Press Releases: February 1995
555 West 57th Street
New York, NY 10019
Dear 60 Minutes,
Your February 26 story on computer security missed the most important point
-- the United States Government requires network providers to keep their
systems easily exploited. Encryption would enable companies to thwart
unwanted intrusion by disguising the content of messages, making the
messages virtually unreadable to anyone who does not possess the decryption
key. Computer intruders would not be able to steal passwords or credit
card information because they would not be able to read the data.
Furthermore, encryption helps authenticate users by making it difficult to
forge information used to identify messages.
But network security poses an interesting threat to U.S. law enforcement.
If the system is secure, how can the National Security Agency intercept the
messages of evil terrorists? Rather than "ramp up" their own law
enforcement techniques, the NSA and others have made a requirement that the
networks "dumb down" to their level. Such antiquated Cold War thinking has
resulted in the State Department refusing to remove encryption from the
U.S. Munitions List, -- where it currently sits right alongside
flamethrowers and B-1 bombers -- severely restricting its legal use on
international networks like the Internet.
The Electronic Frontier Foundation has just filed a lawsuit challenging the
the current Arms Export Control Law on First Amendment grounds. (The press
release is included.) Hopefully, this will open the door for technological
solutions to protecting security that are currently available but remain
Director of Legal Services
First Amendment Protects Information about Privacy Technologies
In a move aimed at expanding the growth and spread of privacy and security technologies, the Electronic Frontier Foundation is sponsoring a federal lawsuit filed today seeking to bar the government from restricting publication of cryptographic documents and software. EFF argues that the export-control laws, both on their face and as applied to users of cryptographic materials, are unconstitutional.
Cryptography, defined as "the science and study of secret writing," concerns the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception. Although the science of cryptography is very old, the desktop-computer revolution has made it possible for cryptographic techniques to become widely used and accessible to nonexperts.
EFF believes that cryptography is central to the preservation of privacy and security in an increasingly computerized and networked world. Many of the privacy and security violations alleged in the Kevin Mitnick case, such as the theft of credit card numbers, the reading of other people's electronic mail, and the hijacking of other people's computer accounts, could have been prevented by widespread deployment of this technology. The U.S. government has opposed such deployment, fearing that its citizens will be private and secure from the government as well as from other vandals.
The plaintiff in the suit is a graduate student in the Department of Mathematics at the University of California at Berkeley named Daniel J. Bernstein. Bernstein developed an encryption equation, or algorithm, and wishes to publish the algorithm, a mathematical paper that describes and explains the algorithm, and a computer program that runs the algorithm. Bernstein also wishes to discuss these items at mathematical conferences and other open, public meetings.
The problem is that the government currently treats cryptographic software as if it were a physical weapon and highly regulates its dissemination. Any individual or company who wants to export such software -- or to publish on the Internet any "technical data" such as papers describing encryption software or algorithms -- must first obtain a license from the State Department. Under the terms of this license, each recipient of the licensed software or information must be tracked and reported to the government. Penalties can be pretty stiff -- ten years in jail, a million dollarcriminal fine, plus civil fines. This legal scheme effectively prevents individuals from engaging in otherwise legal communications about encryption.
The lawsuit challenges the export-control scheme as an ``impermissible prior restraint on speech, in violation of the First Amendment.'' Software and its associated documentation, the plaintiff contends, are published, not manufactured; they are Constitutionally protected works of human-to-human communication, like a movie, a book, or a telephone conversation. These communications cannot be suppressed by the government except under very narrow conditions -- conditions that are not met by the vague and overbroad export-control laws. In denying people the right to publish such information freely, these laws, regulations, and procedures unconstitutionally abridge the right to speak, to publish, to associate with others, and to engage in academic inquiry and study. They also have the effect of restricting the availability of a means for individuals to protect their privacy, which is also a Constitutionally protected interest.
More specifically, the current export control process:
* allows bureaucrats to restrict publication without ever going to court;
* provides too few procedural safeguards for First Amendment rights;
* requires publishers to register with the government, creating in effect a "licensed press";
* disallows general publication by requiring recipients to be individually identified;
* is sufficiently vague that ordinary people cannot know what conduct is allowed and what conduct is prohibited;
* is overbroad because it prohibits conduct that is clearly protected (such as speaking to foreigners within the United States);
* is applied overbroadly, by prohibiting export of software that contains no cryptography, on the theory that cryptography could be added to it later;
* egregiously violates the First Amendment by prohibiting private speech on cryptography because the government wishes its own opinions on cryptography to guide the public instead; and
* exceeds the authority granted by Congress in the export control laws in many ways, as well as exceeding the authority granted by the Constitution.
