History of the Internet: Part 19 – Bernstein Vs. United States
Welcome back to our series on the history of the internet. In Part 17, we covered an overview of the period between 1969 and 1989 and studied examples of technological advancement intersecting with differing political ideologies and their social effects. A key battle was over the degree to which the U.S. government controlled computer encryption, giving it the means to protect its own communications but also the ability to spy on others, including its own citizens.
In this episode, we look at how this issue played out in court, with a series of court cases led by Professor Bernstein against the United States government over the encryption export regulations.
Pretty Good Privacy
Phil Zimmermann is a United States citizen who created the first version of the free encryption tool Pretty Good Privacy (PGP) in 1991. PGP used keys of at least 128 bits, making it almost impossible to break at the time, and was considered to be a munition within the definition of the U.S. export regulations. Zimmermann was aware of the export regulations but largely unaware of how the internet worked. In 2001 he explained:
“I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as ‘US only.’ … It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a ‘US only’ tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn’t even have a clear idea what a newsgroup was.”
PGP quickly spread to other countries around the world, and by 1993 Zimmermann became the formal target of a criminal investigation. He responded by publishing the entire source code in the hardback book PGP Source Code and Internals, safe in the knowledge that this was protected by the First Amendment of the U.S. Constitution (which grants citizens the right to free speech).
This effectively undermined the entire basis for the classification of encryption as a munition. After several years, the criminal investigation was closed without any criminal charges being filed.
Although there was ultimately no prosecution for Zimmermann, it remained the government’s position that the Arms Export Control Act of 1976 and ITAR regulations meant anyone wanting to publish encryption software must register as an arms dealer and seek a license from the State Department ahead of publication on the internet.
Bernstein v. United States
As part of his work toward gaining a Ph.D. in mathematics, Daniel Bernstein developed an encryption method that he described as “a zero-delay private-key stream encryptor based upon a one-way hash function” and named “Snuffle.”
Bernstein wrote a paper containing the analysis and mathematical equations and implemented the algorithms in the C programming language (naming the files snuffle.c and unsnuffle.c). Bernstein later wrote a set of detailed instructions in English explaining how to program a computer to encrypt and decrypt using his method.
Bernstein first wrote to the State Department in 1992, asking for permission to present his work, stating, “I would like to publish these items in a widely read international electronic conference known as ‘sci.crypt’ for discussion by the worldwide academic community.”
He explained the relatively simple and benign nature of his work:
“the portions of snuffle.c and unsnuffle.c which actually perform encryption and decryption contain just 15 lines each of C code with no cryptographic technology per se. All the work is done by the one-way hash function code. Similarly, the description of Snuffle is short; the system itself does not contain appreciable complexity. In effect what I want to export is a description of a way to use existing technology in a more effective manner. I do not foresee military or commercial use of Snuffle by anyone who does not already have access to the cryptographic technology contained in, e.g., the Xerox Secure Hash Function.”
Weapons of Mass Encryption
The State Department responded that his work was a munition, and that Bernstein would need to register as an arms dealer and request a license to “export” either the source code or his instructions.
Letters sent to James Demberger show further examples of the State Department’s policy. After he posted a prototype encryption program on a newsgroup, the State Department wrote that he had violated arms regulations.
Demberger argued that he was merely posting an idea in the public domain based on principles that had long existed there, but the State Department replied that the “public domain” exemption of the ITAR only applies to technical data.
Bernstein believed encryption programs were constitutionally protected works of human-to-human communication, like a movie, a book, or a telephone conversation.
While Bernstein’s dispute with the State Department continued, the 42nd President of the United States was sworn into office.
Clinton’s advisers urged him to take further action on encryption systems. In June 1994, he declared a national emergency, stating that “unrestricted access of foreign parties to U.S. goods, technology, and technical data” represented an extraordinary threat to national security. On Aug. 19, 1994, Clinton rescinded this but simultaneously declared a new national emergency based on the same threat.
Neither national emergency persuaded Bernstein, who sued the government in 1995, claiming the export-control scheme was an “impermissible prior restraint on speech, in violation of the First Amendment.”
The government argued that since Bernstein’s ideas were expressed, in part, in a computer language, they were not protected by the First Amendment, but on April 15, 1996, Judge Marilyn Hall Patel rejected that argument and held for the first time that computer source code is protected speech for purposes of the First Amendment.
Back at the White House, on Nov. 15, 1996, Clinton issued Executive Order 13026, stating works such as Snuffle “could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States, and that facts and questions concerning the foreign availability of such encryption products cannot be made subject to public disclosure or judicial review without revealing or implicating classified information.”
The order created a new Commerce Control List for encryption software, and the new Commerce Department regulations were published over the Christmas holidays. They contained the same restrictions that had already been judged unconstitutional.
