Free-speech advocates say revised encryption regulations fall short

Thursday, January 20, 2000

Three leading civil liberties groups claim that new encryption rules unveiled by federal regulators last week continue to infringe on the rights of cryptographers to develop and distribute the source code that scrambles electronic information.

“The rules are a step forward, but they are still too complex and leave too many questions unanswered,” said Barry Steinhardt, associate director for the American Civil Liberties Union, which joined the Electronic Frontier Foundation and the Electronic Privacy Information Center in a statement rebuking of the new rules.

“Now that the administration has tacitly admitted that it can't and shouldn't control the use of encryption, it should have announced a simple deregulation, rather than a regulatory maze,” he said.

Encryption experts contend that federal regulations violate their privacy and First Amendment free-expression rights to produce, use and distribute such messages.

But in the past government officials said they must restrict the distribution of strong encryption to prevent its export to other countries. They also have argued that encryption is merely a tool for scrambling electronic messages and not a means of expression.

Last week, the Clinton administration unveiled its revamped regulations overning the distribution of such data-scrambling software. The new rules removed nearly all restrictions on companies that sell encryption, even if some of their most powerful programs made their way overseas.

The technology industry praised the effort by the Commerce Department's Bureau of Export Administration, saying the changes should encourage widespread use of encryption. In hearings before Congress last year, industry officials testified that federal regulations forced U.S. companies to develop only weak encryption, since the online distribution of strong encryption might violate federal export laws.

Encryption pioneer Phil Zimmermann, creator of “Pretty Good Privacy” software or PGP, on Jan. 18 celebrated the new regulations by posting his popular program online. For years, computer users circulated PGP using the Internet, arguably a violation of federal export laws since its strength exceeded federal limits.

The Center for Democracy and Technology, which sponsored the Zimmermann event, agrees that the new regulations should improve the distribution of strong encryption. But group officials warned that many limits remain and that some of the new guidelines may be confusing.

“The bad news is that the regulations remain very complicated, and people still need to take care before sending strong encryption products abroad,” said Alan Davidson, staff counsel for the nonprofit group.

But the ACLU, EFF and EPIC in their joint statement contend the regulations are more than confusing. The regulations might encourage arbitrary licensing and enforcement, they say.

Specifically, the three groups say the regulations impose special restrictions on Internet speech, a violation of the U.S. Supreme Court's ruling in the 1997 case Reno v. ACLU, which said online speech enjoys a high level of protection. They note that the same information restricted online may be legally distributed here and abroad on a piece of paper or in a book.

The groups also contend that the regulations still leave programmers uncertain about whether they may post programming online.

For example, the new rules say: “You may not knowingly export or re-export source code or products developed with this source code to Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria.”

Although the rules further state that the mere posting of encryption software on a Web site that might be accessible by people in a restricted country doesn't constitute a violation, the groups say programmers can't be so certain.

They note that the rules continue to ban online instruction concerning the development or use of encryption.

That means the court case of Daley v. Junger, in which Ohio law professor Peter Junger is challenging restrictions barring his posting of encryption for a class he teaches, would be unaffected. The case is pending in the 6th U.S. Circuit Court of Appeals after a district judge ruled that source code is a tool not speech.

In another pending encryption case, the full 9th U.S. Circuit Court of Appeals is to hear Bernstein v. U.S. Department of Justice this spring.

Daniel Bernstein, a mathematician who challenged federal encryption laws, won at the trial level and a subsequent appeal.

David Sobel, general counsel for EPIC, said the revisions should improve distribution of encryption, but they leave much control in government hands “to the detriment of efforts to create a truly secure Internet.”

“It's time to remove the bureaucratic requirements and permit the free exchange of encryption.”

Eugene Cottilli, a spokesman for the Commerce Department, last week said in a telephone interview that officials weren't prepared to discuss whether the new regulations infringe on the First Amendment. Cottilli didn't return several calls to his office.

Phillip Taylor, a reporter for the Daily Press in Newport News, Va., is a free-lance correspondent for the First Amendment Center.