Download Encryption Technology and Export Regulations and more Essays (university) Cryptography and System Security in PDF only on Docsity!
A.
THE ENCRYPTION EXPORT TAX: A PROPOSED
SOLUTION AND REMEDY TO THE ISSUES AND
COSTS ASSOCIATED WITH EXPORTING
ENCRYPTION TECHNOLOGY
John L. Paik*
INTRODUCTION ... .... ............................... .. ..... 162
I. ENCRYPTION BASICS AND TERMINOLOG.Y ........ 163
I I. CURRENT REGULATIONS, PROPOSALS, AND
INTERNATIONAL AGRE.EMENTS ..... ..... .......... 164
A. EXPORT REGULATIONS.............................. 164
B. L EGISLATIVE P ROPOSALS............................ 168
C. I NTERNATIONAL A GREEMENTS....................... 169
I I I. EVOLUTION OF ENCRYPTION POL.IC.Y ............. 170
A. HISTORICAL P ERSPECTIVE ...................... ..... 170
B. THE R1sE AND FALL OF KEY EscRow? .............. 171
IV. REGULATION OF ENCRYPTION EXPORTS PASSES
CONSTITUTIONAL MUSTER ......................... 173
A. FIRST A MENDMENT A NALYSIS .. ................ ..... 173
B. FOURTH A MENDMENT A NALYSIS ...... .. ... ... .... .. 176
V. NATIONAL SECURITY CONC.ERNS .................. 179
A. THE DILEMMA OF U NBREAKABLE E NCRYPTION ....... 179
B. DOES THE P ROLIFERATION OF STRONG E NCRYPTION
A DVANCE N ATIONAL SECURITY I NTERESTS?.......... 181
V I. ARGUMENTS FOR LIB.ERAL.IZING ENCRYPTION
EXPORT REGULATIONS ............................. 183
I NFEASIBILITY OF RESTRICTING EXPORT OF
E NCRYPTION SoFrWARE AND Goons ... ..... ........ 183
B. P OTENTIAL A DVERSE E CONOMIC I MPACT OF
RESTRICTIVE E NCRYPTION REGULATIONS............. 185
V I I. PROPOSED SOLUTION ............................... I 86
A. FUNDING OF A C ENTRALIZED C OUNTER-E.NCRYPTION
RESEARCH AND DEVELOPMENT E FFORT THROUGH
TAXATION OF E NCRYPTION EXPORTS................. 186
B. How WouLD THE P ROPOSED TAX O PERATE? .... .... 191
- B.S., Cornell University, 1994: M.S., University of California, Los Angeles, 1997; candidate for J.D., Cornell Law School, 2001. I dedicate this Note to my parents and my sister, Gina.
162 CORNELL JOURNAL OF LAw AND PUBLIC POLICY [Vol. 10:
C. WHICH AGENCIES WOULD BE RESPONSIBLE FOR
RUNNING THE FuND? WHERE WouLD THE FUNDS
Go, AND How WouLD THEY BE UsED?............. 191
VIII. CONCLU SION ................. ....................... 192
INTRODUCTION
U.S. regulations on the export of encryption technology ("crypto")
raise numerous complex issues with technical, political, legal, and eco
nomic dimensions. The main argument for regulating and restricting the
export of encryption is that the abuse of this technology by terrorists and
criminals would severely impede the ability of national security and law
enforcement officials to carry out their functions.' The software and
high-tech industries, on the other hand, argue that current export regula
tions put U.S. encryption businesses at a competitive disadvantage rela
tive to foreign companies, and that such regulations violate their First
Amendment free speech rights.^2 Privacy advocates, who are on the same
side of the debate as the high-tech industries, argue that any restrictions
on the accessibility of encryption products infringe on the individual's
right to informational privacy, thus implicating the Fourth Amendment.^3
The government does not deny the importance of strong encryption
to U.S. companies and private citizens alike.^4 Encryption products
both serve to protect proprietary data of U.S. companies
worldwide and have the potential to be an economic
boom in the cryptography software market.... [T]he
problem is reconciling all of these competing interests
and sorting out the extremes, which are numerous, but
without compromising any one interest too much.^5
In order for the U.S. government to reach this middle ground, it must
strike a balance between America's national security interests on one
hand, and commercial and privacy interests on the other: "The govern
ment must meet the responsibility of enhancing public safety and na
tional security, but the requirements that it imposes should not be so
1 See FBI, ENCRYPTION: IMPACT ON LAW ENFORCEMENT (June 3, 1999) at I I hereinafter
FBI REPORT! (stating that "ltlhe law enforcement community. .. is extremely concerned about the serious threat posed by the proliferation and use of robust encryption products that do not allow for the immediate, lawful access to the plaintext of encrypted, criminally related com munications ....").
2 See Jeri Clausing, Concerns Raised Over Encryption Report, N.Y. TIMES, Nov.24,
1999, at CS.
