Last Thursday the U.S. Court of Appeals for the Ninth Circuit agreed with them.
The case is far from over; an appeal is bound to follow. But what has happened so far is a remarkable story of outsiders who ignored long odds because they were convinced that the law, not to mention morality, was on their side. In the process, the government is facing the possibility of losing its most effective means of keeping strong privacy codes out of the mainstream.
It all began in 1990, when Bernstein, then a New York University undergraduate, heard about a paradox. It was well known that the United States forbids export of strong encryption programs (which protect information by scrambling messages so eavesdroppers–and wiretappers–can’t read them ), correctly assuming that since software companies rely on foreign sales, they won’t include the restricted stuff in their products. This ensures that strong encryption won’t be built into ubiquitous products like e-mail software; the government is then happy because it can read the mail of potential terrorists and foes. But Bernstein also learned that the government permitted the export of a similar class of programs that don’t perform actual encryption. To prove the silliness of the regulation, he wrote Snuffle, a program that transformed those programs to encryption programs. “Then I got worried,” he said. “The government might not be happy with this.” He put the program aside.
In 1992 as a grad student at Berkeley, however, Bernstein decided to seek official permission to publish Snuffle on the Net, which of course reaches a global audience. But as he dealt with bureaucrats from State to the National Security Agency, he found only frustration. Apparently his only recourse was to register as a munitions dealer and apply for an export license… and probably be turned down.
Then he hooked up with Gilmore, an early supporter of the Electronic Frontier Foundation. Gilmore had been waiting for someone to challenge the export regulations. Bernstein, who had carefully documented his Alice-in-Wonderland experiences with the export cops, “was the perfect plaintiff,” says Gilmore. Cohn, a Gilmore friend interested in free-speech issues, agreed to take the case pro bono. (The legal effort, coordinated by the EFF, would come to include other lawyers, civil-liberties and industry groups and interested individuals.) In 1995 they filed with District Court Judge Marilyn Patel. At the center of their case was the contention that computer source code was constitutionally protected speech that should not be blocked by a convoluted bureaucratic process. The government filed for a dismissal and had every reason to believe it would be granted. Since the regulations ostensibly protected national security–officials insisted that if bad guys used codes, we’d be at risk–neither the courts nor Congress had dared to demand their demise.
But Patel rejected the government request, affirming that computer code could be speech. And in 1997 she ruled in favor of Daniel Bernstein (who by then was a Ph.D. teaching at the University of Illinois in Chicago).
Experts yawned. This was but a single judge–in northern California, no less. The appeals court would be a harder test. But in oral arguments, the judges listened carefully to Cindy Cohn, who forcefully cited the recent Supreme Court decision determining that the Internet–where Dan Bernstein wanted to publish Snuffle–was entitled to the highest degree of speech protection. Still, who knew if the three Ninth Circuit judges would buck the government on a national-security issue?
Not only did they do so (by a 2-1 margin), but they released a broad, powerful opinion. Cryptography, it said, should be not merely a state secret, but also a protector of the people’s privacy. In an age when our communications are committed to bits flashing by where snoops can grab them, folks need crypto to secure their records, their business plans and their intimate thoughts. “Government attempts to control encryption…,” wrote Judge Betty Fletcher, “may well implicate not only First Amendment rights of cryptographers… but also the constitutional rights of each of us as potential recipients of encryption’s bounty.”
Those opposing the crypto export regs are exuberant. They have long contended that since strong codes are available overseas anyway, the rules punish only American software firms that want to sell security to their customers–and citizens who want privacy built into their systems. “The dam is breaking,” crows Wes Wasson of Network Associates, which distributes the PGP crypto program. The government’s best recourse may be a full explanation, with supporting evidence, of why these complicated export laws are indeed essential to the national security. So far such concrete justification has not been required. Now it is. The lawyer, the hacker and the student have made it so.
