THE DILEMMA FOR FUTURE COMMUNICATION TECHNOLOGIES: How TO CONSTITUTIONALLY DRESS THE CRYPTO-GENIE1
Jason Kerben
"The proliferation of encryption of technology threat- munication.4 This system of communication has ens the ability of law enforcement and national security officials to protect the nation's citizens against ter- been used throughout history. One of the earliest rorists, as well as organized criminals, drug traffickers known examples of cryptography was used by Ju- 2 and other violent criminals." lius Caesar when he sent military messages to his "If the freedom of the press . . . [or freedom of speech] armies.5 Most cryptographic system have two perishes, it will not be by sudden death . . . It will be a 6 long time dying from a debilitating disease caused by a basic functions: encoding and decoding. The en- series of erosive measures, each of which, if examined coding function converts the normal data com- singly, would have a great deal to be said for it."3 monly known as "plaintext" into incompre- The preceding two statements epitomize the hensible data commonly known as "ciphertext."7 enduring struggle that has pitted the law enforce- The decoding function reverses the process, by ment community against those who are con- changing the "ciphertext" back into "plaintext." cerned with protecting their privacy interests. In order to perform these functions, a sequence The expanded use of advanced technologies in of bits, or "keys" must be obtained by the sender communications has propelled the cryptography and receiver of each message.9 The strength of debate into the spotlight. the coded communication is greatly dependent Cryptography uses codes to create secret com- upon the length of the key.' 0 This system is an
I The term "crypto-genie" was apparently first used by au- metric cryptography is for an individual to choose two secret thor Steven Levy in 1994. Philip Elmer-Dwitt, Who Should 100-digit prime numbers and multiply them together. The Keep the Keys?, TIME, Mar. 14, 1994, at 91. 200 digit product reveals the individuals "public key." The 2 Judy Fahys, Cryptic Coding: Export Quarrel Touches Utah private key, the original prime numbers, remain unknown Coding: Conflict About Sales and Spies, SALT LAu TRIB., Jan. 28, and cannot be determined by the knowledge of the public 1996, at F2 (quoting James Cavanaugh, NSA's deputy direc- key. The strength of the keys comes from the fact it is "com- tor of public policy). putationally infeasible" for a modern top-speed supercom- 3 Yale Broad. Co. v. FCC, 478 F.2d 594, 606 (1973) (quot- puter to determine the factors of a 200-digit number in any- ing Lord Devlin). thing less than several centuries. See James Fallows, Open 4 Cryptography is defined as "the science or study of the Secrets, ATLANTIC, June 1994, at 48. An example of the use of techniques of secret writing; especially coded cipher systems, asymmetric cryptography will be discussed in Part I. For a methods and the like." RANDOM HOUSE DICTIONARY OF THE more in-depth discussion of key generation with respect to ENGLISH LANGUAGE 485 (2nd ed. 1987). the different forms of cryptography, see the following publi- 5 The "Caesar Cipher" adds a number to the position of cations. See Mitchell Moore, The Role of Cryptography in Network each letter to the alphabet. If you were to add three to A, the Security, Bus. COMM. REv., Sept. 1995, at 67; Dave Trowbridge, first letter, it would then become D, the fourth letter; C be- Public-key Crypto Gives Pyivacy Power to the People, COMPUTER comes F, and so on. SeeJeff Prosise, How To Keep It A Secret; TECH. REv., Apr. 1995, at 7. Data Encryption Methods And How They Work, PC MAC., July 10 Hoffman, supra note 6. As a recent paper on cryptog- 1994, at 315. The Egyptians and Phoenicians were the first raphy asserts that "[t]he sizes of encryption keys are mea- known groups of people to utilize cryptography. Edward sured in bits and the difficulty of trying all possible keys Radlo, Legal Issues in Cryptography, COMPUTER LAWYER, May grows exponentially with the number of bits used. Adding 1996, at 1. one bit to the key doubles the number of possible keys; ad- 6 Lance Hoffman, CRYPTOGRAPHY- POLICY AND TECHNOL- ding ten increases it by a factor of more than a thousand." oGY TRENDS at 4, (visitedJan. 25, 1997)
125 126 COMMLAW CONSPECTUS [Vol. 5 example of symmetric or conventional key cryp- gan experimenting with the idea of establishing a tography. In order for this system to function computer network to be used for the furtherance properly, both the sender and receiver must know of academic research.15 The concept became re- the key. ality in 1969, when computers at the University of Even though cryptography has been present California of Los Angeles and SRI International in since the time of Caesar, it has been effectively Menlo Park, California were linked and the kept from the American public by the National ARPANET was established.' 6 In 1984, ARPANET Security Agency (NSA)." Officially, the agency split into two networks, one of which is now was charged with the duties of monitoring and de- known as the Internet. 7 As of 1996, there were coding any signal transmission relevant to na- an estimated 30 million users of the Internet tional security.' 2 Soon after its existence, NSA worldwide. Is The impact of this figure is more took substantial steps to control the growth of significant when one realizes the fact that the In- cryptography.3 In fact, NSA went so far as to say ternet is growing at a rate of approximately ten that it had the "sole authority to fund research in percent per month.19 Because of the growing reli- cryptography."' 4 For the most part, the claim, has ance on the Internet for business transactions and proved to be true, although it lacks legal validity. personal communications, the need for a debate That is, up until now. With the advancement and on the open architecture and privacy of the net- growth of the Internet, NSA's claim of sole au- work has become tantamount. thority has become somewhat overshadowed. Currently, a U.S. citizen or U.S. corporation In the mid 1960's, the Department of Defense's may domestically use any form or strength of en- Advanced Research Projects Agency (ARPA) be- cryption it chooses.20 The knowledge of encryp-
Key: Cryptography, the Clipper Chip, and the Constitution, 143 Computer Security Act of 1987 can be found at Pub.L.No. U.Pa.L.Rev. 709, 736 (1995). A 128 bit key has over 40 sextil- 100-235, 101 Stat. 1724. NSA has also been instrumental in lion possible keys. Id. at 889. the development of civilian cryptography and has also at- 11 On October 24, 1952, President Truman sent a memo- tempted to establish universal cryptography standards. See randum to Secretary of State Dean Acheson and Secretary of Renae Angeroth Franks, The National Security Agency and Its Defense Robert Lovatt authorizing the existence of NSA and Interference with Private Sector Computer Security, 72 IOWA L.REv. placing it under the authority of the Secretary of Defense. 1015 (1987). NSA has also "dispatched FBI agents on break- Eleven days later, NSA came into existence. At the time of its in missions to snatch code books from foreign facilities in the creation, there were no press announcements, no news cov- United States and CIA agents to recruit foreign communica- erage and no Congressional debate. The number of people tions clerks to buy their code secrets." Scott Shane, Rigging who work for NSA and the size of its annual budget was and the Game, BALTIMORE SUN, Dec. 10, 1995, at 8A. continues to remain classified. Therefore, the agency was 14 David Burnham, THE RISE OF THE COMPUTER STATE 39 often referred to as the "No Such Agency." A Clipper Primer, (Random House, 1983). In 1975, NSA tried to stop all dis- COMPUTER FRAuD & SECURITY BULL., May 1994, at 13; see also bursing of National Science Foundation grants for cryptogra- Maureen Harrington, Cyber Rebel, DENVER PosT, Mar. 5, 1996, phy research. KennethJ. Pierce, Public Cryptography, Arms Ex- at 24. This publication, without listing its authority, reported port Controls, and the First Amendment: A Need for Legislation, 17 that NSA spends one million dollars an hour and eight bil- CORNELL INT'L L.J. 197, 203 (1984). lion dollars a year on eavesdropping around the world. Id. 15 Marie A. Wright, Protecting Information from Internet 12 John Perry Barlow, Decrypting the Puzzle Palace, COMM. Threats, COMPUTER FRAUD & SECURITY BULL., Mar. 1995, at 7; OF THE ACM,July 1992, at 25. The current deputy director of see also Cheryl Ajluni, Security Techniques Ensure Privacy, ELECT. NSA, William Crowell, has stated in a declaration that the two DESIGN, Apr. 17, 1995, at 83. missions of NSA are: (1) to conduct the signals intelligence 16 Wright, supra note 15. (SIGINT) activities of the United States Government; and (2) 17 Deborah Russel, COMPUTER SECURITY BASICS 211 to carry out the responsibilities of the Secretary of Defense (1991). concerning the security of the United States national security information systems. See Declaration of William Crowell at 2, Is Larry Lange, Net Battleground Awaits Microsoft Salvo, Karn v. United States Dep't of State, 925 F. Supp 1, (D.C. Cir. ELECTRONIc ENGINEERING TIMES, Jan. 8, 1996, at 22. 1996) (No. 95-1812). One former Army intelligence officer 19 Edward Baig, Ready to Cruise the Internet?, Bus. WK., stated that "SIGINT is more valuable than dope because it Mar. 28, 1994, at 180. goes directly to the personal power and prestige of the Presi- 20 However, this use is restricted primarily to domestic dent." David Stipp, Techno-Hero or Public Enemy, FORTUNE, use. The one exception to non-domestic use is contained in Nov. 11, 1996, at 180. a recent amendment to 22 C.F.R. § 123 (1996). The limited 13 NSA has attempted to control the growth of private exception allows for temporary export for personal use, but cryptography by relying on the Computer Security Act, which also establishes that the when the product is not in posses- allows for military intelligence agencies' control of the civil- sion of the exporter that it should be "lock[ed] . . . in a hotel ian cryptography market. See Henry King, Big Brother, The room safe." 22 C.F.R. § 123.27(a) (3) (ii) (A) (1996). The ex- Holding Company: A Review of Key-Escrow Encryption Technology, porter must also provide a "record of that temporary export 21 RUTGERS COMPUTER & TECH. L.J. 224, 248-49 (1995). The and subsequent import." Id. at (b). 1997] FUTURE COMMUNICATIONS TECHNOLOGIES 127 tion technology may also be distributed domesti- private individuals and corporations is clearly de- cally to other U.S. citizens without restriction. fined. Law enforcement is concerned with losing However, if one chooses to export this technology its ability to effectively and timely conduct eaves- then he or she faces serious criminal penalties.2 1 dropping; while individuals are concerned with In the past, a key length of fifty bits is the maxi- privacy, freedom of speech and the potential lost mum one is able to export without a license from revenues. The line between those two is the First the Department of State. 2 2 On January 1, 1997, Amendment. The First Amendment, which states however, this limit will be raised to a maximum of that no law shall be made that abridges the free- fifty-six bits as long as the exporting company dom of speech or of the press,29 holds the "keys" commits "to explicit benchmarks and milestones to resolving this debate. for developing and incorporating key recovery This paper discusses the government's legiti- features into their products and services." 23 At mate concern for national security which has the end of a two-year period, only those compa- been exhibited through its past attempts and con- nies that have established a key recovery system tinues through its future intentions of regulating and have provided a copy of the keys to a trusted the export of cryptography and addresses the con- third party will be permitted to export fifty-six-bit stitutional problems posed by these concerns. key cryptography. 24 Companies and individuals Recognizing this dilemma, this paper presents a that do not participate in the "key recovery" sys- viable solution that meets the needs of all inter- tem will not be permitted to export their crypto- ested parties without compromising a majority of graphic products.25 Violation of these restrictions their ideals and objectives. Part I provides a brief is a criminal offense, punishable by imprison- overview of the modern development and expla- ment.26 nation of the process of encryption. Part II dis- The argument advanced by the government cusses the regulations and policies that govern the and law enforcement officials is that strong en- government's efforts in controlling the growth of cryption export regulations are necessary in order encryption software through export regulations. for law enforcement authorities to adequately ac- Part III discusses the interests and policies of indi- complish their job. Recently, FBI Director Louis viduals and the business community in the en- Freeh testified to a Congressional committee that cryption debate. Part IV examines the three en- "encryption capabilities available to criminals and cryption cases that have challenged the terrorists endanger future usefulness of court-or- government's export regulations on First Amend- dered wiretaps."27 The proposed law enforce- ment grounds. Part V presents a First Amend- ment solution comes in the form of "socially re- ment analysis of encryption source code as sponsible encryption products . . . which permit speech. Finally, in Part VI, this note presents a timely law enforcement and national security ac- possible solution for dealing with the crypto-ge- cess and decryption."2 nie, while at the same time, meeting the needs of The line that separates law enforcement from the law enforcement, individuals, corporations
