This module considers how digital electronic communication is both enabling and yet problematically insecure. The use of strong encryption does three things: (1) ensures confidentiality/privacy of one's message; (2) ensures authenticity of a message; and (3) ensures the integrity of the contents of a message. Strong "public key" encryption may be thought of as a type of electronic "self-help" used to protect the content of electronic communications from unwanted intrusion by governmental entities and private actors alike. For much of the post WW II era, the National Security Agency had an almost complete monopoly on strong encryption methods. However, this monopoly was broken by the development of "public-key" cryptography by Whitfield Diffie and Martin Hellman in 1975. "Public-key" cryptography eventually spurred major controversies in the 1990s, when the U.S. government tried implementing the "Clipper Chip," which would have allowed government access to the key for virtually any and all encrypted digital communications.

This module asks you to analyze a trilogy of cases decided beginning in the mid-1990s: (Karn v. U.S. Dept. of State [decided March 22, 1996 in the District Court for the District of Columbia]; Bernstein v. U.S. Department of Justice [decided May 6, 1999 in the 9^th Circuit]; and Junger v. Daley [decided April 4, 2000 in the 6^th Circuit]). These cases address the problematic limits on the use of extremely strong "public key" cryptographic systems by private actors in the context of the export licensing schemes administered by the State Department and the Commerce Department. These cases have strong first amendment and administrative law components to them, but their implications go beyond those areas of the law to implicate fundamental questions of individual privacy in the digital environment -- who will have presumptive access to strong encryption tools?

This module is organized as a series of questions and answers revolving around the use of encryption to ensure privacy in one's communication. This module looks first at broad notions of privacy, and the common law and constitutional roots of a legal right of privacy within the United States. A brief history of codes and codebreaking follows, covering the Caesar cipher to the German Enigma code machine as well as defining certain basic cryptographic terms and concepts. Next, the post -World War II governmental monopoly on strong cryptography by the National Security Agency (NSA) is described. Finally, this module focuses on the significant advent of public key cryptography first developed by Whitfield Diffie and Martin Hellman in 1975, which made possible a challenge to the NSA's monopoly on strong encryption.

Simultaneous with the refinement of public key cryptographic techniques was the rise and spread of ubiquitous computer network environments. These networks began to enable extensive data communications and thereby threaten the privacy or secrecy of the same transmitted information, especially that of a highly personal or confidential nature. In the late 1970s, the NSA, in concert with the National Institute of Standards and Technology (NIST), released a 56-bit encryption algorithm called Digital Encryption Standard (DES) to be used for electronic transfers of financial and other data. However, almost from the time of its release, DES's ability to protect information began to be outstripped by rapidly advancing decryption technology.

The US Government has repeatedly sought to curtail the spread of strong public key encryption technology in two ways. First, a domestic initiative promoting "key escrow" deposit schemes was promoted. Second, strong public key encryption algorithms were classified as "munitions" and thereby made subject to strict export controls, contingent on obtaining a rarely granted license from the State or Commerce Department. There is a relation between the domestic initiatives and export restrictions on strong cryptographic products. Export controls hinder the spread and development of strong cryptographic tools within the US because software developers are reluctant to incorporate cryptographic tools that might prevent them from selling their products overseas. Government-backed "key escrow" arrangements such as the ill-fated Clipper chip initiative of the mid-1990s ran the risk of seriously harming overseas markets for US products using strong encryption.

This module focuses attention on legal developments occurring in the 1990s over attempts by the Clinton Administration to use State Department regulations, and then Commerce Department regulations, to stop the export of strong public key cryptographic tools. In particular, there have been three cases that have interpreted the relevant government export regulations, one upholding government-attempts to restrict the export of strong cryptography, and two strongly questioning the ability of the government to restrict the use and export of public key cryptographic algorithms on first amendment grounds.

The module opens with a glossary of encryption terms, before moving on to a brief history of privacy law and then to a brief historical backdrop for the Trilogy of Bernstein, Junger & Karn. The module ends with an abbreviated selected bibliography of articles and books on encryption and the law.

While the foundations of the legal recognition of a right to privacy are ancient - the idea that there is a boundary between the public and private realms of social lives at least dates back to Socrates and Aristotle (1) - explicit legal protections for individual privacy did not begin to develop within the US until the late nineteenth century. There were, however, many constitutional and common law antecedents to privacy rights; the norms under-girding privacy rights overlapped with the first amendment freedom of speech. Other sources that protected privacy included the fourth amendment right to be free of unreasonable searches and seizures, the third amendment right to not have troops quartered in one's home and the fifth amendment right against self-incrimination. The common law areas of nuisance and trespass also include implicit norms protecting individual privacy, although they are articulated in the language of property ownership. (2)

Professors Richard Turkington and Anita Allen found the earliest judicial discussion of privacy in the U.S. to be in an 1881 Michigan appellate court opinion in which tort relief was granted a plaintiff who had been observed by the defendant during childbirth and without the plaintiff's permission (3). Turkington and Allen also note that in Judge Thomas Cooley's treatise on torts he discussed the "right to be let alone." (4) This concept was picked up in Samuel Warren and Louis Brandeis' 1890 Harvard Law Review article,"The Right to Privacy," which has traditionally been considered the clearest articulation of the right to privacy. (5)

Finally, in Griswold v. Connecticut, 381 US 479 (1965), the U.S. Supreme Court held that a constitutional right of privacy shielded decisions about the use of contraceptives from state interference. In his decision, Justice William O. Douglas expressly recognized a general constitutional right of privacy independent of the fourth and fifth amendments as well as the common law right of privacy. The question remains, however; do privacy rights deal with limiting/controlling access to data and information about ourselves, or do privacy rights pertain to the ability to make fundamental decisions about oneself in the face of contrary opinions, as exemplified by the rights found in Griswold, Id.

This module focuses on the former, that is, how privacy rights grant us the ability to limit and control access to data and information about ourselves. This definition of privacy rights involves two types of private information: (1) transactional information, i.e., data footprints; and (2) the substantive content of one's communications. The module written by professor Ann Bartow addresses the issue of transactional privacy and "data footprints." This module considers the issue of securing the contents of communications and documents stored and transmitted electronically.

(2) Alan Westin, Privacy and Freedom (1967); David H. Flaherty, Privacy in Colonial New England (1972).

(3) DeMay v. Roberts, 46 Mich. 160, 9 NW 146 (1881).

(4) Richard C. Turkington and Anita L. Allen, Privacy Law: Cases and Materials 23 (1999).

(5) Pavesich v. New England Life Ins. Co., 122 Ga. 190 , 50 SE 68 (1905).

(6) Feinberg, Recent Developments in the Law of Privacy, 48 Colum. L. Rev. 713 (1948).

Writing has been a medium of sharing thoughts and ideas, of enlightenment and understanding, for thousands of years. However, for almost as long as humans have used writing to proliferate ideas, writing has also been used to deliberately conceal messages and meanings from unwanted eyes. This concealment has been achieved through the use ofcodes and ciphers, and examples abound throughout history.

Egyptian hieroglyphics were made deliberately arcane and obscure, and literacy in writing or interpreting a cipher was restricted to ensure that the elite powers of priests and scribes remained secure. Julius Caesar used what came to be known as "Caesar cipher" to ensure that his military and political communications remained safe from prying ears and eyes. Science -fiction writer Bruce Sterling describes how the ancient Assyrians used a form of "funerary cryptography " in which tombs would have odd sets of cryptographic cuneiform symbols written on them. These curious symbols would sometimes cause mystified passersby to utter the translation aloud, thereby inadvertently uttering a blessing for the dead. Consider Paul Revere's famous warning: "one if by land, two if by sea" as a rudimentary, if effective use of a code. The key is the number of lanterns in the Old North Church and the message is effectively concealed from all who do not know the key.

In the 1940s, Alan Turing, British mathematician, cryptographer and namesake of the "Turing Test" for artificial intelligence, was part of a top-secret team of British code-breakers that used electronic machines that might be thought of as predecessors to computers to break Nazi messages that had been encrypted using the German Enigma Code machine. This top-secret breakthrough was significant and had much to do with the ultimate Allied victory, enhancing their ability to track and sink German U-Boats and learn of other strategic maneuvers. England's top-secret triumph meant that at the dawn of the cold war era, cryptography would continue remain a jealously guarded state secret, at least up until the mid 1970s.

An example of this situation is law enforcement's argument for key escrow encryption systems (such as the Clipper Chip) on the grounds that they need to be able to intercept the communications of terrorists, drug dealers and other criminals. Such systems, however, allow for potential invasions of privacy that would compromise the many legitimate reasons and situations where individuals and groups of people may want to conceal information. Companies may possess confidential employee data (medical, salary and other records) that may be susceptible to access by data entry clerks -- encryption protects these records. Employees may share workspaces and equipment with others and may want to ensure the confidentiality of information about projects they are working on. Companies may need to transfer confidential information between branch offices and field agents -- encryption helps keep the information secure from interception. Companies may possess proprietary information and trade secrets, R & D results, product plans, manufacturing processes, legal and financial data, etc. that they want to keep secret from competitors. An individual or company may want to transmit sensitive information on a computer that they would like to keep private from persons who may examine the computer en route. Or two persons may correspond via e-mail and wish to keep the content of their electronic communications private.

