Encryption Export Policy

Victor H. BouganimWCL, American University

What is encryption?What is encryption?

Encryption is the art or science of transforming a message to a hidden script using ciphers, so unwanted persons cannot read the message.

Encryption can vary in complexity from the easily-cracked to the practically impossible to crack.

Encryption methods can be traced back to ancient history, including some references in the Bible. For instance, Julius Caesar used encryption to hide his

military messages. Caesar’s Cipher: Go four letters ahead of the actual letter

you want to encrypt.For example, LAW becomes ODZ.

Encryption Terminology

plaintext cyphertextEncryption

Key orAlgorithm

Encryption

Decryption

Public Key Encryption

This method of encryption is a critical technology

in electronic commerce - digital signature.

Purposes of Encryption

Ensures confidentiality/privacy of one’s message.

Ensures authenticity of a message.Ensures the integrity of the contents

of a message.Protects access and use of software

and networks.

Balance of Interests

Privacy

Law Enforcement

National Security

E-Commerce Promotion

Governmental Motivations

Collect evidence of crimes

Protect National Security

Monitor radical factions

Class DiscussionClass Discussion

Should government surveillance devices be so far advanced of commercial technologies?

To what extent should encryption technology be controlled by the government?

ITAR

International Traffic in Arms Regulations, 22 U.SC. 120 et. seq.

Section 124, U.S. Munitions List, prohibits the exporting of encryption technologies without State Dept. approval.

According to new rules, effective from 1997, the regulatory authority of non-military encryption technologies is now the Commerce Dept. - Bureau of Export Administration.

AECA

Arms Export Control Act, 22 U.S.C 2778.Also treats encryption technology in the

same way as physical weapons, i.e., export is prohibited without authorization.

New regulations released on January 2000 relaxed the licensing requirements for most encryption technologies.

However, the new regulations still restrict some types of encryption methods.

Encryption Export Control

All encryption products are presumed controlled for export.

Exporters may not "self-classify" encryption products.

Exporters must obtain a formal classification determination for encryption products from BXA.

Exporters should obtain a ruling that the encryption products are not controlled.

Encryption Export ControlNew US Policy, Jan 2000

Certain products with encryption features are released from control: Products in which the encryption features are limited to

authentication and digital signatures "Retail" encryption products are widely exportable to all

but certain "terrorist" nations

Encryption products with less than 64-bits are freely exportable.

Notice to the government and review by BXA are still valid in most cases.

New US Policy, Jan 2000

The new regulations do not de-control encryption or remove complex requirements.

Some types of encryption are still restricted.

Concerns: these requirements may prove daunting to many individuals and businesses.

Encryption Cases

Karn, 1996 – 1999 Programmer who wrote software based on a book

and requested to export it.

Bernstein, 1996 – 2000 Mathematician who wrote software as part of an

academic work and requested putting it on his website.

Junger, 1998 – 2000 Law teacher who requested inclusion of encryption

software on a website as part of a course.

Encryption Cases - Issues

Is the control of encryption by government an unconstitutional restraint on freedom of speech?

Different treatment of print and electronic forms: Is it justified?

Does putting materials on a website constitute an act of exportation?

Is it effective, in the current global exchange of information, to achieve control over encryption?

Phil Zimmerman Case

In 1976, a new kind of cryptography was invented – Public Key Encryption.

One can encode a message with the recipient's public key so that only they can decode it with their private key.

Zimmerman wrote a shareware program known as PGP (Pretty Good Privacy).

Zimmerman was prosecuted by the U.S. Customs Dept. for uploading his encryption program to the Internet without a license.

Bernstein Case - 1

In 1990, Daniel J. Bernstein, a graduate student in mathematics at the University of California at Berkeley, designed Snuffle, an encryption system.

Bernstein wanted to publish a paper regarding his inventions, together with software implementing his methods, but was told he needed State Dept. approval.

Brought his case against the State Dept. Court granted an injunction against prosecution of

Bernstein or any other person for discussing/exporting Snuffle source code, but denied the broader injunction requested.

Bernstein Case - 2

176 F.3d 1132 (9th Cir. 1999)Judge Fletcher affirmed the District

Court’s finding that the EAR regulations were facially invalid as a prior restraint on speech.

But note Judge Nelson’s strong dissent arguing that encryption source code is not expression but a functional tool.

Junger v. Daley

Opinion filed April 4, 2000, 6th Cir. Junger is a professor at Case Western School of Law. Junger maintains sites on the Web. He wants to

publish encryption source code on his site to demonstrate how computers work.

Such a posting is defined as an export under the regulations.

Junger claims encryption source code is protectable speech under the 1st Amendment.

Summary judgment for government reversed, remanded to District Court to determine constitutional challenge.

Class DiscussionClass Discussion

The EAR amendments make distinctions between printed source code and source code within electronic media – should the medium matter?

Should the government have all the keys to private encryption technologies?

Is encryption protectable free speech, or is it purely functional?

Can government control the flow of encryption worldwide?

International Encryption Policy

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-use Goods and Technologies.

Established to promote transparency, exchange of views and information, and greater responsibility in transfers of sensitive technologies.

33 co-founding countries including: US, EU countries, Japan, Canada, Australia …

Began operations in September 1996.Agreed international policy on encryption.