21 The violation of the Arms Export Control Act (AECA) Reg. 58,767 (1996). or the International Traffic in Arms Regulation (ITAR) is 23 Statement of the Vice President, Al Gore, CONGRES- punishable by a fine up to $1,000,000, or imprisonment of SIONAL PREss RELEASE, Oct. 1, 1996. A key recovery system up to ten years, or both. See 22 U.S.C. § 2778(c) (1994); 22 would allow "a trusted [third] party to recover the user's con- C.F.R. § 127.3 (1996). Any person that knowingly violates fidentiality key for the user or for law enforcement officials the Export Administration Act (EAA) or the regulations of, is acting under proper authority." subject to a fine of up to five times the value of the exports 24 Exec. Order No. 13,026, 61 Fed. Reg. 58,767 (1996). involved or $50,000 whichever is greater, or imprisonment of 25 Id. or both. 50 U.S.C. § 2410(a) (1994). Any up to five years 26 See supra note 21. person that willfully violates the EAA or the regulations of, is 27 Wayne Madsen, Securing Access and subject to five times the value of the exports up to $1,000,000 Privacy on the In- ($250,000 for an individual), or up to ten years of imprison- ternet, COMPUTER FRAUD & SECuRrrY BULL.,Jan. 1, 1996, at 12. ment, or both. 50 U.S.C. § 2410(b) (1) (A) (B). The applica- The Director made the statement on May 3, 1995 to the tion of these regulations will be discussed in some detail in House Judiciary Committee. the text. 28 Impact of Encryption on Law Enforcement and Public Safety, 22 See 57 Fed. Reg. 32,148 (1992); see also Dorothy Den- Hearings on S. 1587 Before the Comm. on Commerce, Sci- ning, DecodingEncryption Policy, SECURrIY MGMT., Feb. 1996, at ence and Transportation, 104th Cong. (1996) (statement of 59. Note that Executive Order 13026 gives jurisdiction to the Louis Freeh, Director of Federal Bureau of Investigation). Commerce Department. Exec. Order No. 13,026, 61 Fed. 29 U.S. CONST. amend. 1. 128 COMMLAW CONSPECTUS [Vol. 5 and most importantly the First Amendment of the chance he wishes to communicate with another Constitution. party besides Ruth.3 3 These key problems of the symmetric system, together with NSA's domina- tion of the development of encryption technolo- I. THE CRYPTO-GENIE AWAKENS gies, created an environment where the use of en- As previously discussed, symmetric encryption cryption was underutilized. has been around since the time of Caesar.30 This In 1975, Whitfield Diffie made a historic discov- system provides a means to communicate in se- ery that forever changed how encryption is cret, but it also creates several problems. One of viewed. Whitfield, a computer scientist and cryp- these problems is key management. To best ex- tographer, has always been "concerned about in- plain the obstacles that are experienced by using dividuals, an individual's privacy as opposed to this system, the next section will provide an exam- Government secrecy."3 4 Diffie's discovery made ple involving two fictitious individuals who wish to was necessitated by his realization that a perfect communicate by using encryption techniques.31 system would eliminate the need for a trusted Sam (the sender) wishes to send his friend third party.35 Diffie developed a way to secure the Ruth (the receiver) a personal message. Sam message using two mathematical keys by splitting types his message into the computer as plaintext up the cryptographic key. The system known as and then uses a previously agreed upon key to en- public key cryptography or asymmetric cryptogra- code the message into ciphertext. Sam then phy utilizes a public key and a private key.3 6 Each sends the message to Ruth. Once Ruth receives party, has a private key which only the owner the message in ciphertext form, she uses the pre- knows and a public key which everyone knows. viously agreed upon key to decode the message Whatever is scrambled by one key, can be un- into plaintext. At this point, Ruth is able to read scrambled by the other key. For an explanation her personal message. on how this system functions, we will revisit Sam One traditional problem that exists with this and Ruth. system is the uncertainty as to whether the sender Sam completes a message to Ruth in plaintext is actually the person he says he is. Applied to this form. Upon completion, Sam encodes the specific example, how does Ruth in fact know the message with Ruth's public key. When Ruth re- message is from Sam and not from someone act- ceives the message in ciphertext from Sam, she ing as Sam? Once the key becomes known to any uses her private key to decode the message into other party, the entire security of any message plaintext. To send a message back to Sam, Ruth utilizing the key will be compromised.32 The encodes her message with the use of Sam's public other problem this system poses is key manage- key. Sam then uses his private key to decode the ment. If this was the first communication be- message. The knowledge of one half of a key does tween the two parties, how does Sam tell Ruth not in any way compromise the identity of the what the key is without compromising the security other half.3 7 Therefore, the problem of key man- of future messages? Even if Sam is successful, by agement is resolved, eliminating the need for the telling her in person, the problem still exists if he trusted third party. wishes to change the key in the future or if by The problem of key identification was also elim-
30 Edward Radlo, supra note 5, at 1. nicating the key, other than personally contacting the party. 31 Variations of this example have been used to explain 34 Steven Levy, Battle of the Clipper Chip, N.Y. TIMES, June the inner-workings of cryptography. See Froomkin, supra 12, 1994, at 47. note 10, at 890-91. 35 Id. The "trusted third party" that Whitfield Diffie re- 32 This problem is known as key identity or authentica- ferred to was an individual or service utilized in symmetric tion. One method that has dealt with this problem in the encryption systems whom provided key management to send- past is by distributing the keys by physically secure means. ers and receivers by providing them with the keys. In the An example would be a bonded courier. This example illus- earlier example of Sam and Ruth, a trusted third party would trates the geographic problems that exist with the use of a provide Ruth with a secure key to decode messages from worldwide network. See Moore, supra note 9, at 71. Sam. Whitfield Diffie was concerned that if the trusted third 33 With this system of encryption Sam is limited in his party was served with a subpoena they would simply "sell you freedom to change his keys with Ruth or developing a system out." Id. with future parties. In either the case of a key that has been 36 Id. at 47-48. compromised with an existing party or the establishment of 37 See Hoffman, supra note 6. a key with a new party, Sam has no secure means of commu- 1997] FUTURE COMMUNICATIONS TECHNOLOGIES 129 inated by the asymmetrical process.38 The pro- tively unknown to a vast majority of the public un- cess of authentication or digital signatures could til Phil Zimmerman appeared in 1991. The Sen- be achieved by reversing the process of encoding. ate was proposing an anti-crime bill that included Once again, Sam and Ruth will serve as an exam- a provision that would require manufacturers to ple of how the process of authentication works. insert "trap doors"43 in their products to enable In the previous message, Sam encodes a part of the government to read encrypted messages.4 the message he wishes to serve as authentication Phil Zimmerman, an information privacy advo- of his identity with the use of his private key. He cate, had recently created an encryption program then encodes the rest of the message with Ruth's called Pretty Good Privacy (PGP) that was, and public key. Upon receiving the message, Ruth be- still is, considered a significant obstacle to law en- gins by decoding the message using her private forcement code-cracking efforts. 45 The program key to decode the entire message. She then uses uses several encryption methods, including RSA, Sam's public key to decode the section of the and uses 512-bit, 1,024-bit, 1,280-bit or 2,048-bit message in order to prove the authentication of keys. 4 6 In a recent study, it was concluded that if Sam as the sender. At no time throughout this 100 million personal computers with an operating process have either of the private keys been com- system of 100 Mhz with eight megabytes of RAM, promised. were devoted to decrypting a PGP-encrypted In 1977, three inventors Ronald Rivest, Adi message using the 1,024-bit key it would take Shamir and Leonard Adleman (known as R.S.A.) 280,000 years to crack the code.4 7 Originally, developed a system which utilized Whitfield Dif- Zimmerman intended to market his product, but fie's process of encryption.39 The R.S.A. system is due to a growing concern of possible government based on prime number generation, since it is intervention that might eliminate any market for computationally much more difficult to factor two his new product, he changed his plans. Zimmer- large prime numbers than multiplying them. 40 man quickly gave a number of free copies to his Some of the companies that utilize RSA technol- friends. 48 "The important thing, reasoned Zim- ogy include: Apple, AT&T, DEC, IBM, Lotus, merman, "was to get PGP out there while it was Microsoft, Northern Telecom and Novell.41 As of still legal for people to get a copy - to inoculate January 1994, over two million instantiations of the body politic."49 RSA have been distributed in the United States, Upon receiving PGP, one of Zimmerman's and that number is expected to double by the end friends commenced driving around for two hours of 1995.42 with a laptop and a modem and uploaded PGP The use of public key cryptography was rela- from public phones to bulletin boards with In-
38 Asymmetric is defined as "not identical on both sides 1995, at A3. of a central line, unsymmetrical; lacking symmetry." RANDOM 45 John Markoff, Federal Inquiry on Software Examines P-i- HOUSE DICTIONARY OF THE ENGLISH LANGUAGE at 129 (2nd vacy Programs, N.Y. TIMES, Sept. 21, 1993, D3. The use of en- ed. 1987). cryption by a pedophile hampered the efforts of law enforce- 39 Anthony Watts, Cryptography is Key to Securing Proprietary ment in a recent case in California. See Timothy Lennon, The Information, EDN, July 6, 1995, at 101. Fourth Amendment's Prohibition on Encryption Limitation: Will 40 See Id. The. author provides an example of the mathe- 1995 be Like 1984?, 83 GEO. L.J. 1849, 1852 n.6 (1995). How- matical equation. First, you select two very large prime num- ever, it is unclear whether NSA is unable to crack PGP be- bers, P& Q and another number d which is relatively prime cause of the secrecy that surrounds NSA. to (P-1) * (Q-1). Second you calculate e from the equation 46 Al Berg, Securing E-mail with Encryption, LAN TIMES, e*d'=1 [mod ((P-1) * (Q-1))]. The pair of numbers (e, N) Sept. 25, 1995, at 142; Douglas Marden, The Three Cs to Im- where N is congruent to P*Q is the encryption key; the pair proving UNIX System Security, ENT. Sys. J., Mar. 1995, at 90. of numbers (d, N) is the decryption key. 47 Trowbridge, supra note 9, at 10. 41 Susan Landau, Crypto Policy Perspectives, COMM. OF THE 48 Homes, supra note 44. ACM, Aug. 1994, at 116. 49 Id. Zimmerman and other civil libertarians are quick 42 Hoffman, supra note 6. to point out that PGP has been utilized on at least two occa- 4s Traps doors have a weakness in the key part of the en- sions against oppressive governments. The first occasion oc- cryption algorithm which allows for the holder of such infor- curred when Burmese freedom fighters used PGP to keep mation to use "computational shortcuts to break the code." documents hidden from their government. The second oc- Froomkin, supra note 10, at 736-37. One example is allowing casion took place when Zimmerman received a message from for the holder of the information to simply multiply large an individual in Latvia that stated, "Let it never be, but if dic- prime numbers together verses factoring a large number who tatorship takes over Russia, your PGP is widespread from Bal- can only be factored by two numbers. Id. at n.112. tic to Far East now and will help democratic people if neces- 44 Stanley Holmes, Pretty Good Predicament,PC WK., July 3, sary." See Levy, supra note 34, at 50. 180 0 ' COMMLAW CONSPECTUS [Vol. 5 ternet connections.5 0 The fact that the encryp- Department of Justice is investigating the mat- tion program was now on the Internet meant that ter.57 it was readily accessible to foreigners or exporta- 5 ble without a license. ' What occurred next was a II. THE GOVERNMENT'S (POROUS) AIR fifteen month investigation led by the Depart- TIGHT BOTTLE ment of Justice in order to determine if Zimmer- man should be indicted on federal charges. 5 2 As Up until October 1, 1996, cryptographic sys- a result of the Zimmerman affair, the govern- tems and equipment were considered a muni- ment's policy on Internet distribution remained tion.5 8 As a munition, cryptography was subject to unclear. A statement by an assistant attorney gen- the Arms Control Export Act (ACEA) which gives eral that there is "no change in the law, no the President the authority to designate certain change in policy. If you're planning on making items as defense articles or defense services.59 encryption available over the Internet, or other The export of these designated items is controlled means, better check with the State Department by regulations under the International Traffic in 53 first," did nothing but cloud the issue further. Arms Regulations (ITAR) .6o The United States Zimmerman, undaunted by the government's Munitions List then forms the index of the items efforts, recently developed a program entitled designated as "defense articles."6 1 Defense serv- PGPphone, which uses the Blowfish algorithm. 54 ices are defined as the "furnishing of assistance With the development of the technology to make (including training) to foreign persons, whether voice phone calls over the modem, this program in the United States or abroad. . ."62and the "fur- encodes or rearranges the digital version of the nishing to foreign persons of any technical data phone conversation and then decodes it on the controlled under this subchapter, whether in the other end.55 This program, has been available on U.S. or abroad."6 3 Encryption software was classi- the Internet for downloading and at publication, fied as technical data because of its capability of 64 56 there have been no announcements that the maintaining secrecy, and also for its ability con-
50 Andrew Brown, Kings of the Wired Frontier, THE IN- (Mar. 4, 1996). DEPENDENT, Apr. 30, 1995, at 16. Zimmerman has repeatedly 56 See Wendy Grossman, Innovations: Secretly Does It, DAILY denied that he placed his program on the Internet. TELEGRAPH, Apr. 2, 1996, at 26 (for further explanation of 51 The program is readily available outside the United PGPphone). Stateswithout the approval of the U.S. Government. A Nor- 57 At publication, there were no announced Department wegian web site, (visited Jan. 25, 1997)
65 22 C.F.R. § 120.10(2) (1996). from the Operating Committee to determine whether the 66 Exec. Order 13,026, 61 Fed. Reg. 58,767 (1996). item is exportable. All other items must only be ruled on 67 Id. solely by the Operating Committee's Chairperson, the Secre- 68 The initial determination that cryptography was a tary of Commerce. Id. This procedure is important to note dual-use technology was made in 1991 by the Coordinating when one examines the defense oriented membership of the Committee on Multilateral Export Controls. See Susan Lan- Operating Committee. The Committee is composed of rep- dau, Codes, Keys and Conflicts: Issues in U.S. Crypto Policy chap. resentatives of the Departments of Commerce, State, De- 8 (visited Jan. 25, 1996)