Bernstein’s lead attorney, Cindy Cohn, retorted: “The government apparently decided to ignore Judge Patel’s findings. Instead of listening to Judge Patel’s analysis and attempting to fix the regulations, they simply issued new ones with the same problems. We are giving them a chance to fix this before we bring the issue up in court.”
The matter did go back to court, with Judge Patel agreeing on Aug. 26, 1997, that the same restrictions under different authority were still a violation of the First Amendment. The Electronic Frontier Foundation (EFF) commented: “The decision knocks out a major part of the Clinton administration’s effort to force companies to design government surveillance into computers, telephones, and consumer electronics.”
A press release from the Department of Justice acknowledged that encryption had many positive benefits: “Businesses can protect trade secrets, hospitals can safeguard medical records,” but it warned that legal proceedings were continuing and “[u]ntil this issue is resolved, export controls on encryption software remain in place.”
United States Court of Appeals for the Ninth Circuit
The legal case proceeded to the Ninth Circuit Court of Appeals in 1997, with Bernstein challenging the opinions of the Departments of Justice, Commerce, Defense, and Energy, as well as the NSA and CIA.
Cindy Cohn argued that the Export Administration Regulations were inconsistent because if encryption source code was contained in printed materials (e.g., Zimmermann’s PGP book) rather than machine-readable media, it was no longer subject to the regulations.
On May 6, 1999, Circuit Judge Fletcher decided the government regulations “constitutes an impermissible prior restraint on speech.” While Judge Bright concurred with this view, Judge Nelson dissented, arguing the court had failed “to fully recognize that the basic function of encryption source code is to act as a method of controlling computers” and that “encryption source code is more like conduct than speech.”
EFF co-founder John Gilmore commented: “The US government has wielded these export controls to deliberately eliminate privacy for ordinary people. The controls created wireless phones that scanners can hear, e-mail that’s easy to intercept, and unsecured national infrastructures that leave us all vulnerable. Misguided national security bureaucracies use these controls every day, to damage the nation they are sworn to protect, and to undermine the constitution they are sworn to uphold. Today’s ruling is a giant step toward a sane policy.”
However, a press release by the Department of Justice downplayed the significance of the ruling, stating “the regulations controlling the export of encryption products currently remain in full effect.”
The following month, the Justice Department announced that it had filed a petition for a rehearing of the case, and on Sep. 30, 1999, the court agreed to rehear the case in front of all 21 members of the court. But the Department of Commerce then requested a delay while it worked on new changes to the export regulations, and the hearing was rescheduled.
In January 2000, the government modified the Export Administration Regulations to allow publication of cryptographic software of any strength.
District Court for the Northern District of California
The new regulations did not satisfy Bernstein, and legal proceedings continued.
Bernstein hired San Francisco-based attorney Karl Olson to lead his case and positioned himself as an “established researcher helping protect the Internet against attack.” Olson wrote to the court:
“Ten years ago, the government censored Prof. Bernstein’s ‘Snuffle.’ The government appeared to believe that Snuffle might allow terrorists and other criminals to communicate in secret.
However, the tragic history of terrorist attacks over the past two decades demonstrates that criminals were already capable of communicating in secret. Unbreakable cryptographic systems, suitable for communication among small groups of people, have been widely known for years. The government’s regulations were hurting scientists and legitimate users, while doing nothing to stop terrorists.”
Bernstein wrote to the court, explaining the security work that he did and that the current regulations “despite the January 2000 improvements, still prohibits my desired activities” at scientific conferences and with private email and web publications. He noted that the law prohibited him from writing programs in any assembly language and prevented him from answering security questions from people outside the United States.
A couple of famous names provided statements to the court in San Francisco in support of Bernstein’s motion.
Timothy O’Reilly, CEO of O’Reilly & Associates (now O’Reilly Media), explained his business and the pricing strategy for its publications.
Security technologist Bruce Schneier gave a statement to the court on mathematically unbreakable encryption systems and stated that this information had been present in textbooks for many years.
The Department of Commerce argued that the notice requirement “serves the significant governmental interest in preparing to deal with different forms of encryption that might be encountered in the collection of foreign intelligence.”
The director of policy at the National Security Agency (NSA), Louis F. Giles III, argued “there is an important national security interest in receiving notice of encryption items, including software, that are being exported” and that “the increasing global availability of encryption products and services presents significant challenges for the United States.”
On Oct. 18, 2002, Department of Justice attorney Tony Coppolino told the court that the government would not enforce some of the regulations:
“I can assure you that the regulatory authority does not want [researchers who are collaborating at conferences] sending us an email every time they change something in an algorithm.” The Justice Department also said commercial book publishers and assembly-language publishers did not need to obtain licenses.
At the end of a court case in 2003, Bernstein commented: “I hope the government sticks to its promises and leaves me alone, but if they change their mind and start harassing Internet-security researchers, I’ll be back.”
The entire list of documents relating to the Bernstein case is available on Dr. Bernstein’s crypto site.