ANALYSIS OF CURRENT REGULATIONS AND A PREDICTION FOR THE FUTURE
* J.D., Emory University School of Law, Atlanta, Georgia 1999; B.A., Indiana
University, Bloomington, Indiana 1995. Special thanks to Professor Morgan Cloud
for his comments and to Chris Frieden for his editorial assistance.
SUMMARY:
... Information Warfare relies on the most advanced encryption technology. ...
One such encrypted product available to consumers is a computer software program
called Pretty Good Privacy or "PGP." ... In contrast, law enforcement and others
insist that national security calls for stringent regulation of encryption. ...
Due in large part to the enormous opposition to the government's initial
attempts at formulating encryption export policies, the Clinton Administration
began working with all interested groups, from civil libertarians to
representatives of the computer industry to members of law enforcement. ... The
following section details both this restrictive type of legislation and the more
relaxed legislation proposed by opponents, outlining arguments for and against
each proposal. ... Proponents of a regulation like that contained in the
Restrictive Bill argue that such a regulation is not seeking to increase the
government's search and seizure abilities. ... Third, supporters of tighter
encryption controls contend that they are not seeking to increase or decrease
law enforcement's search and seizure capabilities. ... Second, is the encryption
software itself speech? This is the point at which civil libertarians and
computer companies' argument is more vulnerable. ... The Relaxed Bill was
directed at deregulation of encryption software. ...
TEXT:
[*765]
Introduction
Information Warfare. n1 It is the purposeful and strategic use of information,
the ability to cripple a country by decrypting its coded messages, seizing its
financial centers, and disabling its communication hubs. The military, as well
as the FBI, unwaveringly predict information to be the most effective weapon of
the twenty-first century. n2 Specifically, seven areas have been identified as
ways in which information warfare will play an important role, including
electronic warfare, cyber warfare, command and control warfare,
intelligence-based warfare, and "hacker" warfare. n3 Information Warfare relies
on the most advanced encryption technology.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n1. See Information Warfare-Defense Before the House Nat'l Sec. Military
Procurement and Research and Dev. Subcomm., 105th Cong. (1997), available in
1997 WL 154159, at 1 (statement of Duane P. Andrews, chairman, Defense Science
Board Task Force) (recommending "over 50 actions designed to better prepare the
[Defense] Department for this new form of warfare ... [in light of] today's
information-dominated environment and our increasing civil and military
dependence on interconnected information and communications system."). Id. at
1-2.
n2. The Security and Freedom Through Encryption Act: Hearings on H.R. 695 Before
the House Comm. on Nat'l Sec., 105th Cong. 20 (1997) ("Nat'l Security Hearing")
(statement of Representative Jane Harman (D-Cal.)). See also H.R. Rep. No.
105-108, pt. 3, at 3 (1997) ("Nat'l Security Report") ("The U.S. military has
made information warfare a key element of U.S. military strategy and tactics.
U.S. strategy requires that the United States be able to protect its own
communications from interception while exploiting the weaknesses in the
information systems... of potential adversaries.").
See also The Encryption Debate: Criminals, Terrorists, and the Security Needs of
Business and Industry: Hearing Before the Subcomm. on Tech., Terrorism and Gov't
Info. of the Senate Comm. on the Judiciary, 105th Cong. 1 (1997) ("Judiciary
Subcomm. Hearing") (statement of U.S. Senator and Committee Chair Jon Kyl)
(noting that "the United States is leading the world into the information age,
an age in which information, rather than industrial mechanics will likely by the
dominant commodity").
n3. See Nat'l Security Report, supra note 2, at 3.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The problem, however, is that technology is advancing so rapidly that civilians
n4 are now utilizing a process in their daily lives that was once found only in
the military arena, namely, encryption.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n4. In its report on a proposed bill redefining the United States encryption
policy, the Committee on International Relations identified several civilian
uses for encryption. To name a few, banking systems, stock markets, air traffic
control systems, and television networks are all presently using encryption.
H.R. Rep. No. 105-108, pt. 2, at 5 (1997) ("Int'l Relations Report").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*766] Put simply, encryption is the process of coding information. n5
Historically, encryption was the business of the military and its spies. n6
Transmissions were frequently encoded to preserve the security of strategic
military operations. In the late 1960s, however, "computers got very fast and
very cheap." n7 As a result, never before seen unbreakable codes were developed
and personal consumption of computers reached unprecedented levels. n8 Not
surprisingly, the use and exportation of encryption was heavily regulated at its
inception. n9 It was even suggested that, similar to research conducted on
bombs, research and development of encryption should be deemed classified at
birth. n10
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n5. See David Beckman & David Hirsch, Making Encryption the Norm: New Software
Enhances Confidentiality of Sensitive Lawyer-Client Communiques, A.B.A. J.,
Sept. 1997, at 82 (explaining that "encryption is the process of making
electronic files, electronic mail and facsimile transmissions readable only to
those intended."); see also Int'l Relations Report, supra note 4, at 3 (defining
encryption as the use of software or hardware to scramble "wire or electronic
information using mathematical formulas... in order to preserve confidentiality,
integrity, or authenticity").
n6. See Lee Dembart, Hide and Peek. The Government Doesn't Mind If You Lock Up
Your Secrets - As Long As It Holds The Key, 25 Reason 41, 43 (1993).
n7. Id.
n8. See id. at 43-44.
n9. See id.
No sooner had it [an article detailing the possibility of now unbreakable codes]
appeared than the National Security Agency, the federal agency charged with
creating U.S. codes and intercepting the encoded messages of other nations,
declared that research on public-key cryptography could endanger the national
security of the United States.
Id.
n10. The Supreme Court recognized that declaring certain types of research as
classified at birth is a prior restraint on publication and, as such, a First
Amendment violation. However, the Court has allowed such classifications in the
limited context of grave national security concerns. See id. at 44.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
As the United States became an increasingly sophisticated financial center,
financial institutions began to encrypt transactions as well. n11 Banks
traditionally used what is regarded as the global standard in encryption - a
program called DES, or Data Encryption Standard. n12 DES operated then, and
still does, with 56-bit encryption.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n11. As of 1993, banks were sending over 350,000 encrypted transactions daily.
