Slashdot Mirror
US Crypto Export Laws Ruled Unconsitutional
An anonymous reader sent us a story over at news.com
that proclaims some joyous news: The a US appeals court has ruled
Export Laws Unconstitutional.
Excellent.
← Back to Stories (view on slashdot.org)
The public reason was that, supposedly, American-developed crypto was the best in the world, and letting it get into the hands of the "enemy" (which changed, depending on when and who you were talking to), was a Bad Thing. Since crypto developed outside the U.S. has gotten to be as good, that explanation has gotten incredibly weak. Many people put it up to inertia that the rules haven't changed. There's probably also an element of "We know what's best for you" from the government, and hiding things from the government is perceived to be bad (by the government, anyway).
I have also heard, with little support, that the gvmnt is worried that strong crypto will be used to enhance the underground economy, making it harder for the gvmnt to track (and presumably tax) money flows.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
This is a wonderful result. Source code is a method of communication - of expression - and thus protected by the 1st ammendment. The compiled binary is a tool, serving simply a funtional purpose. My reading is that the source code can now be exported but binaries can't. If this holds, any company wanting to export strong crypto must do so in source form. And the source form must be readable and understandable by other people, in other words, it can't be obfuscated code. This is not only a big win for cryto and free speech, but also for OSS.
...Linux!
Andrew
--
"You never know when some crazed rodent with cold feet might be running loose in your pants."
-Calvin
"Besides which, maybe exporting strong crypto isn't that great of an idea in the first place. Anybody care to comment?"
I'm not sure that the issue is *solely* one of exporting crypto, per se.
If strong crypto was truly considered to be a national security issue, it would be illegal to publish the source code in a paper book, as well. It is not so much the that encryption is or is not a national security issue, though, but that the laws regarding the export of strong encryption are oxymoronic and effectively unenforcable. Since nothing prevent someone from printing the source code to an encryption routine and then mailing it overseas, there is, essentially, no real restriction at all. If someone really wants to use that routine, having to type it in by hand is only a minor inconvenience.
That bit aside, there are at least two reasons offhand why I consider these export restrictions to be a bad idea.
1. The US does not have any kind of unique position with regards to strong encryption. It is possible (and very easy) to acquire encryption tools at least as strong as any available within the US. If someone wants strong encryption, they will get it somewhere, whether the US likes it or not.
2. As a result of (1), the US is placed in the position of being unable to effectively compete on an international arena where any strong encryption is concerned.
Nunc Tutus Exitus Computarus.
Their arguments against the export:
First, it is not at all obvious that the government's view
reflects a proper understanding of source code. As noted ear-
lier, the distinguishing feature of source code is that it is
meant to be read and understood by humans, and that it
cannot be used to control directly the functioning of a com-
puter. While source code, when properly prepared, can be eas-
ily compiled into object code by a user, ignoring the
distinction between source and object code obscures the
important fact that source code is not meant solely for the
computer, but is rather written in a language intended also for
human analysis and understanding.
Second, and more importantly, the government's argu-
ment, distilled to its essence, suggests that even one drop of
"direct functionality" overwhelms any constitutional protec-
tions that expression might otherwise enjoy. This cannot be so.16
The distinction urged on us by the government would prove
too much in this era of rapidly evolving computer capabilities.
The fact that computers will soon be able to respond directly
to spoken commands, for example, should not confer on the
government the unfettered power to impose prior restraints on
speech in an effort to control its "functional " aspects. The
First Amendment is concerned with expression, and we reject
the notion that the admixture of functionality necessarily puts
expression beyond the protections of the Constitution.
First of all, there is the inevitable appeal to the U.S. Supreme Court which (IHMO and IANAL) has generally been sensitive to national security concerns in such a way that a conservative ruling is more likely than the (again, IMHO) liberal ruling of the appellate court.
Secondarily, following the unsafe assumption that the Supreme Court would uphold the appeals court decision, if Congress could still pass a more specific law as to when crypto software can and cannot be exported , using the previous court judgement to refine the law. If the Free Speech == crypto exports lawsuit is brought up again, it would then need to again go through the whole process of trial and appeals all over again.
...(momentary pause -- I'm putting on my asbestos underwear)...
Besides which, maybe exporting strong crypto isn't that great of an idea in the first place. Anybody care to comment?
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
What's the bet that the US government knew that the export laws could be appealed on constitutional grounds, but went ahead and got all these countries (including my own, Australia) to sign the Wassenar agreement.
:P :)
So... now the US can quite legimately claim that it can't honour the agreement because of the constitutional appeal, giving US software companies an advantage over all the poor countries that were duped into signing over their rights (and most of us don't have those sort of clauses in our own constitution).
Thanks, guys!
