Encryption Technology and Export Regulations, Essays (university) of Cryptography and System Security

This essay examines the complex issues surrounding the export of encryption technology from the US. It covers the basics and terminology of encryption; current regulations, proposals, and international agreements; the evolution of encryption policy; the regulation of encryption exports; national security concerns; arguments for liberalizing encryption export regulations; and a proposed solution. The document argues for a centralized counter-encryption research and development effort funded through taxation of encryption exports.

Typology: Essays (university)

2021/2022

Uploaded on 05/11/2023

aarti
THE ENCRYPTION EXPORT TAX: A PROPOSED SOLUTION AND REMEDY TO THE ISSUES AND COSTS ASSOCIATED WITH EXPORTING ENCRYPTION TECHNOLOGY

John L. Paik*

* B.S., Cornell University, 1994; M.S., University of California, Los Angeles, 1997; candidate for J.D., Cornell Law School, 2001. I dedicate this Note to my parents and my sister, Gina.

INTRODUCTION
I. ENCRYPTION BASICS AND TERMINOLOGY
II. CURRENT REGULATIONS, PROPOSALS, AND INTERNATIONAL AGREEMENTS
    A. EXPORT REGULATIONS
    B. LEGISLATIVE PROPOSALS
    C. INTERNATIONAL AGREEMENTS
III. EVOLUTION OF ENCRYPTION POLICY
    A. HISTORICAL PERSPECTIVE
    B. THE RISE AND FALL OF KEY ESCROW?
IV. REGULATION OF ENCRYPTION EXPORTS PASSES CONSTITUTIONAL MUSTER
    A. FIRST AMENDMENT ANALYSIS
    B. FOURTH AMENDMENT ANALYSIS
V. NATIONAL SECURITY CONCERNS
    A. THE DILEMMA OF UNBREAKABLE ENCRYPTION
    B. DOES THE PROLIFERATION OF STRONG ENCRYPTION ADVANCE NATIONAL SECURITY INTERESTS?
VI. ARGUMENTS FOR LIBERALIZING ENCRYPTION EXPORT REGULATIONS
    A. INFEASIBILITY OF RESTRICTING EXPORT OF ENCRYPTION SOFTWARE AND GOODS
    B. POTENTIAL ADVERSE ECONOMIC IMPACT OF RESTRICTIVE ENCRYPTION REGULATIONS
VII. PROPOSED SOLUTION
    A. FUNDING OF A CENTRALIZED COUNTER-ENCRYPTION RESEARCH AND DEVELOPMENT EFFORT THROUGH TAXATION OF ENCRYPTION EXPORTS
    B. HOW WOULD THE PROPOSED TAX OPERATE?

162 CORNELL JOURNAL OF LAW AND PUBLIC POLICY [Vol. 10:

    C. WHICH AGENCIES WOULD BE RESPONSIBLE FOR RUNNING THE FUND? WHERE WOULD THE FUNDS GO, AND HOW WOULD THEY BE USED?
VIII. CONCLUSION

INTRODUCTION

U.S. regulations on the export of encryption technology ("crypto") raise numerous complex issues with technical, political, legal, and economic dimensions. The main argument for regulating and restricting the export of encryption is that the abuse of this technology by terrorists and criminals would severely impede the ability of national security and law enforcement officials to carry out their functions.^1 The software and high-tech industries, on the other hand, argue that current export regulations put U.S. encryption businesses at a competitive disadvantage relative to foreign companies, and that such regulations violate their First Amendment free speech rights.^2 Privacy advocates, who are on the same side of the debate as the high-tech industries, argue that any restrictions on the accessibility of encryption products infringe on the individual's right to informational privacy, thus implicating the Fourth Amendment.^3

The government does not deny the importance of strong encryption to U.S. companies and private citizens alike.^4 Encryption products both serve to protect proprietary data of U.S. companies worldwide and have the potential to be an economic boom in the cryptography software market.... [T]he problem is reconciling all of these competing interests and sorting out the extremes, which are numerous, but without compromising any one interest too much.^5

In order for the U.S. government to reach this middle ground, it must strike a balance between America's national security interests on one hand, and commercial and privacy interests on the other: "The government must meet the responsibility of enhancing public safety and national security, but the requirements that it imposes should not be so

1 See FBI, ENCRYPTION: IMPACT ON LAW ENFORCEMENT (June 3, 1999) at 1 [hereinafter FBI REPORT] (stating that "[t]he law enforcement community ... is extremely concerned about the serious threat posed by the proliferation and use of robust encryption products that do not allow for the immediate, lawful access to the plaintext of encrypted, criminally related communications ....").

2 See Jeri Clausing, Concerns Raised Over Encryption Report, N.Y. TIMES, Nov. 24, 1999, at CS.

3 See generally Americans for Computer Privacy [hereinafter ACP] at http://www.computerprivacy.org (last visited Feb. 23, 2000).

4 See FBI REPORT, supra note 1.

5 J. Terrence Stender, Too Many Secrets: Challenges to the Control of Strong Crypto and the National Security Perspective, 30 CASE W. RES. J. INT'L L. 287, 321 (1998).


the process of converting ciphertext back into plaintext.^12 Cryptographic systems generally utilize a cryptologic algorithm, "a set of rules or series of mathematical steps," in conjunction with a key.^13 The key is usually a string of bits and is functionally analogous to a key that unlocks a door - it "unlocks" or decrypts the message so that the intended recipient can read it.^14

There are two main types of key-based algorithms: secret-key (symmetric) and public-key (asymmetric).^15 In secret-key cryptographic systems, both the encryption key and decryption key are the same so that everyone who needs to decrypt the message must have the key distributed to them.^16 The inherent weakness in a secret-key system is "the problem of finding a trusted method to distribute the key, and moreover, protecting the key while in custody."^17 This type of scheme, however, is not practical for widespread commercial or personal use.^18

In public-key cryptographic systems, the key used for encryption is different from the key used for decryption.^19 Consequently, this type of system "allows users to openly publish one key in the phone-book like directory (the 'public key'), while keeping the other key private (the 'private key')."^20 Public-key encryption "allows parties to exchange encrypted messages by using and revealing only their public keys, without ever having to exchange private keys."^21 "As long as the recipient himself keeps secret the private key that matches the public key, only he can read messages encrypted with the public key."^22

II. CURRENT REGULATIONS, PROPOSALS, AND INTERNATIONAL AGREEMENTS

A. EXPORT REGULATIONS

Currently, all exports from the United States are regulated under either the Arms Export Control Act ("AECA")^23 or the Export Administration Act ("EAA").^24 The AECA confers on the State Department the authority to regulate the export of anything it deems to be a munition, which it defines as "a weapon of war."^25 Items classified as munitions require individually approved export licenses which designate the customer, the application, and conditions for the handling or redeployment of the item.^26 If the State Department decides that an item is dual-use, a category that includes commercial products with military applications, it transfers jurisdiction over the item's export to the Department of Commerce ("DOC").^27 The DOC, under the EAA, now regulates the export of all encryption devices and software, except for those that are specifically designed or modified for military use.^28

12 Id.

13 Id.

14 See BAKER & HURST, supra note 8, at 4.

15 See Stender, supra note 5, at 295.

16 See id.

17 Id.

18 This is because there is no secure channel for exchanging the secret keys. Thus, the key exchange is subject to easy interception. See Ira S. Rubenstein, Export Controls on Encryption Software, in COPING WITH U.S. EXPORT CONTROLS 1994, at 183 (PLI Com. L. & Practice Course, Handbook Series No. A-705, 1994).

19 See Stender, supra note 5, at 296.

20 Rubenstein, supra note 18, at 183.

21 Stender, supra note 5, at 296.

22 BAKER & HURST, supra note 8, at 2.

23 22 U.S.C. §§ 2571-2794 (1994 & Supp. V. 1999).

2000] ENCRYPTION EXPORT TAX 165

The DOC's Export Administration Regulations ("EAR")^29 define export as "an actual shipment or transmission of items subject to the EAR out of the United States, or release of technology or software subject to the EAR to a foreign national in the United States."^30 The EAR additionally define "exportation of encryption source code and object code"^31 as "[d]ownloading, or causing the downloading of, such software to locations ... outside the U.S., or making such software available for transfer outside the U.S., ... including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites."^32

The Clinton administration initially instituted a restrictive encryption export policy over the objection of encryption software developers, who argued that such restraints would place an unnecessary burden on their ability to compete in the international encryption market.^33 However, on September 16, 1999, the Clinton administration announced that

24 50 U.S.C. app. §§ 2401-2420 (1994 & Supp. V. 1999).