In addition, automated teller machines continuously communicate with the
mainframe via encryption. See id. at 42.
n12. See Robert T. Haslam & Thomas P. Maliska, Encryption Ensures Privacy of
Online Expression, Nat'l L.J., Feb. 12, 1996, at C13.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Encrypted products consist predominantly of software programs utilized for
coding information. One such encrypted product available to consumers is a
computer software program called Pretty Good Privacy or "PGP." n13 PGP [*767]
allows its users to send electronic messages in code. As such, only the intended
reader will be able to decipher the message. Pretty Good Privacy operates with a
128-bit key. It is virtually unbreakable according to the National Security
Agency ("NSA"). n14 For comparative analysis, the current global standard is
56-bits and a message utilizing the current allowable strength can still take
months to break. n15
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n13. Pretty Good Privacy was created by Phil Zimmerman, whom the government had
threatened to prosecute for releasing the product. PGP can be downloaded for
free from the Internet. See Beckman & Hirsh, supra note 5, at 82. William E.
Baugh, vice president of Science Applications International Corp., stated that
the Italian Mafia has downloaded this program. See Judiciary Subcomm. Hearing,
supra note 2, at 57.
n14. See Beckman & Hirsch, supra note 5, at 82.
n15. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
There are numerous computer manufacturers currently producing encrypted products
with varying degrees of strength and effectiveness. n16 Eudora, a software
program for e-mail users, will soon incorporate PGP. n17 PrivaSuite, another
software program that has encryption capabilities, utilizes Windows and, using
40-bit encryption, can encrypt anything run on Windows. n18
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n16. See id.
n17. See id.
n18. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The maker of PrivaSuite, Aliroo, has produced other encrypted products as well.
For example, Aliroo created a program entitled SealWare. n19 The purpose of this
program is to assure the user that his text has not been altered in any way.
SealWare encrypts text by exploiting the white space on each page of text. n20
More specifically, SealWare "echoes" the printed text and makes a copy of it. At
that point, the program pastes the text in the white portion of the page. n21 It
can do so invisibly or it can appear visibly, as gray shading. The user can
examine the document and make sure the "visible text corresponds to the map,
meaning it has not been altered." n22
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n19. See id. at 83.
n20. See id.
n21. See id.
n22. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
With the advent of civilian use of encryption the government began to recognize
the need to create accompanying regulations. n23 Currently, the export of
encryption products is heavily regulated, n24 but this regulation has been criti
[*768] cized as too stringent by the computer industry, n25 and has been
challenged on First Amendment grounds. n26 In contrast, law enforcement and
others insist that national security calls for stringent regulation of
encryption. It is clear that neither side is happy with the current state of
regulation, and numerous bills aimed at establishing a domestic and
international encryption policy have surfaced in both the Senate and House of
Representatives. n27
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n23. See Nat'l Security Hearing, supra note 2, at 1-2 (statement of U.S.
Representative and Committee Chair Floyd Spence) (in opening statements,
acknowledging need to balance increased encryption use with regulations that
appropriately consider national security interests).
n24. See infra Part II.A.
n25. See infra text accompaning notes 120-23.
n26. See infra note 139 and accompanying text.
n27. See S. 909, 105th Cong. (1997); H.R. 695, 105th Cong. (1997); see also S.
377, 105th Cong. (1997); S. 1726, 104th Cong. (1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In 1997, there were two pieces of legislation that fueled the debate over a
future encryption policy, Senate Bill 909 ("Restrictive Bill") and House Bill
695 ("Relaxed Bill"). These two bills embody the two sides of the debate over a
national encryption policy. Senate Bill 909, also known as the Secure Public
Networks Act, sought to increase existing regulations over the exportation of
encrypted products. n28 Senate Bill 909 never emerged from committee debate and
has not been reintroduced. In response to this inaction, President Clinton took
his proposal to the international community. n29 President Clinton encouraged
all member countries of the Organization for Economic Cooperation and
Development ("OECD") to adopt his encryption proposal. n30 As of May 1999,
President Clinton's proposal had not been adopted. Shortly after his lobbying
attempts with OECD, an organization called the Global Internet Liberty Campaign
conducted a survey of 230 nations, inquiring if they would adopt President
Clinton's proposal. n31 Only eight countries responded affirmatively: China,
France, India, Israel, the Republic of Korea, Pakistan, Russia, and Singapore.
n32
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n28. See S. 909.
n29. See Lisa S. Dean, Editorial, U.S. Encryption Policy Difficult to Decode,
Seattle Times, Apr. 21, 1998, at B5.
n30. See id.
n31. See id.
n32. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Proponents of legislation such as the Restrictive Bill are concerned with the
potential misuse of products like PGP and SealWare. Foremost, they raise
national security concerns implicated when security-threatening information is
encrypted, utilizing a program that cannot be broken in a reasonable period of
time. n33 Initially such proponents lobbied for a proposal that contained
[*769] extensive regulations, n34 but that proposal was universally unpopular
and ultimately rejected. n35
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n33. "It is of little use to us in the information age when the encryption is so
robust that even a court order ... cannot access ... [an encrypted message] on a
realtime basis." Judiciary Subcomm. Hearing, supra note 2, at 39 (statement of
Louis J. Freeh, Director of FBI). See also Nat'l Security Hearing, supra note 2,
at 1 (statement of Rep. Floyd Spence, Committee Chair) (contending any interest
raised by policy on encryption should be subservient to national security
concerns).
n34. For a discussion of the Clipper Chip proposal, see infra text accompanying
notes 81-106.
n35. "This high-tech proposal [Clipper Chip] has the dubious distinction of
being the least popular technical standard ever put forward by the federal
government." Marc Rotenberg, Wiretapping Bill: Costly and Intrusive, Insight on
the News, Oct. 24, 1994, at 20, 22.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In contrast, the other bill under consideration was House Bill 695, otherwise
known as SAFE, or Security and Freedom Through Encryption. n36 This bill,
supported by civil libertarians, n37 as well as the computer industry, n38 was
drafted to eliminate all existing regulation of the exportation of encrypted
products. n39 House Bill 695 died at the committee level, but was reintroduced
on April 27, 1999 as House Bill 850. n40 House Bill 850 was introduced by
Representative Robert W. Goodlatte, the same representative who had introduced
House Bill 695 in 1997. n41 Proponents of this type of bill are concerned with
the potential for abuse as the government attempts to limit the way in which
information is transmitted. n42 By regulating the exportation of encrypted
products, supporters argue, the government is demanding access to information
citizens have deliberately kept private. n43
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n36. See H.R. 695, 105th Cong. (1997).
n37. The Center for Democracy and Technology created a web page in which the
latest status on the encryption debate is published, followed by suggestions for
individuals concerned with potential privacy ramifications. See Key Recovery
Gets Mixed Review at Senate Judiciary Committee Hearing (visited Mar. 4, 1999)
<http://www.cdt.org/crypto/legis<uscore>105/mccain<uscore>kerrey/> (recommending
interested citizens "educate [their] representatives in Congress about the
importance of privacy and security on the Internet").
n38. Michael MacKay, vice president of Novell, Inc., one of the world's largest
software manufacturers, spoke on behalf of the computer industry in its
opposition to export controls on encrypted products. See Encryption, Key
Recovery, and Privacy Protection in the Information Age: Hearings Before the
Senate Comm. on the Judiciary, 105th Cong. 72-75 (1997) ("Judiciary Comm.
