SPECIAL INSERT

Encryption, the Internet and Bernstein v. Dep't of Justice: The First Amendment Rescues Electronic Commerce and Internet Privacy

by Kurt A. Wimmer

It's mid-1999, and the concept of an information economy finally has become more than rhetoric. Internet use has expanded to more than 160 million users worldwide. Electronic commerce is booming, with one company alone reporting more than $1 billion per month of sales over the Internet. The need to protect online privacy has seized the attention of consumer advocates and legislators from Washington to Brussels. Concerns over protecting mission-critical computer systems from hackers are at an all-time high following several devastating virus attacks. U.S. software companies are seeking to further their access to an enormous global market.

And the development and export of encryption software - the one technological means to protect the integrity of e-commerce and computer systems and guard personal privacy on the Internet - is under attack by the U.S. government. What's wrong with this picture?

Encryption - mathematical methods for encoding or scrambling the contents of written or spoken communication so that only the intended recipient can decrypt and access the communication - is widely regarded as the key to secure communications on the Internet. E-commerce relies on strong encryption to protect sensitive credit card and financial data, and Internet users have demanded greater protections for their privacy in both commercial and personal transactions. But the effectiveness of strong encryption to protect privacy has led to concerns by the law enforcement community that international terrorists could use encryption to keep their communications secret from law enforcement. This controversy has led the federal government to regulate encryption software as a munition - under this view, it can only be exported with a license from federal authorities. And because information posted on the Internet generally can be accessed from anywhere in the world, the Administration has taken the position that posting source code for encryption software on the Internet is an "export" that cannot occur unless the government grants the author a license.

This standoff was broken decidedly this summer by a combination of the First Amendment, the Ninth Circuit Court of Appeals in San Francisco, and a tenacious young mathematics professor named Daniel Bernstein. In a groundbreaking decision, the Ninth Circuit held that computer source code was expression protected by the First Amendment, and that the government's regulation of encryption source code effected an unconstitutional prior restraint on protected expression. In its 2-1 decision in Bernstein v. U.S. Dep't of Justice, the court also champ-ioned the importance of protecting the privacy of communications and transactions in the electronic realm. Similar constitutional challenges to government regulation of encryption software are currently pending in the D.C. Circuit and the Sixth Circuit, and Supreme Court review of this issue is likely. (Covington & Burling represents a group of amici challenging the government regulations in all three circuits, including the Electronic Privacy Information Center, Center for Democracy and Technology, National Association of Manufacturers, Internet Society, American Civil Liberties Union, as well as several world-renowned cryptographers.)

Background
Daniel Bernstein, then a graduate mathematics student at the University of California at Berkeley, developed a mathematical encryption formula. His formula was expressed in both a scientific paper and in source code, in a high-level computer programming language called "C". Bernstein sought to publish both the source code and the scientific paper through ordinary channels of scientific interchange - including the Internet, the medium of choice for scientists to debate their methods and conclusions - for evaluation, testing, and critique by his peers. In its Export Administration Regulations, the U.S. Department of Commerce requires anyone wishing to "export" (defined to include publication via the Internet) encryption software to receive a government license. The license may be withheld if the Bureau of Export Administration concludes that publication is not "consistent with U.S. national security and foreign policy interests." Although an unfavorable licensing determination may be appealed to the Executive, there are no time constraints placed on executive review, and no judicial review of a licensing determination is provided for under the regulations.

Bernstein applied for a license to "export" his encryption source code under the predecessor regulatory regime to the Export Administration Regulations. The license was denied. He filed suit, claiming that the regulations imposed an unconstitutional prior restraint on protected expression.

The First Amendment's Scope in the Digital Era
In addressing Bernstein's constitutional challenge, the Ninth Circuit first had to determine whether computer source code was expression protected by the First Amendment. This posed a rather novel legal question. It is well established that the spoken and written word are within the ambit of First Amendment protection because of their power to communicate ideas or emotions to human beings. But does code written in computer programming language really merit First Amendment protection? Does it serve the same sort of communicative role as other forms of protected expression? Even if it has certain communicative elements or features, are these overwhelmed by its functional aspects, as the government argued? In the First Amendment speech/conduct dichotomy, does source code - given its functional qualities - fall on the less-protected "conduct" side of this dichotomy?