25 Id.

26 See BAKER & HURST, supra note 8, at 106.

27 Id. Prior to December 30, 1996, the State Department was responsible for regulating the export of most encryption products from the United States under the AECA and the International Traffic in Arms Regulations ("ITAR"). Id. at 23. Jurisdiction over commercial encryption products was officially transferred from the State Department to the Commerce pursuant to Executive Order No. 13026 (Nov. 15, 1996). Id.

28 Id. at 24. Other agencies, including the Departments of Justice, State, and Defense, also have a say in decisions concerning commercial encryption exports. Id. The NSA, a division of the Department of Defense, has the most expertise in encryption matters. Id. Consequently, other agencies have usually deferred to the agency of the NSA on encryption export decisions. Id.

29 15 C.F.R. pts. 730-774 (2000).

30 Id. § 734.2(b)(1) (2000).

31 Source code refers to the text of a computer program written in a high-level programming language, such as C or Pascal. A computer cannot make use of source code until it has been translated into a lower-level, machine language, known as object code.

32 15 C.F.R. § 734.2(b)(9)(ii) (2000).

33 See Mai-Tram B. Dinh, The U.S. Encryption Export Policy: Taking the Byte Out of the Debate, 7 MINN. J. GLOBAL TRADE 375, 375 (1998) (The U.S. government has traditionally imposed restrictions on the export of encryption software in order to protect national security.).


On January 14, 2000 the Clinton administration formally liberalized its licensing requirements on the export of encryption software products.^39 The new regulations^40 "allow United States companies to ship any retail encryption^41 products around the world to commercial concerns, individuals and other nongovernment users after a one-time technical review by an interagency panel."^42 In addition, the rules allow the export, without licenses, of most types of source code (the computer code used to create programs).^43 The only exceptions to these rules would be to nations on the State Department's list of seven terrorist supporting countries, which are Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.^44

The new regulations amend the EAR to allow export of any encryption software or commodity to individuals, commercial firms, and other non-governmental end-users in all destinations, while more liberally allowing exports of retail encryption commodities and software to all end users in all destinations.^45 In essence, the amended regulations implement the encryption policy announced by the White House on September 16, 1999, which rested on three principles: (1) technical review of encryption products in advance of sale, (2) a streamlined post-export reporting system, and (3) a process that permits the government to review export of strong encryption to foreign governments.^46 Cisco Systems, one of the largest producers of routers that form the backbone of the Internet, expressed modest enthusiasm for the new rules.^47 While Cisco and numerous other high-tech companies viewed the new regulations as a step in the right direction and "as delivering on Vice President Al Gore's promises to eliminate cumbersome licensing rules on exporting software, civil libertarians say they fail to fix the constitutional questions at the heart of pending court cases."^48

many bank executives, must have keys that are 128-bits long." Edmund Andrews, U.S. Restrictions on Exports Aid German Software Maker, N.Y. TIMES, Apr. 7, 1997, at D1.

39 See David E. Sanger & Jeri Clausing, U.S. Removes More Limits on Encryption, N.Y. TIMES, Jan. 13, 2000, at C1.

40 The new regulations essentially eliminate licensing requirements for strong encryption. But most products will still be subject to a one-time government review and companies are supposed to track and report their sales. Id.

41 Retail encryption commodities and software are "those which are widely available and can be exported and re-exported to any end-user (including any Internet and telecommunications service provider) to provide products and services (e.g. e-commerce, client-server applications, or software subscriptions) to any end-user." Revisions to Encryption Items, 65 Fed. Reg. 2493 (2000) (interim final rule at 15 C.F.R. pts. 734, 740, et al.) [hereinafter Encryption Items]. The criteria for determining whether something qualifies as a retail product includes functionality, sales volume, distributions methods, ability to modify products and requirements for substantial support by the supplier.... Finance-specific, 56-bit non-mass market products with a key exchange greater than 512 bits and up to 1024 bits, network-based applications and other products which are functionally equivalent to retail products are considered retail products. Id.