3 See generally Americans for Computer Privacy !hereinafter ACPJ at http://
www .computerprivacy.org (last visited Feb.23, 2000).
4 See FBI REPORT, supra note I.
5 J.Ten-ence Stender, Too Many Secrets: Challenges to the Comrol of Strong Crypto
and the National Security Perspective, 30 CASE W.REs. J. INT'L L. 287, 321 (1998)._
164 CORNELL JOURNAL OF LA w AND PUBLIC POLICY [Vol. 10: 16 1
the process of converting ciphertext back into plaintext.^12 Cryptographic
systems generally utilize a cryptologic algorithm, "a set of rules or series
of mathematical steps," in conjunction with a key.e^13 The key is usually a
string of bits and is functionally analogous to a key that unlocks a door -
it "unlocks" or decrypts the message so that the intended recipient can
read it. 14
There are two main types of key-based algorithms: secret-key (sym
metric) and public-key (asymmetric). 15 In secret-key cryptographic sys
tems, both the encryption key and decryption key are the same so that
everyone who needs to decrypt the message must have the key distrib
uted to them.^16 The inherent weakness in a secret-key system is "the
problem of finding a trusted method to distribute the key, and moreover,
protecting the key while in custody." 17 This type of scheme, however, is
not practical for widespread commercial or personal use.^18
In public-key cryptographic systems, the key used for encryption is
different from the key used for decryption. 19 Consequently, this type of
system "allows users to openly publish one key in the phone-book like
directory (the 'public key'), while keeping the other key private (the 'pri
vate key')."^20 Public-key encryption "allows parties to exchange en
crypted messages by using and revealing only their public keys, without
ever having to exchange private keys."^21 As long as the recipient him
self keeps secret the private key that matches the public key, only he can
read messages encrypted with the public key."^22
II. CURRENT REGULATIONS, PROPOSALS, AND
INTERNATIONAL AGREEMENTS
A. EXPORT REGULATIONS
Currently, all exports from the United States are regulated under
either the Arms Expo11 Control Act ("AECA")2^3 or the Export Adminis-
(^12) Id. t:l Id. (^14) See BAKER & HuRsT, supra note 8, at 4. (^15) See Stender, supra note 5, at 295. (^16) See id. (^17) Id. (^18) This is because where there is no secure channel for exchanging the secret keys. Thus, the key exchange is subject to easy interception. See Ira S. Rubenstein, Export Comro/s 011 £11cryptio11 Software, in COPING W1TH U.S. EXPORT CONTROLS 1994, at 183 (PLI Com. L. & Practice Course, Handbook Series No. A-705, 1994). (^19) See Stender, supra note 5, at 296. 2o Rubenstein, supra note I 8, at 183. 21 Stender, supra note 5, at 296. 22 .BAKER & HURST, supra note 8, at 2. 23 22 U.S.C. §§ 2571-2794 (1994 & Supp. V. 1999).
2000] ENCRYPTION EXPORT TAX 165
tration Act ("EAA").^24 The AECA confers on the State Department the
authority to regulate the export of anything it deems to be a munition,
which it defines as "a weapon of war."^25 Items classified as munitions
require individually approved export licenses which designate the cus
tomer, the application, and conditions for the handling or redeployment
of the item.^2 (, If the State Department decides that an item is dual-use, a
category that includes commercial products with military applications, it
transfers jurisdiction over the item's export to the Department of Com
merce ("DOC").^27 The DOC, under the EAA, now regulates the export
of all encryption devices and software, except for those that are specifi
cally designed or modified for military use.^2
The DOC's Export Administration Reguiations ("EAR")^29 define
export as "an actual shipment or transmission of items subject to the
EAR out of the United States, or release of technology or software sub
ject to the EAR to a foreign national in the United States."^30 The EAR
additionally define "exportation of encryption source code and object
code"^3 1 as "[d]ownloading, or causing the downloading of, such software
to locations... outside the U.S., or making such software available for
transfer outside the U.S.,. .. including transfers from electronic bulletin
boards, Internet file transfer protocol and World Wide Web sites."^32
The Clinton administration initially instituted a restrictive encryp
tion export policy over the objection of encryption software developers,
who argued that such restraints would place an unnecessary burden on
their ability to compete in the international encryption market.^33 How
ever, on September 16, 1999, the Clinton administration announced that
24 50 U.S.C. app. §§ 2401-2420 (1994 & Supp. V. 1999).
25 Id.
(^26) See BAKER & HURST, supra note 8, at 106.
27 Id. Prior to December 30, 1996, the State Department was responsible for regulating
the export of most encryption products from the United States under the AECA and the Inter
national Traffic in Arms Regulations ("ITAR"). Id. at 23. Jurisdiction over commercial en
cryption products was officially transferred from the State Department to the Commerce
pursuant to Executive Order No. 13026 (Nov. 15, 1996). Id.