ent of the article or service.73 graphic information might meet first amendment In 1978, a Department ofJustice r~iemorandut standards if the "necessary procedural safeguards" was written to a science advisor of President were put into existence. 80 This memorandum Carter, reporting on the constitutional concerns was affirmed by the Department of Justice as re- of the ITAR regulations.74 It was asserted that the cently as 1984.81 The 1984 memorandum also ITAR prohibitions on cryptographic ideas and in- warned that ITAR's prohibitions of "communica- formation "amounted to an unconstitutional tions of unclassified information by a technical prior restraint." 75 The two fatal flaws that the au- lecturer at a university or to the conversation of a thor cites are "the standards governing the issu- United States engineer who meets with foreign ance or denial of licenses are not sufficiently pre- friends at home to discuss matters of a theoretical cise to guard against arbitrary and inconsistent interest," were forms of unconstitutional prior re- administrative action; second, there is no mecha- straint. *82 nism established to provide prompt judicial re- Under the EAA, all regulated commodities are view of State Department decisions barring disclo- placed on the Commerce Control List (CCL). "3 sure."76 The author also asserts that the argument Items or technology is identified by the Secretary that the ITAR regulates conduct not speech,77 is of Defense in concurrence with Secretary of Com- misplaced because "even a cursory reading of the merce as subject to export controls via the CLL. 84 technical data provisions reveals that those por- The CCL indicates whether and to what extent, a tions of the ITAR are directed at communica- commodity is controlled. Controls may be imple- tion." 78 mented for national security, foreign policy, short Interestingly enough, current members of the supply and other purposes. 85 Concerning na- Justice Department have ignored this point and tional security, there are three possible options instead have argued that O'Brien does apply.79 In available for the Secretary of Commerce to summary, the memorandum asserted that the re- choose from when designating an commodity on quirement of a "prepublication review" of crypto- the CCL.8 6 In regards to foreign policy, there are
73 In addition to the requirement of supplying the name 80 Memorandum from John M. Harmon, supra note 74 at of each particular recipient, the applicant must also have the 17-18. following statement upon the bill of lading and invoice; 81 "We remain of the opinion ... the ITAR still present "[t]hese commodities are authorized by the U.S. Govern- some areas of potentially unconstitutional application, and, ment for export only to [country of ultimate destination] for moreover, that we cannot be certain whether existing case use by [end-user]. They may not be transferred, transshipped law would be sufficient to narrow the range of application to on a non-continuous voyage, or otherwise be disposed of in a constitutionally sufficient extent." Memorandum from any other country, either in their original form or after being Larry L. Simms, Deputy Assistant Attorney General, Office of incorporated into other end-items, without the prior written Legal Counsel, Department of Justice to Davis R. Robinson, approval of the U.S. Department of State." 22 C.F.R. Legal Advisor, Department of State at 14 (July 5, 1984). A § 123.9(b) (1996). 1981 DOJ memorandum also concluded that the ITAR regu- 74 Memorandum from John M. Harmon, Assistant Attor- lations were an unconstitutional form of prior restraint. ney General, Office of Legal Counsel, Department of Justice Memorandum from Theodore Olson, Assistant Attorney to Dr. Frank Press, Science Advisor to President Carter (May General, Office of Legal Counsel, U.S. Dep't ofJustice to Wil- 11, 1978) (on file with the Department of Justice). liam B. Robinson, Office of Munitions Control, U.S. Dep't of 75 Id. at 5. State at 202 (July 1, 1981). 76 Id. at 10. 82 Memorandum from Larry L. Simms, supra note 81. 77 If the regulation affected speech, then the application This statement clearly reflects the issues surrounding Bern- of the O'Brien test would be necessary. The O'Brien test arises stein. Bernstein, 922 F. Supp. 1426. In this civil action, which from a Supreme Court case that established a four part test will be discussed later in greater depth, the plaintiff is a grad- for determining when conduct reaches the level of speech, uate student (has now since graduated and wishes to teach) and as such, is protectable by the First Amendment. O'Brien in mathematics, wishes to publish a mathematical paper on v. United States, 391 U.S. 367 (1968). algorithms. The State Department has denied all of his re- 78 Memorandum from John M. Harmon, supra note 74 at quests to export his paper. Bernstein is currently suing the 11, n.16. government on First Amendment grounds. 79 The government argued that O'Brien applied in both 83 50 U.S.C.S. § 2404(c) (1) (Law Co-op. 1996). the Bernstein and Karn cases. Memorandum of Points and 84 Id. at (c) (2). Failure to act byteither the Secretary of Authorities in Support of Defendants' Motion for Summary Defense or President, within 20 days, leads to an affirmation Judgment at 12-14, Bernstein v. United States Dep't of State, of the Secretary of Commerce's determination concerning 922 F. Supp. 1426 (C.D.Cal. 1996); Memorandum of Points the item or technology. Id. and Authorities in Support of Defendants' Motion to Dis- 85 15 C.F.R. § 799.1(d)(1)(iii) (1996). miss, or in the Alternative, for Summary Judgment at 17-20, 86 Validated licenses are required based on national se- Karn v. U.S. Dep't of State, 925 F. Supp. 1 (D.C. Cir. 1996). curity when: 1997] FUTURE COMMUNICATIONS TECHNOLOGIES 133
five options that the President, after consulting Commerce who either affirms or vacates the deci- Congress, 7 may choose from when imposing ex- sion.95 This ineffective judicial review combined port controls under the CCL.8" An applicant with ithe fact that all functions exercised under wishing to export a commodity contained on the the EAA are explicitly excluded from judicial re- CCL must apply for a validated license.89 The ap- view and the protections of the Administrative plication requires extensive documentation"o and Act,9 6 causes ample concern of the possibility of is reviewed on a case-by-case basis.91 Within sixty arbitrary and inconsistent administrative action. days after receipt of the license application, the One provision that could be easily abused in the Secretary of Commerce shall formally issue or implementation of export controls of crypto- 9 deny the license. 2 If a license for application is graphic systems is the foreign availability excep- denied the Secretary must state the statutory basis tion.97 This exception allows the President to 93 and the policies that are furthered by the denial. place export restrictions on goods or technology Unlike the ITAR, the EAA establishes provides that are "available without restriction from other an appeal process where license denials may be sources outside the United States . . . [if] . . . the reviewed by an administrative law judge.94 How- absence of such controls would prove detrimental ever, all determinations made by the administra- to the foreign policy or national security of the tive law judge are reviewed by the Secretary of United States."9 8 The Director of the FBI and a
(1) the export of such goods or technology is restricted communities does not exceed the benefit to United pursuant to a multilateral agreement, formal or infor- States foreign policy objectives; and (5) the United mal, to which the United States is a party and, under the States has the ability to enforce the proposed controls terms of such multilateral agreement, such export re- effectively. quires the specific approval of the parties to such multi- 50 U.S.C.S. § 2405(b)(1)(A)-(E) (1996). lateral agreement; (2) with respect to such goods or 89 Id. § 2403. technology, other nations do not possess capabilities 90 15 C.F.R. § 772 (Supp. 1) (1996). Some of the infor- comparable to those possessed by the United States; or mation that must be submitted include the ultimate con- (3) the United States is seeking the agreement of other signee in the country of ultimate destination, an intermedi- suppliers to apply comparable controls to such goods or ate consignee in any intermediary in a foreign country who technology and, in the judgment of the Secretary, participates as an agent, description for the end-use intended United States export controls on such goods or technol- by the ultimate consignee and computer performance as cal- ogy, by means of such license, are necessary pending the culated in Composite Theoretical Performance. Id. conclusion of such agreement. 91 50 U.S.C.S. § 2409(b) (1996). 50 U.S.C.S. § 2404(e)(2)(A)-(C) (Law Co-op. 1996). 92 Id. § 2409(f)(1). 87 50 U.S.C.S. § 2405(f)(1)(2) (Law Co-op. 1996) (stat- 93 Id. § 2409(f) (3) (A)-(C). ing that the President must consult specifically with the Com- 94 Id. § 2412(e). The ITAR expressly states that designa- mittee on Foreign Affairs of the House of Representatives tion of items as defense articles or services is not subject to and the Committee on Banking, Housing, and Urban Affairs judicial review.. 22 U.S.C.S. § 2778(h) (1996). of the Senate before he may impose, expand or extend ex- 95 50 U.S.C.S. § 2412(e) (1996). As a result, the so-called port controls). "judicial review" appears like simple window dressing. The 88 The five options are: statute clearly states that the Secretary's decision is "final," (1) such controls are likely to achieve the intended for- leaving little doubt as to the weight of the administrative law eign policy purpose, in light of other factors, including judge's determination. the availability from other countries of the goods or 96 50 U.S.C.S. § 2412(a) (Law Co-op. 1996). technology proposed for such controls, and that foreign 97 50 U.S.C.S. § 2403(c) (Law Co-op. 1996). However, as policy purpose cannot be achieved through negotiations was with the case with other items recently transferred from or other alternative means; (2) the proposed controls the United States Munitions List to the Commerce Control are compatible with the foreign policy objectives of the List, the foreign availability exception will not be applied to United States and with overall United States policy to- cryptography. This will undoubtedly present an even greater ward the country to which exports are to be subject to threat to an individual's liberties. The export determination, the proposed controls; (3) the reaction of other coun- made by a defense oriented Operating Committee, will be tries to the imposition, extension, or expansion of such guided solely by the determination of whether it is consistent export controls by the United States is not likely to with U.S. national security and foreign policy interests, re- render the controls ineffective in achieving the intended gardless of the availability of the item elsewhere. foreign policy purpose or to be counterproductive to 98 Id. One concern shared within the intelligence com- United States foreign policy interests; (4) the effect of munity is that this exception will demand for their agencies the proposed controls on the export performance of the to provide sensitive information in order to refute claims of United States, the competitive position of the United foreign availability or overriding national security concerns States in the international economy, the international thereby exposing the abilities and objectives of highly classi- reputation of the United States as a supplier of goods fied missions. One example of this would be the case where and technology, or on the economic well-being of indi- an applicant wishes to export a 90 bit key program to India. vidual United States companies and their employees and The applicant asserts that India has 90 bit key generally avail- 134 ' COMMLAW CONSPECTUS [Vol. 5 number of other intelligence officials contend asserted later, the limitation of export cryptogra- that the President would not be hard pressed to phy is a violation of one's First Amendment utilize this exception.99 rights. Therefore, the lack of a "meaningful re- Regardless of the preclusion of judicial review, view" in the case of controlling the export of cryp- the courts have recognized that "colorable consti- tographic systems will not pass constitutional mus- tutional claims may be reviewed by the courts."100 ter under existing EAA regulations. Therefore, if licenses were denied on the basis of As the new procedures governing the control of "impermissible reasons" or in excess of the Secre- export of cryptographic systems are developed it tary's authority, the action would be reviewable by is tantamount for the government to recognize the court.10 ' Another legal tool may also exist for the widespread dissemination of encryption prod- cryptographic exporters by relying on a prior de- ucts throughout the world. A study conducted in cision. Ordinarily, "where a determination made June of 1996 identified 532 foreign encryption in an administrative proceeding is to play a criti- products originating from twenty-eight foreign 105 cal role in the subsequent imposition of a crimi- countries. The Internet, a worldwide accessible nal sanction, there must be some meaningful re- system, has over thirty-five cryptographic pro- view of the administrative proceeding."' 0 2 grams available for download, all of which are 106 However, the 9th Circuit refused to apply this over the exportable limit of "40-bit keys." In an principle in regard to the EAA because the deci- attempt to demonstrate the absurdity in the sion to control a commodity "does not involve the United States export restrictions, a witness, who defendant's individual rights and is not an ele- later testified before Congress, recently 0 7 ment of the criminal offense in the pending downloaded of these programs from a FTP site. case."10 3 This analysis applied to export control The abundance of encryption products is evi- of cryptographic systems, which involves first denced by the fact that for as little as five dollars, amendment rights, most certainly promises a dif- one can buy a "U.S. export restricted" encryption ferent result. program on the streets of Saint Petersburg, Rus- 108 The classification of goods or technology on sia. the CCL is precluded from review, which if vio- lated, will subject the individual to criminal sanc- A. An Attempt to Plug the Leaks tions. The EAA's functions are explicitly ex- cluded from judicial review and the protections of On November 16, the Clinton Administration, the Administrative Procedures Act. 0 4 As shall be in an attempt to appease the needs of the com-