42 Sanger & Clausing, supra note 39, at C1.

43 Id.

44 Id.; see also Encryption Items, supra note 41, at 2492.

45 See Encryption Items, supra note 41, at 2492.

46 Id.

47 See Sanger & Clausing, supra note 39, at C1.

B. LEGISLATIVE PROPOSALS

There have been three bills relating to the issue of encryption introduced during the 106th Congress, but only two of the bills specifically propose amendments to government regulation of encryption exports.^49 The Security and Freedom Through Encryption Act ("SAFE")^50 proposes a less restrictive approach to export regulations that would allow U.S. companies to export strong encryption products if comparable products were already available overseas.^51 SAFE would remove existing export controls on hardware and software encryption products that are of comparable strength to those that are commercially available from a foreign supplier, regardless of any adverse impact on national security.^52 SAFE would also place a prohibition on any type of mandatory key recovery encryption by the government, but includes a provision that might make it criminal to use encryption in furtherance of a criminal act.^53 At the time of this bill's introduction, it enjoyed over 200 bipartisan co-sponsors.^54 The number of co-sponsors has grown to over 250 since that time.^55 As of late July 1999, the House Rules Committee was preparing to decide which version of SAFE should be sent to the House for a floor vote.^56

The other congressional bill that addresses encryption export regulations is S.798, entitled the Promote Reliable On-Line Transactions to Encourage Commerce and Trade Act of 1999 ("PROTECT"), introduced by

48 Id.

49 FBI REPORT, supra note 1, at 10-13. The Electronic Rights (E-Rights) for the 21st Century Act (S. 854), introduced by Senator Leahy (D-VT) on April 21, 1999, proposes to "protect the privacy and constitutional rights of Americans, to establish standards and procedures regarding law enforcement access to location information, ... to affirm the rights of Americans to use and sell encryption as a tool for protecting their online privacy ...." Id.

50 H.R. 850, 106th Cong. (1999). This bill was introduced by Representative Robert Goodlatte (R-VA) on February 25, 1999. See FBI REPORT, supra note 1, at 10.

51 The computer industry, seeking an open world market for its encryption products, has long complained that such export restrictions are pointless because terrorists can simply buy powerful encryption products from other countries, such as Canada, Israel, or Ireland. See Demos to Prez: 'Use SAFE Text,' at http://www.wired.com/news/news/politics/story/21744.html (last visited March 17, 2001).

52 See FBI REPORT, supra note 1, at 11.

53 See id.

54 See id.

55 See id.

56 See id.


trols to support its efforts to extend its levels of control on the export of cryptography.^67

Prior to the January 14, 2000 amendment to the encryption export regulations, the American Electronics Association ("AEA"), an industry group representing 3,000 plus U.S.-based technology companies, supported "the Clinton administration's decision to align the U.S. export regulations with the new Wassenaar requirements and to deregulate products up to 56-bits, but [felt] the response [was] inadequate."^68 The AEA pointed out the folly of arbitrary line drawing since law enforcement and intelligence agencies find it no more difficult to break 65-bit than 64-bit encryption.^69 Critics suggested that the government reconsider whether its export policy can actually achieve its stated goals before trying to appease both the software industry and law enforcement officials by merely tinkering with the numbers and details.^70 The fact that the most recent encryption regulations impose no encryption key length limit for retail encryption products suggests that these critics' suggestions did not fall on deaf ears.^71

III. EVOLUTION OF ENCRYPTION POLICY

A. HISTORICAL PERSPECTIVE

In assessing the arguments for and against the widespread availability of cryptography that would result from unregulated export, it helps to examine the development and application of cryptography. World War I was the first war to be fought in the era of radio, which made it possible to transmit and receive human voices over long distances.^72 The solution to the ubiquitous nature of radio reception, which enabled anybody with the right equipment and know-how to listen in, was cryptography. After WWI, the United States continued to develop its capacity for signals intelligence and merged this responsibility with the development of codes to protect U.S. military communications.^73 World War II was a triumph for American communications intelligence, which made important contributions to victories in both the Atlantic and Pacific:^74 "The Allies' ability to understand German and Japanese communications, even when they were encoded with the enemies' best cryptographic systems, is widely seen as having been crucial to the course of World War II."^75

browsers, e-mail applications, electronic commerce servers, and telephone scrambling devices.... [Member countries] also re-imposed controls on other mass market products with strengths over 64-bits, such as personal computer operating systems, word processing, and data base programs. Id.