Encryption algorithms are described in terms of relative strength. The stronger the protection from a particular algorithm, the harder it is to crack a message that has been encrypted by that algorithm. The length of the key determines an algorithm's relative strength. Key length is described in terms of "bits" (how many numbers are in a particular key). The range of values for a given cryptographic key is called "keyspace". An important characteristic of complex cryptosystems is that the relative strength of different keys is exponential, rather than geometric. This fact means that a 24 -bit algorithm is not three times as hard to break as an 8-bit algorithm, but is over 65,000 times harder to break (65,536, or 2 to the 16^th power) than an 8-bit key.

In the 1960s, IBM developed an encryption program named LUCIFER, a variant of which became the NSA’s Date Encryption Standard (DES). DES is a 56-bit symmetric cryptosystem designated in the 1970s by the then-named National Bureau of Standards (since renamed National Institute for Standards and Technology or NIST). DES was adopted as a federal standard on November 23, 1976 and has continued to be re-certified every five years,

DES is the most widely used symmetric cryptosystem (the encryption and decryption keys are the same), and stands at a NSA regulated 56 bits (bits are the unit by which the strength of cryptographic keys are measured). The process for using a single-key algorithm such as DES involves four steps: (1) agreeing on a security key with the intended receiver or sending her the key, (2) supplying plaintext and using the key to an algorithm to create the ciphertext, (3) sending the ciphertext to the receiver and (4) having the receiver supply the ciphertext and the key to an algorithm to create the plaintext. One cryptography scholar says that, "the original design submitted by IBM permitted all 16 x 48 = 768 bits of key used in the 16 rounds to be selected independently. A U.S. Senate Select Committee ascertained in 1977 that the [NSA] was instrumental in reducing the DES secret key to 56 bits that are each used many times."

Despite ongoing suspicion of DES due to rumors that the NSA had forced IBM to intentionally weaken the system down to 56 bits so that it was easier for the NSA, and no others, to break, up to the early 1990s many banks and financial institutions used DES. However, with the rise of parallel processing (using many computers simultaneously) in the mid-1990s, many encryption experts believe that DES ciphertext is crackable in a matter of hours and that therefore DES has reached the end of its useful life as a cryptographic tool.

The NSA has never affirmed or denied their ability to decipher DES (some people have said that NSA stands for "never say anything" or even "No Such Agency"). Of course, if a method of cracking DES ciphertext was developed, the developer would benefit by keeping that method secret, because if it were widely known people would stop using that cryptosystem and the ability to crack it would become worthless.

The NSA’s cryptographic monopoly came to end in 1975, with the invention of "public-key" cryptography by mathematicians Whitfield Diffie, then at MIT's Artificial Intelligence Lab, and Martin Hellman. During the mid-1960s, individual user files in time-shared mainframe computers, such as those in MIT’s AI Lab, were protected by passwords. However, the system manager had complete access to the passwords of all the users. Diffie was concerned that if law enforcement officers served the system manager with a subpoena, the subpoenaed passwords and user files would go to law enforcement — the system manager had absolutely no incentive to risk a contempt citation for noncompliance with a subpoena. Whitfield Diffie wanted to find a way to eliminate the need for trusted third parties like the system manager, and he realized that the only way to do this was through a decentralized system of password control.

Diffie focused on the age-old problem of key management. As mentioned earlier, Julius Caesar had developed a simple cipher system in order to encode sensitive military messages. What Caesar did was take an original message ("plaintext") and then encrypt it into what appeared to be gibberish ("ciphertext"). The recipient of the gibberish message would use the same key as Caesar and thus would decrypt the message back into plaintext. The big problem in this cryptosystem was protecting the key. Anyone who knew Caesar key would be able to understand the encrypted message. Therefore, to keep his communications secret Caesar would have to change the key often. Changing keys, however, often created a related problem: if you changed the key frequently, how do you inform your spies behind enemy lines what the new key is or even when you're changing it. If you tell them what the new key is using the old code (which may have been intercepted and broken) then your enemies will learn your new code and your secret plans would be for naught.

Whitfield Diffie and Martin Hellman, through the aid of rapidly increasing computing technology, conceptually split the then-unitary cryptographic key in 1975. They envisaged a cryptosystem in which each user had two keys, a "public" key and a "private" key, each unique to an owner. Any message encrypted with one key may be decrypted by the other, and neither key can be used to determine the other. If I send you a message, I first need to obtain your "public" key. It is possible to distribute one's public key without compromising security -- however, possessing someone's "public" key is absolutely no help in deciphering information about what one's "private" key is. If I use your "public" key to encrypt a message to you, my message will be pure gibberish to anyone who may intercept it and only one person in the world can decode it -- you, who hold the other key, your "private" key. If you want to respond to me with a secret message, you would then use my "public" key to encrypt your message and I would use my "private" key to decrypt.

Thus, with the advent of "public key" encryption, instead of using the same key to encrypt and decrypt a message (such as with a symmetric cryptosystem like DES), every user in the system would have both a public key and a private key. The public key can be published or be made available in a key repository and the private key would never be revealed.

With the advent of computer programs that implemented variants of the Diffie-Hellman scheme, the age-old boundaries on cryptography were suddenly vanquished. Once Diffie and Hellman published their ideas in 1975, the de facto NSA monopoly on cryptographic tools was on its way out. In 1977, three MIT mathematicians -- Ronald L. Rivest, Adi Shamir and Leonard M. Adelman -- developed a cryptosystem that put Diffie-Hellman's findings into practice through the use of very large prime numbers. Their RSA algorithm (used in an encryption program such as RIPEM) created encryption keys by multiplying two extremely large prime numbers together. While breaking this code involves only reversing the multiplication process (required to discover the private key), to do so can take a long time even on a powerful computer. These algorithms were seen as a big improvement over the DES. The strength of public key algorithms rest in large part upon how large the key is, or in other words how many bits of information make up the key. The larger the key, the harder it is to break the code. Whereas DES was limited to 56 bits, RSA keys could be any size. Furthermore, the relative strength of different keys are exponential rather than geometric, meaning that a 24 bit algorithm is not three times harder to break than an 8 bit algorithm, but 64,000 times harder.

Needless to say, the prospect that every company/citizen within or without the United States would have access to extraordinarily strong cryptographic tools and techniques of the sort that had formerly ranked alongside advanced missile guidance systems, biological warfare knowledge and nuclear power was the NSA's worst possible nightmare.

There are two general situations in which using strong encryption is desirable. First, there is a need to store information in a location secure from unauthorized persons. Second, there is a need to keep information that is being transmitted from point A to point B safe from interception. In the second situation there is a problem of secure key exchange; the person who will be receiving and decrypting the information will usually not be the person who sent and encrypted the information.

In a traditional symmetric cryptographic system, the same password/algorithm is used to encrypt and decrypt messages. In a public key cryptographic system each user has two keys: one, a "public" key that is widely published and easily available through some type of distribution infrastructure, and two, a "private" key that is never revealed. Any message encrypted with one key may be decrypted with the other, so that someone may use my "public" key to encrypt a message to me, and I can use my "private" key to decrypt the same message. Neither key can be used to determine the other, and public key cryptography allows people who never met or exchanged a key to communicate in a highly private manner.

So, public key cryptography allows users to accomplish three important objectives with their electronic communications. First a user can ensure the confidentiality and privacy of a communication such that only the intended recipient can read the message. Public key cryptography also allows for more efficient authentication, ensuring that the recipient of an encrypted communication can accurately ascertain and verify the identity of the sender of the message. Finally, public key cryptography ensures a message's integrity, reassuring the user that no one tampered with or changed the message en route.

On one hand, the strength of public key cryptosystems may also be a weakness: the extremely large prime number keys used by "public key" encryption systems take much longer for the intended recipient to decrypt than with a single key system such as DES. On the other hand, ironically, as strong (and as slow to decrypt) as public-key systems may be in comparison to traditional symmetric cryptosystems, they are not invulnerable. For example, in 1977, Rivest, Shamir and Adelman issued a challenge to the world in an article in Martin Gardner's column in Scientific American. A single phrase was encrypted using the RSA 129-bit algorithm and readers of Scientific American were challenged to find the plaintext. Using 1977 computing technology as a benchmark, Gardner estimated it would take millions of years to decrypt the RSA encoded ciphertext. However, an MIT student using almost 2,000 computers worldwide hooked together into a network to undertake the necessary calculations decrypted the RSA-129 message after 16 years and 8 months on April 16, 1994. Therefore, as computing technology advances the first drawback to public key cryptosystems will likely be reduced, while the second is increased.

Another disadvantage of public key systems is that there may be a key validation problem. When you wish to send encrypted data to someone, without the required key-validation protocol, how can you be sure that the public key that you have obtained for the receiver is indeed truly his/her public key? A knowledgeable encryption specialist could publish a public key in the receiver’s name, and then proceed to intercept any message you send using that key. Establishing an appropriate key-distribution and validation system is a significant cost to implementing an effective public key cryptosystem.