Computer source code - which is written in English-like programming languages such as C and BASIC - is distinct from computer object code - which is written in 0s and 1s. While object code directly controls the functioning of a computer, source code can be read and understood by humans and can be used by programmers and mathematicians to communicate with one another. In fact, Bernstein argued that he and his fellow scientists often used source code as a vehicle for communicating mathematical theories on the science of cryptography with precision and mathematical rigor. But, the government contended, even if source code is expressive in some limited sense, it is essentially functional expression deserving of limited First Amendment protection. In any case, the government argued, regulation of encryption software is directed toward the functional aspects of such code - its ability (once translated into object code) to encrypt text, and not at all at the expressive aspects of the code or ideas embodied within it. In her decision for the court, Judge Betty Fletcher held that computer source code merits full protection under the First Amendment despite its functional character. "The fact that computers will soon be able to respond directly to spoken commands, for example, should not confer on the government the unfettered power to impose prior restraints on speech in an effort to control its 'functional' aspects," she wrote. "The First Amendment is concerned with expression, and we reject the notion that the admixture of functionality necessarily puts expression beyond the protections of the Constitution."

Upon finding source code to be expression protected by the First Amendment, the Court had little difficulty in concluding that the licensing scheme embodied in the Export Administration regulations imposed an unconstitutional prior restraint. In order to satisfy the dictates of the First Amendment, a pre-publication licensing scheme must either provide for certain procedural safeguards, or fall within an extremely narrow class of cases where the publication at issue would directly and imminently imperil national security - the Pentagon Papers standard. For materials that don't meet this "national security" test, a licensing scheme is only permissible if it restrains expression for only a specified brief time period and provides for swift judicial review. The government did not contend that the Internet publication of encryption source code would directly and imminently imperil national security, and the court found that the regulations utterly failed to provide the required procedural safeguards. There are no time limits at all imposed upon review of a denial of a license, and one denied a license is not provided with any opportunity for judicial review (much less expeditious judicial review). Thus, the regulations imposed an unconstitutional prior restraint on protected expression in violation of the First Amendment.

Privacy in the Digital Era
Beyond its groundbreaking First Amendment holding, the court also recognized that certain Fourth Amendment interests were at stake in the case before it. Judge Fletcher discussed the important role that encryption software plays in preserving the privacy interests of those who communicate and conduct business electronically using technologies such as e-mail, the Internet, and cellular phones. Without well-developed encryption technology, the court explained, we will be unable to carry over to the electronic realm the privacy in our communications and transactions that we have historically enjoyed in the non-electronic realm.

"In this increasingly electronic age," Judge Fletcher wrote, "we are all required in our everyday lives to rely on modern technology to communicate with one another. This reliance on electronic communication, however, has brought with it a dramatic diminution in our ability to communicate privately. . . . Whether we are surveilled by our government, by criminals, or by our neighbors, it is fair to say that never has our ability to shield our affairs from prying eyes been at such a low ebb." But, Judge Fletcher found, strong encryption may hold the promise to recover some of the privacy that new technologies have undermined. Accordingly, "Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. Viewed from this perspective, the government's efforts to retard progress in cryptography may implicate the Fourth Amendment, as well as the right to speak anonymously, the right against compelled speech, and the right to informational privacy." In sum, the court recognized that the unfettered development and use of strong encryption technology best serves the public interest in protecting the privacy of electronic communications and transactions.