Hearing").
n39. See H.R. 695 3(a)(g)(2)(A) ("No validated license may be required ... for
the export ... of any software, including software with encryption
capabilities.").
n40. H.R. 850, 106th Cong. (1999).
n41. Id.
n42. See Rotenberg, supra note 35, at 21 (hypothesizing that once government
gains its first foothold in regulating flow of information, it will only lead to
further intrusions); see also Don't Let Washington Play "I Spy' On You, Bus.
Wk., Mar. 21, 1994, at 176 (questioning whether "the Information Superhighway
[will] enable the federal government to become a high-tech snoop on a scale
undreamt of in George Orwell's worst nightmares?").
n43. See Maggie Canon, Yank the Clipper, 10 MacUser 23 (1994) (warning consumers
to "watch out: your privacy is in peril. The United States government seeks the
ability to eavesdrop on your telephone calls, read your e-mail, and browse your
database files. This Orwellian scenario is more than just a vague threat: It's
the official position of the current administration.").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*770] This Comment predicts that legislation such as the Restrictive Bill,
which moderately increases government regulation of the exportation and domestic
use of encryption, will eventually be passed. However, this Comment also
suggests that, in terms of an infringement upon civil liberties, such a benign
bill can only be the beginning of government regulation.
As it was written, the Restrictive Bill would have done no more than establish a
government foothold in encryption regulation. Consequently, it is surprising
that those who initially advocated extensive regulation supported a bill that
would have accomplished little in the way of ensuring government access to
encrypted files. The most plausible explanation for law enforcement's support of
such a moderate bill is that proponents of the Restrictive Bill believed that if
this bill was passed, they could then lobby for more intrusive regulations in
the future.
The regulation of encryption implicates both the First and Fourth Amendments,
and the difficulty faced by those urging more stringent regulation is in
predicting what the government is permitted to do and how much of an
infringement the courts are prepared to legitimize. While First and Fourth
Amendment constitutional challenges long ago established clearly demarcated
lines in terms of print media, the advent of electronic transmissions has made
it necessary to question not only whether the contents are protected, but also
whether the act of transmitting information using encryption software is
protected. In terms of the First Amendment, the content of the message would
surely be deemed speech. The more salient issue, therefore, is whether the
program itself is speech. If it is, then the act of compelling computer
manufacturers to create a key to decryption could be seen as a prior restraint
on speech and thus violative of the First Amendment.
With respect to the Fourth Amendment, the analysis must be likewise examined in
two parts. First, do consumers have a privacy interest in the contents of the
electronic message? Second, do consumers and computer companies have a privacy
interest in the software itself?
Before analyzing whether a regulation such as the Restrictive Bill could
withstand a constitutional challenge, it is essential to have a working
knowledge of the process of encryption. Part I of this Comment, therefore,
further explains what encryption is and how it is used. Part I also details two
previous instances in which the government regulated the increasing use of an
advanced technology in the civilian arena - digital telephone legislation and
[*771] the Clipper Chip proposal - and examines the constitutional implications
of such regulation.
Part II analyzes the government's current encryption policy as well as the two
major proposals that seek to modify existing policy. Part II concludes with a
brief synopsis of the arguments for and against the two positions.
Part III examines the Supreme Court's transformation of Fourth Amend-ment
doctrine from a property-based approach to an exercise in balancing. Part III
further addresses the roles of the First and Fourth Amendments in the final
determination of the constitutionality of the two approaches to regulation.
Finally, Part IV includes a discussion of the range of options available to
Congress in arriving at an encryption policy. In addition, the Comment predicts
which type of regulation will eventually be adopted.
Even though encryption has been the subject of several congressional hearings
and has entered the mainstream market, for many computer users, the concept of
encryption itself is indecipherable. The following discussion is aimed at
alleviating this confusion.
I. Government's Involvement in Electronic Transmissions
A. How Encryption Works
Encryption is the process of scrambling information so that it is indecipherable
to everyone except the individual for whom the information is intended. n44 To
achieve this, a mathematical formula is utilized. n45 Specifically, a computer
converts data into ones and zeroes according to a mathematical formula or
algorithm. n46 The complexity and strength of the code depends, in large part,
on the bit length. A bit is the same as one digit. n47 Bits are described in
terms of their length. The longer the bit length, the more combinations exist
for decoding a message. n48 It is important to note, however, that the
complexity [*772] of the code increases exponentially rather than
arithmetically. n49 That is, a 41-bit length code is twice as hard to decipher
as a 40-bit length code. n50
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n44. See Nat'l Security Report, supra note 2, at 3 ("Encryption is a means of
scrambling or encoding electronic data so that its contents are protected from
unauthorized interception or disclosure.").
n45. H.R. Rep. No. 105-108, pt. 1, at 5 (1997) ("Judiciary Report").
n46. See Int'l Relations Report, supra note 4, at 5.
n47. See Judiciary Report, supra note 45, at 5.
n48. See Int'l Relations Report, supra note 4, at 5.
n49. See Judiciary Report, supra note 45, at 5.
n50. See Int'l Relations Report, supra note 4, at 5.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Encryption is based on the proposition that although a computer can multiply
extraordinarily high numbers quite easily, a computer has an extremely difficult
time factoring. Put another way, "it is child's play for a computer to multiply
two very large numbers ... but if you give a computer a 150-digit number and ask
it what two prime numbers were multiplied together to produce it, the computer
will have fits." n51 With brute force, the computer will simply try every
conceivable combination of numbers. n52 To illustrate in practical terms, the
deputy director of the NSA, William P. Crowell, recently told the House
Committee on National Security that a transmission utilizing 56-bit encryption
took participants on the Internet 96 days to decipher, using 78,000 computers
simultaneously. n53 Crowell estimated a message using 65-bit encryption would
take 6,000 to 7,000 years to crack, and further still, a 128-bit encrypted
message would take 8.6 trillion times the "age of the universe" to crack. n54
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n51. See Dembart, supra note 6, at 43.
n52. See id. at 43.
n53. See Nat'l Security Hearing, supra note 2, at 9 (statement of William P.