2 8^ Id. at 24. Other agencies, including the Departments of Justice, State, and Defense,
also have a say in decisions concerning commercial encryption exports. Id. The NSA, a divi
sion of the Department of Defense, has the most expertise in encryption matters. Id. Conse
quently, other agencies have usually deferred to the agency of the NSA on encryption export
decisions. Id.
2 9 15 C.F.R. pts. 730- 774 (2000).
3<> Id. § 734.2(b)( I) (2000).
3 I Source code refers to the text of a computer program written in a high-level program ming language, such as C or Pascal. A computer cannot make use of source code until its has been translated into a lower-level, machine language, known as objecr code. 32 15 C.F.R. § 734.2(b )(9)(ii) (2000). 33 See Mai-Tram B. Dinh, The U.S. E11cryprio11 Exporr Policy: Taking rhe Byre Ow of rhe Debare, 7 MINN. J. GLOBAL TRADE 375, 375 (1998) (The U.S. government has traditionally imposed restrictions on the export of encryption software in order to protect national security.).
2000] ENCRYPTION EXPORT TAX 167
On January 1 4, 2000 the Clinton administration formally liberalized
its licensing requirements on the export of encryption software prod
ucts.39 The new regulations^40 "allow United States companies to ship
any retai l encryption4 1^ products around the world to commercial con
cerns, individuals and other nongovernment users after a one-time tech
nical revi ew by an interagency panel."^42 In addition, the rules allow the
export, without licenses, of most types of source code (the computer
code used to create programs).^43 The only exceptions to these rules
would be to nations on the State Department's list of seven terrorist sup
porting countries, which are Cuba, Iran, Iraq, Li bya, North Korea, Sudan,
and Syria.^44
The new regulations amend the EAR to allow export of any encryp
tion software or commodity to individuals, commercial firms, and other
non-governmental end-users i n all destinations, while more liberally al
lowing exports of retail encryption commodities and software to all end
users in all destinations.^45 In essence, the amended regulations imple
ment the encryption policy announced by the White House on September
16, 1999, which rested on three principles: ( I ) technical review of en
cryption products in advance of sale, (2) a streamlined post-export re
porting system, and (3) a process that permits the government to review
export of strong encryption to foreign governments.^46 Cisco Systems,
one of the largest producers of routers that form the backbone of the
Internet, expressed modest enthusiasm for the new rules.^4 7 While Cisco
many bank executives, must have keys that are 128-bits long." Edmund Andrews, U.S. Re strictions on Exports Aid German Software Maker, N.Y. TIMES, Apr. 7, 1997, at D I.
39 See David E. Sanger & Jeri Clausing, U.S. Removes More Limits on Enc1:vption, N.Y.
TIMES, Jan. 1 3, 2000, at C I. (^40) The new regulations essentially eliminate licensing requirements for strong encryp tion. But most products will still be subject to a one-time government review and companies are supposed to track and report their sales. Id.
4 1 Retail encryption commodities and software are ''those which are widely available and
can be exported and re-exported to any end-user (including any Internet and telecommunica tions service provider) to provide products and services (e.g. e-commerce, client-server appli cations, or software subscriptions) to any end-user." Revisions to Encryption Items, 65 Fed. Reg. 2493 (2000) (interim final rule at 1 5 C.F.R. pts. 734, 740, et al.) !hereinafter Encryption ltemsJ. The criteria for determining whether something qualifies as a retail product includes functionality, sales volume, distributions methods, ability to modify products and requirements for substantial support by the supplier.... Finance-specific, 56-bit non-mass market products with a key exchange greater than 5 1 2 bits and up to I 024 bits, network-based applications and other products which are functionally equivalent to retail products are considered retail products. Id.
42 Sanger & Clausing, supra note 39, at C l.
43 Id.
(^44) Id.; see also Encryption Items, supra note 4 1 , at 2492. (^45) See Encryption Items, supra note 4 1 , at 2492.
46 Id.
47 See Sanger & Clausing, supra note 39, at C l.
168 CORNELL JOURNAL OF LA w AND PUBLIC POLICY fVol. 1 0: 16 1
and numerous other high-tech compani es vi ewed the new regulations as
a step in the right direction and "as delivering on Vice President Al
Gore's promises to eliminate cumbersome licensing rules on exporting
software, civil libertarians say they fail to fix the constitutional questions
at the heart of pending court cases."^48
B. LEGISLATIVE PROPOSALS
There have been three bills relating to the issue of encryption intro
duced during the I 06th^ Congress, but only two of the bills specifically
propose amendments to government regulation of encryption exports.^49
The Security and Freedom Through Encryption Act ("SAFE"),^50 pro
poses a less restrictive approach to export regulations that would allow
U.S. companies to export strong encryption products if comparable prod
. ucts were already avai lable overseas.5 1^ SAFE would remove existing
export controls on hardware and software encryption products that are of
comparable strength to those that are commercially available from a for
ei gn supplier, regardless of any adverse i mpact on national security.^52
SAFE would also place a prohibition on an y type of mandatory key re
covery encryption by the government, but includes a provision that might
make it criminal to use encryption in furtherance of a criminal act.^53 At
the time of this bill's introduction, it enj oyed over 200 bipartisan co
sponsors.^5 4 The number of co-sponsors has grown to over 250 sin ce that
time.^55 As of late July 1 999, the House Rules Committee was preparing
to decide which version of SAFE should be sent to the House for a floor
vote.^56
The other congressional bill that addresses encryption export regula
tions is S.798, entitled the Promote Reliable On-Line Transactions to En
courage Commerce and Trade Act of 1 999 ("PROTECT"), introduced by
(^48) Id.