If this suit is successful in its challenge of the export-control laws, it will clear the way for cryptographic software to be treated like any other kind of software. This will allow companies such as Microsoft, Apple, IBM, and Sun to build high-quality security and privacy protection into their operating systems. It will also allow computer and network users, including those who use the Internet, much more freedom to build and exchange their own solutions to these problems, such as the freely available PGP encryption program. And it will enable the next generation of Internet protocols to come with built-in cryptographic security and privacy, replacing a sagging part of today's Internet infrastructure.
Lead attorney on the case is Cindy Cohn, of McGlashan and Sarrail in San Mateo, CA, who is offering her services pro-bono. Major assistance has been provided by Shari Steele, EFF staff; John Gilmore, EFF Board; and Lee Tien, counsel to John Gilmore. EFF is organizing and supporting the case and paying the expenses.
Civil Action No. C95-0582-MHP was filed today in Federal District Court for the Northern District of California. EFF anticipates that the case will take several years to win. If the past is any guide, the government will use every trick and every procedural delaying tactic available to avoid having a court look at the real issues. Nevertheless, EFF remains firmly committed to this long term project. We are confident that, once a court examines the issues on the merits, the government will be shown to be violating the Constitution, and that its attempts to restrict both freedom of speech and privacy will be shown to have no place in an open society.
Full text of the lawsuit and other paperwork filed in the case is available from the EFF's online archives. The exhibits which contain cryptographic information are not available online, because making them publicly available on the Internet could be considered an illegal export until the law is struck down. The non-cryptographic exhibits and other documents including the complaint, as well as a series of letters between Bernstein and various government people regarding crypto export are available at:
Press contact: Shari Steele, EFF: firstname.lastname@example.org, +1 202 861 7700.
For further reading, we suggest:
The Government's Classification of Private Ideas: Hearings Before a
Subcomm. of the House Comm. on Government Operations, 96th Cong., 2d
John Harmon, Assistant Attorney General, Office of Legal Counsel,
Department of Justice, Memorandum to Dr. Frank Press, Science Advisor to
the President, Re: Constitutionality Under the First Amendment of ITAR
Restrictions on Public Cryptography (May 11, 1978). [Included in the
above Hearings; also online as http://www.eff.org/pub/EFF/Policy/Crypto/
Alexander, Preserving High-Tech Secrets: National Security Controls on
University Research and Teaching, 15 Law & Policy in Int'l Business 173
Cheh, Government Control of Private Ideas-Striking a Balance Between
Scientific Freedom and National Security, 23 Jurimetrics J. 1 (1982)
Funk, National Security Controls on the Dissemination of Privately
Generated Scientific Information, 30 U.C.L.A. L. Rev. 405 (1982)
Pierce, Public Cryptography, Arms Export Controls, and the First
Amendment: A Need for Legislation, 17 Cornell Int'l L. J. 197 (1984)
Rindskopf and Brown, Jr., Scientific and Technological Information and
the Exigencies of Our Period, 26 Wm. & Mary L. Rev. 909 (1985)
Ramirez, The Balance of Interests Between National Security Controls and
First Amendment Interests in Academic Freedom, 13 J. Coll. & U. Law 179
Shinn, The First Amendment and the Export Laws: Free Speech on
Scientific and Technical Matters, 58 Geo. W. L. Rev. 368 (1990)
Neuborne and Shapiro, The Nylon Curtain: America's National Border and
the Free Flow of Ideas, 26 Wm. & Mary L. Rev. 719 (1985)
Greenstein, National Security Controls on Scientific Information, 23
Jurimetrics J. 50 (1982)
Sullivan and Bader, The Application of Export Control Laws to Scientific
Research at Universities, 9 J. Coll. & U. Law 451 (1982)
Wilson, National Security Control of Technological Information, 25
Jurimetrics J. 109 (1985)
Kahn, The Codebreakers: The Story of Secret Writing. New York:
Macmillan (1967) [Great background on cryptography
and its history.]
Relyea, Silencing Science: national security controls and scientific
communication, Congressional Research Service. Norwood, NJ:
Ablex Publishing Corp. (1994)
John Gilmore, Crypto Export Control Archives, online at