Crowell, Deputy Director of the NSA).
n54. See id. Numerous experts in the field of encryption have made estimations
about the length of time needed to decode messages using various strengths of
encryption. Their estimations have varied substantially. Regardless, it seems
apparent that if a computer was programmed to decode any message utilizing
current encryption programs, with strengths varying from 56-bit to 128-bit, it
would not be feasible. See Dorothy E. Denning, The Case For "Clipper," 98 Tech.
Rev. 48, 53 (1995) (stating that cryptography experts hypothesized it would take
"a quadrillion years to factor a 125-digit number") As Denning noted, however,
technology advanced rapidly and in 1994, "a 129-digit number was factored in 8
months through the use of some 1,600 computers scattered around the world." Id.
But see Judiciary Comm. Hearing, supra note 38, at 39 (statement of Louis J.
Freeh, Director of the FBI) (stating that studies indicate message with 56-bit
encryption would take 30 million supercomputers over one year to crack).
Dorothy E. Denning, professor of computer science at Georgetown University and
past president of the International Association of Cryptologic Research,
estimated that, in order to crack a 64-bit code, it would take a student 136
million days, or utilizing the same time frame of eight days, approximately two
billion computers. Dorothy E. Denning & William E. Baugh, Jr., Key Escrow
Encryption Policies and Technologies, 41 Vill. L. Rev. 289, 292-93 (1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
B. The Digital Telephony Initiative
Although encryption has legitimate uses, unfortunately, it is also used for
unlawful purposes. It has been documented that terrorists and drug cartels n55
[*773] use encryption as a way to communicate their plans without detection.
Law enforcement has recognized, in light of this reality, that if it is to
maintain its ability to utilize electronic surveillance, the use of encryption
must be regulated. While encryption presents new challenges, law enforcement
faced similar obstacles when changes in the phone system threatened to make
wiretaps obsolete. Law enforcement responded to the wiretap challenge by
sponsoring legislation that required the telephone industry to participate in
ensuring that telephone equipment remained subject to surveillance. An
examination of this legislation highlights the constitutional implications of
mandating private-party participation in government surveillance.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n55. See Judiciary Subcomm. Hearing, supra note 2, at 46 (noting that Cali
Cartel uses encryption technology); see also Judiciary Subcomm. Hearing, supra
note 2, at 2 (detailing plan to blow up 11 U.S.-owned airliners, uncovered by
decrypting encrypted file); Judiciary Subcomm. Hearing, supra note 2, at 42
(recounting plot to blow up Holland Tunnel and several bridges and
infrastructures in New York); Judiciary Subcomm. Hearing, supra note 2, at 46
(discussing encryption used in California gambling ring).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Bush Administration took the first step in ensuring government access to
electronic surveillance in 1991. n56 At that point, the FBI, in conjunction with
the NSA, announced plans for digital telephony legislation. n57 This electronic
surveillance proposal was inserted into a major anti-crime bill, Senate Bill
266. n58 The FBI-sponsored legislation would have required telephone carriers
and manufacturers to install systems that enabled the government to listen in on
telephone conversations as they occurred. n59
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n56. See John Perry Barlow, A Plain Text on Crypto Policy, Communications of the
ACM, Nov. 1993, at 21.
n57. See id.
n58. See id.
n59. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
While the Supreme Court has interpreted the Fourth Amendment as allowing the
government the right to listen in on telephone conversations since 1968, n60 new
technology has threatened to make this right obsolete. Older technology employed
the analog system, which permitted officials to eavesdrop, after receiving a
valid search warrant, simply by attaching alligator clips to the phone line.
Recent telephone industry technology, on the other hand, employs a digital
system, which makes the alligator clips outmoded. n61 With digital [*774]
technology, changes would have to be made in the software itself to facilitate
surveillance. n62
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n60. See Title III Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C.
2516 (1994 & Supp. II 1996) ("Title III"). Title III states that a federal judge
may grant an order "authorizing or approving the interception of wire or oral
communications by the Federal Bureau of Investigation, or a Federal agency
having responsibility for the investigation of the offense ... [or for] any
offense punishable by death or by imprisonment for more than one year." 18
U.S.C. 2516(1), 2516(1)(a).
n61. See Judiciary Subcomm. Hearing, supra note 2, at 38 (statement of Louis J.
Freeh, Director of the FBI).
n62. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Although the digital legislation was rejected at the committee level in 1991, it
reappeared in the Communications Assistance for Law Enforcement Act ("CALEA")
and was signed into law on October 25, 1994. n63 The law passed with an
estimated cost of $ 500 million during the first four years. n64 These funds
were to be used to reimburse telephone companies for the cost of installing
software with built-in surveillance capabilities. n65 Through passage of this
legislation, the government successfully entrenched itself in the area of new
technology and electronic surveillance. At the most basic level, the executive
branch, represented by the FBI and NSA, established its presence in the debate
over regulation of electronic technology.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n63. Pub. L. No. 103-414, 108 Stat. 4279, 4280 (1994) (codified at 47 U.S.C.A.
1001 (1997)). CALEA requires telecommunications common carriers to provide
assistance to law enforcement in their wiretapping duties. Specifically, the
bill creates a precedent by which those common carriers that provide digital
telephony must provide law enforcement access.
n64. See Rotenberg, supra note 35, at 21.
n65. See id. at 20. In 1994, the wiretapping bill had only been proposed. Even
then, it was hypothesized that wiretapping could lead to "criminal sanctions for
developers of equipment that is not easily wiretapped or a presumption of
illegal conduct when people choose to communicate with technology that [cannot]
... be wiretapped." Id. at 21. Interestingly, the Restrictive Bill, would have
done exactly that. See S. 909, 105th Cong. 308 (1997) (stating that "any person
who exports an encryption product in violation of this Title shall be fined
under Title 18, United States Code or imprisoned for not more than five years").
See also S. 909 104 (making use of encryption separate offense from underlying
crime).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Although the government has successfully established itself in the regulation of
new technology, the constitutionality of such action is not entirely certain in
light of the historically inconsistent treatment of electronic surveillance.
The Supreme Court heard its first wiretapping case in 1928. In Olmstead v.