49 FB I REPORT, supra note 1 , at 1 0- 1 3. The Electronic Rights (E-Rights) for the 2 1 't
Century Act (S'.854), introduced Senator Leahy (D-VT) on Apri l 2 1 , 1 999, proposes to "pro tect the privacy and constitutional rights of Americans, to establish standards and procedures regarding law enforcement access to location information,... to affirm the rights of Ameri cans to use and sell encryption as a tool for protecting their online privacy... ." Id.
50 H.R. 850, 1 Cl61h^ Cong. ( 1 999). This bill was introduced Representative Robert Good
latte (R-V A) on February 25, 1 999. See FBI REPORT, supra note I , at I 0.
5 1 The computer industry, seeking an open world market for its encryption products, has
long complained that such export restrictions are pointless because terrorists can simply buy
powerful encryption products from other countries, such as Canada. I srael, or Ireland. See
Demos to Prez: 'Use SAFE Text.' at http://www.wired.com/news/news/politics/story/
2 1 744.html (last visited Ma�ch 1 7, 200 1 ).
52 See FBI R EPORT, supra note I , at 1 1.
53 See id.
54 See id.
55 See id.
56 See id.
170 CORNELL JOURNAL OF LA w AND PUBLIC POLICY [Vol. 1 0: 16 1
trols to support its efforts to extend its levels of control on the export of
cryptography.^67
Prior to the January 14, 2000 amendment to the encryption export
regulations, the American Electronics Association ("AEA"), an industry
group representing 3,000 plus U.S.-based technology companies, sup
ported "the Clinton administration' s decision to align the U.S. export
regulations with the new Wassenaar requirements and to deregulate
products up to 56-bits, but [felt] the response [was] inadequate."^68 The
AEA pointed out the foll y of arbitrary line drawing since law enforce
ment and intelligence agencies find it no more difficult to break 65-bit
than 64-bit encryption.^69 Critics suggested that the government recon
sider whether its export policy can actually achieve its stated goals
before trying to appease both the software industry and law enforcement
officials by merely tinkering with the numbers and details.^70 The fact
that the most recent encryption regulations impose no encryption key
length limit for retail encryption products suggests that these critics' sug
gestions did not fall on deaf ears.7 1
III. EVOLUTION OF ENCRYPTION POLICY
A. HISTORICAL PERSPECTIVE
In assessing the arguments for and against the widespread availabil
ity of cryptography that would result from unregulated export, it helps to
examine the development and application of cryptography. World War I
was the first war to be fought in the era of radio, which made it possible
to transmit and receive human voices over long distances.^72 The solution
to the ubiquitous nature of radio reception, which enabled anybody with
the right equipment and know-how to listen in, was cryptography. After
WWI, the United States continued to develop its capacity for signals in
telligence and merged this responsibility with the development of codes
to protect U.S. military communications.^73 World War II was a triumph
for American communications intelligence, which made important con-
browsers, e-mail applications, electronic commerce servers, and telephone scram bling devices.... I Member countries I also re-imposed controls on other mass market products with strengths over 64-bits, such as personal computer operating systems, word processing, and data base programs.
Id.
(^67) Sa McNulty, supra note 66, at 436.
68 Id. at 436-37.
69 See id. at 437.
(^70) See 1 44 Cong. Rec. S12,15.1 at 12,152 (Oct. 9, 1998). 7 l See Encryption Items, supra note 4 1, at 2492. 72 See WHITFIELD DtFFIE & SUSAN LANDAU, PRIVACY ON THE LINE: THE POLITICS OF WIRETAPPING AND ENCRYPTION 49 ( 1998). 7J See id. at 52.