able in this particular country. The intelligence community Before the House Judiciary Comm. 104th Cong. (Sept. 26, would be forced to present evidence that India does or does 1996) (statement of William Crowell, Deputy Director of not have this capability, which may result in the release of NSA). highly sensitive intelligence information. Interview with an 100 United States v. Bozarov, 974 F.2d 1037, 1044 (9th anonymous intelligence government official, in Washington, Cir. 1992), citing Webster v. Doe, 486 U.S. 592, 602-05 (1988) D.C. (Oct. 11, 1996) (notes on file with ComMLAW CONSPEG- (recognizing that if the Secretary abused his authority by de- TUS). nying licenses arbitrarily, judicial review would not be pre- 99 Director Freeh testified to Congress that the use of en- cluded.) cryption products "by a vast array of criminals and terrorists 101 Bozarov, 974 F.2d at 1044-45. to conceal their criminal communications and information 102 Estep v. United States, 327 U.S. 114, 121-22 (1946). poses an extremely serious and, in my view, unacceptable 103 United States v. Mandel, 914 F.2d 1215, 1221 (9th threat to public safety." And without the ability to promptly Cir. 1990). the Director stated that decrypt encrypted communication 104 50 U.S.C.S. § 2412(a) (Law Co-op. 1996). "[the Bureau] will not be able to effectively fulfill our mission 105 David Balenson, Representative of Trusted Infor- of protecting the American public." Impact of Encryption mation Systems Inc., Remarks at the Annual International on Law Enforcement and Public Safety: Hearings on S. 1587 Cryptography Institute Conference (Oct. 26, 1996) (discuss- Before the Comm. on Commerce, Science and Transporta- report issued by the Software Publishers Association). tion, 104th Cong. (July 25, 1996) (statement of Louis Freeh, ing Director of Federal Bureau of Investigation) (visited Sept. 30, 106 John Black, The Internet Export Control Gap - The Real- 1996) (available at
puter industry, "unilaterally" 09 proposed a new the proposal. In fact, the chief executive of RSA initiative to replace previous Clipper proposals.o10 Data Security Inc., called the government's an- The initiative, Clipper III, specifies that for the nouncement "disastrous."11 6 The manufacturer next two years, industry will be permitted to ex- of the most popular Internet browser, Netscape port encryption products of up to fifty-six-bit key, Communications Corp., also warned that the plan provided the industry makes a commitment to "would hinder the industry's ability to compete in- work towards "developing and incorporating key ternationally."" 7 The Business Software Alliance recovery features into their products and serv- also pointed out that several issues have yet to be ices.""' The key recovery features allow for a resolved, including the definition of key recovery trusted third party to recover the user confiden- system. 18 tial key for the user or law enforcement with the The carrot and stick approach taken by the gov- proper authorization." 2 At the end of the two ernment is seen by some industry officials as "ex- year time period, with a completion of a key re- tortion."' 19 For the companies that abide by the covery infrastructure,' 13 export of fifty-six-bit key government's wishes of developing a key recovery products not supporting the key recovery system infrastructure, they will be allowed to export at will not be permitted." 4 their convenience; whereas companies that do After the Clipper III proposal was announced, not take part in the development of a key recovery eleven companies formed an alliance to develop a system will be prohibited for exporting their en- "worldwide approach to strong encryption" that cryption products. 20 Individuals who wish to ex- would utilize a key recovery system." 5 Although port encryption software, are completely ignored the alliance was quick to form, it does not appear by the government's proposal. Under the propo- as if all the members of the alliance fully support sal, at the end of the two year period, a student or
109 Both Senator Leahy and Senator Burns expressed dis- anonymous source was quoted as saying that if the Clipper pleasure with the fact that the administration had not con- had been compromised then "the whole thing's over, and we sulted with Congress before announcing the new initiative. have to start from scratch." Id. Government officials that See Statement by Senator Leahy on Administration'sEncryption Ini- were questioned about the meeting, neither confirmed nor tiative, U.S. NEWSWIRE, Oct. 2, 1996, at NI; Burns Cautious on denied its existence. Id. Encryption Plan, CONGRESSIONAL PRESs RELEASES, Oct. 1, 1996. I1 Statement of the Vice President, Al Gore, CONG. 110 The initiative has been touted as "new" by the admin- PRESs RELEASE, Oct. 1, 1996. istration, but one House Commerce Committee staff mem- 112 Id. The data recovery feature of the key recovery sys- ber stated that the initiative was "key escrow warmed over, tem for the specific user is unnecessary and superfluous and that's it." White House to Revive "Clipper" Wiretap Plan, based on the fact that "data recovery can be done indepen- Bus. WIRE, May 18, 1996. The original Clipper proposal was dently ... and in a more secure manner." Center for Democ- a NSA-developed, hardware-oriented, cryptographic device racy and Technology, Preliminary Analysis of "Clipper III" En- that utilizes a symmetric encryption and decryption al- cryption Proposal (visited Jan. 25, 1997)
121 See Encryption and Indecency; Administration Acts on 2 26, 1996) (statement of William Crowell, Deputy Director of On-Line Fronts, supra note 118. the National Security Agency. 122 See Impact of Encryption on Law Enforcement and Public 125 Id. Safety, supra note 28. However, this argument is less convinc- 126 James Aley, How Not to Help High Tech, FORTUNE, May ing when applied to terrorists who survive in large part from 16, 1994, at 100 (statement by Louis Freeh, Director of Fed- isolating and hiding from all legal aspects of society. eral Bureau of Investigation). 128 The examples listed by the Director of the FBI were: 127 Electronic Communications Privacy Act of 1986, Pub. (1) In the Aldrich Ames spy case, where Ames was told L. No. 90-351, tit. III, § 802, 82 Stat. 197, 211-25, reprinted in by his Soviet handlers to encrypt computer file informa- 1968 U.S.C.C.A.N. 237, 253 (codified at 18 U.S.C. § 2510 tion to them; (2) In a child pornography case, where (1994). one of the subjects used encryption in transmitting ob- 128 Denning, supra note 110. However, this might be at- scene and pornographic images of children over the In- tributed to the higher requirments required of law enforce- ternet; (3) In a major drug-trafficking case, where one of ment in applying for a wiretap. the subjects of one of the court-ordered wiretaps used a 129 Robin Hanson, Can Wiretaps Remain Cost Effective?, telephone encryption device which frustrated the sur- COMM. OF THE ACM, Dec. 1994, at 15. veillance; (4) Some of the anti-Government Militia 130 Scott Shane, National Security Agency: Catching Ameri- groups are now advocating the use of encryption as a cans in NSA's Net, BALTIMORE SUN, Dec. 12, 1995, at 15A. In means of preventing law enforcement from properly in- this type of instance the intelligence agency must gain ap- vestigating them. proval from the Foreign Intelligence Surveillance Court, Impact of Encryption on Law Enforcement and Public Safety, supra which is solely composed of seven federal judges, appointed note 28. to seven-year terms by the chief justice of the United States 124 Security and Freedom through Encryption Act: Hearings on Supreme Court. Of the 576 requests, all were granted by the H.R. 3011 Before the HouseJudiciary Comm. 104th Cong. (Sept. court. Id. Clearly when a message is encrypted above the 1997} FUTURE COMMUNICATIONS TECHNOLOGIES 137
surveillance from 1985 to 1991, has led to 7,324 encryption criteria is required."137 These memo- convictions. 3 1 This last figure must be given lim- randa have substantial support in a number of the ited value because it only serves as a rough esti- actions taken by the government. It is no secret mate, since it assumes that these convictions that the United States government has an enor- would have been impossible without the wiretaps. mous market power that could be used to influ- The average cost of conducting a wiretap, as of ence the development or implementation of 1993 was $57,256.132 According to a recent FBI products. 3 8 For example, shortly before the in- study, the costs will soon increase seventeen troduction of the Clipper I initiative, AT&T had times 33 due to advances in technology, such as developed a new, low cost secure phone that was 34 fiber-optic cable and advanced call forwarding.1 designed with a nonexportable encryption al- As criminals and terrorists develop more sophisti- gorithm.139 After some consultations with NSA, cated illegal activities, through the use of ad- AT&T refitted their phones with the Clipper chip. vanced technologies, the continued effectiveness Immediately thereafter, the Justice Department of law enforcement's efforts to eavesdrop be- placed an eight-million dollar order with AT&T comes critical. for Clipper-based encoding devices. 140 The De- With the expansion of the Internet, the govern- fense Department is also believed to have ordered ment has sought to protect their law enforcement 20,000 chips.1 4 ' Just this year, AT&T announced abilities by advancing particular cryptography that it has developed a security chip to protect standards and influencing the debate.13 5 One ini- data stored on computer disks, in cellular phones, tiative advanced by the government, the Clipper, and television set-top boxes all of which will utilize has continually been asserted as "voluntary." the Clipper chip. 142 With the simplicity of an Ex- However, in a recently declassified secret FBI doc- ecutive Order, the President could strongly rec- ument entitled "Impact of Emerging Telecommu- ommend for all executive agencies to conduct nications Technologies on Law Enforcement," it communications utilizing a key recovery system. was stated that a necessary goal was to "prohibit Any secure communication with a government cryptography that cannot meet the Government agency would then have to be conducted utilizing standard. An exception will, of course, exist for the government accessible key recovery system. the protection of classified, national defense in- This saturation would allow the government man- formation." 3 6 dated key recovery system to become the de-facto Another recent declassified document pre- standard and destroy the concept of independent pared by the FBI, NSA and DOJ stated that encryption that does not support key recovery. In "[tiechnical solutions, such as they are, will only fact, the former General Counsel of NSA recently work if they are incorporated into all encryption admitted that "l[t] he [government's] concern . . . products. To ensure that this occurs, legislation is the prospect that in five years . . . every phone mandating the use of Government-approved en- you buy that costs $75 or more will have an en- cryption products or adherence to Government crypt button on it that will interoperate with every
maximum limit and communicated to another country or Law Enforcement (visited Jan. 25, 1997)
other phone in the country . . ."14 The question this test, scientists had asserted that a 129 bit key then truly becomes, is voluntary really voluntary? was uncrackable for forty quadrillion years.149 A recent study conducted by cryptographers also concluded that "uncrackable" keys did not ex- III. THE OTHER SIDE: INDIVIDUAL AND iSt.1 5 0 With the use of a $200 Field Programmable INDUSTRY'S INTEREST IN THE Gate Array (FPGA) chip, an individual could CRYPTO DEBATE crack a 40 bit key in 5 hours.' 5' With the re- sources of $10 million, a 56 bit key could be pene- Unbreakable encryption is of interest to anyone trated in six minutes; with $300 million it would who uses the Internet to conduct affairs. A only take twelve seconds. 152 The authors also number of recent events have attributed to a wave point out that these figures are not static since of concern over the lack of secure communica- computing power doubles every eighteen tions. In September 1994, a group of hackers months.153 Therefore, in the two year time pe- penetrated the National Weather Service com- riod established by the Clipper III proposal, this puter network in Maryland, but were stopped figure will have more than doubled. At first damage was done.' 44 If the hackers before any glance, these dollar figures might seem enor- had caused the weather service's computer to shut mous, but to many corporations and govern- then all commercial airlines, who are de- down, ments, they represent only a drop in the bucket. upon its information, would have been pendent The report concludes that in order to have ade- grounded as a result.' 45 In October 1994, a six- quate protection for the next twenty years, a sys- teen year-old hacker was arrested after breaking 5 tem should use a key at least ninety bits long. 1 4 into over 100 networked systems, including the All of these cases illustrate the fragility of existing South Korean Atomic Energy Research Institute, electronic networks. Yet, the government contin- where it was acknowledged that he may have ac- ues to advocate the voluntary implementation of a some secret nuclear data.14 c Also, in Au- cessed de-facto standard of encryption technology based gust 1996, hackers altered the Justice Depart- on key recovery in order to protect its law enforce- so that it read: "United States ment's web site ment capabilities. Department of Injustice" and placed several swas- tikas placed on the page.14 7 Legal testing of the protection afforded by en- A. Past Abuses in the Name of National cryption devices also creates alarm. In early 1994, Security after only eight months, a team led by Bell Labs, working with 600 volunteers in twenty-four coun- Critics of governmental control of the encryp- tries cracked a 129 bit key.148 Before the results of tion debate also express concern about the poten-
143 Stuart Baker, General Counsel of NSA, Remarks at (transcript on file with ComMLAw CONSPECTUS). the Fourth Annual Conference on Computers, Freedom and 147 Vandals Show justice's Vulnerability, DAYrON DAILY Privacy, session entitled "Data Encryption: Who Holds the NEWS, Aug. 24, 1996, at 11A. Keys?" at the John Marshall Law School, Chicago (Mar. 24, 148 Ellen Messmer, Bellcore Leads Team Effort to Crack RSA 1994) (visitedJan. 25, 1997)
155 See generally, Froomkin, supra note 10. VACY IN NETWORK ENVIRONMENTS, OTA-TCT-606 (Washing- 156 Id. at 732 (quoting S. REP. No. 94-755, pt. 2, at 4 ton, D.C.: U.S. Gov't Printing Office, Sept. 1994) at 3. (1976)). 161 Net Profits, ECONOMIST, July 1, 1995, at 12. 157 Id. 162 Ken R. Wells, Transactions Over the Internet Safe Despite 158 Susan Landau, Crypto Policy Perspectives, COMM. OF THE Publicized Thievery, SAN DIEGO Bus. J., Feb. 5, 1996, at 15. ACM, Aug. 1994, at 115, 119. 163 Nightline: Law and Order on the Information Superhigh- '59 Timothy Lennon, The Fourth Amendment's Prohibitions way (ABC television broadcast, May 2, 1994) (report concern- on Encryption Limitation: Will 1995 be Like 1984?, 58 ALB. L. ing David LaMacchia, who established a computer bulletin REv. 467, 475 (1994) (quoting David Wise, The American Police board which contained copyrighted software available for State: The Government Against the People at 66 (1978)). download) (transcript on file with COMMLAW CONSPECTUS). 160 Saul Hansell, U.S. Workers Stole Data on 11,000, Agency 164 Carolina Saez, Enforcing Copyrights in the Age of Mul- Says, N.Y. TIMES, Apr. 6, 1996, at A6. Another example of timedia, 21 RUTGERS COMPUTER& TECH. L.J. 351, 381-82 abuse occurred when in October 1992, over three hundred (1995). employees of the Internal Revenue Service were identified as 165 See generally, Dale J. Ream, Copyrighted Works & Com- using one of the computers to issue fraudulent refunds and puter Networks: Is ProtectionPossible?, 4 KANSASJ.L. & PUB. PoL'Y to browse through taxpayer accounts. U.S. CONGREss, OFFICE 115 (1995); Kenneth D. Susan, Tapping to the Beat of a Digital OF Ti-CHNO.oGY ASSESSMENT, INFORMATION SECURITY AND PRI- Drummer, 59 ALB. L. REv. 789 (1995). 140 COMILAW CONSPECTUS [Vol. 5
