applicable to the concentration of technology companies based on the West Coast. So Cohn said it was not surprising that the Court of Appeals was taking its time on what could be a "landmark" decision and one that the government would almost certainly appeal to the Supreme Court.

Junger and the ACLU, on the other hand, lost their first round of Junger vs. Daley in Ohio federal district court. They had argued for Junger's right to post course material freely available in paper-text format on the Web.

Appealing to the Sixth Circuit Court of Appeals, attorneys hope to point to what they say are inconsistencies in the lower court decision.

"While the judge said there were expressive elements of source code, he didn't consider it a fundamental part of the ideas," said Raymond Vasvari, lead attorney for Junger. "It was something like obscenity" in setting out a gray area of less-protected speech, he said.

The third case, Karn vs. U.S. Department of State, is an appeal of a 1994 ruling by the State Department before the Administration transferred that responsibility to the Department of Commerce in 1996. Unlike the Bernstein and Junger cases, in which the arguments are made purely on First Amendment grounds, Qualcomm engineer Philip Karn argued that his Fifth Amendment rights were violated by a ruling that held it was legal to export a copy of Schneier's book, which includes high-powered cryptographic algorithms, but illegal to put the same information on floppy disk.

"What is the validity of treating source code on Mylar different from paper?" said Karn attorney Ken Bass of Venable, Baetjer, Howard and Civiletti. But he was heartened by a February ruling by Washington federal district judge Louis Oberdorfer holding that Karn was entitled to an evidentiary hearing.

"I hope that there will be an opportunity to have judicial examination of the rationality of the government's restrictions and their claims of adverse impact to the national security that would follow if cryptography were unregulated," said Bass. "If we are able to get the evidence of the availability of equally strong cryptography available around the world that we know is there, I think we will be able to punch holes" in the government's case.

by Drew Clark