2000] ENCRYPTION EXPORT TAX 1 7 1
tributions to victories in both the Atlantic and Pacific:^74 "The Allies'
ability to understand German and Japanese communications, even when
they were encoded with the enemies' best cryptographic systems, is
widely seen as having been crucial to the course of World War 11."^75
In 1 952, President Harry Truman signed a secret presidential order
creating the National Security Agency ("NSA"), whose objective was to
"capture control of all cryptographic and cryptanalytic work within the
United States. "^76 During the 1 970s, the NSA recognized that implemen
tation of federal laws like the Family Educational and Privacy Rights Act
of 1 974,^77 combined with the increasing use of computers and digital
communications by the federal government, would require that it share
its cryptographic equipment with a wider range of government users.^78
Any cryptographic equipment that was to be put in the hands of users
who did not undergo security clearance would have to utilize unclassified
cryptographic algorithms.^79 The NSA feared that making any of its algo
rithms public would reveal information about its design philosophy and
approach, which could conceivably compromise its other equipment.^80
During the late 1 970s and 1 980s, the NSA took notice of increased civil
ian research in cryptography and tried unsuccessfully to limit civilian
development and application of this technology. 8 1^ In the early 1 990s, the
FBI "formulated a policy that included shoring up its ability to perform
electronic surveillance,... and preventing the establishment of unbreak
able cryptography in the public sector."^82 The FBI ' s initial efforts in
support of this policy were embodied in the concept known as key
escrow.
B. THE R1sE AND FALL oF KEY EscRow?
Key escrow, later euphemistically renamed key recovery and key
management in order to appease the fears of privacy advocates, is a sys
tem by which users of cryptographic equipment are able to protect their
privacy against most intruders while allowing the government to keep a
set of "spare keys" with which it can decipher and read the communica-
7 4 See id. at 53.
75 Id. at 6. During WWI and WWII the U.S. primarily implemented mechanical crypto
graphic systems, devices utilizing physical moving parts rather than electronic and magnetic
components. See id. at 19-29. Since the 1 940s, the U.S. has converted to purely electronic
encryption. See id.
76 Id. at 55.
77 20 U .S.C. § 1 232g ( 1 994 & Supp. V. 1 999).
7K DIFFIE & LANDAU, supra note 72, at 59.
7 9 See id.
80 See id.
8 1 See id. at 60-76.
82 Id. at 76.
2000] ENCRYPTION EXPORT TAX 173
time technical review.9^2 For example, under Encryption Licensing Ar
rangements ("ELAs"), distributors can export encryption goods "as long
as they comply with restri ctions contained in the ELA."^93 It appears that
ELAs will vary on a case-by-case technical review basis, which suggests
that there is no longer a uniform mandate requiring all encryption export
ers to participate in any key recovery system.
IV. REGULATION OF ENCRYPTION EXPORTS PASSES
CONSTITUTIONAL MUSTER
A. FIRST AMENDM ENT ANALYSIS
In assessing whether governmental regulation of the export of en
cryption software raises First Amendment concerns, it is necessary. to
address two sub-issues. The first sub-issue is whether encryption
software source code qualifies as "speech" for First Amendment pur
poses.94^ The second sub-issue is whether current U.S. export regulations
are a prior restraint on speech.^95
Of the two cases that have addressed the issue of whether source
code is "speech," Bernstein v. U.S. Dept. of Justice ( "Bernstein Ill" ), 96
has received the most extensive judicial review.^ The three-judge panel
of the Ninth Circuit ruled 2- 1 in May 1999 that encryption program
source codes contain expressions of i deas that cannot be suppressed by
government officials.^97 Bernstein, a mathematics professor, sought to
export to the international academic and scientific communities an en
cryption method, which he had developed during his days as a graduate
9 2^ Id. See also Christopher R. Wall & Thomas M. DeButts, Encryption Export Controls, in COPING WITH U.S. EXPORT CONTROLS 1999 at 549,o55o1 (PLI Com. L. & Practice Course, Handbook Series No. A0-002Q, 1999). Certain '"encryption items," as defined in EAR, 15 C.F.R. pt. 772, may be exported under License Exception KM! (15 C.F.R § 740.8) after a one time technical review by BXA. Id. Commodities and software eligible for the this License Exception K M! include '"those for which companies had developed schemes for U.S. Govern ment key recovery or deposit of keys with a key escrow agent under earlier encryption export control regimes. Id. However, recoverable commodities and software, as defined in EAR, 15 C.F.R. pt. 772, may also be exported pursuant to an encryption licensing arrangement ("ELA") when License Exception K M ] cannot be used. 15 C.F.R. §§ 742.o15(b)(2), 740.8. The effect of these licensing exceptions is to allow encryption commodities and software of any key length to be exported under a license exception to non-government end users in any country, except one of the seven designated terrorist countries. Wall & DeButts, supra. In addition, retail encryption commodities and software of any key length may be exported under a license exception to any country except the seven designated terrorist countries after a one-time tech nical review. Id. 93 Encryption Items, supra note 41, at 2492. 94 See ;:enera/ly U.S. CoNsT. amend. I. 9� See Bernstein v. U.S. Dept. of Justice, 176 F.3d 1 132, 1138 (9'h Circ. 1999) I hereinaf
ter Bernstein /Ill (pointing out that '"any prior restraint on expression comes... with a heavy
presumption against its constitutional validity"). 96 Id. (^97) Id.