1996, that figure is estimated to climb to $946 mil- A CEO of a computer company put it best when lion.166 This figure is properly analyzed when he responded to a question concerning the Clip- taken in conjunction with the fact that this ac- per by stating, "Why would an international com- counts for less than fifty percent of the total pany want the U.S. government to be able to worldwide encryption market.16 7 American man- eavesdrop on them?" 174 The irony of the situa- ufacturers place primary blame for the sizable for- tion is further exemplified by the fact that three eign-market share on the existence of the restric- out of ten Fortune 500 companies already rely on tive export regulations placed upon U.S. stronger foreign encryption products.' 7 5 technology. Other countries, such as Japan, Rus- Economic espionage resulting in the theft of sia, Germany, France and the U.K, produce and technology and trade secrets has become one of export encryption of a fifty-six-bit key strength the biggest concerns among the business industry. 16 and higher. 3 Senator Leahy recently stated that, A former CIA Director called this form of spying "U.S. companies are not allowed to market glob- "the hottest current topic in intelligence."17 6 Ex- ally the one encryption method that's used perts estimate that anywhere between $20 to $30 around the world."1 69 Therefore, U.S. software billion a year is lost by American business as a re- companies, must choose between what type of sult of foreign and domestic spying.17 7 Out of the lines to produce. A company could produce one twenty foreign governments that are often cited as line at forty key bits which is exportable or a com- supporting campaign of economic espionage pany could produce two different lines of the against the U.S. business community, the most fre- same product, one which is exportable and the quently mentioned are France and Japan.17 8 In other not. Due to the cost prohibitive nature of the spring of 1993, the CIA obtained a list of tech- maintaining two different lines of the same prod- nologies allegedly sought by France, naming forty- uct, most U.S. companies opt to produce one nine manufacturers and twenty-six financial firms weakly encrypted exportable line. The effects of and U.S. government laboratories and agen- this policy have proven financially disastrous. cies.' 7" Also in 1993, the FBI reported that its This backwards standard will cost U.S. software caseload of industrial espionage increased from companies $6 billion to $9 billion in annual reve- ten to five hundred in a period of nine months. 0 nues.17 0 This figure is expected to rise to $60 bil- NSA and other U.S. intelligence agencies have lion in annual revenues by the year 2000.171 been slow in taking any form of affirmative action One computer company reported that it lost against the foreign governments, let alone ac- sales of $70 million because it was not able to pro- knowledging the existence of the problem. This vide the encryption that its customers wanted.1 72 inaction stems from the fact that the U.S. intelli- For the companies that choose to market two dif- gence agencies conduct many of the same activi- ferent lines, the results are the same. An example ties, and wish to continue doing so. As a result, of this occurred in France where a hacker using U.S. businesses are being asked to continue mak- two supercomputers and 120 workstations was ing sacrifices for the betterment of various law en- able to crack the non-U.S. version of Netscape.' 7 3 forcement and intelligence agencies.181
166 Hoffman, supra note 6. POST, June 27, 1993, at C2. 167 Id. 177 Roderick P. Deighen, Welcome to Cold War II, CHIEF 168 Id. EXECUTIVE, Jan./Feb. 1993, at 42. 169 National Information Infrastructure Copyright Pro- 178 France is considered the most "brazen perpetrator," tection Act of 1995: joint Hearing Before the Subcomm. on Courts by breaking into Paris hotel rooms of foreign executives and and Intellectual Property of the House Comm. on the Judiciay and bugging first-class cabin, on Air France. Japan's efforts are the Senate Comm. on the Judiciary, H.R. 2441 and S. 1284, 104 largely coordinated by the Ministry of International Trade Cong., 72 (1995) (statement of Sen. Leahy). and Industry, which obtains and analyzes vast amounts of 170 Fahys, supra note 2, at Fl. publicly-accessible commercial information for Japanese 171 Christine Hudgins-Bonafield, Will Spies Hold Your companies. Omestad, supra note 176, at C2. One report esti- Keys, NETWORK COMPUTING, Mar. 15, 1996, at 78, 79. mated that the Ministry's Trade Organization files a total of 172 Aley, supra note 126, at 101. 10,000 pages a day on the companies, governments and 173 Jeff Prosise, The Netscape Security Breach, PC MAG., Apr. economies of the target countries as a "part of their normal 23, 1996, at 199, 200. business routine." Deighen, supra note 177, at 45. "4 Aley, supra note 126, at 100. 179 Omestad, supra note 176, at C2. 175 Hudgins-Bonafield, supra note 171, at 82. 180 Id. 176 Thomas Omestad, Cloak and Dagger as R&D, WASH. 181 The export restriction placed upon industry does 1997] FUTURE COMMUNICATIONS TECHNOLOGIES 141
IV. THE THREE CRUSADERS FOR port the book.185 One month later, a reply to the CONSTITUTIONALLY PROTECTED CJ Request stated that the book was not subject to ENCRYPTION the "licensing jurisdiction of the Department of the State since the item is in the public do- Just within the last few years the judicial branch main."186 Since that time, the book has sold emerged as the forum for the cryptography de- 25,000 copies in the United States and abroad. 8 7 bate. Three individuals, who wished only to share On March 9, 1994, just seven days after ob- their encryption programs and ideas with the rest taining approval from the State Department for of the world, have brought the government to export of the book, Karn wrote to the State De- court. Their arguments are based primarily on partment to ask whether a license was required to the assertion that the source code used for en- export a computer disk version of the same cryption constitutes speech and therefore, should book.'8 s The disk contained, line for line, the be afforded First Amendment protections. The same source code listed in the book.' 89 Two government's response revolves around national months later, the Office of Defense Trade Con- security concerns. The Director of FBI Counter trols concluded that the computer disk was sub- Intelligence, Edward Apell, recently stated that ject to the licensing jurisdiction of the State De- the wide distribution of encryption in either the partment since it was determined that the 18 2 form of a book or computer disk is a threat. computer disk was a defense article.190 The same However, this statement appears to be contradic- individual that made the decision regarding the tory to the government's position in Karn v. export of the book stated that, "[t]he text files on 3 United States Dep't of State.' the subject disk are not an exact representation of what is found in 'Applied Cryptography.' Each A. Phil Karn source code listing has been partitioned into its own file and has the capability of being easily In 1994, Bruce Schneier wrote a book entitled compiled into an executable subroutine." 91 The "Applied Cryptography," which contained expla- distinction between the material in a book format nations of how to build cryptography into prod- versus an electronic format was further justified ucts, illustrates cryptographic techniques, evalu- by the fact that it was of an "added value to the ates algorithms and provides examples of some end-user that wishes to incorporate encryption algorithms. 1 8 4 On February 12, 1994, a friend of into a product."192 Schneier by the name Phil Karn, a San Diego The initial ODTC decision was subsequently ap- software developer, wrote to the State Depart- pealed to the Secretary for Export Controls.'93 ment to ask whether a license-was required to ex- have some exceptions. DES, 56 key bit encryption, is avail- VOORHEEs REPORT, Dec. 9, 1994, at 3. This letter and all able for some banking and medical services. See King, supra other relevant letters and pleadings related to this proceed- note 13 at 231. Recently, Health Online Service, was ing can be located at Phil Karn's web site: (visited Jan. 25, awarded an export license of a 786 character encryption key 1997) Karn argued that the alleged "added value" was a the court was "precluded from second guess- flawed argument. He asserted that through the ing."2 0 1 The government further contended that use of optical character recognition (OCR) tech- the encryption program could not be viewed as nology by scanning the text of chapter five of the "convey[ing] a particularized message," and as book onto a computer, the same material in the such the First Amendment claim must fail. 202 As- exportable book was produced onto the suming that the conduct was "expressive con- unexportable computer disk. The only difference duct," which was afforded constitutional protec- being the medium on which the material was tion, the government argued that the O'Brien test presented.19 4 Earn's arguments, however fell on should be applied.203 In applying the O'Brien test, deaf ears and the initial decision was affirmed.'9 5 the government argued that the disk was not reg- Karn then appealed the decision to the Bureau of ulated for its "informational or expressive value Political-Military Affairs at the Department of ... but because of its functional use." 2 0 4 The gov- State, where it was again affirmed.19 6 , ernment asserted that the well-defined distinction On September 21, 1995, Karn advanced the ar- between the book and the computer disk, was in gument that "the prior licensing requirement of its "function" or "the capability to provide to the ITAR operates as a prior restraint on Plain- whomever obtains it."205 Yet at the same time, in tiffs disclosure of ideas and information in viola- what would appear to be a contradictory argu- tion of his First Amendment rights (sic) to free ment, the government concluded that the fact speech" in a United States District Court.'9 7 He that the encryption source codes may be scanned reiterated the argument that there was no differ- onto a computer disk may "compel reconsidera- ence between the information on the book and tion of the status of the printed source codes the information on the computer disk, other then .... "206 It appears the government's attorneys ne- the medium itself.'98 Karn pointed out that the glected to confer with the Director of FBI computer disk also contained "comments" that Counter Intelligence before reaching this conclu- were not involved in the functioning program, in sion. addition to the source code, which was further ev- On March 22, 1996, the court granted the De- idence of its "communicative purpose."' 99 fendant's Motion for Summary Judgment in part . The government contended that "designation with respect to the plaintiffs First Amendment of encryption software on the USML is unrelated claims. 2 07 The court held that the defendants to any expressive value" 20 0 and the "crucial" gov- were not regulating the export of the disk because ernmental interest of "national security," which of the "expressive content of the comments and 194 Id. the constitutional power of the Government, (2) it furthers 195 ODTC Case: 081-94, Reply Letter from Dr. Martha an important or substantial government interest, (3) the Harris, Deputy Assistant Secretary for Export Controls, De- governmental interest is unrelated to the suppression of free partment of State, to Phil Karn (Oct. 7, 1994) expression, (4) the incidental restriction on the alleged First 196 ODTC Case: 081-94, Letter from Kenneth C. Bass, III Amendment freedoms is no greater than is essential to the and ThomasJ. Cooper, representing Phil Karn, to Thomas E. furtherance of that interest. United States v. O'Brien, 391 McNamara, Assistant Secretary of the Bureau of Political-Mili- U.S. 367, 377 (1968). tary Affairs, Department of State (Dec. 5, 1994). The deci- 204 Memorandum of Points and Authorities in Support sion was, ODTC Case: 081-94, Reply Letter from Thomas of Defendants' Motion to Dismiss or, In the Alternative, for McNamara, Assistant Secretary of the Bureau of Political-Mili- SummaryJudgment at 27, Kan, 925 F. Supp. 1. tary Affairs, Department of State, to Phil Karn (June 13, 205 Id. at 3. 1995). 206 Id. at 28. The government contended, due to the 197 Complaint at 7, Karn v. United States Dep't of State, lack of perfection of OCR technology, it did not yet produce 925 F. Supp 1, (D.C. Cir. 1996). error-free reproductions. Any errors that were made would 198 Id. at 5. necessitate the need for an individual with knowledge to 199 Plaintiffs Opposition to Defendants' Motion to Dis- remedy the situation. In the case of a preprogrammed com- miss or, in the Alternative, for SummaryJudgment at 10, 925 puter disk, very little knowledge of the encryption technology F. Supp. is needed. Concerning the technology of OCR, a recent 200 Memorandum of Points and Authorities in Support newspaper article reported that there are currently a number of Defendants' Motion to Dismiss or in the Alternative, for of businesses in the Pacific Rim and other Asian countries Summary Judgment at 34, Kan, 925 F. Supp. 1 (quoting that specialize in scanning vast amounts of text onto com- Texas v. Johnson, 491 U.S. 397, 403 (1989). puters. See Sheppard, supra note 187. 201 Id. at 4. 207 Kan, 925 F. Supp. 1, appeal docketed, No. 96-5121 202 Id. at 19-20. (D.C. Cir. Sept. 20, 1996). 203 Id. at 20. The four-part O'Brien test is: (1) it is within 1997]1 FUTURE COMMUNICATIONS TECHNOLOGIES 143 or source code, but instead are regulating [it] be- sion group called "sci.crypt." Aware of the export cause of the belief that the combination of en- restrictions, Bernstein filed a request with the cryption source code on machine readable media State Department so that he would be able to ex- will make it easier for foreign intelligence sources port his paper and computer disk. 213 The State to encode their communications." 208 Therefore, Department responded that he would need a li- the court concluded that the regulation was "con- cense. 214 However, in an attempt to allow the gov- tent neutral" and the O'Brien test should be ap- ernment to separately consider each item, Bern- plied.209 Relative to whether the regulation is stein filed five separate requests with the State within the power of the government and whether Department.215 The State Department responded it furthers a significant governmental interest, the by consolidating the items into one request and court stated that it "will not scrutinize the President's summarily asserting that a license was needed. 