United States, n66 federal agents intercepted telephone conversations between
organized criminals engaging in violations of the prohibition laws then in
effect. n67 While the majority held that the wiretapping did not amount to a
search or seizure (for reasons subsequently rejected) n68 the Court suggested
that if [*775] Congress was concerned with privacy interests, Congress was
free to enact a statute making the contents of the message inadmissible at
trial.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n66. 277 U.S. 438 (1928).
n67. Id.
n68. The Court had held that no Fourth Amendment analysis was necessary for two
reasons: first, the agents did not intrude onto a constitutionally-protected
place, and second, the agents did not physically seize any tangible items. The
Court subsequently held in Katz v. United States, 389 U.S. 347 (1967), that the
Fourth Amendment attaches to people, rather than places, so that focusing solely
on the location is inappropriate. The Court also later rejected the second
presupposition that a seizure could only be established by taking tangible
items. See generally Silverman v. United States, 365 U.S. 505 (1961); Goldman v.
United States, 316 U.S. 129 (1942).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Congress did exactly that in the Federal Communications Act of 1934, which
regulated electronic surveillance until the passage of the Omnibus Crime Control
and Safe Streets Act of 1968 ("Title III"). n69 Section 605 prohibited anyone,
other than one authorized by the sender, from divulging the contents of an
intercepted message. n70 The Court subsequently interpreted section 605 as
essentially acting as an exclusionary rule. n71 Just two days before Congress
passed Title III, the Court, in fact, affirmed that section 605 mandated the
inadmissibility of intercepted telephone conversations at trial. n72
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n69. 47 U.S.C. 605 (1994).
n70. See id.
n71. For a discussion of the Court's application of section 605, see Nardone v.
United States, 308 U.S. 338 (1939).
n72. Lee v. Florida, 392 U.S. 378 (1968) (justifying necessity of exclusionary
rule based on complete absence of prosecution of those agents who violated
section 605). See also Berger v. New York, 388 U.S. 41 (1967).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Congress enacted Title III in response to the wholesale agreement that "its
predecessor, section 605, was the worst of all possible solutions." n73 Congress
reasoned that it did not make sense that private citizens could intercept
messages without repercussion, and yet law enforcement agents could not use the
same method as a way to investigate serious crimes. n74
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n73. Wayne R. LaFave & Jerold H. Israel, Criminal Procedure 248 (2d. ed. 1992).
n74. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The potential constitutional problem with the digital telephony legislation is
that while the government has been given the constitutional authority to conduct
wiretaps, pursuant to Title III, n75 the Police Powers Clause and the Necessary
and Proper Clause in article I, section 18, of the United States Constitution,
n76 there is no constitutional mandate requiring "private companies to make
their technologies wiretap friendly." n77
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n75. See 18 U.S.C. 2516-2521 (1994).
n76. What has come to be known as the state's police powers authority has been
interpreted from the Tenth Amendment. The "necessary and proper" clause is found
in U.S. Const. art. I, 8, cl. 18 ("To make all Laws which shall be necessary and
proper for carrying into Execution the foregoing Powers ....").
n77. See Rotenberg, supra note 35, at 20.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Although Title III was enacted to preserve government agents' authority to
conduct wiretaps, the statutory language, in fact, explicitly states that a
wiretap [*776] can only be conducted provided it passes a battery of
restrictions. n78 Disturbingly, the digital telephony legislation appears to be
an even greater infringement upon civil liberties because the ability of
government officials to seize conversations will already be in place.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n78. See 18 U.S.C. 2516-2521.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Another cause for constitutional concern is the lack of notice inherently
involved with the digital telephony legislation. Generally, notice is required
in order to conduct a valid search and seizure. n79 However, the lack of notice
argument has been unsuccessful in lower courts as a practical matter because, if
an agent reasonably believes notice will result in destruction of evidence, then
one of the recognized exceptions to the notice requirement is met. n80
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n79. See Berger v. New York, 388 U.S. 41, 60 (1967) (dismissing state's law as
offensive, in part, because it did not contain notice requirement).
n80. See LaFave & Israel, supra note 73, at 251-52.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
C. The Clipper Chip and the Key Escrow System
After the success of the digital telephony legislation, the government went one
step further. The Clinton Administration presented a plan to Congress whereby
all communications with federal agencies had to utilize a device called the
Clipper Chip. n81
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n81. See Canon, supra note 43, at 23.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Clipper Chip, designed by the NSA and the National Institute for Standards
and Technology ("NIST"), n82 is a microelectronic chip that operates as an
electronic "trapdoor" when it is inserted into encryption software. n83 The
trapdoor, called the Law Enforcement Access Field, allows law enforcement, upon
obtaining a valid search warrant, to decode the information. n84 Functionally,
the chip consists of both halves of a key. n85 Each half is kept, in escrow or
in trust, by a fiduciary agent. The trusted parties are the NIST and the
Department of Treasury's Automated Systems Division. n86
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n82. See id. at 23.
n83. See id.
n84. See Don't Let Washington Play "I Spy' on You, supra note 42, at 126.
n85. See Barlow, supra note 56, at 21-22.
n86. See Denning, supra note 54, at 50.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Clipper Chip utilizes 80-bit keys, which provide approximately "16 million
times the security against trial-and-error guesses at keys" as the current
56-bit DES standard. n87 Both the computer industry and civil libertarians
[*777] criticized the Clinton Administration's Clipper Chip proposal, however,
regarding it as too rigid. n88 Specifically, there were four major areas of
concern: namely, "(1) its encryption algorithm ("Skipjack') was classified, (2)
it required special hardware, (3) the government held the keys and (4) it did
not accommodate user data recovery." n89
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n87. See id.
n88. See Denning & Baugh, supra note 54, at 291.
n89. Id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The concern over the algorithm's classified status arises from cryptography
experts' firm belief that ability to work at breaking an algorithm or encryption
code is the only way to ensure its security. Virtually every other algorithm is
made public. n90 Hackers, specialists, students, and the like spend countless
hours trying to crack the code. The inability to do so is precisely what
provides credibility and faith in the code's ability to protect its users.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n90. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Civil libertarians feared the Clipper Chip proposal was just the beginning. Once
the government established its right to restrict an individual's ability to use
strong encrypted products, it would move on to restrict a citizen's ability to
communicate without the possibility of surveillance in other ways. n91 In
addition, according to civil libertarians, the government's proposed intrusion
primarily affects innocent persons because criminals will never use encrypted
products that contain a feature guaranteeing data recovery. n92
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n91. See Denning, supra note 54, at 51.