Another drawback of public key encryption isn't technical, but rather intrinsic to the use of strong cryptography. Cheap, easy-to-use extremely strong cryptography unfortunately shields both the law abiding and legitimate and lawless alike. Take the following remark from FBI agent Jim Kallstrom as quoted in an article by Steven Levy in the New York Times Sunday Magazine: "Sure, we want those new steel doors ourselves, to protect our banks, to protect the American corporation trade secrets, patents rights, technology. But people operating in legitimate business are not violating the laws -- it becomes a different ball of wax when we have probable cause and we have to get into that domain. Do we want a digital superhighway where not only the commerce of the nation can take place but where major criminals can operate impervious to the legal process?" (1)

While the debates in this area have been heated and controversial, they arenot the primary focus of this module. However, one should note that throughout much of the 1990s there has been an ongoing debate over whether the government, and its law enforcement agencies such as the FBI, should have access under certain circumstances to an electronic "backdoor"( via an Escrowed Encryption Standard such as the Clipper Chip or some other key escrow scheme).

The U.S. government has been trying to prevent the proliferation of strong cryptography domestically and, similarly, to prevent the export of such cryptography. Attempted domestic control has focused on trying to adopt key escrow standards, while exporting strong cryptography has been controlled via stringent export licensing schemes.

On the domestic front there have been several government initiatives to have either mandatory or voluntary key EES or key escrow schemes adopted by the computing and communications industry. In the late 1980s and early 1990s the NSA and NIST proposed replacing the increasing vulnerable DES algorithm with a new algorithm they named Skipjack, which was purported to be over 16 million times stronger than DES. The Skipjack encryption algorithm was integrated into a system using what was called the Law Enforcement Access Field (LEAF) that added a signal to an encrypted message that directed a potential wiretapper (theoretically from a government law enforcement agency) to the appropriate key to decipher the message. The Skipjack algorithm and the LEAF system were integrated into the Capstone Chip that could handle phone communications, computer data and digital signatures.

In the early 1990s the NSA proposed the "Clipper Chip" to the Bush Administration. The Clipper Chip is a stripped down version of the Capstone chip incorporating both the Skipjack algorithm and the LEAF system's escrow key. While the Bush Administration failed to act on this proposal, the Clinton Administration picked up the Clipper Chip proposal within two months of taking office and aggressively pushed to implement it as soon as possible. In early 1993, NIST was ordered to consider using the Clipper Chip as the new encryption standard. Later that year NIST published the proposed Clipper Chip Key Escrow standard in the Federal Register, and allowed 60 days for public comment. NIST received 320 responses, only 2 positive. The ensuing heated public debates have focused on how to reconcile two fundamentally opposed interests: individual privacy and public safety. In 1994, Michael R. Nelson, a White House Technology Consultant, said that the Clipper Chip proposal was "the Bosnia of Telecommunications." (2)

In addition to aggressively pushing for domestic use of the Clipper Chip, the Clinton Administration aimed to implement stringent export restrictions and licenses on cryptographic products with algorithms stronger than 40-bits. This is the other front of the cryptographic policy debates and the subject of the trilogy of crypto cases that conclude this module.

By the beginning of the 1990s, RSA Data Security, Inc. (the company formed by Rivest, Shamir and Adelman) public key encryption technology was in the process of being adopted by companies such as Apple, AT & T, Lotus, Microsoft and Novell. However, the NSA believed that extremely strong cryptographic techniques incorporating cryptosystems like PGP should be treated like a munition and therefore needed an export license. Despite arguments from U.S. companies that they wouldn't be able to compete in a global market if they were forced to 'water-down' their computer products (by incorporating less than 40-bit cryptography), Congress was sympathetic to the NSA's national security arguments and began working on regulations that required export licensing of products incorporating strong cryptography.

In 1993, AT & T approached the NSA seeking an export license for the Surity 3600 phone security system designed to use the nonexportable DES algorithm. Aware of the high degree of market penetration AT & T possessed with regard to telecommunications devices, the NSA suggested that an export license would not be a problem provided AT & T use a Clipper Chip in their products. If AT & T incorporated the Clipper Chip, it would receive two valuable things. First, AT & T would receive a contract with the U.S. government to buy tens of thousands of phones (with no export ban). Second, AT & T would also sell a lot more phones to private parties because companies would need to use Clipper Chip-equipped devices to communicate with government Clipper Chip phones. Both of these "gains," however, furthered the Clinton Administration's goal of including mandatory key escrow encryption systems in all computers manufactured within, and thus exported from, the U.S.

In 1991, Philip R. Zimmerman, a software engineer and cryptographic consultant, put together a public key encryption program he called Pretty Good Privacy (PGP) for computer data and e-mail use. PGP at the time used a military-grade 128-bit key. Zimmerman literally gave a small number of programs away for free. Sensing that the government was getting very interested in cryptography, Zimmerman wanted to get free copies of PGP in circulation before a possible government ban on strong encryption tools. One of the people that Zimmerman had given a copy of PGP installed it on a computer attached to the Internet it on a computer attached to the Net the day after Zimmerman's free release and within days, thousands of people had copies of military-strength PGP. Partially to avoid violating the ITAR and being charged with munitions trafficking (see below), the second upgrade of PGP was made from New Zealand. While ITAR (and later EAR) controls exports passing out of the U.S., it is much more difficult restricting imports passing into the U.S. from another country. Since Zimmerman's release of PGP in 1991, it has been through several upgrades and revisions, and PGP 6.5.1 is available as freeware downloadable from the MIT distribution site at http://web.mit.edu/network/pgp.html.

In early 1993, Philip Zimmerman received a visit from US Customs Service Agents wanting to know how PGP found its way overseas without an export license from the State Department. Beginning in fall 1993, Zimmerman was targeted by grand jury investigation in San Jose, California. The investigation dragged on for more than three years and eventually dropped the case because of the difficulty in obtaining injunctive relief outside of the U.S.

While no charges were ultimate brought, Zimmerman's situation was a foreshadowing of the disputes that Philip Karn, Peter Junger and Daniel Bernstein would encounter when they challenged the ability of the U.S. Government to use export-licensing regimes to prevent the placing of strong encryption programs on Internet-accessible computers.

(1) Steven Levy, The Cypherpunks vs. Uncle Sam: Battle of the Clipper Chip, New York Times Sunday Magazine, June 12, 1994, at 48

(2) Steven Levy, The Cypherpunks vs. Uncle Sam: Battle of the Clipper Chip, New York Times Sunday Magazine, June 12, 1994, at 51

This module now shifts from question and answer mode into a brief chronology and outline of Export restrictions on strong encryption in the 1990s.

On November 15, 1996 President Clinton transferred jurisdiction over regulated cryptographic tools from the State Department to the Commerce Department in Executive Order No. 13026. The Clinton Administration never formally acknowledged that this shift was in response to the Bernstein II decision in the Northern District of California, released October 24, 1996. However, in the Bernstein II opinion Judge Marilyn Patel found the ITAR regulations an unconstitutional prior restraint as applied to Professor Bernstein's SNUFFLE encryption program, implicating the importance of the jurisdiction shift as the groundwork for the Bernstein III and Bernstein IV opinions.

In order to understand the current Export Administration Regulations that are administered by the Commerce Department, you must also have an understanding of the pre-1996 regulatory scheme, which played a big part in bringing the controversies over strong encryption to where they are today.

AECA: The Arms Export Control Act, which is the Congressional statutory authorization for the International Traffic in Arms Regulations (ITAR).

BXA: Bureau of Export Administration, the federal agency that controls most exports from the U.S.

U.S. Department of State: the Cabinet Department that initially held jurisdiction over the export of cryptographic items under the AECA and the ITAR.

ITAR: The International Traffic in Arms Regulations. Regulation that controlled the import, export and manufacture of items on the United States Munitions List (USML). To be found at 22 C.F.R. Sections 120-130.

ODTC: Office of Defense Trade Controls. Prior to the end of 1996, the ODTC was the federal agency responsible for determining whether an item qualified as a controlled item, and therefore required an export license, under the USML and the ITAR.

USML: The United States Munitions List was created under the AECA as the list of "defense articles and defense services," which were almost all weapons, explosives, and military vehicles. Items listed on the USML required a munition dealer license before they could be exported or imported. Until the end of 1996, cryptographic items were controlled under Category XIII (b)(1) of the list. To be found at 22 C.F.R. Section 121.1.

Prior to 1996, the International Traffic In Arms Regulations ("ITAR") and the Arms Export Control Act ("AECA") were used by the U.S. Department of State to regulate the export of products using encryption. ITAR concerned primarily explosives, weapons and military vehicles. Until November 15, 1996, ITAR also included cryptographic systems "including key management systems, equipment, assemblies modules, integrated circuits, components or software with the capability of maintaining secrecy or confidentiality of information or information systems…". (1) Generally, any product incorporating an encryption algorithm stronger than 40-bits required an export license. Except for financial and banking institutions, licenses for export of products containing 56-bit DES were restricted and virtually never granted.