67 See McNulty, supra note 66, at 436.

68 Id. at 436-37.

69 See id. at 437.

70 See 144 Cong. Rec. S12,151 at 12,152 (Oct. 9, 1998).

71 See Encryption Items, supra note 41, at 2492.

72 See WHITFIELD DIFFIE & SUSAN LANDAU, PRIVACY ON THE LINE: THE POLITICS OF WIRETAPPING AND ENCRYPTION 49 (1998).

73 See id. at 52.

In 1952, President Harry Truman signed a secret presidential order creating the National Security Agency ("NSA"), whose objective was to "capture control of all cryptographic and cryptanalytic work within the United States."^76 During the 1970s, the NSA recognized that implementation of federal laws like the Family Educational and Privacy Rights Act of 1974,^77 combined with the increasing use of computers and digital communications by the federal government, would require that it share its cryptographic equipment with a wider range of government users.^78 Any cryptographic equipment that was to be put in the hands of users who did not undergo security clearance would have to utilize unclassified cryptographic algorithms.^79 The NSA feared that making any of its algorithms public would reveal information about its design philosophy and approach, which could conceivably compromise its other equipment.^80 During the late 1970s and 1980s, the NSA took notice of increased civilian research in cryptography and tried unsuccessfully to limit civilian development and application of this technology.^81 In the early 1990s, the FBI "formulated a policy that included shoring up its ability to perform electronic surveillance, ... and preventing the establishment of unbreakable cryptography in the public sector."^82 The FBI's initial efforts in support of this policy were embodied in the concept known as key escrow.

B. THE RISE AND FALL OF KEY ESCROW?

Key escrow, later euphemistically renamed key recovery and key management in order to appease the fears of privacy advocates, is a system by which users of cryptographic equipment are able to protect their privacy against most intruders while allowing the government to keep a set of "spare keys" with which it can decipher and read the communica-

74 See id. at 53.

75 Id. at 6. During WWI and WWII the U.S. primarily implemented mechanical cryptographic systems, devices utilizing physical moving parts rather than electronic and magnetic components. See id. at 19-29. Since the 1940s, the U.S. has converted to purely electronic encryption. See id.

76 Id. at 55.

77 20 U.S.C. § 1232g (1994 & Supp. V. 1999).

78 DIFFIE & LANDAU, supra note 72, at 59.

79 See id.

80 See id.

81 See id. at 60-76.

82 Id. at 76.


time technical review.^92 For example, under Encryption Licensing Arrangements ("ELAs"), distributors can export encryption goods "as long as they comply with restrictions contained in the ELA."^93 It appears that ELAs will vary on a case-by-case technical review basis, which suggests that there is no longer a uniform mandate requiring all encryption exporters to participate in any key recovery system.

IV. REGULATION OF ENCRYPTION EXPORTS PASSES

CONSTITUTIONAL MUSTER

A. FIRST AMENDMENT ANALYSIS

In assessing whether governmental regulation of the export of encryption software raises First Amendment concerns, it is necessary to address two sub-issues. The first sub-issue is whether encryption software source code qualifies as "speech" for First Amendment purposes.^94 The second sub-issue is whether current U.S. export regulations are a prior restraint on speech.^95

Of the two cases that have addressed the issue of whether source code is "speech," Bernstein v. U.S. Dept. of Justice ("Bernstein III"),^96 has received the most extensive judicial review. The three-judge panel of the Ninth Circuit ruled 2-1 in May 1999 that encryption program source codes contain expressions of ideas that cannot be suppressed by government officials.^97 Bernstein, a mathematics professor, sought to export to the international academic and scientific communities an encryption method, which he had developed during his days as a graduate student.^98 The State Department classified the software, which utilized his encryption scheme, as a munition and told Bernstein that he would need a license to export the computer program.^99 In granting summary judgment for Bernstein, the district court found that the program's source code to be "speech" protected by the First Amendment.^100

92 Id. See also Christopher R. Wall & Thomas M. DeButts, Encryption Export Controls, in COPING WITH U.S. EXPORT CONTROLS 1999 at 549, 551 (PLI Com. L. & Practice Course, Handbook Series No. A0-002Q, 1999). Certain "encryption items," as defined in EAR, 15 C.F.R. pt. 772, may be exported under License Exception KMI (15 C.F.R. § 740.8) after a one-time technical review by BXA. Id. Commodities and software eligible for this License Exception KMI include "those for which companies had developed schemes for U.S. Government key recovery or deposit of keys with a key escrow agent under earlier encryption export control regimes." Id. However, recoverable commodities and software, as defined in EAR, 15 C.F.R. pt. 772, may also be exported pursuant to an encryption licensing arrangement ("ELA") when License Exception KMI cannot be used. 15 C.F.R. §§ 742.15(b)(2), 740.8. The effect of these licensing exceptions is to allow encryption commodities and software of any key length to be exported under a license exception to non-government end users in any country, except one of the seven designated terrorist countries. Wall & DeButts, supra. In addition, retail encryption commodities and software of any key length may be exported under a license exception to any country except the seven designated terrorist countries after a one-time technical review. Id.

