Encryption Regulation

5 May 2000
On January 14, 2000, the Bureau of Export Administration (the "BXA") published new regulations updating the U.S. export policy on encryption software. It was long overdue.

Encryption software maintains the secrecy of confidential information by scrambling and encoding messages. Generally, when you encrypt (scramble) your communication, only your recipient can decrypt (unscramble) it.

Government Regulation

The ability to encrypt and send confidential information overseas over the Net has never sat well with the U.S. government. It was concerned that this technology could be used by foreign national terrorists and terrorist countries to threaten our security.

In fact, our leaders were so worried about the potential uses of this technology that they actually regulated the export of such encryption technology under the Arms Export Control Act. Yep, the government has traditionally treated encryption software as munitions, like airplanes and tanks. You know, "It's a bird. It's a plane. No, it's encryption."

By regulating encryption technology as munitions, the U.S. government required exporters to obtain a license from the Office of Munitions Control before exportation of such software. Failure to obtain a license could result in potential fines or imprisonment, or both.

In 1996, however, the government realized that foreign terrorist governments and military forces weren't the principal users of encryption technology. The U.S. transferred the export licensing of commercial encryption products from the Department of State's Munitions List to the Department of Commerce's Dual-List.

This classification change emphasized the government's decision that strong encryption was no longer something used primarily by governments or military forces, but was an accepted part of normal commercial activity.

As e-commerce began to blossom, the U.S. realized that digital commerce would eventually become a linchpin of the U.S. economy. Without strong security measures, e-commerce could never work for industries that deal with sensitive, personal, and highly confidential information, like the financial, healthcare and banking industries.

Businesses and individuals need encrypted products to protect sensitive commercial information from fraud and industrial espionage and to preserve privacy. If American companies are to grow in a global marketplace, our export control policies have to allow American companies to take advantage of their strengths in information technology.

These considerations and others resulted in the recent relaxation of export regulations of strong encryption products. The government based its new regulatory scheme on three principles: a technical review of encryption products in advance of sale, a streamlined post-export reporting system, and a process that permits the government to review exports of strong encryption to foreign governments.

The new regulations do several things. They eliminate some export rules, enlarge the scope of export licensing exceptions, and implement the changes agreed to in the Wassenaar Arrangement in December 1998. The Wassenaar Arrangement is a group of 33 countries that have common controls on exports, including encryption. In addition, the Department of Commerce created new license exception provisions for certain types of encryption, such as source code (source code is computer code that mere humans can read) and toolkits.

However, in an effort to protect national security, the new regulations do not ease the restrictions on the export of encryption to terrorist supporting states (Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria), their nationals, and other sanctioned entities. Now, U.S. companies may export any encryption commodity or software to individuals, commercial firms, and other non-government end-users without a license. In addition, companies can now export "retail" encryption products that are widely available in the market to any end-user including foreign governments. In most cases, however, a one-time product review by the BXA continues to be required. The Department of Commerce also streamlined post-reporting requirements to track industry business models.

Companies can now export commercial encryption source code to any end-user without a technical review. However, at the time of export, the exporter must submit to the BXA a copy of the source code, or a written notification of its Internet address.

The regulations further streamline requirements for U.S. companies by permitting exports of any encryption item to their foreign subsidiaries without a prior review. In addition, foreign employees of U.S. companies working in the United States no longer need an export license to work on encryption.

By implementing agreements reached by the Wassenaar Arrangement, the very strong encryption tools (64-bit mass-market products, 56-bit encryption items, and 512-bit key management products) may be exported too. For the non-techs, the higher the number, the harder it is to break the code.

In formulating the new regulations, the government struggled to strike a balance between law enforcement and national security on the one hand, and privacy and international commerce on the other. This struggle is far from over.

The government has contemplated several regulatory alternatives based on a key management system. A key management system would allow the government to recover a key (just like it sounds, you use a "key" to decrypt a code) under certain circumstances. The government has contemplated both voluntary and mandatory participation by software exporters in a key escrow system.

In some cases, corporations would hold their own keys if they agreed to abide by law enforcement requirements. In other cases, users might choose to use key recovery services by third party private entities. Access to keys would be provided only to the owners where they have lost or damaged their own keys or to law enforcement officials acting with due authority.

To date, Congress has considered, but failed to adopt, legislation addressing a federal mandatory key escrow policy.

First Amendment

While the Legislature has failed to adopt legislation concerning mandatory key escrow, the Judiciary has been entertaining some heated debates about encryption export regulations.

For example, in a well-publicized case sponsored by the Electronic Frontier Foundation, mathematician Daniel Bernstein challenged the export control laws on encryption on First Amendment grounds. Professor Bernstein claimed that his right to publish his own encryption software and share his research results with others over the Internet was being unconstitutionally restricted by the government's export controls.

Bernstein won his case at the trial level and won an appeal in the Ninth Circuit Court of Appeals. Federal District Court Judge Patel held that computer programs are speech protected by the First Amendment. Since then, and based on a request from the Court of Appeals that ruled in Professor Bernstein's favor, both Professor Bernstein and the U.S. Government have filed briefs advising the panel that, in light of the new interim encryption export regulations issued in January, the case should be sent back to the original District Court for further review.

In a private advisory letter sent in February, the U.S. Commerce Department confirmed that the new encryption export policy permitted Bernstein to post his encryption source code on the Internet.

In another lawsuit brought by a professor, the 6th Circuit Court of Appeals found that "computer source code is an express means for the exchange of information and ideas about computer programming" and is thus protected by the First Amendment. This decision served to overturn the decision of Judge Gwin of the United States District Court of the Northern District of Ohio who held that computer programs are not writings protected by the Constitution because they are "inherently functional."

The suit was brought by Professor Junger, a law professor at Case Western Reserve University in Cleveland, to enjoin the enforcement of export regulations on encryption software. He claimed that the regulations prevented him from publishing his class materials and articles for his course in Computing and Law on the Internet because they contained some encryption programs. Junger claimed in his suit that those encryption programs were writings that were entitled to the full protection of the First Amendment.

He said, "...I need to be able to publish them...to explain to lawyers and law students how computers work and how the law should be applied to computing."

In this case, while the court reached the conclusion that the source code is protected by the First Amendment, the court remanded the case back to the district court to determine whether posting of the source code would violate the new encryption export regulations.

Since the government has eliminated some of the bureaucratic requirements concerning encryption technology export, U.S. companies' world-wide sales of encryption products should flourish and the international exchange of information should foster further technological development. However, as long as the government's regulatory maze is in place, a threat to privacy rights and free speech, and a damper on technological innovation, will linger.

Mark Grossman's "TechLaw" column appears in numerous publications.

You can find a TechLaw archive at: www.DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.