ITAR allowed the U.S. State department to directly control items listed on the USML as well as "technical data" about a listed item. Thus, if 40-bit plus encryption software was listed on the USML, then "technical data" related to encryption software, i.e., documentation of encrypted algorithms, was also subject to export license restrictions. The 40-bit line was drawn so that, theoretically, the NSA would be able to crack any encryption shipped abroad. In reality, however, extremely strong cryptography without any "backdoor" escrowed key was widely available during the 1990's from numerous foreign sites in countries such as Finland, making the rationale of preserving the NSA's ability to crack foreign codes implausible. For example, U.S. Law Professor Peter Junger was unable to remain in compliance with ITAR after posting his computer source code on an internet discussion list in response to a virtually identical encryption algorithm already posted by a British national.

ITAR was created by the ACEA, which was enacted in the early 1990s in response to Congressional concerns over military security threats to U.S. interests in the Persian Gulf region due to an overproliferation of munitions. Willful violation of the ITAR was a criminal offense (with fines of up to $1 million and imprisonment of up to 10 years), to be investigated and

In the event of unclear coverage, a party had the option to submit a "commodity jurisdiction" request to the ODTC, which would then make a determination of whether or not the product is covered by the USML. Once such a designation was made, it was not subject to judicial review except on constitutional grounds. (3) This is the type of application that Professor Bernstein made in 1992, under the ITAR, so that he could post his strong encryption algorithm SNUFFLE on the Internet for his students to access and download.

An "export" for purposes of the ITAR included sending outside of the U.S. and "[d] isclosing (including oral or visual disclosure) or transferring of technical data to a foreign person, whether in the U.S. or abroad, (4) " and thus could easily include the posting of source or object code on an Internet USENET newsgroup that discussed cryptography such as "sci.crypt."

CCL: The Commerce Control List. Analogous to the USML for non-military items. Anyone wishing to export items listed on the CCL must obtain a license from the BXA. To be found at 15 C.F.R. Section 774.

U.S. Department of Commerce: Cabinet agency given jurisdiction over export of cryptographic items after 1996 by the Clinton Administration Jurisdictional Transfer. The Commerce Department is responsible for issuing the EAR amendments.

EAR: Export Administration Regulations. The regulations controlling the import and export of items found on the CCL. Analogous to the ITAR under the old regulations. To be found at 50 U.S.C. Sections 2401 et seq.

EAR Amendments: New rules promulgated by the Commerce Department to control cryptographic items per President Clinton's Jurisdictional Transfer order. To be found at 51 Fed. Reg. 68572-587.

Jurisdictional Transfer: Executive Order 13026, to be found at 61 Fed. Reg. 58768 (issued November 15, 1996), in which President Clinton transferred jurisdiction over most cryptographic items from the State Department to the Commerce Department.

On November 15, 1996 President Clinton issued Executive Order 13026 transferring jurisdiction over regulated cryptographic tools from the U.S. State Department to the U.S. Commerce Department, citing concern for the increasing use of encryption tools in nonmilitary contexts.

This meant that all encryption tools formerly listed on the USML and regulated under ITAR via the AECA were now placed on the Commerce Control List (CCL), created by the Export Administration Act of 1969. It was this act which allowed the Bureau of Export Administration (BXA) to issue the 1997 Export Administration Regulations (the "EAR" amendments). Anyone seeking to export an item listed on the CCL needed a prior license from BXA. In his Executive Order, President Clinton explicitly retained the non-judicial review provisions regarding licensing and listing determinations. Also, Clinton's Executive Order required that "export" for purposes of encryption tools meant all forms of Internet access.

The Commerce Department officially assumed jurisdiction on December 30, 1996, when it issued the rapidly drafted interim EAR amendments. Under the definition of encryption items, the three new subcategories added to the CCL were: (1) encryption commodities, (2) software and (3) technology containing encryption features.

One distinction between the ITAR and the EAR was that the EAR amendments allowed licensing exemptions after BXA review for software already possessing key escrow and recovery, such as the Clipper Chip. The EAR amendments also allowed export licensing for 56-bit encryption on the condition that if an applicant "makes satisfactory commitments to build and/or market recoverable encryption items and to help build the supporting international infrastructure." (5) The EAR amendments also provided for an expedited 15-day review for "mass market software" as long as it incorporated government-approved algorithms and contains key lengths no longer than 40-bits.

Note however that the EAR Amendments prohibit any person without an export license from "providing technical assistance (including training) to foreign persons with the intent to aid a foreign person in the DEVELOPMENT OR MANUFACTURE OUTSIDE THE UNITED STATES of encryption commodities and software that, if of United State origin, would be controlled." (6) The ITAR did not have this language which probably led to Philip Zimmerman's investigation being dropped, however, had this language been in place at the time, Zimmerman would have been in direct violation when the second update/release of PGP was made over the Internet from a site in New Zealand.

This is the administrative and regulatory backdrop that was in place in the mid-1990s when the trilogy of crypto cases arose.

(1) 22 CFR § 121.1 (1994), Category XIII (b) (1).

(2) 22 U.S.C. § 2778(a)(1).

(3) 22 U.S.C. § 2778(h).

(4) 22 U.S.C. § 120.17.

(5) 61 Fed. Reg. 68,572 (1996).

(6) 15 CFGR Section 744.9(a)(1997).

Bernstein I: Bernstein v. U.S. Department of State, 922 F. Supp. 1426 (N.D. Cal. 1996)(Judge Marilyn Patel refused to dismiss Daniel Bernstein's complaint and held that source code was speech for purposes of a First Amendment challenge to the ITAR) (decided February 1996)

Bernstein II: Bernstein v. U.S. Department of State, 945 F. Supp. 1279 (N.D. Cal. 1996) (Judge Patel declared that the ITAR and AECA were an unconstitutional prior restraint licensing scheme with regard to cryptographic items) (opinion issued on October 24, 1996)

Bernstein III: Bernstein v. U.S. Department of Commerce, 974 F. Supp. 1288 (N.D. Cal. 1997)((Judge Patel reprised her prior ITAR ruling with respect to the CCL and the EAR amendments)(opinion issued on August 25, 1997)

Bernstein IV: Bernstein v. U.S. Department of Justice, 176 F. 3d 1132 (9^th Cir. 1999) (opinion issued May 6, 1999) (Judge Betty Fletcher affirmed the District Court's finding that the EAR regulations were facially invalid as a prior restraint on speech; but note Judge T.G. Nelson's strong dissent arguing that encryption source code is not expression but a functional tool)

Karn v. U.S. Department of State, 925 F. Supp. 1 (D.D.C. 1996)(Judge Charles Richey granting U.S. Gov't Summary Judgement motion on Karn's claims); Karn v. U.S. Department of State, 107 F.3d 923 (D.C. Cir. 1997)(refusal to consider merits or constitutional issues and remand to District Court to consider reviewability of Karn's claims under the Administrative Procedures Act)

Junger v. Daley, 8 F. Supp. 2d 708 (N.D. Ohio 1998) (U.S. Gov't Summary Judgement motion granted by Judge James Gwin) (note that as of March 10, 1999, Professor Junger has appealed this decision to the Sixth Circuit and the government has responded with a countermotion. The briefs are available at: http://samsara.LAW.CWRU.Edu/comp_law/jvd; Junger v. Daley (opinion filed April 4, 2000, 6^th Circuit)

* * * * * * * * * * * * * * * * * * * * * * * * * * *

Q: Are attempts to control the spread of strong encryption by the U.S. Government attempts to control "speech" or "conduct"?

Q: What does the idea that in cyberspace the First Amendment is a local ordinance mean for regulating strong cryptography?

Q.: What does the idea that some Cyberpundits have floated out that the Internet interprets censorship as damage and routes around it likewise mean for regulating strong cryptography?

Q: Is Object Code considered outside first amendment protection? Should it be? Source Code?

Q: Are communication and functionality mutually exclusive?

Q.: The EAR amendments make distinctions between printed source code (such as you would find in a book) and source code within electronic media -- should the choice of medium affect the scope of first amendment protection?

Q.: If the problem of geographic containment of Strong encryption technology on the Internet can only be solved by forbidding the posting of such encryption on a computer connected to the Internet, are "ample alternatives" available to the foreclosed communicative outlets to UseNet, and are they really adequate substitutes?

Q.: What does the notion of strong cryptography as a form of privacy "self-help" mean when we talk about copyright management schemes that may be used to encrypt uncopyrightable materials as well as legal regimes that make it a crime to tamper with such copyright management systems?

Q.: What, if any, metaphors are helpful (or harmful) when discussing the Internet?

B. Brief Background on the Bernstein I, II, & III cases.

In 1992, a then-Berkeley graduate mathematics student, Daniel Bernstein came up with a public key encryption algorithm he named named "Snuffle." He prepared the "Snuffle" materials in two formats: one, a paper for publication and second, computer source code that he wanted to post on the UseNet newsgroup "sci.crypt, " a group devoted to discussions of cryptographic techniques. However, Bernstein also knew that he ran a risk of violating the ITAR if he made such a posting and so he submitted a Commodity Jurisdiction Request in June 1992, as required by ITAR, to the Office of Defense Trade Controls. The ODTC responded that they considered both his paper and the source code for "Snuffle" as defense items as defined by Category XIII of the USML, and as such, were subject to licensing by the U.S. State Department. Bernstein corresponded inconclusively with the ODTC about their rationale for this classification for a year.

In 1993, Bernstein, in an attempt to clarify exactly what was and wasn't classified as a defense item and therefore subject to export licensing, submitted five Commodity Jurisdictions to the ODTC for: (1) his paper, entitled, "The Snuffle Encryption System;" (2) "the computer source code for the encryption program "Snuffle.c"; (3) the computer source code for the decryption program "Unsnuffle.c"; (4) a set of plain English instructions on how to use "Snuffle"; and (5) instructions on how to program a computer to use "Snuffle." The ODTC determined all five items were defense items and therefore subject to export licensing.

1. Bernstein v. U.S. Department of State, 922 F. Supp. 1426 (N.D. Cal. 1996) (Bernstein I)

In September 1992, Bernstein appealed the ODTC's Commodity Jurisdiction within the agency, but because he hadn't received a response in over a year, he sued for declaratory and injunctive relief against the ODTC enforcing ACEA and ITAR enforcement. Bernstein's claims were limited to Constitutional claims since the ACEA foreclosed judicial review of administrative classifications. Bernstein claimed the ITAR constituted (1) an impermissible content-based speech restriction; (2) that the export restrictions constituted an invalid prior restraint scheme; (3) that the ACEA/ITAR scheme was unconstitutionally vague and overbroad; and (4) that the way the ITAR had been administered constituted an "abuse of discretion" under the Administrative Procedure Act.

Judge Marilyn Patel, writing for the Northern District of California, rejected the government's motion to dismiss and ruled that Bernstein indeed had a colorable constitutional claim. She also rejected the government argument that computer source code was conduct, not speech, and as such, was not protected by the first amendment. Importantly, Judge Patel found that while source code may be functional (a set of instructions to a computer) it was also a language, and therefore expressive and protected under the first amendment.

2. Bernstein v. U.S. Department of State, 945 F. Supp. 1279 (N.D. Cal. 1996) (Bernstein II)

3. Bernstein v. U.S. Department of Justice, 974 F. Supp. 1288 (N.D. Cal. 1997)(Bernstein III)

Three weeks after the Bernstein II was released, the Clinton Administration shifted jurisdiction over encryption products from the U.S. State Department and ITAR to the U.S. Commerce Department with directions to draft interim EAR amendments. This sudden jurisdiction shift had the effect of rendering Bernstein II instantly moot: the source code for Snuffle, no longer enmeshed by ITAR, was now subject to the EAR amendments. Judge Patel allowed Daniel Bernstein to amend his complaint to include the Commerce Department and the EAR amendments.

On August 25, 1997, almost 5 years since Daniel Bernstein first began to consider posting "Snuffle" to UseNet, Bernstein III was released by the District Court.

Judge Patel began the Bernstein III opinion by noting that there were few differences between ITAR and EAR —both sets of regulations relied on national security and foreign policy interests to justify or bypass first amendment considerations. Both ITAR and EAR acted as unconstitutional prior restraint/licensing schemes aimed at protected first amendment speech without important procedural safeguards. Citing the Lakewood v. Plain Dealer Publishing Co. (2) case, Judge Patel was concerned with the type of standardless discretion with regard to national security and foreign policy that the EAR amendments conferred on the BXA. (3) She also was concerned about the EAR amendments' "teaching exception" and that the explicit bar to providing technical assistance (including training) to foreign persons could also include activities such as teaching or discussing cryptography in an academic setting thereby making "the most common expressive activities of scholars — teaching a class, publishing their ideas, speaking at conferences, or writing to colleagues over the Internet — . . . subject to a prior restraint . . . when they involve cryptographic source code or computer programs." (4) Additionally, she found the printed matter exception (that allowed source code that was printed on paper to move without restriction, the same source code on a computer disk or posted electronically would trigger the export restrictions) in the EAR amendments "so irrational and administratively unreliable that it may well serve to exacerbate the potential for self-censorship." (5) Additionally, Judge Patel found the distinction between print and electronic media in the EAR amendments untenable, particularly after the Supreme Court's opinion in Reno v. ACLU, (6) "Thus, the dramatically different treatment of the same materials depending on the medium by which they are conveyed is not only irrational, it may be impermissible under traditional First Amendment analysis." (7)

The U.S. Department of Justice appealed the Bernstein III case into the 9^th Circuit, arguments were heard in December 1997, and the 9^th Circuit released the Bernstein IV opinion.

(1) 380 U.S. 51, 58 (1965) (The Freedman test asks whether a licensing scheme such as ITAR is constitutional: (1) the licensing agency has to make its decision within a specific and reasonable period of time; (2) prompt judicial review must be available; and (3) the licensing agency/censor must bear the burden of justifying the denial of a license.)

(2) 486 U.S. 750 (1988) (striking down a city ordinance that granted the mayor the power to grant or deny permits for newspaper racks located on public property without an criteria to guide the decisionmaking process)

(3) Bernstein III, at 1308.

(4) Bernstein III, at 1305.

(5) Bernstein III, at 1306. But note the seemingly opposite holding in the Karn v. U.S. Department of State case, supra.

(6) Reno v. ACLU, 117 S. Ct. 2329, 2344 (1997) ("our cases provide no basis for qualifying the level of First Amendment scrutiny that should be applied to this medium")

(7) Bernstein III, at 1307.

1. Bernstein v. Department of Justice (Bernstein IV) (opinion filed May 6, 1999, 9^th Circuit)

2. Junger v. Daley (opinion filed April 4, 2000, 6^th Circuit)

3. Karn v. U.S. Department of State (opinion filed March 22, 1996, District Ct. for the District of Columbia)

JUDGES: Before: Myron H. Bright (Senior United States Circuit Judge for the Eighth Circuit, sitting by designation), Betty B. Fletcher, and Thomas G. Nelson, Circuit Judges. Opinion by Judge B. Fletcher; Concurrence by Judge Bright; Dissent by Judge T.G. Nelson.

B. FLETCHER, Circuit Judge:

The government defendants appeal the grant of summary judgment to the plaintiff, Professor Daniel J. Bernstein ("Bernstein"), enjoining the enforcement of certain Export Administration Regulations ("EAR") that limit Bernstein's ability to distribute encryption software. We find that the EAR regulations (1) operate as a prepublication licensing scheme that burdens scientific expression, (2) vest boundless discretion in government officials, and (3) lack adequate procedural safeguards. Consequently, we hold that the challenged regulations constitute a prior restraint on speech that offends the First Amendment. Although we employ a somewhat narrower rationale than did the district court, its judgment is accordingly affirmed.

The parties and amici urge a number of theories on us. We limit our attention here, for the most part, to only one: whether the EAR restrictions on the export of encryption software in source code form constitute a prior restraint in violation of the First Amendment. We review de novo the district court's affirmative answer to this question. See Roulette v. Seattle, 97 F.3d 300, 302 (9th Cir. 1996).

It is axiomatic that "prior restraints on speech and publication are the most serious and least tolerable infringement on First Amendment rights." Nebraska Press Ass'n v. Stuart, 427 U.S. 539, 559, 49 L. Ed. 2d 683, 96 S. Ct. 2791 (1976). Indeed, the Supreme Court has opined that "it is the chief purpose of the [First Amendment] guaranty to prevent previous restraints upon publication." Near v. Minnesota, 283 U.S. 697, 713, 75 L. Ed. 1357, 51 S. Ct. 625 (1931). Accordingly, "any prior restraint on expression comes ... with a 'heavy presumption' against its constitutional validity." Organization for a Better Austin v. Keefe, 402 U.S. 415, 419, 29 L. Ed. 2d 1, 91 S. Ct. 1575 (1971). At the same time, the Supreme Court has cautioned that "the phrase 'prior restraint' is not a self-wielding sword. Nor can it serve as a talismanic test." Kingsley Books, Inc. v. Brown, 354 U.S. 436, 441, 1 L. Ed. 2d 1469, 77 S. Ct. 1325 (1957). We accordingly turn from "the generalization that prior restraint is particularly obnoxious" to a "more particularistic analysis." Id. at 442. The Supreme Court has treated licensing schemes that act as prior restraints on speech with suspicion because such restraints run the twin risks of encouraging self-censorship and concealing illegitimate abuses of censorial power. See Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 759, 100 L. Ed. 2d 771, 108 S. Ct. 2138 (1988). As a result, "even if the government may constitutionally impose content-neutral prohibitions on a particular manner of speech, it may not condition that speech on obtaining a license or permit from a government official in that official's boundless discretion." Id. at 764 (emphasis in original). We follow the lead of the Supreme Court and divide the appropriate analysis into two parts. The threshold question is whether Bernstein is entitled to bring a facial challenge against the EAR regulations. See 486 U.S. at 755. If he is so entitled, we proceed to the second question: whether the regulations constitute an impermissible prior restraint on speech. See id. at 769.

A licensing regime is always subject to facial challenge (1) as a prior restraint where it "gives a government official or agency substantial power to discriminate based on the content or viewpoint of speech by suppressing disfavored speech or disliked speakers," and has "a close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat of ... censorship risks." Id. at 759.

The EAR regulations at issue plainly satisfy the first requirement - "the determination of who may speak and who may not is left to the unbridled discretion of a government official." 486 U.S. at 763. BXA administrators are empowered to deny licenses whenever export might be inconsistent with "U.S. national security and foreign policy interests." 15 C.F.R. § 742.15(b). No more specific guidance is provided. Obviously, this constraint on official discretion is little better than no constraint at all. See Lakewood, 486 U.S. at 769-70 (a standard requiring that license denial be in the "public interest" is an "illusory" standard that "renders the guarantee against censorship little more than a high-sounding ideal."). The government's assurances that BXA administrators will not, in fact, discriminate on the basis of content are beside the point. See id. at 770 (presumption that official will act in good faith "is the very presumption that the doctrine forbidding unbridled discretion disallows."). After all, "the mere existence of the licensor's unfettered discretion, coupled with the power of prior restraint, intimidates parties into censoring their own speech, even if the discretion and power are never actually abused." Id. at 757.

The more difficult issue arises in relation to the second requirement - that the challenged regulations exhibit "a close enough nexus to expression." We are called on to determine whether encryption source code is expression for First Amendment purposes. (2)

We begin by explaining what source code is. (3) "Source code," at least as currently understood by computer programmers, refers to the text of a program written in a "high-level" programming language, such as "PASCAL" or "C." The distinguishing feature of source code is that it is meant to be read and understood by humans and that it can be used to express an idea or a method. A computer, in fact, can make no direct use of source code until it has been translated ("compiled") into a "low-level" or "machine" language, resulting in computer-executable "object code." That source code is meant for human eyes and understanding, however, does not mean that an untutored layperson can understand it. Because source code is destined for the maw of an automated, ruthlessly literal translator - the compiler - a programmer must follow stringent grammatical, syntactical, formatting, and punctuation conventions. As a result, only those trained in programming can easily understand source code. (4)

Also important for our purposes is an understanding of how source code is used in the field of cryptography. Bernstein has submitted numerous declarations from cryptographers and computer programmers explaining that cryptographic ideas and algorithms are conveniently expressed in source code. (5) That this should be so is, on reflection, not surprising. As noted earlier, the chief task for cryptographers is the development of secure methods of encryption. While the articulation of such a system in layman's English or in general mathematical terms may be useful, the devil is, at least for cryptographers, often in the algorithmic details. By utilizing source code, a cryptographer can express algorithmic ideas with precision and methodological rigor that is otherwise difficult to achieve. This has the added benefit of facilitating peer review - by compiling the source code, a cryptographer can create a working model subject to rigorous security tests. The need for precisely articulated hypotheses and formal empirical testing, of course, is not unique to the science of cryptography; it appears, however, that in this field, source code is the preferred means to these ends.

Thus, cryptographers use source code to express their scientific ideas in much the same way that mathematicians use equations or economists use graphs. Of course, both mathematical equations and graphs are used in other fields for many purposes, not all of which are expressive. But mathematicians and economists have adopted these modes of expression in order to facilitate the precise and rigorous expression of complex scientific ideas. (6) Similarly, the undisputed record here makes it clear that cryptographers utilize source code in the same fashion. (7)

In light of these considerations, we conclude that encryption software, in its source code form (8) and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes, and thus is entitled to the protections of the prior restraint doctrine. If the government required that mathematicians obtain a prepublication license prior to publishing material that included mathematical equations, we have no doubt that such a regime would be subject to scrutiny as a prior restraint. The availability of alternate means of expression, moreover, does not diminish the censorial power of such a restraint - that Adam Smith wrote Wealth of Nations without resorting to equations or graphs surely would not justify governmental prepublication review of economics literature that contain these modes of expression.

The government, in fact, does not seriously dispute that source code is used by cryptographers for expressive purposes. Rather, the government maintains that source code is different from other forms of expression (such as blueprints, recipes, and "how-to" manuals) because it can be used to control directly the operation of a computer without conveying information to the user. In the government's view, by targeting this unique functional aspect of source code, rather than the content of the ideas that may be expressed therein, the export regulations manage to skirt entirely the concerns of the First Amendment. This argument is flawed for at least two reasons.

First, it is not at all obvious that the government's view reflects a proper understanding of source code. As noted earlier, the distinguishing feature of source code is that it is meant to be read and understood by humans, and that it cannot be used to control directly the functioning of a computer. While source code, when properly prepared, can be easily compiled into object code by a user, ignoring the distinction between source and object code obscures the important fact that source code is not meant solely for the computer, but is rather written in a language intended also for human analysis and understanding.

Second, and more importantly, the government's argument, distilled to its essence, suggests that even one drop of "direct functionality" overwhelms any constitutional protections that expression might otherwise enjoy. This cannot be so. (9) The distinction urged on us by the government would prove too much in this era of rapidly evolving computer capabilities. The fact that computers will soon be able to respond directly to spoken commands, for example, should not confer on the government the unfettered power to impose prior restraints on speech in an effort to control its "functional" aspects. The First Amendment is concerned with expression, and we reject the notion that the admixture of functionality necessarily puts expression beyond the protections of the Constitution.

The government also contends that the challenged regulations are immune from prior restraint analysis because they are "laws of general application" rather than being "directed narrowly and specifically at expression." Lakewood, 486 U.S. at 760-61. We cannot agree. Because we conclude that source code is utilized by those in the cryptography field as a means of expression, and because the regulations apply to encryption source code, it necessarily follows that the regulations burden a particular form of expression directly.

The Supreme Court in Lakewood explored what it means to be a "law of general application" for prior restraint purposes. In that case, the Court cited a law requiring building permits as a "law of general application" that would not be subject to a facial attack as a prior restraint, reasoning that such a law carried "little danger of censorship," even if it could be used to retaliate against a disfavored newspaper seeking to build a printing plant. Id. at 761. In the Court's view, "such laws provide too blunt a censorship instrument to warrant judicial intervention prior to an allegation of actual misuse." Id. Unlike a building permit ordinance, which would afford government officials only intermittent and unpredictable opportunities to exercise unrestrained discretion over expression, the challenged EAR regulations explicitly apply to expression and place scientific expression under the censor's eye on a regular basis. In fact, there is ample evidence in the record establishing that some in the cryptography field have already begun censoring themselves, for fear that their statements might influence the disposition of future licensing applications. See, e.g., National Research Council, Cryptography's Role in Securing the Information Society 158 (1996) ("Vendors contended that since they are effectively at the mercy of the export control regulators, they have considerable incentive to suppress any public expression of dissatisfaction with thecurrent process."). In these circumstances, we cannot conclude that the export control regime at issue is a "law of general application" immune from prior restraint analysis. (10)

Because the prepublication licensing scheme challenged here vests unbridled discretion in government officials, and because it directly jeopardizes scientific expression, we are satisfied that Bernstein may properly bring a facial challenge against the regulations. (11) We accordingly turn to the merits.

"The protection even as to previous restraint is not absolutely unlimited." Near, 283 U.S. at 716. The Supreme Court has suggested that the "heavy presumption" against prior restraints may be overcome where official discretion is bounded by stringent procedural safeguards. See FW/PBS, 493 U.S. at 227 (plurality opinion of O'Connor, J.); Freedman v. Maryland, 380 U.S. 51, 58-59, 13 L. Ed. 2d 649, 85 S. Ct. 734 (1965); Kingsley Books, 354 U.S. at 442-43; 11126 Baltimore Blvd. v. Prince George's County, 58 F.3d 988, 995 (4th Cir. 1995) (en banc). As our analysis above suggests, the challenged regulations do not qualify for this First Amendment safe harbor. (12) In Freedman v. Maryland, the Supreme Court set out three factors for determining the validity of licensing schemes that impose a prior restraint on speech: (1) any restraint must be for a specified brief period of time; (2) there must be expeditious judicial review; and (3) the censor must bear the burden of going to court to suppress the speech in question and must bear the burden of proof. (13) See 380 U.S. at 58-60. The district court found that the procedural protections provided by the EAR regulations are "woefully inadequate" when measured against these requirements. Bernstein III, 974 F. Supp. at 1308. We agree.

Although the regulations require that license applications be resolved or referred to the President within 90 days, see 15 C.F.R. § 750.4(a), there is no time limit once an application is referred to the President. Thus, the 90-day limit can be rendered meaningless by referral. Moreover, if the license application is denied, no firm time limit governs the internal appeals process. See 15 C.F.R. § 756.2(c)(1) (Under Secretary "shall decide an appeal within a reasonable time after receipt of the appeal."). Accordingly, the EAR regulations do not satisfy the first Freedman requirement that a licensing decision be made within a reasonably short, specified period of time. See FW/PBS, 493 U.S. at 226 (finding that "a prior restraint that fails to place time limits on the time within which the decisionmaker must issue the license is impermissible"); Riley v. National Fed. of the Blind, 487 U.S. 781, 802, 101 L. Ed. 2d 669, 108 S. Ct. 2667 (1988) (licensing scheme that permits "delay without limit" is impermissible); Vance v. Universal Amusement Co., 445 U.S. 308, 315-17, 63 L. Ed. 2d 413, 100 S. Ct. 1156 (1980) (prior restraint of indefinite duration is impermissible). The EAR regulatory regime further offends Freedman's procedural requirements insofar as it denies a disappointed applicant the opportunity for judicial review. (14) See 15 C.F.R. § 756.2(c)(2); FW/PBS, 493 U.S. at 229 (plurality opinion of O'Connor, J.) (finding failure to provide "prompt" judicial review violates Freedman); Freedman, 380 U.S. at 59 (licensing procedure must assure a prompt final judicial decision).

We conclude that the challenged regulations allow the government to restrain speech indefinitely with no clear criteria for review. As a result, Bernstein and other scientists have been effectively chilled from engaging in valuable scientific expression. Bernstein's experience itself demonstrates the enormous uncertainty that exists over the scope of the regulations and the potential for the chilling of scientific expression. In short, because the challenged regulations grant boundless discretion to government officials, and because they lack the required procedural protections set forth in Freedman, we find that they operate as an unconstitutional prior restraint on speech. (15) See Lakewood, 486 U.S. at 769-772 (holding that newsrack licensing ordinance was an impermissible prior restraint because it conferred unbounded discretion and lacked adequate procedural safeguards).

We emphasize the narrowness of our First Amendment holding. We do not hold that all software is expressive. Much of it surely is not. Nor need we resolve whether the challenged regulations constitute content-based restrictions, subject to the strictest constitutional scrutiny, or whether they are, instead, content-neutral restrictions meriting less exacting scrutiny. We hold merely that because the prepublication licensing regime challenged here applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint on speech.

We will, however, comment on two issues that are entwined with the underlying merits of Bernstein's constitutional claims. First, we note that insofar as the EAR regulations on encryption software were intended to slow the spread of secure encryption methods to foreign nations, the government is intentionally retarding the progress of the flourishing science of cryptography. To the extent the government's efforts are aimed at interdicting the flow of scientific ideas (whether expressed in source code or otherwise), as distinguished from encryption products, these efforts would appear to strike deep into the heartland of the First Amendment. In this regard, the EAR regulations are very different from content-neutral time, place and manner restrictions that may have an incidental effect on expression while aiming at secondary effects.

Second, we note that the government's efforts to regulate and control the spread of knowledge relating to encryption may implicate more than the First Amendment rights of cryptographers. In this increasingly electronic age, we are all required in our everyday lives to rely on modern technology to communicate with one another. This reliance on electronic communication, however, has brought with it a dramatic diminution in our ability to communicate privately. Cellular phones are subject to monitoring, email is easily intercepted, and transactions over the internet are often less than secure. Something as commonplace as furnishing our credit card number, social security number, or bank account number puts each of us at risk. Moreover, when we employ electronic methods of communication, we often leave electronic "fingerprints" behind, fingerprints that can be traced back to us. Whether we are surveilled by our government, by criminals, or by our neighbors, it is fair to say that never has our ability to shield our affairs from prying eyes been at such a low ebb. The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost. Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. Viewed from this perspective, the government's efforts to retard progress in cryptography may implicate the Fourth Amendment, as well as the right to speak anonymously, see McIntyre v. Ohio Elections Comm'n, 514 U.S. 334, 115 S. Ct. 1511, 1524, 131 L. Ed. 2d 426 (1995), the right against compelled speech, see Wooley v. Maynard, 430 U.S. 705, 714, 51 L. Ed. 2d 752, 97 S. Ct. 1428 (1977), and the right to informational privacy, see Whalen v. Roe, 429 U.S. 589, 599-600, 51 L. Ed. 2d 64, 97 S. Ct. 869 (1977). While we leave for another day the resolution of these difficult issues, it is important to point out that Bernstein's is a suit not merely concerning a small group of scientists laboring in an esoteric field, but also touches on the public interest broadly defined.

Because the prepublication licensing regime challenged by Bernstein applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, we hold that it constitutes an impermissible prior restraint on speech. We decline the invitation to line edit the regulations in an attempt to rescue them from constitutional infirmity, and thus endorse the declaratory relief granted by the district court.

AFFIRMED.

BRIGHT, Circuit Judge, separately concurring.

I join Judge Fletcher's opinion. I do so because the speech aspects of encryption source code represent communication between computer programmers. I do, however, recognize the validity of Judge Nelson's view that encryption source code also has the functional purpose of controlling computers and in that regard does not command protection under the First Amendment. The importance of this case suggests that it may be appropriate for review by the United States Supreme Court.

T.G. NELSON, Circuit Judge, Dissenting:

Bernstein was not entitled to bring a facial First Amendment challenge to the EAR, and the district court improperly granted an injunction on the basis of a facial challenge. I therefore respectfully dissent.

The basic error which sets the majority and the district court adrift is the failure to fully recognize that the basic function of encryption source code is to act as a method of controlling computers. As defined in the EAR regulations, encryption source code is "[a] precise set of operating instructions to a computer, that when compiled, allows for the execution of an encryption function on a computer." 15 C.F.R. pt. 722. Software engineers generally do not create software in object code - the series of binary digits (1's and 0's) - which tells a computer what to do because it would be enormously difficult, cumbersome and time-consuming. Instead, software engineers use high-level computer programming languages such as "C" or "Basic" to create source code as a shorthand method for telling the computer to perform a desired function. In this respect, lines of source code are the building blocks or the tools used to create an encryption machine. See e.g., Patrick Ian Ross, Bernstein v. United States Department of State, 13 Berkeley Tech. L.J. 405, 410-11 (1998) ("Electronic source code that is ready to compile merely needs a few keystrokes to generate object code - the equivalent of flipping an 'on' switch. Code used for this purpose can fairly easily be characterized as 'essentially functional.'"); Pamela Samuelson et al., A Manifesto Concerning Legal Protection of Computer Programs, 94 Colum. L. Rev. 2308, 2315-30 (1994) ("Programs are, in fact, machines (entities that bring about useful results, i.e., behavior) that have been constructed in the medium of text (source code and object code)."). Encryption source code, once compiled, works to make computer communication and transactions secret; it creates a lockbox of sorts around a message that can only be unlocked by someone with a key. It is the function or task that encryption source code performs which creates its value in most cases. This functional aspect of encryption source code contains no expression; it is merely the tool used to build the encryption machine.

This is not to say that this very same source code is not used expressively in some cases. Academics, such as Bernstein, seek to convey and discuss their ideas concerning computer encryption. As noted by the majority, Bernstein must actually use his source code textually in order to discuss or teach cryptology. In such circumstances, source code serves to express Bernstein's scientific methods and ideas.

While it is conceptually difficult to categorize encryption source code under our First Amendment framework, I am still inevitably led to conclude that encryption source code is more like conduct than speech. Encryption source code is a building tool. Academics and computer programmers can convey this source code to each other in order to reveal the encryption machine they have built. But, the ultimate purpose of encryption code is, as its name suggests, to perform the function of encrypting messages. Thus, while encryption source code may occasionally be used in an expressive manner, it is inherently a functional device.

We are not the first to examine the nature of encryption source code in terms of First Amendment protection. Judge Gwin of the United States District Court for the Northern District of Ohio also explored the function versus expression conundrum of encryption source code at some length in Junger v. Daley, 8 F. Supp. 2d 708 (N.D. Ohio 1998). Junger, like Bernstein, is a professor, albeit a law professor, who wished to publish in various forms his work on computers, including a textbook, Computers and the Law. The book was determined by the Government to be subject to export without a license, but his software programs were determined to come within the licensing provisions of the EAR. In the course of rejecting Junger's claims, the court said:

Like much computer software, encryption source code is inherently functional; it is designed to enable a computer to do a designated task. Encryption source code does not merely explain a cryptographic theory or describe how the software functions. More than describing encryption, the software carries out the function of encryption. The software is essential to carry out the function of encryption. In doing this function, the encryption software is indistinguishable from dedicated computer hardware that does encryption.

In the overwhelming majority of circumstances, encryption source code is exported to transfer functions, not to communicate ideas. In exporting functioning capability, encryption source code is like other encryption devices. For the broad majority of persons receiving such source code, the value comes from the function the source code does. Id. at 716.

The Junger decision [overruled by the Sixth Circuit in April 2000] thus adds considerable support for the propositions that encryption source code cannot be categorized as pure speech and that the functional aspects of encryption source code cannot be easily ignored or put aside.

Both the district court and the majority hold that because source code can be used expressively in some circumstances, Bernstein was entitled to bring a facial challenge to the EAR. Such an approach ignores the basic tenet that facial challenges are inappropriate "unless, at a minimum, the challenged statute 'is directed narrowly and specifically at expression or conduct commonly associated with expression.'" Roulette v. City of Seattle, 97 F.3d 300, 305 (9th Cir. 1996) (quoting City of Lakewood v. Plain Dealer Publishing Co., 486 U.S. 750, 760, 100 L. Ed. 2d 771, 108 S. Ct. 2138 (1988)). That encryption source code may on occasion be used expressively does not mean that its export is "conduct commonly associated with expression" or that the EAR regulations are directed at expressive conduct. See 97 F.3d at 303 ("The fact that sitting can possibly be expressive, however, isn't enough to sustain plaintiffs' facial challenge."); see also Junger, 8 F. Supp. 2d at 718 ("The prior restraint doctrine is not implicated simply because an activity may on occasion be expressive.").

The activity or conduct at issue here is the export of encryption source code. As I noted above, thebasic nature of encryption source code lies in its functional capacity as a method to build an encryption device. Export of encryption source code is not conduct commonly associated with expression. Rather, it is conduct that is normally associated with providing other persons with the means to make their computer messages secret. The overwhelming majority of people do not want to talk about the source code and are not interested in any recondite message that may be contained in encryption source code. Only a few people can actually understand what a line of source code would direct a computer to do. Most people simply want to use the encryption source code to protect their computer communications. Export of encryption source code simply does not fall within the bounds of conduct commonly associated with expression such as picketing or handbilling. See Roulette, 97 F.3d at 303-04.

Further, the EAR regulates the export of encryption technology generally, whether it is software or hardware. See 15 C.F.R. § 742.15; Junger, 8 F. Supp. 2d at 718 ("The Export Regulations do not single out encryption software."). These regulations are directed at preventing the functional capacity of any encryption device, including its source code, from being exported without a government license. The EAR is not specifically directed towards stifling the expressive nature of source code or Bernstein's academic discussions about cryptography. This is demonstrated by the fact that the regulations do not object to publication in printed form of learned articles containing source code. See 15 C.F.R. § 734.3. Thus, the EAR is generally directed at non-expressive conduct - the export of source code as a tool to make messages secret and impervious to government eavesdropping capabilities.

Because this is a law of general application focused at conduct, Bernstein is not entitled to bring a facial challenge. The district court's injunction based upon the finding of a facial prior restraint is thus impermissible. This is not to say that Bernstein's activities would not be entitled to First Amendment protection, but that the legal path chosen to get that protection must be the correct one. We should be careful to "entertain[ ] facial freedom-of-expression challenges only against statutes that, 'by their terms,' sought to regulate 'spoken words,' or patently 'expressive or communicative conduct.'" Roulette, 97 F.3d at 303 (citing Broadrick v. Oklahoma, 413 U.S. 601, 612-13, 37 L. Ed. 2d 830, 93 S.Ct. 2908 (1973)). Bernstein may very well have a claim under an as-applied First Amendment analysis; however, such a claim must be left to the district court's determination in the first instance. Here, the district court did not rule on Bernstein's as-applied claims. I would therefore vacate the district court's injunction and remand for consideration of Bernstein's as-applied challenges to the EAR. Accordingly, I respectfully dissent.

(1) In using the term "facial challenge" in the prior restraint context, the Supreme Court has meant two distinct things. First, if entitled to bring a facial challenge, a plaintiff need not apply for a license before challenging the licensing regime. See Lakewood, 486 U.S. at 755-56. This is a question of standing. Second, a litigant challenging an enactment on its face champions the rights of those not before the court and thus may attack the statute "whether or not his conduct could be proscribed by a properly drawn statute." Freedman v. Maryland, 380 U.S. 51, 56, 13 L. Ed. 2d 649, 85 S. Ct. 734 (1965); see also Secretary of State of Md. v. J. H. Munson Co., 467 U.S. 947, 957, 81 L. Ed. 2d 786, 104 S. Ct. 2839 (1984); Roulette, 97 F.3d at 303 n.3. This goes to the scope of the constitutional challenge.

(2) As an initial matter, we note that the fact that the regulations reach only "exports" does not reduce the burden on Bernstein's First Amendment rights. It is Bernstein's right to speak, not the rights of foreign listeners to hear, that we are concerned with here. The government does not argue, nor could it, that being cut off from a foreign audience, as distinguished from a domestic one, does not implicate First Amendment concerns. See Bullfrog Films, Inc. v. Wick, 847 F.2d 502, 509 n.9 (9th Cir. 1988). In addition, because the regulations define "export" to include the use of internet fora that may be accessible by foreign nationals, as well as domestic communications with foreign nationals, we think it plain that the regulations potentially limit Bernstein's freedom of speech in a variety of both domestic and foreign contexts. See Reno v. American Civ. Lib. Union, 521 U.S. 844, 117 S. Ct. 2329, 2348-49, 138 L. Ed. 2d 874 (1997) (rejecting government argument that restriction of expression on the internet is justified because ample alternative channels of communication exist).

(3) In undertaking this task, we are mindful that computer technology, and the lexicon of terms that accompanies it, is changing rapidly. Nevertheless, because the regulations speak in terms of "source code," we premise our discussion on the meaning commonly ascribed to this term by the programming community.

(4) It must be emphasized, however, that source code is merely text, albeit text that conforms to stringent formatting and punctuation requirements. For example, the following is an excerpt from Bernstein's Snuffle source code:

(6) We are reminded of at least one occasion in which a judicial thinker resorted to a mathematical equation to express a legal principle. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947) (Judge Hand's famous BPL formula to determine "when the absence of a bargee or other attendant will make the owner of the barge liable for injuries to other vessels if she breaks away from her moorings.").

(7) Bernstein's Snuffle, in fact, provides an illustration of this point. By developing Snuffle, Bernstein was attempting to demonstrate that a one-way hash function could be employed as the heart of an encryption method. The Snuffle source code, as submitted by Bernstein to the State Department, was meant as an expression of how this might be accomplished. The Source Code was plainly not intended as a completed encryption product, as demonstrated by the fact that it was incomplete and not in a form suitable for final compiling. The Source Code, in fact, omits the hash function entirely - until combined with such a function and compiled, Snuffle is incapable of performing encryption functions at all.

Snuffle was also intended, in part, as political expression. Bernstein discovered that the ITAR regulations controlled encryption exports, but not one-way hash functions. Because he believed that an encryption system could easily be fashioned from any of a number of publicly-available one-way hash functions, he viewed the distinction made by the ITAR regulations as absurd. To illustrate his point, Bernstein developed Snuffle, which is an encryption system built around a one-way hash function.

(8) We express no opinion regarding whether object code manifests a "close enough nexus to expression" to warrant application of the prior restraint doctrine. Bernstein's Snuffle did not involve object code, nor does the record contain any information regarding expressive uses of object code in the field of cryptography.

(9) If it were, we would have expected the Supreme Court to start and end its analysis of David Paul O'Brien's burning of his draft card with an inquiry into whether he was kept warm by the ensuing flames. See United States v. O'Brien, 391 U.S. 367, 20 L. Ed. 2d 672, 88 S. Ct. 1673 (1968).

(10) The government also argues that the EAR regulations are "laws of general application" because they are not purposefully aimed at suppressing any particular ideas that may be expressed in source code. With respect to this contention, the panel (including the dissenter) agree that the purpose of the regulations is irrelevant to prior restraint analysis. It is clear that a prior restraint analysis applies equally to content-neutral or content-based enactments. See FW/PBS, Inc. v. Dallas, 493 U.S. 215, 223, 107 L. Ed. 2d 603, 110 S. Ct. 596 (1990) (plurality opinion of O'Connor, J.) ("Because we conclude that the city's licensing scheme lacks adequate procedural safeguards, we do not reach ... whether the ordinance is properly viewed as a content-neutral time, place, and manner restriction. ..."); Lakewood, 486 U.S. at 764 ("Even if the government may constitutionally impose content-neutral prohibitions on a particular manner of speech, it may not condition that speech on obtaining a license or permit from a government official in that official's boundless discretion.") (emphasis in original). Indeed, where unbridled discretion is vested in a governmental official, it is difficult to know whether a licensing regime is content-based or content-neutral. Accordingly, the government's purpose in censoring encryption source code is, at this stage of our First Amendment inquiry, beside the point. In other words, a prepublication licensing regime that has a chilling and censorial effect on expression is properly subject to facial attack as a prior restraint, whatever the purpose behind its enactment. See Lakewood, 486 U.S. at 759 (upholding facial attack against newsrack ordinance because of censorial effects, without discussing governmental purpose for enacting the ordinance).

(11) It is at this juncture that we part ways with the dissent. The dissent concedes that source code can be expressive. Nevertheless, the dissent contends that Bernstein is not entitled to bring a facial attack against the EAR regulation. This argument, it seems to us, is based on two foundations.

First, the dissent conceives of the exchange of source code among scientists as "conduct." We disagree. The source code at issue here is text intended for human understanding, albeit in a specialized language. To say that the "export" of this text is "conduct" for First Amendment purposes, rather than straightforward scientific "expression," is to call into question all distribution and circulation of scientific texts that communicate ideas by using specialized languages. Of course, source code may be functional as well as expressive. We are not persuaded, however, that that fact transmogrifies the distribution of scientific texts from "expression" into "conduct" deserving of diminished First Amendment protection.

Having cast the question as one relating to "conduct," the dissent then takes a second step. Drawing from Lakeside, the dissent asks whether the "conduct" - the exchange of cryptograph