1 74 CORNELL JouRNAL OF LAW AND Puauc Poucy [Vol. 10: 16 1
student.^98 The State Department classified the software, which utilized
his encryption scheme, as a munition and told Bernstein that he would
need a license to export the computer program.9^9 In granting summary
judgment for Bernstein, the district court found that the program's source
code to be "speech" protected by the First Amendment. 1 00
In December l 996, President Clinton shifted licensing authority for
non military encryption commodities and technologies from the State De
partment to the Department of Commerce, which promulgated the EAR
to govern the export of crypto.e^1 01 Bernstein amended his complain t by
adding the Department of Commerce as a defendant and advanced the
same constitutional objections. I0 2 The district court again granted sum
mary judgment for B ernstein, finding the EAR to be facially invalid as a
prior restraint on speech.e^103
In affirming Bernstein I ande//, the Ninth Circuit reasoned that cryp
tographers use source code to express their scientific ideas in the same
way that mathematicians use equations or economists use graphs to ex
press their findings or ideas.e^1114 The court seemed to emphasize the fact
that source code, w^5 unlike object code, rn^6 "is not meant solely for the
computer, but is rather written in a language intended also for human
analysis and understanding."^107 The circuit court's emphasis on the dis
tinction between object code and source code is overly simplistic because
source code is not necessarily intended for others to analyze or under
stand. Programmers who intend their source code to be understood by
others usually include annotations and remarks throughout the program,
whereas programmers who are more interested in the functionality or
efficiency of their source code will be less inclined to include such de
scriptive annotations.
According to the standard set forth by the Supreme Court of the
United States, the dispositive factor in determining "speech" for First
98 Bernstein argued he wanted to export his encryption methods for purely academic
rather than commercial purposes. See id. at 1136. Bernstein's motive exporting encryption,
however, is not dispositive on the issue of whether or not encryption software source code 4ualifies as "speech" under the First Amendment. 99 Id. at 1 136.
1 oo See Bernstein v. U.S. Dept. of State, 922 F.Supp. 1426, 1434-36 (N.D. Cal 1996)
I hereinafter Bernstein fl.
IO I See Bernstein II/, 176 F.3d. at 1136.
102 See id.
103 See id.
1 04 See id. at 114 1.
I 05^ Source code refers to "text of a program written in a 'high-level' programming lan guage, such as 'PASCAL' or 'C. "' Id. at 1140. (^106) Object code refers to "lower-level"' or "machine" language, which gives instruction to
the computer. See id.
1.o7 (^) Id. at 1142.
1 76 CORNELL JouRNAL OF LA w AND PuBi.Jc Poucv [Vol. I O: 1 6 1
expressive to merit First Amendment protection. I^ I^6 The district court
reasoned that "speech" is protected not simply because it is written in a
language but rather because it expresses ideas. I^ I^7 Encryption source
code is rarely expressive, and in the limited instances it may communi
cate some idea, it is unintelligible to most people. That exporting source
code may occasionally be expressive "does not necessarily extend First
Amendment protection to it." I I^8
According to Karn v. U.S. Department of State, even if one were to
assume that encryption software source code qualifies as speech, export
regulation of this software does not necessarily constitute a prior restraint
on speech. I^ I9^ In order for an export licensing law to be invalidated by a
prior restraint facial challenge, it "must have a close enough nexus to
expression, or to conduct commonly associated with expression, to pose
a real and substantial threat of... censorship risks." 120 If the export
regulations are content-neutral I 2 I^ and aimed at preventing software ex
porters from making it easier for foreign intelligence sources to encrypt
their communications, the government may justify such regulation if it:
( I ) is within the constitutional power of government, (2) furthers an im
portant or substantial government interest, and (3) is narrowly tailored to
the governmental interest. 1 22 Both the J unger and Karn courts applied
this three-part test and concluded that U.S. export regulations were not a
prior restraint on speech. As the lunger and Karn decisions and Judge
Nelson's dissenting opinion in Bernstein Ill suggest, the First Amend
ment analysis weighs in favor of regulating the export of encryption
software because its source code lacks substantial expressive value, and
thus is not "speech" for First Amendment purposes.
B. FOURTH AMENDMENT ANALYSIS
The notion of informational privacy is implicit in the Fourth
Amendment, which asserts "the right of the people to be secure in their
1 16 Id.
1 1 7 Id. at 7 1 7.
1 1 8 Id.; see also City of Dallas v. Stranglin, 490 U.S. 1 2, 25 ( 1 989).