n92. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Furthermore, even supporters of the Clipper Chip recognize that when loopholes
and trapdoors are created, the system becomes increasingly vulnerable. n93 The
added risk takes on two forms: one, it simply introduces one more opportunity to
break into the system; and two, there is always the possibility that keys will
be mismanaged, misused, or lost. A key escrow agent could become susceptible to
bribes or a disgruntled employee could hold the keys hostage. n94 Despite these
concerns, the Clipper Chip was implemented in a few products. One such product,
manufactured by AT&T, plugs into a phone between the handset and base unit. n95
This product precludes any eavesdropping because outside parties hear only a
scrambled message.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n93. See Rotenberg, supra note 35, at 22.
n94. See id.
n95. See Denning, supra note 54, at 51.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*778] Due in large part to the enormous opposition to the government's
initial attempts at formulating encryption export policies, the Clinton
Administration began working with all interested groups, from civil libertarians
to representatives of the computer industry to members of law enforcement. n96
Responding to concerns voiced by members of each of these groups, the
Administration announced a revised policy in August 1995. n97 Under the August
1995 proposal, encrypted products could be exported utilizing up to 64-bits,
provided the products contained some form of key escrow so that the data could
be retrieved if needed. n98 Key escrow would still be an instrumental feature of
the proposal, but the keys could be held by a trusted third party within the
private sector. n99
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n96. See Denning & Baugh, supra note 54, at 291.
n97. See id.
n98. See id.
n99. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In its initial drafting, the Clipper Chip proposal seriously imperiled Fourth
Amendment privacy protections. n100 It greatly extended the authority granted to
the government by Title III. n101 If the initial proposal had done no more than
give government officials the capability to search and seize electronic
transmissions, arguably, it would have passed constitutional challenges because
the Necessary and Proper Clause of the Constitution allows the government to
enact laws necessary to effectuate its police power duties. n102 The original
proposal for the Clipper Chip, however, would have accomplish-ed far more than
that. It would have compelled the placement of the keys to private electronic
transmissions in the hands of government officials. n103 This is exactly the
type of intrusive government activity that the Bill of Rights was drafted to
limit.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n100. The Fourth Amendment has been interpreted to require notice. There is a
"knock and announce" requirement in order for a search and seizure to be
reasonable. With the Clipper Chip proposal, government agencies would already
have the key to decryption and upon a showing of authority, they could use the
key, but there does not appear to be a requirement that they first inform the
person whose encrypted messages are being seized. See Barlow, supra note 56, at
26-27.
n101. Title III ensured law enforcement's continued ability to conduct wiretaps
but within traditionally defined constitutional parameters. The Clipper Chip
proposal went further by not only requiring that a key to decryption be kept,
but that the government be designated as the keeper.
n102. U.S. Const. art. I, 18.
n103. See Denning, supra note 54, at 49 (contending that trade-off for
unbreakable encryption is system whereby "the keys to unlock the encrypted data
would be held by the U.S. government").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*779] Because the home has always been a uniquely protected location, n104 if
an individual, in his own home, used encryption software to scramble a private
message, his words should receive the greatest protection from government
seizures. In addition, the scrambled message should be afforded the greatest
Fourth Amendment protection because it is linked to a person's ideas, and
persecuting citizens based on their ideals holds a unique place in our country's
history. As a result, the initial Clipper Chip proposal arguably could have been
defeated by a constitutional challenge.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n104. See Payton v. New York, 445 U.S. 573 (1980).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Although the government became more responsive to concerns that it would be
amassing too much power via the original requirement that the key be housed with
government entities, the revised proposal still implicated Fourth Amendment
privacy concerns. n105 Individuals, as well as corporations, have privacy
interests that would be infringed upon if they were required by the government
to provide access to their message via a privately held key.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n105. Even under the revised Clipper Chip proposal, "products must include
information in the encrypted data that identifies the escrow agent(s) and the
particular keys needed for decryption." Denning & Baugh, supra note 54, at 294.
This requirement is necessary, the government contends, to ensure that law
enforcement is able to decrypt the information if it is acting pursuant to a
lawful authority. See Denning & Baugh, supra note 54, at 294. While the modified
proposal does allow for the exportation of stronger encryption, now up to
64-bits rather than the previous 40-bit limit, if computer manufacturers seek to
remain competitive and continue to develop stronger encryption programs, they
cannot do so unless they "provide acceptable key escrow mechanisms." Id. at 294.
Consequently, the notion that participation in the government's key escrow
system is in any way voluntary ignores the fact that computer manufacturers
cannot remain competitive without complying. See Judiciary Report, supra note
45, at 6 (noting that "although they [law enforcement] contend they only favor a
voluntary key escrow system, many believe that the use of export controls as
leverage to encourage the use of a key escrow system effectively amounts to
making such a system mandatory").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Citizens' privacy interests, however, must be weighed against the government's
need to carry out its duties. Consequently, the modified Clipper Chip proposal,
which would allow any government-approved private party to hold the key to
decryption, is more likely to withstand constitutional scrutiny than the
original proposal. It is worth noting, however, that when a technological
loophole is intentionally created to facilitate government access, it becomes
easier for officials to take advantage of the loophole and overreach in their
attempts to carry out their duties. n106
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n106. See Rotenberg, supra note 35, at 22 (listing problems with Clipper Chip
proposal, including concern that it makes encryption program more vulnerable to
abuse and attack).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*780]
II. Current and Future Encryption Policy
While the Clipper Chip proposal has not been fully implemented as a means of
restricting the use of encryption, the government does presently regulate the
use of encryption and the exportation of encrypted products through executive
orders. n107 Neither side of the encryption debate, however, is satisfied with
the current regulation of this advanced technology. n108 As a result, supporters
of a more relaxed policy as well as those advocating tighter controls over
encryption have proposed legislation. n109 It appears likely that Congress will
eventually accept one of the proposed positions rather than continue with its
current regulation. n110
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n107. See the Arms Export Control Act, 22 U.S.C. 2751 (1994); the International
Trafficking in Arms Regulations, 22 C.F.R. 120 (1998); the Export Administration
Act, 50 U.S.C. app. 2401; the Export Administration Regulations, 15 C.F.R. 730
(1998).
n108. Representatives from law enforcement agencies would like every encryption
program, utilizing a strength greater than that which can be decrypted within a
reasonable amount of time, to establish some system of key recovery. This
position is embodied in the Restrictive Bill, S. 909, 105th Cong. (1997).