The Future of Encryption, Privacy and Free Expression
The broad holding of Bernstein provides a much-needed second step in the establishment of cyber-rights that was begun in Reno v. ACLU. In the Reno case, the U.S. Supreme Court established that the First Amendment applied in full force in cyberspace. The value of that case lies not only in its holding striking down portions of the Communications Decency Act, but in the scope of its language and analysis. Similarly, the Bernstein court now has established that computer source code is protected by the First Amendment and has done so in a decision that recognizes that privacy rights are of crucial importance in an age defined by electronic commerce and Internet communication. The Bernstein case thus provides a basis for moving forward. The most immediate benefit is that crypto-graphers such as Professor Bernstein finally will be able to discuss their science on the Internet effectively and with the protection of the First Amendment. The more global benefits, however, may inure to much broader groups. U.S. software companies that have been hampered in their efforts to market encryption software abroad will be able to more effectively compete with their international counterparts. U.S. companies that wish to secure their communications by exporting encryption software to their partners and employees abroad will be free to do so. Secure electronic commerce will be able to extend past our borders, and U.S. companies will be able to market goods and services effectively to security-conscious consumers around the world. Perhaps most importantly, the e-mail and other Internet communications of individuals everywhere will have the potential to be private. The path toward the effective use of encryption is not, of course, an entirely clear one. The Department of Justice is considering further attacks to the holding of the panel in Bernstein, and it almost certainly either will seek rehearing by the entire court or review by the U.S. Supreme Court. Two other federal Courts of Appeal have cases pending before them involving similar First Amendment challenges to export restrictions on encryption. In Junger v. Daley, 8 F. Supp. 2d. 708 (N.D. Ohio 1998), currently pending before the Sixth Circuit, computer law professor Peter Junger was refused a government license to publish encryption source code via the Internet. Junger is appealing from the district court's decision that source code - because of its functional characteristics - cannot be characterized as "pure speech" and does not merit full protection under the First Amendment. In Karn v. U.S. Dep't of State, 925 F. Supp. 1 (D.D.C. 1996), now on remand from the D.C. Circuit, cryptographer Philip Karn was also refused a government license to publish encryption source code in electronic form. The district court in Karn held that, because the government regulations were not motivated by a desire to suppress expression but rather by legitimate national security interests, the First Amendment was not offended. If, as is likely, either the Sixth Circuit or D.C. Circuit companion cases are resolved differently from Bernstein, Supreme Court review of this important legal issue is likely.

PROJECT ECHELON
[The following is from the ACLU web site on Project Echelon. This has been reprinted with the permission of the ACLU. We thought this might be interesting to section members in the context of a discussion of internet communications.]

Q - What is Project ECHELON?
ECHELON is a code word for an automated global interception and relay system operated by the intelligence agencies in five nations: the United States, the United Kingdom, Canada, Australia and New Zealand (it is rumored that different nations have different code words for the project). While the United States National Security Agency (NSA) takes the lead, ECHELON works in conjunction with other intelligence agencies, including the Australian Defence Signals Directorate (DSD). It is believed that ECHELON also works with Britain's Government Communications Headquarters (GCHQ) and the agencies of other allies of the United States, pursuant to various treaties. (1)

These countries coordinate their activities pursuant to the UKUSA agreement, which dates back to 1947. The original ECHELON dates back to 1971. However, its capabilities and priorities have expanded greatly since its formation. According to reports, it is capable of intercepting and processing many types of transmissions, throughout the globe. In fact, it has been suggested that ECHELON may intercept as many as 3 billion communications everyday, including phone calls, e-mail messages, Internet downloads, satellite transmissions, and so on. (2) The ECHELON system gathers all of these transmissions indiscriminately, then distills the information that is most heavily desired through artificial intelligence programs. Some sources have claimed that ECHELON sifts through an estimated 90 percent of all traffic that flows through the Internet. (3)

However, the exact capabilities and goals of ECHELON remain unclear. For example, it is unknown whether ECHELON actually targets domestic communications. Also, it is apparently very difficult for ECHELON to intercept certain types of transmissions, particularly fiber communications.

Q - How does ECHELON work?
ECHELON apparently collects data in several ways. Reports suggest it has massive ground based radio antennae to intercept satellite transmissions. In addition, some sites reputedly are tasked with tapping surface traffic. These antennae reportedly are in the United States, Italy, England, Turkey, New Zealand, Canada, Australia, and several other places. (4)

Similarly, it is believed that ECHELON uses numerous satellites to catch "spillover" data from transmissions between cities. These satellites then beam the information down to processing centers on the ground. The main centers are in the United States (near Denver), England (Menwith Hill), Australia, and Germany. (5)

According to various sources, ECHELON also routinely intercepts Internet transmissions. The organization allegedly has installed numerous "sniffer" devices. These "sniffers" collect information from data packets as they traverse the Internet via several key junctions. It also uses search software to scan for web sites that may be of interest. (6)