1 1 9 See Karn v. U.S. Dep't of State, 925 F.Supp. I (D.C. 1 996) (holding that designation
of the disk containing the encryption source codes as a ''defense article" was not subject to
judicial review; that export regulations did not violate Karn's First Amendment rights; and that
export restrictions did not violate due process). This decision has subsequently been remanded
to the district court to consider the constitutional effect of the transfer of jurisdiction of export
controls from the State Department to the Commerce Department. See 1 07 F.3d 923 (D.C.
Circ. 1 997). However, it is unlikely that the First Amendment holding will be altered as a
result of the change in governmental jurisdiction.
120 City of Lakewood v. Plain Dealer Publ 'g Co., 486 U.S. 750, 759 ( 1 988).
1 2 1 Content neutral regulations do not take into consideration what is expressed by the
content of the regulated article or good. See id.
1 22 See United States v. O'Brien, 39 1 U .S. 367 ( 1 968) (upholding the government's proh i
bition against burning draft cards and establishing the elements of prior restraint test).
2000] ENCRYPTION EXPORT TAX 177
persons, houses, papers, and effects." 1 23^ Certain lobbying groups, such
as Americans for Computer Privacy, favor lifting all controls on the ex
port of encryption on the basis that government regulations and restric
ti ons on encryption software will compromise the ability of individuals
to secure the privacy of their e-mail. 1 24^ Proponents for reducing encryp
tion export restrictions also argue that the spread of stronger encryption
tools will encourage worldwi de adoption of more secure standards for
ensuring privacy of communi cati ons. For example, busi nesses and their
customers would have less fear that their credit card numbers or other
private communications would be intercepted by third parties over the
Internet. These privacy concerns, however, do not implicate the Fourth
Amendment unless: ( I ) the consumer or end-user of the exported
software has standing to bring suit against the United States for violating
her Fourth Amendment privacy protections, and (2) the export regula
tions violate the consumer's reasonable expectati on of privacy.e^125
The end-user of exported U.S. encryption goods will usually be an
alien on foreign soil.e1 26^ The Bill of Ri ghts provisions of the U.S. Consti
tution, however, do not always extend to aliens, particularly when they
are on foreign soil. The Fourth Amendment, for example, does not apply
to searches or seizures conducted on foreign soil, even if the search in
volves agents of the U.S. government. 1 27^ In other words, evidence ob
tained by foreign or U.S. officials from searches conducted i n a foreign
country is admissible in U.S. federal courts regardless of whether the
search complied with the Fourth Amendment. The Fourth Amendment
was not "understood by contemporaries of the Framers to appl y to activi
ties of the United States directed against aliens in foreign territory or in
international waters." 1 28
In the case of encryption export regulations, one might make the
argument that violation of an end-user's expectation of privacy is vio
lated within the U.S., in which case an alien end-user might have stand
ing to bring suit against the U.S. It is difficult to pinpoint exactl y where
viol ation of the end-user's expectation of privacy occurs, assuming that
1 23 See U.S.CoNsT. amend.IV; Katz v.United States, 389 U.S. 347 (1967) (holding that
citizens are entitled to a reasonable expectation of privacy)..
1 24 See Jeri Clausing, Concerns Raised Over £11c,:vption Report, N.Y. TIMES, Nov. 24,
1999, at CS.
1 25 See Terry v.Ohio, 392 U.S. I (1967) (adopting a sliding-scale reasonableness test for
the individual's expectation of privacy). 1 2 (^6) An alien within the U.S. who wants to purchase encryption goods is not subject to
EAR. See Encryption Items, supra note 4 1. Similarly, U.S.citizens and business wanting to
use U.S.encryption devices are generally not subject to EAR. Id.
1 27 See United States v. Verdugo-Urquidez, 494 U.S.259 (1990): United States v. Behety,
32 F.3d 503, 5 10 ( I I th^ Cir. 1994); United States v. Cardenas, 9 F.3d 1139, I I57 n.8 (5th^ Cir. 1993).
1 28 Verdul{o-Urquidez, 494 U .S. at 267.
2000] ENCRYPTION EXPORT TAX 179
necessary for law enforcement. 135 The Terry approach to the Fourth
Amendment has subsequently been expanded and applied to situations
outside stop and frisk. 136
Even if one were to assume that the end-user of the exported
software has standing to bring a constitutionally-based suit against the
United States, it would make little sense to apply the Terry analysis to
encryption export regulations. The Fourth Amendment protects an indi
vidual' s privacy from affirmative intrusions by the government, gener
ally in the context of law enforcement activities.e^137 The effect of an
invasion upon a citizen's reasonable expectation of privacy is exclusion
of the tainted evidence. 138 The exclusionary rule is intended to force law
enforcement to disgorge evidence it has unlawfully obtained. In the con
text of crypto, protection of a consumer's Fourth Amendment privacy
interest does not mandate in favor of wide dissemination of encryption
technology since the consumer's Fourth Amendment privacy interest is
not impli cated until the government has affirmatively breached her rea
sonable expectation of privacy. Thus, even if the end-user or consumer
of exported encryption has standing, refusing to allow exports of encryp
tion technology does not constitute an invasion of this individual' s ex
pectation of privacy that would trigger Fourth Amendment analysis.