2 1 6 foreign policy decision" and the court 'neither has The supporting rationale was that the "referenced the'aptitude, facilities, nor responsibility' to make items contain cryptographic source code for data a judicial decision of this kind.210 The last test, encryption and are used in a stand-alone crypto- whether the regulation is "narrowly tailored to the graphic product."2 1 7 goal of limiting the proliferation of cryptographic Two years later, on February 21, 1995, Bern- products," was dismissed by the court because of stein brought suit against the federal government. the plaintiffs failure to "articulate any present The complaint asserted that the export regula- barrier to the spreading of information on cryp- tions in question are "unlawful prior restraints tography 'by any other means,' other than those depriving them [Bernstein and other academics] containing encryption source code on machine- of their federal constitutional rights to speak, to 21 1 readable media." Interestingly enough, this publish, to assemble, to receive information and last argument addressed by the court is one of the to engage in academic study, inquiry and publica- very issues in dispute in the next two cases. tion, guaranteed by the First Amendment."218 In particular, Bernstein argued that the three step li- B. Daniel Bernstein censing process and the approval process effec- tively "prevents general publication." 219 Bernstein I In 1992, Daniel Bernstein, then a graduate stu- contended that as a student of science, the lack of dent of the mathematics department at the Uni- an exchange of information or ideas infringed on versity of California at Berkeley, developed an en- his "right of academic freedom." 2 20 He also ar- cryption algorithm named "Snuffle." 2 12 In an gued that computer software is simply another effort to continue his research, Bernstein wished language and the Court should not allow the gov- to publish his discovery in a paper and a com- ernment "to force him [Bernstein] to publish it puter program which implements the algorithm. only in the languages they [the government] He also sought to post his encryption program choose (English, as opposed to computer lan- and related documents upon an Internet discus- guages) "221 208 Id. at 10. State, 922 F. Supp. 1426 (N.D.Cal. 1996); The five requests 209 Id. included: (1) a scientific paper entitled "The Snuffle Encryp- 210 Id. at 11 (quoting Chicago & Southern Air Lines v. tion System;" (2) source code for the encryption component Waterman SS. Corp., 333 U.S. 103, 111 (1948) (emphasis ad- of Snuffle; (3) source code for the decryption component of ded)). Snuffle; (4) a description of how to encrypt using Snuffle; (5) 211 Id. at 12. instructions for programming a computer.to use Snuffle. Id. 212 Bicoastal Court Challenges: Tackling Export Controls on 216 ODTC Case: 214-93, Reply Letter from William Robin- Encryption, LEGAL TIMES, Oct. 30, 1995, at 2. son, Director of Office of Defense Trade Controls, Depart- 1993). 213 See ODTC Case: 191-92, Letter from Daniel ment of State, to Daniel Bernstein (Oct. 5, Bernstein, 217 to Office of Defense Trade Controls, Department of State Id. 218 Complaint at 25, Bernstein, 922 F. Supp. 1426 (N.D. (June 30, 1992). All documents related to Bernstein's re- quests and subsequent litigation are at: (visited Jan. 25, 1997) Cal. 1996). 219 Plaintiffs Opposition to Motion to Dismiss at 9, Bern- The government promptly filed a motion to dis- ance." 2 28 miss where it was argued that the issue was the "exportation of actual cryptographic software" C. Peter Junger and not the "academic discussion about its under- lying theory."222 It was contended that the source The third case to question the constitutionality code is not speech but simply "mathematical ideas of the restrictions on the export of encryption was expressed in computer language." 223 The fact filed by a law professor from Case Western Uni- that these ideas provide a recipient with all of the versity Law School by the name of PeterJunger. 2 2 9 necessary facilities to "function [ly]" encrypt data The subject of the dispute revolves around Profes- makes them distinct from an explanation or dis- sor Junger's class entitled "Computers and the cussion about the "science of cryptology." There- Law." 230 In May 1993, Prof. Junger wrote an en- fore, the government argues that the court may cryption program that he wished to present to his not "second guess" the USML designation of cryp- class. 23 1 Concerned of the implications of distrib- tographic software.2 24 uting the program and related information to for- On April of 1996, U.S. District Judge Marilyn eign students, Prof. Junger contacted the Depart- Hall Patel denied the government's motion to dis- ment of Commerce, Department of State, the miss. 22 5 In dismissing the government's motion, ODTC and NSA in hopes of determining whether 232 the court was the first court to ever hold that the his program was subject to export regulations. source code is protected as speech under the First After numerous contacts with the various agen- Amendment. It was asserted that there "was no cies, he was unable to obtain a determinative an- meaningful difference between computer lan- swer.23 3 Three years later, Prof.Junger filed a fed- guage. . .and German or French."226 Concerning eral suit against the State Department and the functionality aspect of the source code, the National Security Agency. court held that it "does not remove it from the Professor Junger's main contention is that the realm of speech . . . [i]nstruction, do-it-yourself "[ITAR] regulations are unconstitutional because manuals, recipes and even technical information they constitute a blatant system of overbroad and about hydrogen bomb construction . . . are often vague prior restraints that violate rights of aca- purely functional: they are also speech."227 The demic freedoin of association."2 3 4 As a result of final outcome of this case has the opportunity of the restrictions, Prof. Junger argues that he must establishing original precedent in an area that is, chose "between petitioning the government and as one former Justice Department official re- allowing foreign students in his class."2 35 It is fur- marked, of "huge significance because the gov- ther asserted that the ITAR serves as a "prepubli- ernment's ability to police its borders for control cation licensing scheme" and as such, the law de- 6 of export of high-tech munitions hangs in the bal- mands that procedural safeguards be in place.2 3 222 Reply Memorandum of Points and Authorities in Fur- obtain a definitive answer from the ODTC, he responded by ther Support of Defendants' Motion to Dismiss at 11-12, Bern- stating that it "would not be practical; because he has a lot of stein, 922 F. Supp. 1426. information that he wishes to distribute . . . and he would 223 Id. at 12. end up spending all of his time filling out CJ requests. In 224 Id. at 6. addition, we don't have to get a permit to make a First 225 Bernstein, 922 F. Supp. 1426. Amendment claim." Telephone Interview with Gino Scar- 226 Id. at 1435. selli, Attorney for ProfessorJunger (Oct. 10, 1996). It is fore- 227 Id. seeable that the government may use this information to ar- 228 LEGAL TIMES, supra note 212. gue that Prof. Junger's claim is not ripe because no request 229 Junger v. Christopher, (No. 96 CV 1723) (N.D. Ohio was ever made and as a result, there may be no issue to dis- Aug. 7, 1996). All documents and pleadings concerning this pute. As support for the government's contention the case can be found at: (visited Jan. 25, 1997) Another key argument raised in the brief is that ment asserts that the software "enables a com- First Amendment protection should be afforded puter to perform a cryptographic function" and to Prof. Junger's program because "even execut- the regulation therefore only goes to the "func- 2 4 able programs in machine code, are afforded tionality" of the software. 5 copyright protection."2 3 7 Undoubtedly, this argu- Even with the recent announcement of the ment was based in part on the fact that Judge Clipper III initiative and the transfer of export Patel in the Bernstein litigation had subscribed to control over to the Commerce Department, these the same reasoning when she asserted that "the three cases still present First Amendment issues expression of an idea" is afforded copyright pro- that remain unresolved. Until such time that the tection. 2 3 8 Therefore, Judge Patel reasoned that administration or the courts recognize that en- "[a]n encryption program expressed in source cryption is speech and afford it speech status with code communicates to other programmers and the appropriate First Amendment protections, ultimately to the computer itself how to make the these cases represent the only hope for the future encryption algorithm (the idea) functional" and of encryption-speech. as a result, "copyright law does lend support to the conclusion that source code is a means of 2 39 V. ANALYSIS OF FIRST AMENDMENT original expression. " IMPLICATIONS In the Jungercase, the government reaffirms its argument that the "controls are expressly linked Regardless of the outcome and implementation to the capability of the product, not the content of of the Clipper III initiative, it can be argued the ideas or speech." 2 4 0 As a result, the government government has failed to recognize that source contends that the court should examine the regu- code is speech and should be afforded the first lations as content neutral.24 ' However, one can amendment protections. As a result, the ongoing infer quite the contrary, when the government, litigation of the three aforementioned cases are several paragraphs later, states the purpose of the necessary in order to confront the administra- export controls is to limit the spread of a product tion's attempt to window-dress key escrow as key that can encrypt data. 2 4 2 recovery. Only after source code has been held to The government also asserts that the "broad be speech will the future forms and mediums of public exchange of information . . . [through] communication be protected. The next section [a]cadmeic teaching, publication, research and will present an analysis of the constitutional issues symposia" serves as evidence that the government and questions raised by recognizing that encryp- is not interested in the spread of ideas at home, tion and specifically, source code is speech under but at the spread of encryption software over- the First Amendment. seas. 2 4 3 In regards to the software itself, the gov- ernment contends that it "is not merely 'know A. Source Code is Speech how' that explains how cryptography works, or a description of scientific ideas or information re- As previously discussed, source code is used in lated to cryptography." 2 4 4 Rather, the govern- the process of encrypting and decrypting commu- 237 Brief in Support of Plaintiffs Motion for Preliminary This statement seems to suggest that, in reality, the govern- Injunction at 18-19, Junger, (No. 96 CV 1723) (N.D. Ohio ment's desire to control the "spreading" of a product that has Aug. 7, 1996). the capability to encrypt, is in actuality an agenda to control 238 Bernstein v. United States Dep't of State, 922 F. the content of the program that allows the product to per- Supp. 1426, 1436 (N.D. Cal. 1996). form the task. Therefore, the government's contention that 239 Id. the regulation is content neutral is a misplaced attempt to 240 Defendants Memorandum of Point and Authorities force the court to examine the form and not the substance of in Opposition to Plaintiffs Motion for a Preliminary Injunc- the encryption product. tion and in Support of Defendant's Motion to Dismiss or in 243 Id. at 13. the Alternative, for Summary Judgment at 19, Junger v. 244 Id. at 22. Christopher, (No. 96 CV 1723) (N.D. Ohio Aug. 7, 1996) 245 Id. at 22-23. The government's assertion, by singly (emphasis added). concentrating on one character of the software, blindly ig- 241 Id. at n.24. See Turner Broad. Sys., Inc. v. FCC, 512 nores all of the other different aspects of the software. It U.S. 622 (1994); City Council v. Taxpayers for Vincent, 466 should be noted that all of these additional qualities that the U.S. 789, 810 (1984). government has chosen to ignore go directly to the content 242 Defendant's Memorandum supra note 240, at 20. of the software. 146 COMMLAW CONSPECTUS [Vol. 5 nication. In order to determine if source code is sage. "251 However, it should be argued that en- protected under the First Amendment, it must cryption algorithms are no different from a chem- first be determined whether source code is speech ical equation, genetic code or even a nuclear within a first amendment context.246 From its in- fission equation.252 All of these particular sub- ception to present day, the First Amendment has jects would most likely be unintelligible to those been applied to a variety of different mediums. that are not completely familiar with them, but Newspapers, leaflets, pamphlets, films, and broad- that in itself does not strip them of any character- casting have all been recognized by the Supreme istics of protected speech. Court as qualifying for first amendment protec- Source code can also be compared to the pro- tion. 247 In analyzing the many different mediums, tection afforded foreign languages. The Supreme the Court has held that, "[t] he press in its historic Court has held that the First Amendment prohib- connotation comprehends every sort of publica- its the government from restricting languages tion which affords a vehicle of information and taught or used.25 3 In Yniguez, the Court stated opinion."248 The freedom to express one's ideas that "[s]peech in any language is still speech has long been recognized as one of the founding .... "254 Therefore, the use of the computer lan- principles for the existence of the First Amend- guage as a form of expression of ideas and infor- ment.2 49 This "marketplace of ideas" allows for mation should be afforded the First Amendment the scholarly exchange of beliefs and ideas to sep- protection that every other "foreign" language is arate the truth from the falsity. The Court recog- afforded. nized that academics serve an instrumental role in this process when it stated that, "[t] o impose any strait jacket upon the intellectual leaders in our B. Government's Argument for Expressive colleges and universities would imperil the future Conduct 25 of our Nation." 0 Cryptography is a recognized science of mathe- The government has also advanced the argu- matics that is taught at many educational institu- ment that source code is not speech but rather tions throughout the country. It is the science of "expressive conduct."25 5 The contention is that using mathematical equations to create another the algorithm contains non-speech elements form of communication, namely algorithms. A which are combined with incidental speech ele- counter argument often asserted is that cryptogra- ments and as such, a different test, the O'Brien phy is not speech, because it provides a "function" test, should be applied.256 This argument was rec- and does not "convey a particularized mes- ognized as flawed in Yniguez, where the court as- 246 Although neither Karn nor Bernstein reached a final 500 (1926); Farrington v. Tokushige, 273 U.S. 284 (1927). disposition, each have arrived at a different conclusion re- 254 Yniguez v. Arizonans, 69 F.3d 920, 936 (9th. Cir. garding this issue. 