Furthermore, it is believed that ECHELON has even used special underwater devices which tap into cables that carry phone calls across the seas. According to published reports, American divers were able to install surveillance devices on to the underwater cables. One of these taps was discovered in 1982, but other devices apparently continued to function undetected. (7)

It is not known at this point whether ECHELON has been able to tap fiber optic phone cables. Finally, if the aforementioned methods fail to garner the desired information, there is another alternative. Apparently, the nations that are involved with ECHELON also train special agents to install a variety of special data collection devices. One of these devices is reputed to be an information processing kit that is the size of a suitcase. Another such item is a sophisticated radio receiver that is as small as a credit card. (8)

After capturing this raw data, ECHELON sifts through them using DICTIONARY. DICTIONARY is actually a special system of computers which find pertinent information by searching for key words, addresses, etc. These search programs help pare down the voluminous quantity of transmissions which pass through the ECHELON network every day. These programs also seem to enable users to focus on any specific subject upon which information is desired. (9)

Q - If ECHELON is so powerful, why haven't I heard about it before?
The United States government has gone to extreme lengths to keep ECHELON a secret. To this day, U.S. government refuses to admit that ECHELON even exists. We know it exists because the Australian government (through its Defence Signals Directorate) has admitted to this fact. (10) However, even with this revelation, U.S. officials have refused to comment.

This "wall of silence" is beginning to erode. The first report on ECHELON was published in 1988. (11) In addition, besides the revelations from Australia, the Scientific and Technical Options Assessment program office (STOA) of the European Parliament commissioned two reports which describe ECHELON's activities. These reports unearthed a startling amount of evidence, which suggests that ECHELON's powers may have been underestimated. The first report, entitled "An Appraisal of Technologies of Political Control", suggested that ECHELON primarily targeted civilians.

This report found that:
"The ECHELON system forms part of the UKUSA system but unlike many of the electronic spy systems developed during the cold war, ECHELON is designed for primarily non-military targets: governments, organisations and businesses in virtually every country. The ECHELON system works by indiscriminately intercepting very large quantities of communications and then siphoning out what is valuable using artificial intelligence aids like Memex to find key words. Five nations share the results with the US as the senior partner under the UKUSA agreement of 1948, Britain, Canada, New Zealand and Australia are very much acting as subordinate information servicers.

"Each of the five centres supply "dictionaries" to the other four of keywords, phrases, people and places to "tag" and the tagged intercept is forwarded straight to the requesting country. Whilst there is much information gathered about potential terrorists, there is a lot of economic intelligence, notably intensive monitoring of all the countries participating in the GATT negotiations. But Hager found that by far the main priorities of this system continued to be military and political intelligence applicable to their wider interests. Hager quotes from a "highly placed intelligence operatives" who spoke to the Observer in London. "We feel we can no longer remain silent regarding that which we regard to be gross malpractice and negligence within the establishment in which we operate." They gave as examples. GCHQ interception of three charities, including Amnesty International and Christian Aid. "At any time GCHQ is able to home in on their communications for a routine target request," the GCHQ source said. In the case of phone taps the procedure is known as Mantis. With telexes its called Mayfly. By keying in a code relating to third world aid, the source was able to demonstrate telex "fixes" on the three organisations. With no system of accountability, it is difficult to discover what criteria determine who is not a target." (12)

The most recent report, known as "Interception Capabilities 2000", describes ECHELON capabilities in even more elaborate detail. (13)

In addition, an Italian government official has begun to investigate Echelon's intelligence-gathering efforts, based on the belief that the organization may be spying on European citizens in violation of Italian or international law. (14)

The Danish Parliament also has begun an inquiry.