Conversely, advocates from the computer industry, as well as civil libertarians,
favor a policy that calls for complete deregulation of encrypted products, as
can be seen in the Relaxed Bill, H.R. 695, 105th Cong. (1997).
n109. See S. 909; H.R. 695.
n110. The Senate Judiciary and National Security Committees held hearings on the
development of an encryption policy and specifically considered the Restrictive
Bill, S. 909. The Relaxed Bill, H.R. 695, was considered by several house
committees and has been reintroduced as House Bill 850.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
A. Current Government Position on Encryption Regulation
It is important to understand the present encryption policy before analyzing the
potential directions encryption policy may take in the future. Currently, the
use of encryption is heavily regulated. The regulation of encryption is
authorized by the Arms Export Control Act ("AECA") n111 and its accompanying
International Trafficking in Arms Regulations ("ITAR"), n112 as well as the
Export Administration Act ("EAA") n113 and its accompanying Export
Administration Regulations ("EAR"). n114 While the EAA expired in 1994, it
remains in effect under President Clinton's Executive Order 12,924. n115
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n111. 22 U.S.C. 2751 (1994).
n112. 22 C.F.R. 120 (1998).
n113. 50 U.S.C. app. 2401.
n114. 15 C.F.R. 730 (1998).
n115. 59 Fed. Reg. 43,437 (Aug. 23, 1994).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Prior to the fall of 1996, the State Department had jurisdiction over the
exportation of encrypted products. n116 The policy allowed for the exportation
of [*781] encrypted products operating with 40-bit encryption or less. n117 If
a corporation wished to manufacture and export stronger encryption products, it
had to obtain a special license. n118 A license was required because encrypted
products were regarded as munitions. n119 That is, they were considered
materials used in war - no different from guns or ammunition.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n116. See Judiciary Report, supra note 45, at 6-7.
n117. See id.
n118. See id.
n119. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
There was, however, increasing frustration on the part of the computer software
industry because it felt oppressed by the export restrictions. n120 According to
William Reinsch, undersecretary for Export Administration with the Department of
Commerce, U.S. companies control seventy-five percent of the global software
market share. n121 Representatives of the computer industry argued that, due to
export restrictions, U.S. computer companies would be effectively removed from
the international marketplace because a number of foreign countries do not place
export restrictions on encrypted products. n122 Consequently, individuals in
need of greater encryption strength would buy from foreign-based firms rather
than U.S. companies. n123
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n120. Computer manufacturers argue that current controls are not successful in
curbing crime. The regulations only succeed in placing U.S. computer companies
at a disadvantage. See id. at 8.
n121. See Nat'l Security Hearing, supra note 2, at 21 (statement of William
Reinsch, undersecretary for Export Administration, Department of Commerce).
n122. Nat'l Security Hearing, supra note 2, at 64-71 (statement of Thomas
Parenty, on behalf of the Business Software Alliance).
n123. See id. at 66 (statement of Thomas Parenty, on behalf of the Business
Software Alliance). Parenty argued the computer industry is one of America's
most profitable and competitive industries. Specifically, it has grown "seven
times faster than the economy" and is currently the sixth-largest industry. See
id. at 68 (statement of Thomas Parenty, on behalf of the Business Software
Alliance). Under current export limitations, in which U.S. firms are limited to
exporting 40-bit strength encryption, U.S. software companies are taking a large
hit as approximately one-half of their business is in exportation. Under the
Administration's new proposal, the strength could be increased to 56-bit
provided the corporations set up a system of key recovery. See id. at 69
(statement of Thomas Parenty, on behalf of the Business Software Alliance). The
concern is that "American companies will no longer be providing the world with
the answers to their security problems. Instead foreign nations will." Id. at 66
(statement of Thomas Parenty, on behalf of the Business Software Alliance).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In response, on October 1, 1996, Vice President Gore unveiled the
Administration's new encryption proposal. n124 The proposal allows corporations
to export 56-bit key length encrypted products provided that the corporations
commit to building a system of key recovery. n125 The corporations are given two
years to implement the system. In the interim two-year window, six-month [*782]
licenses will be given after a one-time review. n126 If the corporations do not
provide for a key recovery system within two years, the export restrictions will
be tightened again, limiting the export to 40-bit key length encrypted products.
n127
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n124. See Judiciary Report, supra note 45, at 8.
n125. See id.
n126. See id.
n127. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The fundamental change in the Administration's new policy was that it does not
require the keys be given to two entities selected by the government. n128 Under
the 1996 proposal, corporations must give the key to some trusted third party,
whether that party be external or internal to the corporation. On November 15,
1996, President Clinton took steps to effectuate this policy by signing
Executive Order 13,026. n129 Under the Executive Order, jurisdiction for
non-military encryption was transferred to the Department of Commerce. n130 On
December 30, 1996, the Department of Commerce developed regulations consistent
with President Clinton's announced objectives. n131
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n128. The revised policy only requires that a "trusted party (in some cases
internal to the users organization)" hold the key. Id.
n129. 61 Fed. Reg. 58,767 (Nov. 19, 1996).
n130. See Judiciary Report, supra note 45, at 7-8.
n131. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Administration's key escrow policy is voluntary in theory but mandatory in
practice. n132 If a corporation exports only 56-bit key length encryption, it
can do so under current regulations. n133 However, in order to export encrypted
products with stronger than 56-bit key length encryption, a corporation must
provide a system of key recovery within two years. n134
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n132. See id. at 6-7.
n133. See id.
n134. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
On February 27, 1998, the Hewlett-Packard Company became the first company to
obtain a license to export encrypted products utilizing more than a 56-bit key
length. Hewlett-Packard announced that it had been granted government approval
to export encryption software utilizing up to 128-bit keys. n135
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n135. See Carol Power, Hewlett-Packard Export of Strong Encryption Allowed by
Government, Am. Banker, Mar. 3, 1998, at 23.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Clinton Administration is allowing the product, VerSecure Technology, to be
exported to the United Kingdom, Germany, France, Denmark, Australia, and Canada.
n136 In compliance with the Administration's [*783] current encryption policy,
the product contains an optional system of key recovery. n137 Users have the
option to select the strength of encryption they would like to use, as well as
whether they would like to use the key recovery at all. n138
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n136. See id.
n137. See id.
n138. Internet Security: HP to Make Electronic World Safe for Internet Business;
HP Granted Approval by U.S. Government to Export Strong-Cryptography Technology,
Edge: Work-Group Computing Rep., Mar. 2, 1998, at 2.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Although the Administration has begun to implement its current policy, there has
yet to be a definitive answer as to whether the policy is constitutional. Only
two district courts have heard cases regarding the constitutionality of export
restrictions on encrypted products, and they have confined their holdings to
First Amendment theory. n139 The Supreme Court has not yet spoken on this issue
in the encryption context, and no court has considered export restrictions in
terms of potential Fourth Amendment violations. With no case currently before
the Supreme Court, the constitutionality of export controls will remain in its
current state of uncertainty for at least the near future. In light of this
uncertainty, a faction, comprised mainly of law enforcement personnel, proposed
a bill aimed at maintaining regulations in the future. The following section
details both this restrictive type of legislation and the more relaxed
legislation proposed by opponents, outlining arguments for and against each
proposal.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n139. Karn v. United States Dep't of State, 925 F. Supp. 1 (D.D.C. 1996)
(holding that export restriction was content neutral and narrowly tailored, and
therefore did not violate First Amendment), remanded by 107 F.3d 923 (D.C. Cir.