1995), cert granted 116 S.Ct. 2495 (1996). 247 CBS v. Democratic Nat'l Comm., 412 U.S. 94 (1973) 255 Id. supra note 204, at 20. (broadcasting); Joseph Burstyn, Inc. v. Wilson, 343 U.S. 495 256 Memorandum of Points and Authorities in Support (1952) (motion pictures); United States v. Paramount Pic- of Defendants' Motion to Dismiss or, In the Alternative, for tures, Inc., 334 U.S. 131 (1948) (motion pictures, newspa- Summary Judgment at 27, Karn v. United States Dep't of pers, radio); Lovell v. City of Griffin, 303 U.S. 444 (1938) State, 925 F. Supp 1, (D.C. Cir. 1996) (laying out the test). (pamphlets and leaflets). The government has also argued that a First Amendment at- 248 Lovell, 303 U.S. at 452. ,tack is precluded based upon a 9th Circuit decision. Defend- 249 Abrams v. United States, 250 U.S. 616, 625 (1919) ant's Memorandum of Point and Authorities in Support of (Holmes J., dissenting). Defendant's Motion for Summary judgement at 7, Bernstein 250 Sweezy v. New Hampshire, 354 U.S. 234, 250 (1957) v. United States Dept' of State, 922 F. Supp. 1426 (N.D. Cal. (noting the importance of protecting scholarship and aca- 1996) (citing United States v. Edler Indus., 579 F.2d 516 (9th demic inquiry); see also Kleindienst v. Mandel, 408 U.S. 753, Cir. 1978)). The Bernstein court dismissed the defendant's 762-63 (1972) (recognizing that the First Amendment pro- argument "that if Edler allows the government to legitimately tects the right to receive information and ideas). restrict the export of technical data relating to a defense arti- 251 Texas v. Johnson, 491 U.S. 397, 404 (1989). cle, it can certainly restrict the defense article itself." Bern- 252 Compare United States v. Progressive Inc., 467 F. stein, 922 F. Supp. at 1437. The court reasoned that the de- Supp. 990 (W.D. Wis. 1979) (holding that prior restraint was fendant's argument was an extension of the of the Edler allowed on technical information about hydrogen bomb con- decision that the court was "unwilling to adopt" based on the struction). fact that the "validity of the scope of the munitions list was 253 Meyer v. Nebraska, 262 U.S. 390 (1923); Bartels v. simply not an issue in that case." Id. Iowa, 262 U.S. 404 (1923); Yu Cong Eng v. Trinidad, 271 U.S. 1997]1 FUTURE COMMUNICATIONS TECHNOLOGIES 147 serted that all speech has elements of expressive ited knowledge necessary to operate the com- conduct. puter format. Therefore, the government's inter- speech in any language consists of the 'expres- est in preventing the "functional use" is literally a sive conduct' of vibrating one's vocal chords, mov- government interest in preventing the advantages ing one's mouth and thereby making sounds, or of the information from being readily available in of putting pen to paper, or hand to keyboard. Yet a format where an understanding of the informa- the fact that such 'conduct' is shaped by a lan- tion is not necessary. Limiting the extent of guage - that is, a sophisticated and complex sys- broadening one's knowledge has been held by the tem of understood meanings - is what makes it Supreme Court as "inconceivable" to "serv[ing] speech. Language is by definition speech, and the public welfare or add[ing] substantially to the the regulation of any language is the regulation of security of life, liberty or the pursuit of happi- speech.257 ness."25 9 The government's reasoning can not be However, if the court should accept the argu- supported and the only rational government in- ment that source code is not speech but rather terest is the suppression of free expression. As a only expressive conduct, then the court must ap- result, the government fails the O'Brien test. ply the O'Brien test. The first prong of the four If the court should nevertheless accept that the part test is whether the government's interest is government's interest as unrelated to the suppres- unrelated to the suppression of free expres- sion of free expression, the government must still sion. 2 5 8 One government argument advanced is meet the second prong of the O'Brien test, which that their interest is only the "functional use" and states that the regulation must further an impor- not the scientific ideas. Applying this reasoning, tant or substantial governmental interest. 26 0 The the government argues that a book containing the government has asserted that its interest is in same information as a computer disk is not as "protect[ing] critical foreign intelligence gather- functional. This argument fails to' acknowledge ing functions"26' and "controll[ing] the foreign that the functionality of something is based upon availability of a commodity that can . . . en- the knowledge of the reader. For instance, if a crypt."2 6 2 The government has based its conclu- graduate student studying cryptography at a uni- sion upon information from NSA, which asserts versity in Berkeley received a copy of an algorithm that, "the proliferation of such products will make in a textual format, its functional value would be it easier for foreign intelligence targets to deny identical to the same information in a computer the United States access to information vital to na- 2 format. The same analogy can be applied to any tional security interests." 6s The courts have also other subject of information. If a political scien- held "that no government interest is more com- tist received statistical information in textual for- pelling than the security of the Nation."2 6 4 mat, its functional value would be identical to the It should be argued that in order to conduct a same information compiled on a computer disk. proper analysis of this prong of the O'Brien test, For one with a limited knowledge of a subject, the arguments advanced by the government, one the different formats, in either a book or com- must focus on the word "furthers." The govern- puter disk, would make absolutely no difference ment alleges that controlling the increase of en- to their functional values. It is argued that if an cryption is art important interest; yet the existence individual without the requisite knowledge comes of hundreds of encryption products in foreign across a problem while utilizing the textual format countries has not brought about any modifica- of the source code, it will be more of a formidable tions to the U.S. domestic encryption policy. This task to remedy the situation, compared to the lim- approach has created a process where foreign cor- 257 Yniguez, 69 F.3d at 934-35. stein v. United States Dep't of State, 922 F. Supp. 1426 258 O'Brien v. United States, 391 U.S. 367, 377 (1968). (N.D.Cal. 1996). 259 Meyer v. Nebraska, 262 U.S. 390, 390 (1923). 263 Memorandum of Points and Authorities, supra note 260 O'Brien, 391 U.S. at 377. 261, at 23. 261 Memorandum of Points and Authorities in Support 264 Haig v. Agree, 453 U.S. 280, 307 (1981) (upholding of Defendants' Motion to Dismiss or, In the Alternative, for passport revocation over a first amendment challenge); but Summary Judgment at 21, Karn v. United States Dep't of cf United States v. Robel, 389 U.S. 258, 264 (1967) (holding State, 925 F. Supp. 1 (D.C. Cir. 1996). that "even the war power does not remove constitutional lim- 262 Reply Memorandum of Points and Authorities in Fur- itations safeguarding individual liberties"). ther Support of Defendants' Motion to Dismiss at 12, Bern- 148 COMMIAW CONSPECTUS [Vol. 5 porations are supplying the U.S. domestic market functions to authenticate data, is not encom- 0 with encryption products. In fact, the number of passed in the strict export regulations. 27 foreign distributors has steadily increased and is It can be argued that the regulations do not expected to continue to rise if export regulations provide for ample alternative channels for the remain in place. 265 Therefore, it can be con- communication of cryptographic subjects. The cluded that the export regulations do not control limitation of distribution on the Internet because the proliferation or availability of encryption the government believes that "making software products, rather the regulations serve to deny available abroad has nothing to do with teaching only U.S. corporations wishing to distribute en- a class" 271 is a grave misconception. In order for cryption products access to the worldwide market. any theory to be properly tested, one must be af- As a result, the government argument should fail forded the opportunity to confirm his or her hy- the second prong of the O'Brien test. pothesis. The hypothesis in the study of cryptog- If the court should nevertheless accept that the raphy is that the source code, which is the heart of government regulation does further an important any algorithm, is effective at maintaining the in- or substantial interest, the government must still tegrity of the confidentiality of a communication. meet the third prong of the O'Brien test, which In order for this hypothesis to be effectively states that the "incidental restriction on alleged tested, one must be able to use the tools, the only First Amendment freedom [s] is no greater than is tools which will allow the tests to be performed. essential to the furtherance of that interest."266 The courts have held that the alternatives must be The government asserts that this element is satis- "sufficiently similar to the method foreclosed by fied because the export of the software does not the regulation." 2 7 2 The hypothesis must be scruti- "preclude individuals from otherwise publishing nized by many within the academic community or discussing scientific ideas related to . . . crypto- before the hypothesis is considered factual and graphic algorithms."2 67 However, the govern- worthy of application. When the ability to effec- ment does point out that the distribution of en- tively communicate is threatened, the regulation 275 cryption on the Internet without "reasonable may be constitutionally inadequate. The gov- steps to confine the distribution of software to In- ernment's quashing of any substantive formula- ternet sites within the United States" will result in tion of hypothesis, in effect, destroys the entire a violation of the law.268 As stated earlier, the gov- science of cryptography. As result, the govern- ernment's only concern is with the functionality ment's policy is saying that you can study cryptog- of the source code and not the scientific ideas. raphy all you want, just don't produce any results. Therefore, the government contends that "ample Therefore, based on the fact that the regulations alternative channels of communication" remain remove ample alternatives to the study of cryptog- available. 269 The government also contends that raphy, the government's arguments fail the third cryptographic software that does not function to prong of the O'Brien test. maintain secrecy, an example being software that The fourth element of the O'Bien test whether 265 David Judson, Senators Want to Open Export Market for (1989). The government has consistently argued that nu- Security Software, GANNETT NEWS SERv., Mar. 5, 1996, at 1. merous channels currently exist. The existence of "courses 266 O'Brien v. United States, 391 U.S. 367, 377 (1968). on cryptography . . . routinely taught at dozens of colleges 267 Defendant's Memorandum of Points and Authorities and universities . . . and several textbooks on cryptography In Support of Defendant's Motion to Dismiss, or In the Alter- [which] have been published over the years" serve as support native, For Summary Judgment at 33, Karn v. United States for their assertion. Defendant's Opposition to Plaintiffs Mo- Dep't of State, 925 F. Supp. 1 (D.C. Cir. 1996). tion for a Preliminary Injunction at 12, Bernstein v. United 268 Defendants Memorandum of Point and Authorities States Dep't of State, 922 F. Supp. 1426 (N.D. Cal. 1996). 270 See 22 C.F.R. in Opposition to Plaintiffs Motion for a Preliminary Injunc- § 167 (1996); 22 C.F.R. § 121.1 tion and in Support of Defendant's Motion to Dismiss or in XIII(b)(1)(vi) (1996). the Alternative, for Summary Judgment at 33, Junger v. 271 Defendant's Opposition to Plaintiffs Motion for a Christopher, No. 96 CV 1723 (N.D. Ohio Aug. 7, 1996). The Preliminary Injunction at 1, Bernstein v. United States Dept of brief relies on the Declaration of WilliamJ. Lowell, the Direc- State, 922 F. Supp. 1426 (N.D. Cal. 1996). tor of the Office of Defense Trade Controls, Bureau of Polit- 272 Chesapeake & Potomac Tel. Co. v. United States, 42 ical-Military Affairs, United States Department of State. It is F.3d 181, 203 (4th. Cir. 1994) vacated and remanded on other important to note that the brief does not suggest what those grounds, 116 S.Ct. 1036 (1996). "reasonable steps" are. 273 See City Council v. Taxpayers for Vincent, 466 U.S. 269 Ward v. Rock Against Racism, 491 U.S. 781, 802 789, 812 (1984). 1997] FUTURE COMMUNICATIONS TECHNOLOGIES 149 the regulation is within the constitutional power ment regulation must be concerned with the com- does not warrant any deliberation. 274 The Arms municative impact of the alleged "substantive Control Export Act (ACEA) 275 and the Interna- evil." 2 8 2 In the Karn, Bernstein and Junger,the gov- tional Traffic in Arms Regulations (ITAR) 2 7 6 ernment's interest is focused upon the ability of clearly establishes that the President has been del- the recipient of the encryption source code to al- egated the authority under the law2 7 7 and the Ex- ter plaintext to ciphertext. This governmental in- port Administration Act (EAA) establishes that terest is clearly a content-based regulation. The the Secretary has authority under the law.2 78 Court has held that content-based restriction "will Therefore, the ITAR regulations and EAA regu- be upheld only if narrowly drawn to accomplish a lations that govern the export of encryption compelling governmental interest."28 3 Therefore, software, specifically source code, should be not a regulation pertaining to a listener's or a reader's be examined as governing "expressive conduct" behavior from the communicative impact of the based on the fact that the regulations do not meet speech, receives a standard of review of the "most three of the four prongs of the O'Brien test. As a exacting scrutiny."2 8 4 result, source code should be analyzed as speech. A content-based restriction that is based upon a governmental licensing scheme is a form of prior 28 5 C. The Constitutionality of Regulating Source restraint. The ITAR regulations that govern Code as Speech the export of encryption software serves to pre- vent publication of encryption source code, which Once it has been determined that source code refers to a particular part of a computer language. is speech, the next analysis demands a determina- The EAA also establishes a licensing scheme tion whether the restriction is content-based or a which restricts the export of items that do not time, place and manner restriction. A time, place meet particular requirements. The source code or manner restriction may not have any reference may be published when governmental approval is to the content of the speech or stated by the granted and a license is issued.286 Governmental courts is content neutral.279 The standard for a licensing comes with a heavy presumption against time, place or manner restriction has been recog- its constitutional validity.2 8 7 The court established nized by the court in Community for Creative Non- in New York Times, that the "disclosure . . . will Violence, as being very similar in nature to the surely result in direct, immediate, and irreparable O'Brien test.28 0 Therefore, based upon the earlier damage to out Nation or its people."28 8 A restric- conclusions of the O'Brien tests, if the restrictions tion of this type will not be upheld if based solely were found to be content neutral they would fail a upon an "undifferentiated fear or apprehension time, place or manner test. of disturbance."28 9 The measuring stick that all A content-based restriction relates to whether content prior restraint cases are evaluated against the application of the restriction turns on the sub- is whether the speech presents a danger equal to stance or content of the speech. 