93 Encryption Items, supra note 41, at 2492.

94 See generally U.S. CONST. amend. I.

95 See Bernstein v. U.S. Dept. of Justice, 176 F.3d 1132, 1138 (9th Circ. 1999) [hereinafter Bernstein III] (pointing out that "any prior restraint on expression comes ... with a heavy presumption against its constitutional validity").

96 Id.

97 Id.

In December 1996, President Clinton shifted licensing authority for nonmilitary encryption commodities and technologies from the State Department to the Department of Commerce, which promulgated the EAR to govern the export of crypto.^101 Bernstein amended his complaint by adding the Department of Commerce as a defendant and advanced the same constitutional objections.^102 The district court again granted summary judgment for Bernstein, finding the EAR to be facially invalid as a prior restraint on speech.^103

In affirming Bernstein I and II, the Ninth Circuit reasoned that cryptographers use source code to express their scientific ideas in the same way that mathematicians use equations or economists use graphs to express their findings or ideas.^104 The court seemed to emphasize the fact that source code,^105 unlike object code,^106 "is not meant solely for the computer, but is rather written in a language intended also for human analysis and understanding."^107 The circuit court's emphasis on the distinction between object code and source code is overly simplistic because source code is not necessarily intended for others to analyze or understand. Programmers who intend their source code to be understood by others usually include annotations and remarks throughout the program, whereas programmers who are more interested in the functionality or efficiency of their source code will be less inclined to include such descriptive annotations.

According to the standard set forth by the Supreme Court of the United States, the dispositive factor in determining "speech" for First

98 Bernstein argued he wanted to export his encryption methods for purely academic rather than commercial purposes. See id. at 1136. Bernstein's motive for exporting encryption, however, is not dispositive on the issue of whether or not encryption software source code qualifies as "speech" under the First Amendment.

99 Id. at 1136.

100 See Bernstein v. U.S. Dept. of State, 922 F. Supp. 1426, 1434-36 (N.D. Cal. 1996) [hereinafter Bernstein I].

101 See Bernstein III, 176 F.3d at 1136.

102 See id.

103 See id.

104 See id. at 1141.

105 Source code refers to "text of a program written in a 'high-level' programming language, such as 'PASCAL' or 'C.'" Id. at 1140.

106 Object code refers to "lower-level" or "machine" language, which gives instruction to the computer. See id.

107 Id. at 1142.


expressive to merit First Amendment protection.^116 The district court reasoned that "speech" is protected not simply because it is written in a language but rather because it expresses ideas.^117 Encryption source code is rarely expressive, and in the limited instances it may communicate some idea, it is unintelligible to most people. That exporting source code may occasionally be expressive "does not necessarily extend First Amendment protection to it."^118

According to Karn v. U.S. Department of State, even if one were to assume that encryption software source code qualifies as speech, export regulation of this software does not necessarily constitute a prior restraint on speech.^119 In order for an export licensing law to be invalidated by a prior restraint facial challenge, it "must have a close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat of ... censorship risks."^120 If the export regulations are content-neutral^121 and aimed at preventing software exporters from making it easier for foreign intelligence sources to encrypt their communications, the government may justify such regulation if it: (1) is within the constitutional power of government, (2) furthers an important or substantial government interest, and (3) is narrowly tailored to the governmental interest.^122 Both the Junger and Karn courts applied this three-part test and concluded that U.S. export regulations were not a prior restraint on speech. As the Junger and Karn decisions and Judge Nelson's dissenting opinion in Bernstein III suggest, the First Amendment analysis weighs in favor of regulating the export of encryption software because its source code lacks substantial expressive value, and thus is not "speech" for First Amendment purposes.

B. FOURTH AMENDMENT ANALYSIS

The notion of informational privacy is implicit in the Fourth Amendment, which asserts "the right of the people to be secure in their

116 Id.

117 Id. at 717.

118 Id.; see also City of Dallas v. Stanglin, 490 U.S. 12, 25 (1989).

119 See Karn v. U.S. Dep't of State, 925 F.Supp. 1 (D.C. 1996) (holding that designation of the disk containing the encryption source codes as a "defense article" was not subject to judicial review; that export regulations did not violate Karn's First Amendment rights; and that export restrictions did not violate due process). This decision has subsequently been remanded to the district court to consider the constitutional effect of the transfer of jurisdiction of export controls from the State Department to the Commerce Department. See 107 F.3d 923 (D.C. Circ. 1997). However, it is unlikely that the First Amendment holding will be altered as a result of the change in governmental jurisdiction.

