Charles Oriez
Computer Law
March 15, 1999
Encryption Technology and Export Issues Related to it
Why
Concern for data security preceded the internet. And compromise of insecure communications, and data, also preceded the internet. In the early 1970's, Soviet agents routinely monitored telephone voice traffic on IBM's private microwave network.
An Alaskan oil company kept losing leasing bids by small amounts to competitors. The line between a computer in the Alaska office and one at the home base in Texas was being tapped, and a competitor was intercepting pricing advice transmitted from the Texas office. And employees at British Airways read Virgin Atlantic Airlines' passenger records. From that information the employees carried on systematic efforts to induce Virgin's travelers to switch their flights to British Air.
Deceptive communications can be as big a problem as intercepted communications. For example, a group of students at the University of Wisconsin forged an e-mail letter of resignation from the Director of Housing to the Chancellor of the University.
However, interest in cryptography predated even modern ages. The first book on cryptology was written by Johannes Trithemius, a Benedictine monk, in 1499 (the Gutenberg bible was written in 1454). The book was Polygraphiae. And Thomas Jefferson jointly developed a private crypto system with James Madison, and invented a 'wheel cypher' which was ahead of its time.
For these and other reasons, secure communications are essential to modern American business. My client, MCI Worldcom, routinely transmits employee information, including social security numbers, to third party vendors for purposes such as managing health benefits. To ensure the en route security of that information, we encrypt the data using Pretty Good Privacy (PGP).
Whether you are a business protecting trade secrets or employee records, or a third world human rights activist alerting Human Rights Watch of government atrocities in your own country, secure communications are essential.
How
This paper is not intended to make anyone an expert in the technical aspects of cryptography. However, some brief definitions are in order. Cryptography is the process of turning plain text into something unreadable by third parties, turning an intelligible message into gibberish. Most cryptography today uses an algorithm--a mathematical transformation from plaintext to ciphertext or from ciphertext to plaintext or both--and a key (analogous to a password). In general, the security of a message depends on the algorithm and the strength of the key. The algorithms themselves, while mathematically complicated, are fairly short and easy to code. Reportedly, the main algorithm at issue in one of the cases, as coded in perl, is three lines long:
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The most popular mass marketed encryption package available today, PGP (Pretty Good Privacy, by Phil Zimmerman) uses algorithms to create two keys for each user. One key, known as your public key, is made widely and publicly available to your correspondents. My various public keys are published on my web page, registered with the MIT and MCI public key servers, and e-mailed to anyone who asks for it. My separate private key is known only to me. My would be correspondent encrypts the message or file they intend to send me using my public key and their own private key. I then decrypt the file on my end using my own private key. This also serves to validate the transmission by comparing the text to the digital signature of the sender, which includes a hash total of some sort to verify that the text has been unaltered in transmission. This digital signature feature can also serve to verify unencrypted text. As an example, I will digitally sign this paragraph. Had I transmitted this paper electronically, and you had my public key, you could verify that this paragraph was written by me and unaltered after signing.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.2
iQA/AwUBNuakGzCXbcnOuELIEQI1swCfTvf1VqcaIcGzyMN4g3o/EWotLy4AnjgR
5d05dSI8gk0FmN5/FFkkK/IZ
=svLn
-----END PGP SIGNATURE-----
You would then run that paragraph through your own copy of PGP that would compare the message and signature to my public key, and confirm that it really came from me.
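The signing and verification steps described above, as an added example that is not part of the original paper and is not PGP's own code or message format: a Python sketch of hash-then-sign using textbook RSA, showing that an altered text or the wrong public key makes verification fail. The key pairs, the sample message and every function name are constructed for illustration; the primes are publicly known Mersenne primes, no padding is used, and SHA-256 stands in for the SHA1 named in the signature header, so it shows the mechanics only.

```python
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus, published as part of the public key
    e: int  # public exponent, published
    d: int  # private exponent, known only to the signer


def make_toy_key(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build a textbook RSA key from two primes (assumed prime and distinct)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def digest_int(message: bytes) -> int:
    """Hash the message; the signature covers this fixed-size digest, not the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: KeyPair) -> int:
    """Signer's side: transform the digest with the private exponent."""
    return pow(digest_int(message), key.d, key.n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Recipient's side: needs only the public values (n, e)."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)


# Constructed demo keys. These Mersenne primes are public knowledge, so the
# "private" exponents derived from them are recoverable by anyone.
AUTHOR = make_toy_key(2**521 - 1, 2**607 - 1)
SOMEONE_ELSE = make_toy_key(2**607 - 1, 2**1279 - 1)

# Constructed sample text; ALTERED differs from ORIGINAL by two swapped digits.
ORIGINAL = b"Pricing advice from the Texas office: bid 4,150,000 on lease 12."
ALTERED = b"Pricing advice from the Texas office: bid 4,105,000 on lease 12."


def demo() -> dict:
    """Run the four cases a recipient cares about and report which ones verify."""
    sig = sign(ORIGINAL, AUTHOR)
    forged = sign(ORIGINAL, SOMEONE_ELSE)  # signed with a different private key
    return {
        "genuine": verify(ORIGINAL, sig, AUTHOR.n, AUTHOR.e),
        "altered_in_transit": verify(ALTERED, sig, AUTHOR.n, AUTHOR.e),
        "wrong_public_key": verify(ORIGINAL, sig, SOMEONE_ELSE.n, SOMEONE_ELSE.e),
        "forged_by_other_key": verify(ORIGINAL, forged, AUTHOR.n, AUTHOR.e),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} -> {'valid' if ok else 'REJECTED'}")
```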
The Underlying Law
Arms Export Control Act (AECA) 22 U.S.C. §§ 2751-2796d (1994) and
International Trafficking in Arms Regulations (ITAR) 22 C.F.R. §§ 120-130 (1996)
This is a comprehensive licensing scheme designed to control the export of non-military technology, software and commodities under the Export Administration Act of 1979. When the EAA lapsed on August 24, 1994, the President extended it by executive order. Initially administration of the program was within the jurisdiction of the Department of Commerce, but in late 1996 this responsibility was transferred to the State Department.
The EAR is structured around the Commodity Control List ("CCL"), which lists items subject to export control. Encryption software is defined under the EAR as "computer programs that provide capability of encryption functions or confidentiality of information" and "is classified as a Encryption Item ("EI")."
Under the EAA, software was included within the definition of "technology," which was defined as "information and know-how . . . that can be used to design, produce, manufacture, utilize, or reconstruct goods, including computer software and technical data, but not the goods themselves." All software, except encryption software, is treated like technology. However, encryption software is treated in the same manner as encryption hardware, which means that the exemptions for education, scientific research, or due to previous public availability overseas do not apply.
The EAR defines "export" as the "actual shipment or transmission of items subject to the EAR out of the United States," but also includes the "release" of technology or software to foreign persons in the United States. The definition of "export" for encryption software also includes publication on the Internet. The release to foreign persons within the United States is a key issue in the Junger case, where he seeks to distribute encryption code electronically to students in his classes, including students here on F1 student visas. By the same token, a company in the United States which installs the domestic strong encryption versions of Netscape or Explorer on work stations which are then used by workers here on H1 visas is also in violation of the Act. It has been suggested that the provision related to H1 workers has never been and never will be enforced. However, the statute and accompanying regulations are on the books with that provision. If the government wishes to stipulate that some part of the regulations is so unreasonable as to be unenforceable, then perhaps the regulations should be modified or repealed.
There is one exception to the bar on export. When a particular encryption tool includes key escrow capability, the government will license the export of software that exceeds the 40 bit limit, up to 64 bits. This exception is discussed in more detail in the section of the paper on key escrow.
Current Litigation
Karn v. US Dept of State
Some of the source code in the book Applied Cryptography, by Bruce Schneier, is at stake in this case. Mr. Schneier is generally recognized as one of the country's foremost authorities on encryption and his book is one of the definitive texts on the subject. Approximately 50 pages of that book include the C language source code for some 14 encryption algorithms. Under ITAR, the book can be exported because it is in hard copy format, and in fact Phil Karn applied for and received an export license for the book. However, 3 1/2 inch diskettes containing verbatim copies of the printed source code were a "defense article under category XIII(b)(1) of the United States Munitions List" and thus barred from export. After more than a year of administrative appeals, starting in February, 1994, Mr. Karn filed suit in September, 1995, alleging that the denial of an export license for the electronic copy of the code, after approving export of the written copy, was arbitrary and capricious. To illustrate the capriciousness, his complaint detailed the steps that could be taken to make use of the printed, and exportable, source code. His hardware specifications included a standard office photocopier, used in conjunction with "a McIntosh Quadra 610 computer system equipped with an HP ScanJet II flatbed scanner and OmniPage Professional optical character recognition (OCR) software." The complaint then went on to note that by "using only the Book, a photocopier, a computer scanning system, a text editor and a compiler, and even with printing and scanning errors, one can generate a file containing correct DES encryption codes that is exactly equivalent in every significant way to that stored on the Diskette in the total time of approximately four hours". The scanner and other hardware described in his complaint are easily available overseas through normal consumer channels.
He also went on to note that one of the codes whose export was prohibited under ITAR was in fact the Enigma code developed by the Germans in World War II and broken by the Allies at that time.
He also asserted that the denial was an infringement of his first amendment right to free speech and a prior restraint, and that it violated his fifth amendment right to due process.
The government's summary motion for dismissal was granted in March, 1996, appealed by Karn to the United States Court of Appeals for the District of Columbia, and oral arguments were heard in January, 1997. Meanwhile, jurisdiction over ITAR was transferred from the Department of State to the Department of Commerce. The Appeals Court remanded the case to the district court to determine what if any changes would occur because of the jurisdictional change. Both parties agreed to withdraw the suit, refile the commodity jurisdiction request, act promptly, and then refile the case after the new round of applications and appeals was completed. While all this was occurring, the original district judge died of cancer.
The case was then reopened in January, 1998 through the filing of an amended complaint, and in February, 1999, Judge Oberdorfer ordered evidentiary hearings on the sole question of whether there are material differences between the code on the diskette and the code in the printed copy of the book. They are now waiting on the scheduling of the evidentiary hearings following completion of discovery.
Bernstein v. US Dept of State
Bernstein at the time the case was filed was a PhD candidate in mathematics at the University of California - Berkeley. He wrote the Snuffles encryption code. Bernstein wanted to publish his code on the internet for the purposes of peer review. The arguments in Karn and Bernstein are virtually identical, except that Bernstein also alleged unconstitutional vagueness in the regulations, and noted that the government was not complying with its own time table for responses to application requests. The case was brought in 1995, was won on a summary judgement motion at the District Court level in August 1997, and immediately appealed by the government to the Ninth Circuit. Oral arguments were heard in December 1997, but no decision has been announced yet. An unofficial transcript of the oral arguments found in his case files includes the following questions:
From Appeals Court Judge Bright: "Well then what's the big deal about putting the source code on computers?"
From Appeals Court Judge Fletcher: "This, this is a very puzzling case, at least to my mind. If you can put it all down on paper and all that's involved is a lot of hard work to put it into software or hardware, why does the government do this?"
Those questions go to the heart of the case in the opinion of many people.
There is also an interesting side issue in this case brought out by a question from Judge Nelson and the response from one of the government's attorneys. I intend to travel to England in a few years, and work. The development and use of strong encryption is legal in England, and in fact last Friday the British government abandoned their support of key escrow (the "Trusted Third Party" concept) or any other type of encryption regulation. However, the government attorney in the Bernstein case contends that should I participate in the development of strong encryption while present in Britain, I would be in violation of ITAR.
Junger v. Daley
Peter Junger is a law professor at Case Western Reserve University, who teaches a course similar to the one that we're taking right now. As part of that course, he wants to publish materials, including encryption software, on his web page. ITAR prohibits him from that publication, because it is considered a form of export.
In summer of 1997 he filed suit on first amendment grounds, represented by an attorney who later became head of the ACLU of Ohio, who then assumed responsibility for the case. In July, 1998, Judge James Gwin granted a summary motion for dismissal for the government, making several points in doing so.
Professor Junger then appealed to the 6th Circuit Court of Appeals.
On March 8, 1999 EPIC (Electronic Privacy Information Center), joined by the Association of Information Technology Professionals and numerous other organizations, filed an amicus brief supporting Mr. Junger. The original brief ran afoul of a 6th circuit 7000-word limitation, so not all points in our draft ended up in the final. However, several points were raised.
We noted that the restrictions applied only to encryption source code, because it was encryption, directly disputing the allegation that the regulations were content neutral.
We noted for the record that more people in the United States read and comprehend the C programming language (which most encryption programs are written in) than read or comprehend either Navajo or Finnish. It will be interesting to see if the government attorneys attempt to defend the proposition that Navajo speakers should therefore be denied their First Amendment rights. Defending that position in court will quite likely find them defending it in the media a few days later.
Our initial draft brief also made two other important points. First, we cited Apple v. Franklin's opinion that source code was literary as well as functional (a point I made separately to the NY Times technology reporter). His ruling could be just as much a danger to software authors seeking copyrights as it is to Navajos seeking to express themselves in their native tongue, if it isn't overturned.
In addition, we made the point that the regulations are devoid of common sense. In the original brief, we noted that of 840 known companies producing encryption packages, 440 are outside of the United States. I have since discovered material indicating that there may in fact have been 497 foreign companies producing encryption software outside of the United States as of 1995.
We could just as easily have listed the overseas locations to obtain "official" copies of PGP, which is just one of the many encryption packages covered by ITAR (and subject of a criminal investigation since abandoned). Recommended locations to obtain PGP include download sites in Norway, Austria, Brazil, Czechia, Denmark, Finland, Germany, Japan, Korea, Netherlands, Poland, Russia, Spain, Sweden, and Switzerland. This doesn't include unofficial sources at 143 separate additional sites in numerous additional countries in all parts of the world, including South Africa, each of the Baltic states, most of the states formerly in Yugoslavia, as well as most of the former Warsaw Pact countries.
A final argument that we could have made involved the new AES (Advanced Encryption Standard). In 1975, IBM wrote DES, the standard encryption software used throughout industry until the current day. In recent years, there have been demonstrated vulnerabilities in that package, and some people have demonstrated the ability to force decrypt it under controlled circumstances. Because of that, the National Institute of Standards and Technology (NIST) advertised for a replacement standard. 15 candidate algorithms were initially selected in August, 1998, and will be further winnowed this month, at a conference in Rome, Italy. The 15 algorithms came from a total of 12 countries, destroying the contention implicit in ITAR that we have a monopoly on the technology.
And we also asserted a fourth amendment issue, comparing encryption to locks, and asserting that developing stronger encryption was identical to developing stronger locks. Our logic is that in order to develop it, you must discuss it with your peers. To quote from the brief, "The Supreme Court has explained that when the government seeks to impinge upon private communications in the name of national security, the "convergence of First and Fourth Amendment values" must guide the Court's interpretation of the reasonableness of the government's interference. United States v. United States District Court, 407 U.S. 297, 313 (1972) ("Keith"). The Fourth Amendment shields private communications from unreasonable governmental interference or surveillance. See, e.g., Keith, 407 U.S. 297; Katz v. United States, 389 U.S. 347 (1967). In particular, "governmental incursions into conversational privacy" via electronic means "necessitate the application of Fourth Amendment safeguards." Keith, 407 U.S. at 313; see also Olmstead v. United States, 277 U.S. 438, 472-75 (1928) (Brandeis, J., dissenting) (fearing government's eventual use of "subtler and more far-reaching means of invading privacy [furnished through] the progress of science.")." In light of documentary evidence that encryption technology is now globally available, the interference is clearly illogical, and therefore unreasonable. As such, Junger must win his appeal.
Legislation
The US Congress seems to have realized that the requirements as written are not reasonable. Legislation has been introduced again this year by Representative Goodlatte (R-Virginia) liberalizing export of encryption software. Co-sponsors this year include 210 members of the House of Representatives as of March 13, including Majority Leader Richard Armey (R-TX), Minority Leader Richard Gephardt (D-MO), Majority Whip Tom Delay (R-TX), Minority Whip David Bonior (D-MI), House Republican Conference Chairman J.C. Watts (R-OK), House Policy Committee Chairman Chris Cox (R-CA), Rules Committee Chairman David Dreier (R-CA), and Democratic Caucus Chairman Martin Frost (D-TX). The bill passed its first subcommittee vote by voice vote, apparently unanimously, on March 11.
During the previous session, a bill relaxing controls (HR 695) was sponsored by a majority of the members of the House, and made it through the committee process only to die in the Rules Committee due to the opposition of the Rules chair, Gerald Solomon. Mr. Solomon retired at the end of 1998.
Senator Burns (R-Mt) intends to introduce identical legislation in the Senate, as he did during the last two sessions of Congress. Initially, he had indicated an intention to introduce legislation in February, and had a draft bill up on his web site. He seems to have delayed, most likely in an attempt to build consensus, and the draft is no longer easily found on his web page. It should be noted that Senator Leahy (D-Vt) introduced a similar bill last year, and is widely expected to support a bill consistent with those principles this year. Introduction of a Burns-Leahy bill on the topic can not be excluded as a possibility in this session of the Congress.
Key Escrow
The Clinton administration has proposed key escrow, and offered as a carrot a relaxation of export controls for any package that makes use of it. The NSA of course supports it because it makes the encrypted communications of foreigners available to them, or so it is assumed. They do offer some interesting and perhaps valid points. The most telling was the question of internal data being encrypted and held for ransom within a corporation. Although not mentioned in their presentation on the issue, the specter would be that discussed in Mahru v. Superior Court, only made worse by unbreakable encryption. In fact, that was the only issue that I found troubling in light of my predisposition in the other direction. However, I am not convinced that remedies don't exist for that problem, including a Mahru style prosecution. The discussion by Mr. Baker of the NSA did however substantiate the theory advanced in class that the great fear is not really easy export, but rather the day that encryption becomes the default, or is an easy pull-down plug-in feature of all e-mail clients.
The history of key escrow in the United States revolves around Clipper, and its descendants. Clipper I was a hardware chip, not software, designed by the NSA using a top secret algorithm reviewed and pronounced secure by Dorothy Denning and others. Unfortunately for them, an AT&T scientist, Matt Blaze, discovered a flaw that permitted abuse: the chip could be used in a way that thwarted eavesdroppers. The other objection was the cost ($1200 for a clipper-enabled phone). Clipper II was then proposed in September, 1995; it abandoned hardware implementation, used Trusted Third Parties rather than government escrow (the approach recently abandoned by Britain), and allowed keys up to 64 bits long (my PGP key is 2048 bits by comparison). Once again, the market rejected the proposal. My own immediate reaction was to question the need to limit the key to 64 bits if in fact the data recovery component exists in escrow. So finally, a white paper proposing 'Clipper III' was released in May, 1996, which included self-escrow. That is where we stand today, although the tide in both Congress and the courts seems to be moving away from escrow, with even Bob Dole siding with the 'crypto-anarchists'.
A recent (1996) study showed 29 proposals and/or commercial products that included key recovery or escrow. They run the gamut of software, hardware, firmware, and some combination thereof. They frequently included trusted third parties as escrow agents. Some of these packages, such as the TIS Commercial Key Escrow package, have been submitted to the government and approved for export.
However, some of the top cryptologists in the United States, Canada, and England studied key escrow and identified significant problems with it. Their conclusions were that key recovery systems are inherently less secure, more costly, and more difficult to use than similar systems without a recovery feature. These difficulties are viewed as a function of the basic government access requirements, irrespective of any other consideration. A particular concern is that highly sensitive and highly available keys must be maintained in a secure manner over an extended time period, yet must be readily available to law enforcement agents without notification to the key holder. They conclude that these requirements make the problem of key recovery both too costly and potentially insecure.
The government requirements for global key recovery do tend to support the view of the working group:
Third-party/government access without notice or consent of the user, with even "self-escrow" systems having sufficient insulation to prevent key owners from being aware that recovery agents have acquired the keys, regardless of whether those recovery agents are legitimate law enforcement agents or hackers.
Ubiquitous international adoption. This makes apparent European abandonment of key escrow a show-stopper in the view of the US Government.
High-availability 7x24 access to plain text. Law enforcement standards call for access to the data within 2 hours of it being sought. Commercial encryption users seldom if ever need the ability to recover lost keys around the clock, or on such short notice. The expense of this added feature will be solely for the benefit of government agents.
Access to encrypted communications traffic, not just stored data. To the extent that there is a commercial demand for key recovery, that demand will be related to stored data, and seldom if ever communications traffic. Again, this requirement and expense is solely for the benefit of government agents.
With these criteria, it is difficult to imagine any widespread use of key escrow in the foreseeable future.
Europe
European regulations are in a state of flux. As previously mentioned, Britain appears to have abandoned all pretext of regulating encryption export or use, as of March 5. France has also recently liberalized its rules. The litmus test is theoretically where a country stands on the "Bonn Declaration" which is portrayed as pro-export, or the Wassenaar Arrangement, which is supposedly pro-control, though I have heard from more than one European that the US interpretation of Wassenaar is as much wishful thinking as it is reality. Unfortunately, many countries have seen fit to endorse both. Rumors persist that the Europeans are currently considering a further weakening of their restrictions. The recent British actions support the likely accuracy of those rumors. However, it should be noted that some point to the working document used to propose the alleged British 'backdown' on Trusted Third Party escrow, and appear less confident that the British government has truly backed away from that support. This view is seemingly caused by the position expressed in the document summary that the British government wants industry to come up with an alternative proposal for permitting government agencies involved in fighting serious crime to have access to unencrypted versions of documents.
A detailed study of encryption usage and export policy around the world seems to indicate that the preponderance of European countries already are in favor of de facto open export. It is reasonable to expect that a failure on the part of the US government to convince the European Union to adopt ITAR-style controls will eventually defeat them here.
Predictions
The opposition of the Clinton administration will probably doom legislative action in the 106th Congress. However, the questions of the three appeals judges in the Bernstein case demonstrate a clear hostility and skepticism towards the government's arguments. Meanwhile, the evidentiary hearing decision in Karn indicates some receptivity on the part of that judge. And finally, the district court decision in Junger is so internally inconsistent and illogical that it couldn't possibly survive the appeal. I expect a win in the 9th, remand in the 6th to a hostile judge who will look for reasons to support the government, and unknown results in the District of Columbia with a slight tilt in favor of Karn if I had to bet the bank on it. The ultimate result will be a Supreme Court hearing, especially if either of the other cases disagrees with Bernstein. Unfortunately, the Supreme Court does not seem to lend itself to easy prognostication in this case. There are a number of cases related to privacy and due process as they pertain to gay rights cases (eg - Romer v. Evans), but I could not find any directly applicable precedent. Even the Pentagon Papers case didn't speak directly to the same issues while addressing prior restraint. However, I am not confident as to the extent that my belief that the Supreme Court will rule in favor of Bernstein and the others is based on an objective reading of the precedents and how much it is based on my own bias. I finally decided not to guess.
Table of Authorities
Primary Cases
Bernstein v. Department of State -
922 F. Supp 1426, 1136 (N.D. Cal. 1996)
945 F. Supp. 1279
974 F. Supp. 1288
http://www.eff.org/pub/Privacy/ITAR_export/Bernstein_case/ (plaintiff files)
Junger v. Daley -
8 F. Supp. 2d 708
http://samsara.law.cwru.edu/comp_law/jvd/pdj11.html (plaintiff files)
Karn v. Department of State -
920 F. Supp. 1, 9 n.19 (D. D.C. 1996)
http://people.qualcomm.com/karn/export/index.html (plaintiff files)
Statutes and Regulations
Arms Export Control Act (AECA) 22 U.S.C. §§ 2751-2796d (1994)
International Trafficking in Arms Regulations (ITAR) 22 C.F.R. §§ 120-130 (1996)
Other Authorities
Abelson, Hal et al, "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption", May 27, 1997, found at http://www.crypto.com/key_study/report.shtml
Apple v. Franklin, 714 F.2d 1240 (3rd Cir. 1983)
Bacard, Andre, The Computer Privacy Handbook, pg 73 Peach Pit Press, 1995
Baker, Stewart, "Don't Worry, Be Happy", Wired, June 1994, found at http://www.wired.com/wired/archive/2.06/nsa.clipper.html
BBC News, Online Network, "Policy progress - Special report", Mar 5, 1999, http://news2.thdo.bbc.co.uk/hi/english/special%5Freport/1999/03/99/e%2Dconomy/newsid%5F291000/291102.stm
Broad, W., "Evading the Soviet Ear at Glen Cove," Science, Vol. 217 (3), September, 1982, pp. 910--911.
Burns, Senator Conrad web page http://www.senate.gov/~burns/digital_dozen.htm
Chandrasekaran, Rajiv, "Off Mice and Congressmen", Ziff-Davis publications, November, 1998, http://home.zdnet.com/yil/content/mag/9811/solomon.html
Charney, David, "Encryption Bill Reintroduced in House", Tech Law Journal, Feb 25, 1999, at http://www.techlawjournal.com/encrypt/19990225.htm
Denning, Dorothy, "Symposium: Recent Development: Key Escrow Encryption Policies and Technologies", Villanova Law Review, 1996 (41 Vill. L. Rev. 289)
Denning, Dorothy, "A Taxonomy for Key Escrow Encryption Systems", Communications of the ACM, March, 1996, pg 34-40
Dept of Commerce, "Interim Rule on Encryption Items", Federal Register, Vol 61, p. 68572 (Dec 30, 1996)
Dept of Trade and Industry, "BUILDING CONFIDENCE IN ELECTRONIC COMMERCE - A CONSULTATION DOCUMENT", Mar 5, 1999, http://www.dti.gov.uk/CII/elec/elec_com_1.html
EPIC, March 8, 1999 Amicus Brief for Junger v. Daley, http://www.epic.org/crypto/export_controls/junger_brief.html
International PGP home page found at http://www.pgpi/com
Leahy, Senator Patrick web page http://www.senate.gov/~leahy/s980512.html
Levy, Steven, "Clipper Chick", Wired, Sept, 1996, found at http://www.wired.com/wired/archive/4.09/denning.html?topic=&topic_set=
Library of Congress, http://thomas.loc.gov/cgi-bin/bdquery/z?d106:HR00850:@@@P
Madsen, Wayne, CRYPTOGRAPHY AND LIBERTY: AN INTERNATIONAL SURVEY OF ENCRYPTION POLICY, 1998, found at http://www.gilc.org/crypto/crypto-survey.html
McCullagh, Declan, "A Baby Step for Encryption", Wired News, March 11, 1999, http://www.wired.com/news/news/politics/story/18413.html
Mahru v. Superior Court, 191 Cal.App.3d 545, 237 Cal.Rptr. 298
National Institute of Standards and Technology, "AES: A Crypto Algorithm for the Twenty First Century", http://csrc.nist.gov/encryption/aes/aes_home.htm
Neumann, P., 1994, Computer-Related Risks, ACM Press (Addison-Wesley), 1994.
Parker, D., 1983, Fighting Computer Crime, Charles Scribner's, New York, 1983.
Schneier, Bruce, Applied Cryptography, Second Edition, Wiley and Sons, 1996
Solomon, Gerald, Dear Colleague letter, May 1, 1997, http://www.cdt.org/crypto/legis_105/SAFE/970501_Solomon_ltr.html
Stevenson, R., 1993, "British Airways Tells Virgin Atlantic It's Sorry and Pays $945,000", New York Times, January 12, 1993, Sec. D.