
Bernstein wins, sort of

October 22, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Not with a bang, but a whimper. That's how Daniel Bernstein's fight with the federal government over cryptography regulations has wound to a close. It is an unsatisfying end to the eight years of court battles over the constitutionality of export restrictions on cryptography.

Bernstein may be better known to the community as the author of qmail, djbdns, ezmlm and a number of other popular (if not quite free) packages. Bernstein, now an associate professor in the department of Mathematics, Statistics, and Computer Science at the University of Illinois, first filed suit against the Department of State in 1995.

Before the first suit was filed, Bernstein was a PhD candidate working in the field of cryptography at the University of California at Berkeley. Bernstein had produced "Snuffle," a private-key encryption system, and in June 1992 requested a decision from the Department of State as to whether the source code could be published on the "sci.crypt" newsgroup. The response was that Snuffle was a "defense item" and that Bernstein would need licenses to export it. After additional correspondence over the next three years, Bernstein and the Electronic Frontier Foundation filed suit against the Department of State and a number of individuals. Bernstein argued that the International Traffic In Arms Regulations (ITAR), which required licensing for export of cryptographic software, were unconstitutional.

The Bernstein case produced a landmark ruling that recognized code as a form of speech. The Department of State asked Judge Marilyn Hall Patel to dismiss the case, arguing (among other things) that export controls on encryption software do not constitute a prior restraint of free speech. Patel, in refusing to dismiss the case, issued an opinion holding that source code is protected as speech under the First Amendment:

This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French... Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it... For the purposes of First Amendment analysis, this court finds that source code is speech.

Patel's ruling was the first to recognize source code as speech for the purposes of First Amendment analysis. Courts had previously recognized code as something that could be protected under copyright law, but not as communication protected under the First Amendment. Eventually, Bernstein won his case against the Department of State, with Patel agreeing with Bernstein in 1996 that the regulations were unconstitutional.

The victory, however, was short-lived. Regulation of encryption shifted from the Department of State under ITAR to the Commerce Department and a new set of regulations, the Export Administration Regulations (EAR). Bernstein challenged EAR, and Patel also found that the EAR was unconstitutional and enjoined the Department of State and the Commerce Department from enforcing it.

The government appealed and the Ninth Circuit upheld Patel's decision, finding that "encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive."

After failed appeals, the government changed the regulations and the case was remanded to Patel. Instead of requiring Bernstein or other crypto researchers to acquire a license for every viewer of the information, the government now wanted encryption items sent to the Bureau of Industry and Security (BIS) for export approval. However, the changes to EAR were still not satisfactory to Bernstein or the EFF, and the legal battles continued.

Unfortunately, in the U.S. judicial system, it is apparently not enough to merely show that a particular law may be unconstitutional. One must also show that the law in question may be used against you. Patel dismissed Bernstein's case against the Department of Commerce on July 28 of this year for lack of standing. Patel also dismissed Bernstein's case against the Department of State last week, after the Bush administration said it would not attempt to enforce some of the encryption export regulations.

Though Bernstein seems safe from prosecution, at least at the moment, the problem is that the export regulations remain on the books. There is nothing stopping the government from prosecuting others for violation of EAR at this time. Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.

Since this includes any distribution of software online, and even "technical assistance" with the development of encryption software subject to EAR, the EAR restrictions continue to pose at least a potential threat to open source developers working with encryption in the U.S. Violations of EAR could result in fines of up to $250,000 or ten years in prison, so the threat is not one to be taken lightly.

While it would be nice to believe that the regulations will be unenforced, it would have been a much better result if Bernstein could have succeeded in having them thrown out entirely. For now, we will have to settle for a partial victory.


overly restrictive reading of the EAR

Posted Oct 23, 2003 2:23 UTC (Thu) by roelofs (guest, #2599) (4 responses)

Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone.

That's incorrect. Open Source software (including associated binaries) is explicitly exempt from that rule under License Exception TSU, as noted in the 6 June 2002 clarification of section 740.13(e) of the EAR (see Federal Register, vol. 67, no. 109, p. 38857, middle of page):

c. Clarification of when a notification is required. i. Encryption source code that would be considered publicly available, and corresponding object code. This rule simplifies U.S. export treatment of encryption source code that would be considered publicly available, by allowing all such source code (and corresponding object code) to be exported and reexported under License Exception TSU once notification (or a copy of the source code) is provided to BIS, regardless of whether a fee or royalty is charged for the commercial production or sale of products developed using this software. Refer to § 740.13(e).

This exception is used by both Debian and Info-ZIP (although I seem to have forgotten to upload the updated notice to the latter site...I'll fix that soon). Note that other portions of the EAR provide the proper contact addresses and so forth. The relevant copy of the Register is available in PDF form from some US government site, but I've forgotten which one (LoC? BIS? check Google for "License Exception TSU" and/or "Federal Register").

Greg Roelofs

overly restrictive reading of the EAR

Posted Oct 23, 2003 7:40 UTC (Thu) by cate (subscriber, #1359) (2 responses)

IIRC Debian contacted the US government and now every package change (outside the non-US section) in Debian will send a notification to the US government. IIRC it took time before Debian would be legally able to put cryptographic software in main.

So, maybe everyone can export open source cryptographic software, but the bureaucracy is still so high that I wouldn't call it freedom.

overly restrictive reading of the EAR

Posted Oct 23, 2003 13:38 UTC (Thu) by zone (guest, #3633) (1 response)

http://www.debian.org/legal/cryptoinmain

It appears you can either notify the BXA when you add a program to the archive that incorporates cryptography, or when you add any new program and specify that cryptographic functionality may be added later. So it's more likely Debian only sends notification when new packages are added to the archive, not for every package change.

And I'm not sure what you mean by too much bureaucracy :-).

overly restrictive reading of the EAR

Posted Oct 23, 2003 15:37 UTC (Thu) by cate (subscriber, #1359)

Ok. I remembered incorrectly :-(. I was wondering how many notifications the kernel would send (one for every commit?). Thanks for the correction!

EAR/TSU links

Posted Oct 23, 2003 17:38 UTC (Thu) by roelofs (guest, #2599)

I wrote:

This exception is used by both Debian and Info-ZIP (although I seem to have forgotten to upload the updated notice to the latter site...I'll fix that soon). Note that other portions of the EAR provide the proper contact addresses and so forth. The relevant copy of the Register is available in PDF form from some US government site, but I've forgotten which one (LoC? BIS? check Google for "License Exception TSU" and/or "Federal Register").

The BIS notification page is here:

http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html

However, its link to the Federal Register is bogus; the correct one is:

http://w3.access.gpo.gov/bis/fedreg/ear_fedreg02.html#67fr38855

...and it also comes in WordPerfect and plain ASCII formats. I've also updated the Info-ZIP site with the current notification.

Greg Roelofs


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds