
Controls on Export of Encryption Source Code in Jeopardy But Not Gone Yet

It is rare that a court reviews a challenge to the government's administration of export controls. Agency decisions in the area almost never are subject to judicial review. About the only way a would-be exporter can seek judicial recourse is to claim a constitutional right has been violated. That's exactly what then-graduate student, now professor, Daniel Bernstein did. The result was a court decision last week that, if it remains the law (a huge "if"), will force the Clinton Administration and Congress to revisit their entire approach toward one of the most sensitive areas in export -- and in e-commerce -- today: encryption.

On May 6, the U.S. Court of Appeals for the Ninth Circuit, in Bernstein v. U.S. Dep't of Justice (Case No. 97-16686, May 6, 1999), invalidated the U.S. government's regulation of the export of cryptographic source code. The court majority reasoned that source code is a form of speech and, as such, the Bureau of Export Administration ("BXA") licensing requirement transgresses the First Amendment. Technology companies, the financial services industry, and just about any business hoping to engage in transactions on the Web would do well to pay close attention to the court's decision and to its aftermath.

Backdrop To The Case

Ever since the first realization that the government creation called the Internet might find its true (profitable) calling through commerce, U.S. authorities have struggled with the right approach toward the use and proliferation of cryptography. American businesses, recognizing the perils and promise of the new medium, have demanded the ability to authenticate parties and messages, to secure documents from tampering and to protect privacy on-line. U.S. technology companies have responded, quickly establishing a leading presence in the global development and improvement of encryption techniques.

At the same time, the U.S. government has grown ever more fearful that widespread dissemination of cryptographic technology will finally give the "bad guys" the upper hand -- the ability to shield their dastardly activities from the prying eyes and ears of law enforcement and national intelligence agencies. With no legal authority to restrict use of encryption domestically, America's cops and spies turned to the one avenue open to them -- exports, a field in which the government traditionally exercises substantial control and that, at the time, treated encryption products as "defense articles" and included them on the highly regulated U.S. Munitions List, administered by the State Department.

Industry found the restrictions imposed by Munitions List classification to be intolerable and clamored for transfer to the more hospitable regulatory regime reserved for civilian exports, which are administered by BXA in the Department of Commerce. The result? The classic political compromise: transfer of controls to BXA, but with the express delegation of concurrent review authority to State, Defense, the National Security Agency and the FBI. The resulting situation has satisfied no one and, despite subsequent tinkering, the battle rages in the Administration and on Capitol Hill between those favoring tighter controls and those arguing for looser restrictions.

Almost lost in the debate have been three court challenges to the encryption rules, the first of which was finally heard and decided by the federal appeals court this month.

What The Case Was About

Professor Bernstein wanted to post on the Web two encryption programs that exemplified an encryption method he had developed and named "Snuffle," in order to solicit comment and reaction from colleagues around the world. He also wished to provide instructions on how to use the programs. The programs consisted of "source code" -- operating instructions that tell the reader all he or she need know to duplicate the programs themselves.

The government informed Bernstein that his planned posting was an "export" and required a license, which it was free to grant or to deny based on what it viewed as in the "public interest."

Ordinarily, government export-licensing decisions are not subject to judicial challenge. However, Bernstein claimed that the regulations infringed his right to free speech guaranteed by the First Amendment and, as a result, was able to invoke judicial review. Bernstein challenged the regulations "on their face," without regard to the facts of his specific situation. As a result, when the appeals court, in a 2-1 decision, affirmed the district court decision in Bernstein's favor, it invalidated the regulations with respect to source code in their entirety and threw the current encryption export regime into uncertainty.

The Majority's Reasoning

The crux of the majority's reasoning was simple: source code is a form of expression (i.e., speech) and, thus, is entitled to all protections afforded speech by the First Amendment. Courts call a law or regulation that allows the government to restrain speech before it is uttered a "prior restraint." Prior restraints on speech are disfavored; there is a heavy presumption against their validity. They can be justified only in the narrowest of circumstances, and only when subject to both procedural and substantive safeguards to assure that as little speech as possible is curtailed. An example of the skepticism with which courts regard arguments in favor of prior restraint: the Supreme Court's decision in 1971 rejecting the government's claim that publication of confidential Defense Department documents (the "Pentagon Papers") would irreparably harm national security and the Vietnam War effort.

The pivotal question in this case was whether the regulations, in the court's formulation, "exhibit[ed] 'a close enough nexus to expression'" -- in other words, whether the requirement of a license most appropriately should be regarded as a regulation of speech. In view of the long chain of prior-restraint precedent, most observers had little doubt that, if source code were regarded as speech, the regulations would fail to pass Constitutional muster.

Judge Betty Fletcher, writing for herself and perhaps for one other colleague, answered that question in unequivocal terms. Source code, she wrote, at its core is expression because it communicates ideas. Essentially, Judge Fletcher found, source code represents a form of speech that is highly specialized but nevertheless expressive. It allows mathematicians and programmers to exchange ideas with a precision that is not possible in ordinary discourse.

Judge Fletcher rejected the government argument that, because source code can be used to control the operation of a computer without conveying information to the user, the government's regulation can be said to have been targeted at "this unique functional aspect of source code, rather than the content of the ideas that may be expressed therein." To the majority, the two aspects are inseparable; regulation of one is regulation of the other.

Judge Fletcher pointed out that source code is intended for human understanding and must be compiled into "object code" before a computer can make direct use of it. She also questioned the logical extent of the government's "functionality" distinction, wondering how the government would regard voice commands that soon will be used to activate a wide range of computer functions. Under the government's test, Judge Fletcher reasoned, that ordinary speech would lose its protection as a result of its "functional" capabilities -- in her mind a wrongheaded result. Based on these factors, she found the regulations to comprise a direct restriction of speech and, therefore, because they vest virtually limitless discretion in the decision-maker, declared them invalid.

A Dissenting Opinion (Or Two?)

Judge Thomas Nelson, the dissenting member of the panel, focused on the core issue separating him from the majority: in his view, source code is not predominantly speech, although he conceded that in certain circumstances it might be. Consequently, he argued, the regulations do not bear a direct nexus to expression and should not have been subject to Bernstein's broad-based complaint. Instead, contended the dissent, Bernstein's case should have been returned to the district court to allow him to mount an "as applied" challenge to the regulations, in which he would argue that, in his specific circumstances -- given the academic and intellectual nature of his intended exchange -- the source code in question should fall outside of the government's licensing powers.

The third panel member, Judge Bright, concurred with Judge Fletcher's opinion, but also noted "the validity" of Judge Nelson's view and suggested that this case would be appropriate for Supreme Court review.

Next Steps And Implications If Upheld

Where are we now? No responsible company should think the coast is clear and begin exporting source code or products containing controlled encryption features without regulatory authorization. The government has announced its intent to appeal, either for a rehearing by a larger panel of the appellate court or for Supreme Court consideration. In the interim, the Department of Justice is sure to seek a stay -- to preserve the current regulatory status quo until all appeals have been exhausted.

Even if a stay were denied, the court's ruling (unless affirmed by the Supreme Court) technically only extends to the geographic confines of the Ninth Circuit -- California, Oregon, Washington, Nevada, Arizona, Idaho, Montana, Alaska and Hawaii. Similar challenges to the encryption rules are pending before the Sixth Circuit in Ohio and in the federal courts of the District of Columbia.

Moreover, the court expressly limited its holding to source code. Other types of encryption software or commodities are not covered. Although in most instances it may make little sense to regulate object code or the final product incorporating the encryption if the source code itself is unregulated, the government well may insist on its right to restrict export of those items whatever the eventual disposition of the Bernstein decision.

With all that in mind, an affirmance of Bernstein would wreak an upheaval in the government's approach to encryption. At a minimum, it would occasion a fundamental re-thinking of the efficacy of controls when the source code itself would be unregulated.

PHJ&W's Crystal Ball

Our e-group's crystal ball is fairly clear on this one: we think a government appeal, both for a rehearing before a larger panel of the Ninth Circuit ("en banc" review) and, if that fails, to the Supreme Court is a "no-brainer." The court's decision represents the views essentially of a single judge, and this issue raises fascinating questions of the interplay among free speech, technology and national security that other judges will find difficult to resist. Add to that the Supreme Court's much-remarked proclivity to reverse the Ninth Circuit, and we definitely see a conclave in Washington in this issue's future. Although the Supreme Court may wait for the result of the Sixth Circuit's review of the same issue in a different case before taking action, we feel certain that at some point this will reach its docket.

What will happen in the end is much more difficult to predict. Categorizing source code as speech or as "something else" is a difficult task, particularly for judges not known for profound appreciation of the technological underpinnings of terms such as "source code," "hash functions," and other concepts central to an understanding of encryption.

Observers in the business community can take heart in the Supreme Court's 1997 ruling that invalidated attempted restrictions of content on the Internet and offered a ringing endorsement of First Amendment principles in cyberspace. Nevertheless, we think the Supreme Court ultimately will find a narrow way to avoid invalidating the entire regulatory structure, perhaps by carving out specific categories of source code as speech and leaving the rest subject to regulation (much as Judge Nelson's dissent intimates) or perhaps by according source code a lesser, protected status, similar to that of commercial or pornographic speech. Those types of speech traditionally have been able to claim some, but not all, of the panoply of First Amendment protections.

Bottom line: stay tuned, and stay on course. If you run a Web business dependent on encryption to secure your own or customers' information, keep applying for those licenses or license exceptions.