"...software is considered language, and therefore the export limits violated Bernstein's free speech under the First Amendment."
If that interpretation is upheld and accepted as precedent, it could have HUGE implications for people who write software in the U.S.
For example, if your state government passed a law prohibiting the writing of malicious code (i.e. virus, worm, trojan), First Amendment protection could make the law unconstitutional. The act of distributing the virus/worm/trojan could probably be prohibited, though.
IANAL and this post is all conjecture on my part, but I am VERY interested in seeing how this plays out.
Save the whales. Feed the hungry. Free the mallocs.
The text of the opinion is now available at the 9th Circuit website.
Agreed this is a remarkable and exciting result. agreed that this is quite likely to go up, given the stakes involved. For now, however, I will withhold further comment until I have had a chance to study the opinion.
It is important to note the narrow scope of the holding, despite all the yummy language:
"We emphasize the narrowness of our First Amendment holding. We do not hold that all software is expressive. Much of it surely is not. Nor need we resolve whether the challenged regulations constitute content-based restrictions, subject to the strictest constitutional scrutiny, or whether they are, instead, content-neutral restrictions meriting less exacting scrutiny. We hold merely that because the prepublication licensing regime challenged here applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint on speech."
Slip Opinion at 4241.
The significance of this limiting language should not be overlooked. While the court did, in dicta (non-precedential commentary) reach out into the nether areas of whether government may try to slow the use of encryption, that was not the limited holding which is the crux (and legally binding effect) of the opinion.
Indeed, there is some risk that the opinion might be understood as a roadmap for drafting revised regulations or legislation that would permit the particular conduct encouraged by Bernstein (scientific inquiry) as a sort of "fair use," but preclude any other uses of encryption, which is among the Government's principal goals. [Replacing the prior restraint licensing, for example, with severe penalties for improper disclosure after the fact, with narrow exceptions for "academic and scientific" expression. Indeed, limiting regulation to use and transmission of object code and non-expressive transmission of source code might go a long way to slamming down much of what the government wants to slam while passing muster, perhaps, even with this court.]
Many roads before this will be over with: possible en banc review before the entire 9th Circuit, possible appeal to the Supreme Court. Possible dumping of the statute for more technically acceptable, yet equally egregious legislation.
But it is nice to see that we are no longer spitting into the wind, legally speaking. Dicta or no dicta, this opinion gives counsel for prospective cypherpunks a lot with which to go to bat. I am also encouraged with the hints that the Fourth Amendment is also implicated by crypto regulation!
By the way, some people commented earlier that the court's "liberal" opinion would be disregarded by the Supreme Court. I think not, at least not by lockstep ideology (although they might reverse). Arguably the most conservative voice on the bench, Justice Antonin Scalia is a powerfully strong First Amendment advocate, almost to the point of being absolutist. Don't forget that this is the same conservative court that twice shut down Flag Burning statutes.
> Down under in Australia, we were recently
... first of all, the issue is not whether crypto should be exported; the issue is whether we should have it at all. The export thing is just a dodge; the FBI/NSA would love to restrict domestic crypto, it's just politically infeasible. We can easily see that there are plenty of threats within the US. Also, there can be no hedging over key length or cipher type; allowing "weak" crypto is equivalent to not allowing it at all. Computers, algorithms and money all change over time; we have to assume that if someone can break a code, others can too.
> treated to a leaked report from ASIO ( our
> equivelent of the FBI ) that flatly stated that
> there was no point in passing laws to prevent
> criminals from using encryption technology,
> since being criminals, they don't obey the law
> anyway.
I read the report, but unfortunately I don't remember exactly what it said. However, the situation is not QUITE as simple as this. On the face of it, this argument could be used against any law whatsoever.
The idea of these laws is not to simply say "thou shalt not use crypto", but actually make it harder to get access to good crypto. In the age of the Internet, however, this is not effective. (This is where the situation starts to diverge from the analogous situation of gun control laws.)
Clearly the NSA knows this. I think (and I'm not alone) that the real purpose of the export laws is to simply slow down the adoption of cryptography everywhere (including domestically), so that for as long as possible the NSA will be able to monitor the general populace. Obviously serious terrorists, foreign governments etc have already secured themselves.
As for whether exporting crypto is good
Given that, the prospect of people using crypto to, e.g., anonymously publish designs for cheapo biological, chemical and nuclear weapons terrifies me. However, without crypto, "information warfare" attacks on computers and infrastructure also terrify me, and so does the potential for the Internet as the ultimate surveillance tool. Pick your poison. Personally, I think that if we get to the point where readily available technology poses a threat to the future of the human race, then we can transition to a total police state. There is no point in getting there ahead of time.
BTW, I spent quite a bit of time in Australia working on TTSSH. Good thing their export regime leaks like a sieve.