In a court decision that could have sweeping effects on the computer industry, a federal judge has handed down a ruling declaring the Clinton administration's policy on limiting the export of certain types of encryption software unconstitutional. But already, the US government is expected to fight back.
Based on the fact that computer programming code is a type of language and protected under the free speech clause of the Constitution, U.S. District Judge Marilyn Hall Patel ruled that plaintiff Daniel Berstein did not have to follow the government's restrictions for exporting his encryption software worldwide. Berstein, a mathematics professor at the University of Illinois, Chicago, sued the government early in 1996, claiming that its requirements that he register as an arms dealer and seek federal permission before distributing his software over the Internet violated his First Amendment rights.
Under current law, U.S. software companies are allowed to export encryption with key lengths of up to 56 bits if they agree to build a "key escrow" system into their products, which allows law enforcement officials to access data when criminal activity is suspect. Companies overseas already have products on the market with key lengths up to 128 bits that don't require the use of key escrow and are constantly developing new technologies, says John Gilmore, a founding board member of the Electronic Frontier Foundation, a civil liberties organization that backed the Berstein suit.
U.S. companies and civil liberties organizations claim that these restrictions hobble competition of U.S. companies in foreign markets because more secure products can be bought from non-U.S. firms. The government - including the FBI and the National Security Agency - argues that strong encryption will fall into the hands of terrorists and criminals and could be used to threaten national security.
A January 1996 report issued by encryption experts and the industry group the Business Software Alliance found that 56-bit encryption can be broken by the U.S. government in a matter of minutes, while 128-bit encryption can take months or even years to break. The report concluded that a minimum of 75 bits is needed to ensure privacy.
While yesterday's decision technically applies only to the Bernstein case, a federal "unconstitutional" ruling of this kind on government policy usually has a wide-reaching effect, Gilmore said.
"Everyone is free to export cryptography now," Gilmore says. While only one person filed the case, Judge Patel's ruling makes part of the encryption export law invalid across the board, he says.
But while the EFF may feel confident that the ruling is a victory for U.S. software companies who are racing to keep up with foreign competition in the 128-bit encryption realm, other industry observers - and the companies themselves - are a bit more wary.
"There is still a lot of confusion regarding whether people can just go and export products freely after this ruling," says Alan Davidson, staff counsel for the Washington, D.C.-based Center for Democracy and Technology. "While a federal ruling from such a highly-regarded judge as Marilyn Patel is certainly significant and influential, it isn't a precedent until the U.S. Supreme Court hands down a similar ruling."
Netscape Communications has a 128-bit version of its browser encryption software that has been restricted from exporting overseas. Company officials are unsure how the ruling will affect the company's policies. While Netscape has been at the forefront of efforts to challenge the Clinton administration's current plan, officials are "still gathering information and ironing out all the details of the judge's decision" to figure out how it applies specifically to the export of browser products such as Navigator, said Chris Holten, a spokeswoman for Netscape.
In addition, it remains unclear exactly what parts of a software program are protected under the First Amendment. Judge Patel did not confirm whether the ruling applies to object code (the executable form of computer programs which source code is automatically translated into) in addition to source code. Thus, runnable programs that contain object code, such as Netscape Navigator, may not be fully protected under the ruling, according to the EFF.
Most importantly, however, the Bernstein case shows that there are serious constitutional problems with the administration's approach to limiting encryption export, Davidson says.
The Clinton administration knew earlier this year that it had a slim chance of winning the Bernstein case when Patel refused to throw it out of court, citing First Amendment rights. Nonetheless, the government is "disappointed" about the outcome, says Ginny Terzano, a spokeswoman in the Vice President Gore's office.
The Justice Department and the U.S. Department of Commerce - which now has authority over export controls - have not publicly stated whether they will appeal the decision or not. However, most observers feel that the government will take action to protect current regulations.
"The government will fight this," Gilmore says.
But along with government appeals, many other software companies and individuals may decide to sue under the same First Amendment right now that they know they will have a good chance of winning, Davidson said.
"We're pleased that Judge Patel understands that our national security requires protecting our basic rights of free speech and privacy," Gilmore said in a statement. "There's no sense in burning the Constitution in order to save it."
The immediate effect of the decision is that Professor Bernstein will be able to teach his Jan. 13 cryptography class and post his software on the Internet without restrictions. While he could not be reached for comment, Berstein told the EFF he is "very pleased" with Judge Patel's decision. "Now I won't have to tell my students to burn their notebooks," he said.