Now that U.S. crypto export policy is declared unconstitutional, what's next for RSA and Netscape?
Will decision lead to export of high-power cryptography products?
Judge Marilyn Patel ruled here, December 18, that mathematics professor Daniel Bernstein did not have to submit his encryption software to the government for export control, and could continue teaching his class on cryptography techniques at the University of Illinois at Chicago under the provision that computer language source code is protected under the First Amendment.
However, the effects of the ruling on the myriad of software companies which market encryption products, including Netscape Communications Corp. and RSA Data Security Inc., remain murky at best, observers said.
"There is a lot of uncertainty surrounding this case," said David Sobel legal counsel for the Electronic Privacy Information Center in Washington, D.C. "It would be a mistake for anyone to read the decision as a license to export high-power encryption products."
Cindy Cohn, the attorney who represented Daniel Bernstein, is equally reticent about the implications of the case. "All we know for sure is that Daniel can now teach his class," Cohn said. The decision in the Bernstein case by no means enables every small encryption company or computer science student to go ahead and start exporting encryption today, Cohn said. Each case would have to be individually considered in order to give "competent legal advice," she said.
On a legal level, a decision in a federal district court does not hold up across the nation and usually applies only to the case involved, Sobel said. However, since the ruling was on constitutional grounds, similar decisions could be made by other judges in other cases -- but judges are not required to uphold Patel's decision as a regulation, he said.
In fact, six months ago, a similar case was decided by a Washington, D.C. judge that ruled the encryption export laws constitutional. The so-called "Karn case" involved Phil Karn, an author who brought a case against the government when he was forbidden from exporting a book on encryption techniques that came with a disk of source code. Karn lost the case and was permitted only to export the book, but not the diskette, Sobel said.
Under existing U.S. laws, software companies can export encryption with key lengths of up to 56 bits -- but only if they agree to build a technology called "key escrow" into the products. Key escrow is a public key authentication system which stores a key to encrypted data with a trusted third party. Law enforcement officials would have the legal right to get access to these keys should they suspect criminal activity.
Free speech advocates argue that limits on export of encryption and the key escrow system restrict competitiveness of U.S. companies abroad since overseas companies are already making key escrow-free 128-bit encryption available.
"Our greatest concern is that the current proposals will continue to inhibit the export of mass market software with encryption," said Ken Wasch, president of the Software Publishers Association, an industry group that represents the business interests of over 1,200 worldwide software companies, including Microsoft Corp. The SPA has found that more than 500 encryption products are currently being produced in 67 countries.
"As these foreign products increase in number and improve in quality, U.S. companies will forever lose a foothold in this growing market," Wasch said.
The government, however, thinks that unrestricted export of highly-secure cryptography would enable terrorists and criminals to use the technology to threaten national security and commit international crimes.
Companies try to make sense of it all
Meanwhile, software companies are at a standstill when it comes to determining their next moves. Netscape, which has a 128-bit version of its browser encryption software for use within the U.S., is "still gathering information and ironing out all the details of the judge's decision" to figure out how it applies specifically to the export of browser products such as Navigator, said Chris Holten, a spokeswoman for Netscape.
RSA, a Redwood City, CA, encryption company, said it will not market its strongest products overseas until the legal implications of the ruling are cleared up, according to RSA president Jim Bidzos. However, Bidzos did call the ruling "the first rational statement concerning crypto policy to come out of any part of the government" and said he is hopeful the Bernstein case will encourage the government to strongly reconsider its plan.
Some of the complication stems from the wording of Judge Patel's ruling. While she said "source code" is protected under the First Amendment and can therefore not be regulated by the government, Patel did not specify whether "object code" (the executable form of computer programs which source code is automatically translated into) falls under the same realm. Thus, runable programs that contain object code, such as Netscape Navigator, may not be fully protected under the ruling, according to a statement from the Electronic Frontier Foundation, a civil liberties group.
In addition to being confusing on a legal interpretation level, the ruling will almost certainly be appealed by the government, observers said.
"I would expect that the government will be indicating their appeal intentions in the next few days," Sobel said. "This decision could be overturned very quickly and is just the beginning of an overall legal challenge to the export control regulations," he said. Referring to the Karn case, he said "we won one and we lost one, and now we just have to see where the appeals go."
The EFF is staunch on its stance that the ruling does have wide-reaching effects. "Everyone is free to export cryptography now," EFF's John Gilmore said. While only one person filed the case, Judge Patel's ruling makes part of the encryption export law invalid across the board, he said.
The Justice Department is reviewing the decision and will announce definitive plans soon, said Myron Marlin, a spokesman for the Justice Department. Quite the opposite of the EFF, the Justice Department does not see this as "an across-the-board decision at all," Marlin said. "That just isn't the way the federal court system works."
--Kristi Essick, IDG News Service, San Francisco Bureau
If you have technical problems with this magazine, contact firstname.lastname@example.org