Events in the United States have also indicated that the "wall of silence" might not last much longer. Exercising their Constitutionally created oversight authority, members of the House Select Committee on Intelligence recently started asking questions about the legal basis for NSAís ECHELON activities. In particular, the Committee wanted to know if the communications of Americans were being intercepted and under what authority, since US law severely limits the ability of the intelligence agencies to engage in domestic surveillance. When asked about its legal authority, NSA invoked the attorney-client privilege and refused to disclose the legal standards by which ECHELON might have conducted its activities. (15)

President Clinton has now signed into law a funding bill which would, at a minimum, require the NSA to report on the legal basis for ECHELON and similar activities. (16)

In addition, Rep. Bob Barr (R-GA), who has taken the lead in Congressional efforts to ferret out the truth about ECHELON has arranged for the House Government Reform and Oversight Committee to hold oversight hearings.(17)

Finally, the Electronic Privacy Information (EPIC) has sued the U.S. Government, hoping to obtain documents which would describe the legal standards by which ECHELON operates.(18)

Q - What is being done with the information that ECHELON collects?
The original purpose of ECHELON was to protect national security. That purpose continues today. For example, we know that ECHELON is gathering information on North Korea. Sources from Australiaís DSD have disclosed this much because Australian officials help operate the facilities there which scan through transmissions, looking for pertinent material. (19)

However, national security is not ECHELONís only concern. Reports have indicated that industrial espionage has become a part of ECHELONís activities. While present information seems to suggest that only high- ranking government officials have direct control over ECHELONís tasks, the information that is gained may be passed along at the discretion of these very same officials. As a result, much of this information has been given to American companies, in apparent attempts to give these companies an edge over their less knowledgeable counterparts. (20)

In addition, there are concerns that ECHELONís actions may be used to stifle political dissent. Many of these concerns were voiced in a report commissioned by the European Parliament. What is more, there are no known safeguards to prevent such abuses of power. (21)

Q -Is there any evidence that ECHELON is doing anything improper or illegal with the spying resources at its disposal?
ECHELON is a highly classified operation, which is conducted with little or not oversight by national parliaments or court. Most of what is known comes from whistleblowers and classified documents. The simple truth is that there is no way to know precisely what ECHELON is being used for.

But there is evidence, much of which is circumstantial, that ECHELON (along with its British counterpart) has been engaged in significant invasions of privacy. These alleged violations include secret surveillance of political organizations, such as Amnesty International. (22) It has also been reported that ECHELON has engaged in industrial espionage on various private companies such as Airbus Industries and Panavia, then has passed along the information to their American competitors. (23) It is unclear just how far ECHELONís activities have harmed private individuals.

However, the most sensational revelation was that Diana, Princess of Wales may have come under ECHELON surveillance before she died. As reported in the Washington Post, the NSA admitted that they possessed files on the Princess, partly composed of intercepted phone conversations. While one official from the NSA claimed that the Princess was never a direct target, this disclosure seems to indicates the intrusive, yet surreptitious manner by which ECHELON operates. (24)

What is even more disquieting about these allegations is that if proven, may have circumvented countless laws in numerous countries. Many nations have laws in place to prevent such invasions of privacy. However, there are suspicions that ECHELON has engaged in subterfuge to avoid these legal restrictions. For example, it is rumored that nations would not use their own agents to spy on their own citizens, but assign the task to agents from other countries. (25) In addition, as mentioned earlier, it is unclear just what legal standards ECHELON follows, if any actually exist. Thus, it is difficult to say what could prevent ECHELON from abusing its remarkable capabilities.

Q -Is everyone else doing what ECHELON does?
Maybe not everyone else, but there are plenty of other countries that engage in the type of intelligence gathering that ECHELON performs. These countries apparently include Russia, France, Israel, India, Pakistan and many others. (26) Indeed, the excesses of these ECHELON-like operations are rumored to be similar in form to their American equivalents, including digging up information for private companies to give them a commercial advantage.

However, it is also known that ECHELON system is the largest of its kind. What is more, its considerable powers are enhanced through the efforts of Americaís allies, including the United Kingdom, Canada, Australia, and New Zealand. Other countries don't have the resources to engage in the massive garnering of information that the United States is carrying out.

Notes

1. Development of Surveillance Technology and Risk of Abuse of Economic Information (An appraisal of technologies for political control), Part 4/4: The state of the art in Communications Intelligence (COMINT) of automated processing for intelligence purposes of intercepted broadband multi-language leased or common carrier systems, and its applicability to COMINT targeting and selection, including speech recognition, Ch. 1, para. 5, PE 168.184 / Part 4/4 (April 1999). See Duncan Campbell, Interception Capabilities 2000 (April 1999) (http://www.iptvreports.mcmail.com/stoa_cover.htm).