281 The govern- "publication of sailing dates of transports or 274 See O'Brien test, supra note 203. (1971) (per curiam). 275 22 U.S.C. § 2778 (1994). 286 The proces that an encryption export application 276 22 C.F.R. § 120 (1996). goes through isrfurther support that the regulation is con- 277 22 U.S.C. § 2778(a) (1) (1994). tent-based. As each license application is reviewed by NSA 278 50 U.S.C.S. § 2409(a) (1) (1996) and other relevant agencies, they review the "content of the 279 Ward v. Rock Against Racism, 491 U.S. 781, 791 software to determine whether it is harmless . . . or danger- (1989). ous . . . and "the decision hinges entirely on what the re- 280 Clark v. Community for Creative Non-Violence, 468 viewer concludes about the content of the speech." Appeal U.S. 288, 298 (1984) (noting that the O'Brien test differs little Brief of the Appellant at 31, Karn v. United States Dep't of from the standard applied to time, place, or manner restric- State, appeal docketed, No. 96-5121 (D.C. Cir. Sep. 20, 1996). tions). 287 Carroll v. President & Comm'rs of Town of Princess 281 United States v. Kokinda, 497 U.S. 720, 754 (1990) Anne, 393 U.S. 175, 181 (1968). (Brennan J., dissenting). 288 New York Times, 403 U.S. at 730 (Stewart J., concur- 282 Schenck v. United States, 249 U.S. 47, 52 (1919). ring). 283 United States v. Grace, 461 U.S. 171, 177 (1983). 289 Cohen v. California, 403 U.S. 15, 23 (1971) (quoting 284 Boos v. Barry, 485 U.S. 312, 321 (1988). Tinker v. Des Moines Indep. Community Sch. Dist., 393 U.S. 285 New York Times Co. v. United States, 403 U.S. 713 503, 508 (1969)). 150 COM1ILAW CONSPECTUS [Vol. 5 number and location of troops."290 VI. ONE POSSIBLE WAY TO DEAL WITH The arguments advanced by the government in THE CRYPTO-GENIE the Karn case suggest that the restriction is based only upon a speculative fear. The assertion that There is no denying the fact that the Crypto- Mr. Karn's book "can be expected to result in far genie is out of the bottle and flourishing through- more actual use of encryption overseas, and out the world. The U.S. government's attempts, thereby complicate even more the signals intelli- up to this point, have fallen short. A quasi- gence mission of the United States" is based on mandatory program implemented on the In- two assumptions.29 ' The first assumption is that ternet, a worldwide network with no central inter- actual use of encryption overseas will not increase face, is doomed to a certain failure. But, by the without the export of U.S. encryption products. same token, a completely unguided and unregu- As advanced earlier, the number of foreign read- lated encryption policy is just as short-sighted. ily available encryption software products have The interests of law enforcement are tanta- risen sieadily and appear to be unaffected by the mount to the survival of any society. The poten- restrictions in the United States. The second as- tial for injury has only increased with the emer- sumption is that government's efforts will be fur- gence and growth of computer technology. What ther complicated by an increase in encryption was impossible to steal a few years ago, is now use. As of late 1994, the FBI was unable to point feasable with just a keystroke. Within a blink of to a single case where encryption had hampered an eye, a file cabinet worth of national security in- an investigation.29 2 The assumption is also based formation is in the hands of an adversary. How- on the conclusion that the law enforcement's ever, the effectiveness of law enforcement's efforts technology will not advance in step with the crimi- should not be based upon the yielding of one's nal technology. A former General Counsel for individual rights. If law enforcement was not re- NSA recently acknowledged that there were few strained to abide by one's personal rights, then institutions other then the government that had practices such as warrantless searches and non-evi- the energy and resources to make efficient en- dentiary hearings would be routine. This would cryption software and products.2"3 With the capa- undoubtedly bring about more "effective" law en- bilities and resources of no other private institu- forcement, but also at an enormous cost. tion, it is highly unlikely that the government's The solution must come in incremental stages efforts will be complicated now or in the forsee- to ensure success. The U.S. Government must re- able future. alize that in order for any long term encryption Therefore, based on the fact that the govern- policy to be successful, it must advance proposals ment's rationale for the licensing of encryption that recognize the structure of the Internet. At- software for export is founded purely on an undif- tempts to govern the Internet through multina- ferentiated fear, this form of prior restraint must tional agreements are inappropriate.294 The In- be found unconstitutional. ternet does not recognize borders or countries. 290 Near v. Minnesota, 283 U.S. 697, 716 (1931) (holding best interest. A recent example in France serves as an ample that the danger of war allows for limitations upon certain warning. During the administration of Francois Mitterrand, content of speech). over 1,500 people were illegally wiretapped. Yves LeRoux, 291 Reply Memorandum in Further Support of Defend- Representative from French Office of Digital Equipment, Re- ants' Motion to Dismiss, or in the Alternative, for Summary marks at the Annual International Cryptography Institute Judgment at 6, Karn v. United States Dep't of State, 925 F. Conference (Oct. 26, 1996). Some of the illegal wiretaps in- Supp. 1 (D.C. Cir. 1996). cluded Edqy Plenel, a journalist who broke the story that 292 Hoffman, supra note 6, at 5.1. French agents were responsible for the bombing of the Greenpeace ship Rainbow Warrior in New Zealand in 1986. 293 Stuart Baker, General Counsel of NSA, Remarks at Another unsuspecting individual was Franois Froment- the Fourth Annual Conference on Computers, Freedom and Meurice, the deputy leader of the opposition party. See Dave Privacy, session entitled "Data Encryption: Who Holds the Banisar, French Wiretapping Scandal Leads 4o Electorial Defeat, Keys?" at the John Marshall Law School, Chicago (Mar. 24, (visited Oct. 20, 1996) Therefore, unless every country that has access to search Council, "[are] not appropriate at this the Internet is able to agree upon the standards, time" and "[are] likely to have a significant impact the U.S. government must advocate a predomi- on the natural development of applications." 2 9 5 nately domestic agenda with regards to control- Lastly, from a strictly policy perspective, advocat- ling the ill effects of encryption. ing the control of society's technology when the The first stage is to establish a truly voluntary key capabilities of law enforcement are limited as a re- escrow system with limited governmental involve- sult of its growth is simply unwarranted. One of ment. The finite governmental involvement law enforcement's primary responsibilities is to should be in the form of advocating the establish- keep up with the criminal element in our society, ment of standards and nothing else. This open- and this should not be achieved by expecting the ended program will allow for the encryption in- rest of society to become technologically stagnant. dustry to explore a variety of different concepts At this point, it is critical to emphasize that it is and eventually produce encryption systems that absolutely fundamental that law enforcement con- will be compatible with any type of product. Un- tinues to use all of its available resources to neu- doubtedly, the business community will be more tralize criminal activities. These resources can receptive to the products because of the unintru- come in the form of continued research and im- sive nature of governmental involvement and the provement of encryption capabilities or the im- ease of compatibility promises the least amount of provement of other areas of intelligence methods. lost revenue. As a result, as the business commu- Long-range bugging devices, satellite imaging and nity embraces the open-ended encryption prod- relay devices are only a few of the devices that pro- ucts, individuals within society will have no choice vide some of the same information, without the but to accept what the market has produced. This enormous costs upon one's individual rights. 296 It will also be extremely advantageous to the law en- has also long been recognized that signal intelli- forcement community since it will not need to un- gence, who talks to whom, is in itself of significant derstand a number of different systems and prod- value.2 9 7 The capabilities of existing technolo- ucts. gies, integrated services digital network (ISDN), At first blush, this proposal may appear to be provides information about who called whom, quite similar to the current initiative proposed by when and how long the communication took the White House. However, it is in fact, quite dis- place.29 8 Therefore, just as we should, not be similar. First, research and development would asked to use weaker locks on our doors, we should be conducted completely independent of govern- not be expected to use weaker encryption on our mental control. This would allow for industry to communications. focus its efforts and precious resources on estab- Stage two will comprise the development of a lishing a secure form of communication, instead law enforcement structure to effectively combat of focusing on the development of a key recovery criminal aspects of our society that utilize encryp- system that allows government to have access com- tion but preserving the rights afforded by the First munications. Second, would be the sizable differ- Amendment. ence in the rate of penetration of encryption tech- A possible remedy to the Crypto-genie is deal- nology absent governmental involvement. Based ing with it in the same manner law enforcement in part on some of the aforementioned incidents currently deals with obtaining a warrant for a involving governmental abuse, the general public wiretap or searching one's house. In the case of is quite suspicious of programs that involve the an encrypted computer communication, the of- government and "national security." Governmen- ficer would obtain independent evidence that par- tal involvement, through programs like key es- ticular conversations between two parties were of crow or key recovery, as stated by the National Re- a criminal nature. Upon court authorization, the 295 National Research Council, Report on Cryptography's 297 Peter Coffee, Privacy Defies Digital Designers, PC WK., Role in Securing the Information Society, (Pre-publication copy, July 3, 1995, at 56. Nat'l. Acad. Press 1996). 298 See generally, The Administration's Clipper Chip Key 296 Michael Johnson, Data Encryption Software and Techni- Escrow Encryption Program: Hearings on S. J-103-55, Before cal Data Controls in the United States of America (visited Jan. 25, the Subcomm. on Technology and the Law at 40, 103rd 1997) officer would be granted permission to super en- that some degree of centralization to exist on the crypt or encrypt on top any messages between the Internet, which will inevitably lead to abuse.299 two alleged parties. The super encryption would This approach serves as a realistic solution to a cause the message to be unreadable by the either problem that can never be totally controlled. party of the communication. Either party to the New and innovative technology is developed eve- communication would then be given the opportu- ryday which will restructure this debate for many nity to contest the seizure within a prescribed pe- years to come. An example is a software product riod of time. If the seizure is contested, the party called Power One-Time Pad (POTP), which pro- to the communication would have to prove by a vides for encryption without the use of any minimal standard that the communication was keys.300 It synchronizes random processes on two not of a criminal nature. The procedure could be computers as they communicate. Each sequence done in camera, to protect any privacy concerns. of communication is encrypted with a different Should the moving party be unable to meet his or set of random processes. This system also her burden, the officer would be able to use any removes any need for knowledge of another's and all available means to decrypt the communi- keys. However, as stated a number of times cation. This procedure would allow parties to before, this product like so many other new prod- communicate without the fear that any particular ucts because of its high key bit length, is in viola- message could be intercepted and read without tion of export regulations and as a result this tech- any notice and opportunity of a hearing. nology will be kept from the public. This Unfortunately, this recommendation does suf- products serve as only one example of how tech- fer from the inability of providing law enforce- nology dictates the policy concerning cryptogra- ment with "real-time" access. However, the utiliza- phy. In conclusion, one can only hope that the tion of doors, locks and alarm systems have also debate will continually be guided by the words of contributed to law enforcement's inability to have Justice Brandeis who stated that, " [t] he right to be "real-time" access, but we have not limited how so- left alone - the most comprehensive of rights ciety may utilize these devices to protect their and the most valued by civilized men."o3 0 rights. Further, to rely upon a certification sys- tem, as proposed by the government, demands 299 SeeJohn Gilmore, Clipper III Analysis (visited Jan. 25, stead decision the Supreme Court held that wiretapping evi- 1997)