120 City of Lakewood v. Plain Dealer Publ'g Co., 486 U.S. 750, 759 (1988).

121 Content neutral regulations do not take into consideration what is expressed by the content of the regulated article or good. See id.

122 See United States v. O'Brien, 391 U.S. 367 (1968) (upholding the government's prohibition against burning draft cards and establishing the elements of prior restraint test).

2000] ENCRYPTION EXPORT TAX 177

persons, houses, papers, and effects."^123 Certain lobbying groups, such as Americans for Computer Privacy, favor lifting all controls on the export of encryption on the basis that government regulations and restrictions on encryption software will compromise the ability of individuals to secure the privacy of their e-mail.^124 Proponents for reducing encryption export restrictions also argue that the spread of stronger encryption tools will encourage worldwide adoption of more secure standards for ensuring privacy of communications. For example, businesses and their customers would have less fear that their credit card numbers or other private communications would be intercepted by third parties over the Internet. These privacy concerns, however, do not implicate the Fourth Amendment unless: (1) the consumer or end-user of the exported software has standing to bring suit against the United States for violating her Fourth Amendment privacy protections, and (2) the export regulations violate the consumer's reasonable expectation of privacy.^125

The end-user of exported U.S. encryption goods will usually be an alien on foreign soil.^126 The Bill of Rights provisions of the U.S. Constitution, however, do not always extend to aliens, particularly when they are on foreign soil. The Fourth Amendment, for example, does not apply to searches or seizures conducted on foreign soil, even if the search involves agents of the U.S. government.^127 In other words, evidence obtained by foreign or U.S. officials from searches conducted in a foreign country is admissible in U.S. federal courts regardless of whether the search complied with the Fourth Amendment. The Fourth Amendment was not "understood by contemporaries of the Framers to apply to activities of the United States directed against aliens in foreign territory or in international waters."^128

In the case of encryption export regulations, one might argue that an end-user's expectation of privacy is violated within the U.S., in which case an alien end-user might have standing to bring suit against the U.S. It is difficult to pinpoint exactly where violation of the end-user's expectation of privacy occurs, assuming that

123 See U.S. CONST. amend. IV; Katz v. United States, 389 U.S. 347 (1967) (holding that citizens are entitled to a reasonable expectation of privacy).

124 See Jeri Clausing, Concerns Raised Over Encryption Report, N.Y. TIMES, Nov. 24, 1999, at CS.

125 See Terry v. Ohio, 392 U.S. 1 (1967) (adopting a sliding-scale reasonableness test for the individual's expectation of privacy).

126 An alien within the U.S. who wants to purchase encryption goods is not subject to EAR. See Encryption Items, supra note 41. Similarly, U.S. citizens and businesses wanting to use U.S. encryption devices are generally not subject to EAR. Id.

127 See United States v. Verdugo-Urquidez, 494 U.S. 259 (1990); United States v. Behety, 32 F.3d 503, 510 (11th Cir. 1994); United States v. Cardenas, 9 F.3d 1139, 1157 n.8 (5th Cir. 1993).

128 Verdugo-Urquidez, 494 U.S. at 267.


necessary for law enforcement.^135 The Terry approach to the Fourth Amendment has subsequently been expanded and applied to situations outside stop and frisk.^136

Even if one were to assume that the end-user of the exported software has standing to bring a constitutionally-based suit against the United States, it would make little sense to apply the Terry analysis to encryption export regulations. The Fourth Amendment protects an individual's privacy from affirmative intrusions by the government, generally in the context of law enforcement activities.^137 The effect of an invasion upon a citizen's reasonable expectation of privacy is exclusion of the tainted evidence.^138 The exclusionary rule is intended to force law enforcement to disgorge evidence it has unlawfully obtained. In the context of crypto, protection of a consumer's Fourth Amendment privacy interest does not mandate in favor of wide dissemination of encryption technology since the consumer's Fourth Amendment privacy interest is not implicated until the government has affirmatively breached her reasonable expectation of privacy. Thus, even if the end-user or consumer of exported encryption has standing, refusing to allow exports of encryption technology does not constitute an invasion of this individual's expectation of privacy that would trigger Fourth Amendment analysis.