2. Kevin Poulsen, Echelon Revealed, ZDTV (June 9, 1999) (http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2120457,00.html).

3. Greg Lindsay, The Government Is Reading Your E-Mail, TIME DIGITAL DAILY (June 24, 1999) (http://www.pathfinder.com/time/digital/daily/0,2822,27293,00.html).

4. PE 168.184 / Part 4/4, supra note 1, Ch. 2, para. 32-34, 45-46.

5. Id. Ch. 2, para. 42.

6. Id. Ch. 2, para. 60.

7. Id. Ch. 2, para. 50.

8. Id. Ch. 2, para. 62-63.

9. An Appraisal of Technologies for Political Control, at 20, PE 166.499 (January 6, 1998). See Steve Wright, An Appraisal of Technologies for Political Control (January 6, 1998) (http://cryptome.org/stoa-atpc.htm).

10. Letter from Martin Brady, Director, Defence Signals Directorate, to Ross Coulhart, Reporter, Nine Network Australia 2 (Mar. 16, 1999) (on file at http://sunday.ninemsn.com.au/sunday_images/cover/DSD_page1.gif and http://sunday.ninemsn.com.au/sunday_images/cover/DSD_page2.gif

11. Duncan Campbell, Somebody's Listening, NEW STATESMAN,12 August 1988, Cover, pages 10-12. See Duncan Campbell, ECHELON: NSA's Global Electronic Interception, (last visited October 12, 1999) (http://jya.com/echelon-dc.htm).

12. PE 166.499, supra note 9, at 19-20.

13. PE 168.184 / Part 4/4, supra note 1.

14. Nicholas Rufford, Spy Station F83, SUNDAY TIMES (London), May 31, 1998. See Nicholas Rufford, Spy Station F83 (May 31, 1998) (http://www.sunday-times.co.uk/news/pages/sti/98/05/31/stifocnws01003.html?999).

15. H. Rep. No. 106-130 (1999). See Intelligence Authorization Act for Fiscal Year 2000, Additional Views of Chairman Porter J. Goss, (last visited August 24, 1999) (http://www.echelonwatch.org/goss.htm).

16. Intelligence Authorization Act for Fiscal Year 2000, Pub. L. 106-120, Section 309, ___ Stat. ___ (1999). See H.R. 1555 Intelligence Authorization Act for Fiscal Year 2000 (Enrolled Bill (Sent to President)), (last visited Dec.17, 1999) (http://www.echelonwatch.org/hr1555c.htm).

17. House Committee to Hold Privacy Hearings, (August 16, 1999) (http://www.house.gov/barr/p_081699.html).

18. ELECTRONIC PRIVACY INFORMATION CENTER, PRESS RELEASE: LAWSUIT SEEKS MEMOS ON SURVEILLANCE OF AMERICANS; EPIC LAUNCHES STUDY OF NSA INTERCEPTION ACTIVITIES (1999). See also Electronic Privacy Information Center, EPIC Sues for NSA Surveillance Memos (last visited December 17, 1999) (http://www.epic.org/open_gov/foia/nsa_suit_12_99.html).

19. Ross Coulhart, Echelon System: FAQs and website links, (May 23, 1999) (http://sunday.ninemsn.com.au/sun_bg2.asp?id=817).

20. PE 168.184 / Part 4/4, supra note 1, Ch. 5, para. 101-103.

21. PE 166.499, supra note 9, at 20.

22. Id.

23. PE 168.184 / Part 4/4, supra note 1, Ch. 5, para. 101-102.

24. Vernon Loeb, NSA Admits to Spying on Princess Diana, WASHINGTON POST, December 12, 1998, at A13. See Vernon Loeb, NSA Admits to Spying on Princess Diana, WASHINGTON POST, A13 (December 12, 1998) (http://www.washingtonpost.com/wp-srv/national/daily/dec98/diana12.htm).

25. Ross Coulhart, Big Brother is Listening, (May 23, 1999) (http://sunday.ninemsn.com/sun_cover2.html?id=818).

26. PE 168.184 / Part 4/4, supra note 1, Ch. 1, para. 7.