V. NATIONAL SECURITY CONCERNS
A. THE DILEMMA OF UNBREAKABLE ENCRYPTION
While the national security and law enforcement communities ac
knowledge that encryption has beneficial and legitimate uses, they are
concerned "about the serious threat posed by the proliferation and use of
robust encryption products that do not allow for the immediate, lawful
access to the plaintext of encrypted, criminally-related communications
and electronically stored data in accordance with strict legal require
ments and procedures."^139 The rationale for the limits imposed by the
Commerce Department on the export of strong encryption products is
that such products might be used by hostile nationals or terrorists to hide
135 See Terry, 392 U.S. at 20.
I: l6 Dena Klopfenstein, Comment, Deciphering the Encryption Debate: A Constitutional
Analysis of Current Regulations and a Prediction for the Future, 48 E MORY L.J. 765, 801
(1999);^ see, e.g., United States v. Mendenhall, 466 U.S. 544 (1980) (holding that persons
suspected of carrying drugs could be stopped at the airport based only upon reasonable suspicion).
1 3 7 See, e.g., United States v. White, 401 U.S. 745 (1971) (holding that a radio transmitter
concealed on an informant to record and monitor conversations with defendant, without war rant, at defendant' s home violated defendant's Fourth Amendment right to be secure against unreasonable searches and seizures); Katz v. United States, 389 U.S. 347 (1967).
138 See Mapp v. Ohio, 367 U.S. 643, 655-56 (1961) (articulating the exclusionary rule).
139 FBI REPORT, supra note I , at I.
1 80 CORNELL JOURNAL OF LA w AND PUBLIC POLICY [Vol. 1 0: 16 1
their communications from U.S. intelligence agencies.e1 40^ According to
the FBI, "law enforcement continues to experience an increase i n the
number of encounters with, and the subsequent damaging and detrimen
tal effects of, the use of commercially-avai lable encryption by criminals,
terrorists and in hostile intelligence activities throughout the United
States and across international borders."1 4 1
The Clinton administration asserted that "[t]imely action against ter
rorists, drug dealers, or ki dnappers may require rapid access to electronic
inforn1ation that must not be thwarted by encryption."1 42^ Rather than
taking on the unnecessary and impossible task of eradicating strong
crypto, the government has made i t its objective to "prevent unbreakable
encryption form becoming routine."1 43^ In a world where unbreakable
encryption is commonplace, "[a]ll communications on the information
highway would be i mmune from lawful interception. In a world
threatened by international organized crime, terrorism, and rogue govern
ments, this would be folly." 1 44
According to Louis J. Freeh, Director of the FBI, the potential ad
verse impact on public safety and national security resulting from a "wait
and see" approach is "too great to justify catering to the narrow i nterest
of computer software companies." 1 45
Even reducing the decoding time to days or weeks may not be suffi
ci ent to prevent the types of crime the export policy targets. Legally
authorized wiretaps generally provide crucial information just before a
crime is to occur; similarly, a nearly i nstantaneous ability to decode
messages is necessary to prevent crimes on the Internet. Effective law
enforcement depends on electronic surveillance and search and
seizure.e1 46
1 40 See generally id.
1 4 1 FBI REPORT, suiira note I , at 6 (The Aldrich Ames and Ramzi Yousef cases are often
cited to illustrate use of encryption technology by criminals to conceal their activity.); see
White, supra note 6, at 198. In the Aldrich Ames spy case, "Ames was told by his Soviet
handlers to encrypt computer file information to be passed to them." FBI REPORT, supra note
I , at 5. Similarly, Ramzi Yousef's terrorist plan to blow up eleven U.S. owned airlines in the
Far East was found in encrypted computer files in Manila after his arrest. Id. Incidentally,
Yousef was also the mastermind behind the bombing of the World Trade Center. Id.
1 4 2 CESA, supra note 35, at I.
1 4 3 Steven Levy, The Cyphe17mnks vs. Uncle Sam, N.Y. T1 MES, June 1 2, 1994, § 6 (Maga
zine), at 43.
1 44 Dorothy E. Denning, The Clipper Chip Will Block Crime, NEWSDAY, Feb. 22, 1 994, at
- Denning is a Georgetown University computer scientist who regularly contributes to the encryption debate.
1 45 The Encryprion Dehare: Criminals, Terrorisr.�. and rhe Securiry Needs of Business and
lndusrry: Hearing Before rhe Subcomm. on Tech., Terrorism , and Gov·r Info. r?f rhe Senare
Comm. on rhe .Judiciary, J05th^ Cong. 43-46 (1997) (statement of Louis J. Freeh, Director,
Federal Bureau of Investigation).
1 46 Dinh, supra note 33, at 392-93.