V. NATIONAL SECURITY CONCERNS

A. THE DILEMMA OF UNBREAKABLE ENCRYPTION

While the national security and law enforcement communities acknowledge that encryption has beneficial and legitimate uses, they are concerned "about the serious threat posed by the proliferation and use of robust encryption products that do not allow for the immediate, lawful access to the plaintext of encrypted, criminally-related communications and electronically stored data in accordance with strict legal requirements and procedures."^139 The rationale for the limits imposed by the Commerce Department on the export of strong encryption products is that such products might be used by hostile nationals or terrorists to hide

135 See Terry, 392 U.S. at 20.

136 Dena Klopfenstein, Comment, Deciphering the Encryption Debate: A Constitutional Analysis of Current Regulations and a Prediction for the Future, 48 EMORY L.J. 765, 801 (1999); see, e.g., United States v. Mendenhall, 466 U.S. 544 (1980) (holding that persons suspected of carrying drugs could be stopped at the airport based only upon reasonable suspicion).

137 See, e.g., United States v. White, 401 U.S. 745 (1971) (holding that a radio transmitter concealed on an informant to record and monitor conversations with defendant, without warrant, at defendant's home violated defendant's Fourth Amendment right to be secure against unreasonable searches and seizures); Katz v. United States, 389 U.S. 347 (1967).

138 See Mapp v. Ohio, 367 U.S. 643, 655-56 (1961) (articulating the exclusionary rule).

139 FBI REPORT, supra note 1, at 1.


their communications from U.S. intelligence agencies.^140 According to the FBI, "law enforcement continues to experience an increase in the number of encounters with, and the subsequent damaging and detrimental effects of, the use of commercially-available encryption by criminals, terrorists and in hostile intelligence activities throughout the United States and across international borders."^141

The Clinton administration asserted that "[t]imely action against terrorists, drug dealers, or kidnappers may require rapid access to electronic information that must not be thwarted by encryption."^142 Rather than taking on the unnecessary and impossible task of eradicating strong crypto, the government has made it its objective to "prevent unbreakable encryption from becoming routine."^143 In a world where unbreakable encryption is commonplace, "[a]ll communications on the information highway would be immune from lawful interception. In a world threatened by international organized crime, terrorism, and rogue governments, this would be folly."^144

According to Louis J. Freeh, Director of the FBI, the potential adverse impact on public safety and national security resulting from a "wait and see" approach is "too great to justify catering to the narrow interest of computer software companies."^145

Even reducing the decoding time to days or weeks may not be sufficient to prevent the types of crime the export policy targets. Legally authorized wiretaps generally provide crucial information just before a crime is to occur; similarly, a nearly instantaneous ability to decode messages is necessary to prevent crimes on the Internet. Effective law enforcement depends on electronic surveillance and search and seizure.^146

140 See generally id.

141 FBI REPORT, supra note 1, at 6 (The Aldrich Ames and Ramzi Yousef cases are often cited to illustrate use of encryption technology by criminals to conceal their activity.); see White, supra note 6, at 198. In the Aldrich Ames spy case, "Ames was told by his Soviet handlers to encrypt computer file information to be passed to them." FBI REPORT, supra note 1, at 5. Similarly, Ramzi Yousef's terrorist plan to blow up eleven U.S. owned airlines in the Far East was found in encrypted computer files in Manila after his arrest. Id. Incidentally, Yousef was also the mastermind behind the bombing of the World Trade Center. Id.

142 CESA, supra note 35, at 1.

143 Steven Levy, The Cypherpunks vs. Uncle Sam, N.Y. TIMES, June 12, 1994, § 6 (Magazine), at 43.

144 Dorothy E. Denning, The Clipper Chip Will Block Crime, NEWSDAY, Feb. 22, 1994, at 1. Denning is a Georgetown University computer scientist who regularly contributes to the encryption debate.

145 The Encryption Debate: Criminals, Terrorists, and the Security Needs of Business and Industry: Hearing Before the Subcomm. on Tech., Terrorism, and Gov't Info. of the Senate Comm. on the Judiciary, 105th Cong. 43-46 (1997) (statement of Louis J. Freeh, Director, Federal Bureau of Investigation).

146 Dinh, supra note 33, at 392-93.