1997). See also Bernstein v. United States Dep't of State, 945 F. Supp. 1279
(N.D. Cal. 1996) (standing for proposition that export restrictions operate as
prior restraints on free speech and, as such, are unconstitutional), amended by
974 F. Supp. 1288 (N.D. Cal. 1997). Both cases returned to their respective
district courts for application of the Administration's new policy.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
B. Two Proposals for Regulating Encryption
1. The Restrictive Approach
As stronger encryption software is produced by foreign computer companies and
made available for downloading on the Internet, some have argued for greater
controls. On June 17, 1997, Senator John McCain, a Republican from Arizona and
Chairman of the Senate Commerce, Science, and Transportation Committee, and
Senator Robert Kerrey, a Democrat from Nebraska and Vice Chairman of the Select
Committee on Intelligence, [*784] introduced a bill closely aligned with the
Clinton Administration's executive policy. n140
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n140. Graeme Browning, Scrambled Data and Spam - Hold the Smut, Nat'l J., June
21, 1997, at 1278.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Senate Bill 909, ("The Restrictive Bill"), also known as the Secure Public
Networks Act ("SPNA"), placed restrictions on the exportation of encrypted
products with a strength of more than a 56-bit key length. n141 In terms of
exportation, the bill outlined a quid pro quo situation. If the computer
industry desired to export stronger encryption to meet customers' demands, it
would be able to export such encrypted products provided it established a system
of key recovery. n142
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n141. S. 909, 105th Cong. 302 (1997) ("Exports of encryption products up to and
including 56 bit DES or equivalent strength shall be exportable under a license
exception ....").
n142. S. 909 304 ("Encrypted products may be exported under a license exception
... without regard to the encryption algorithm selected or encryption key length
chosen when such encryption product is based on a qualified system of key
recovery ....").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
However, as FBI Director Louis J. Freeh explained, simply because a software
manufacturer may be required to implement a system of key recovery, it does not
necessarily follow that every user will take advantage of it. n143 Put another
way, Freeh likened the key recovery system to airbags in cars. Manufacturers may
be required to install airbags but that does not mean drivers are required to
activate them. n144
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n143. See Judiciary Subcomm. Hearing, supra note 2, at 48.
n144. See id. (statement of Louis J. Freeh, Director of the FBI).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Restrictive Bill did not place any restrictions or requirement for a key
recovery infrastructure on domestic use of encryption or on the importation of
encryption products. n145 However, Freeh recently indicated that such a
requirement would be the FBI's recommendation. n146
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n145. S. 909 101 ("It shall be lawful for any person within any State to use any
encryption, regardless of encryption algorithm selected, encryption key length
chosen, or implementation technique or medium used."); See also S. 909 103 ("The
participation of the private persons in the key management infrastructure
enabled by this Act is voluntary."); see also S. 909 401 ("Nothing in this Act
may be construed to require a person, in communications between private persons
within the United States, to (1) use an encryption product with a key recovery
feature.").
n146. See Judiciary Subcomm. Hearing, supra note 2, at 48 (statement of Louis J.
Freeh, Director of the FBI).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In addition, the Restrictive Bill would have established the Information
Security Board. n147 The Board would have consisted of representatives from both
the public and private sector. It would have met at least once annually to
[*785] review current encryption policies and make recommendations to the
President. n148 If the Board advised the President that stronger encrypted
products must be allowed, the only ground on which President would have been
authorized to veto the recommendation would have been national security.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n147. S. 909 801.
n148. See S. 909 801(b)(1)-(2), (c), (d).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The inclusion of the Information Security Board would have operated as a check
on the executive branch's ability to illegitimately preclude the exportation of
encrypted products. Illegitimate reasons for preclusion, as the Restrictive Bill
suggests, would have been anything other than national security concerns.
National security concerns, as the following section illustrates, were the
impetus behind proponents' support of the Restrictive Bill.
a. Proponents' Arguments
Proponents of a regulation like that contained in the Restrictive Bill argue
that such a regulation is not seeking to increase the government's search and
seizure abilities. Rather, it is merely trying to preserve these abilities. n149
Currently, encryption software is being developed that utilizes a 128-bit key.
n150 Encryption this strong "can generate more possible solutions than there are
particles in the known universe." n151 Implicit in the right to search and seize
information, proponents assert, is the assumption that law enforcement will be
able to understand the seized information. n152 The language in the Restrictive
Bill confirmed the proponents' position that the Restrictive Bill would not have
expanded search and seizure powers because the Restrictive Bill [*786]
allegedly only allowed law enforcement access to encrypted products after a
search warrant had been obtained. n153
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n149. See Judiciary Subcomm. Hearing, supra note 2, at 42 (statement of Louis J.
Freeh, Director of FBI) ("We're not asking for any new powers or new
authorities. We're asking for a Fourth Amendment that works in the information
age.").
n150. A Canadian computer company, Intrust Solo, is selling a 128-bit encryption
technology. See Mark-Up Hearing on the SAFE Act Before the House Comm. on
National Security, available in 1997 WL 563977, at 14.
n151. See Judiciary Report, supra note 45, at 28-29.
n152. For examples of the futility in obtaining search warrants for information
that cannot be decoded, see Judiciary Comm. Hearing, supra note 38, at 7-8
(statement of Senator Charles E. Grassley (R-Iowa)). An eleven-year-old boy
committed suicide after disclosing he had been sexually abused. Police suspect
the boy recorded the details of the crime in his personal organizer, for which
the password was encoded. As of February 1996, over one year later, the case was
still under investigation, pending possible decryption. See id. at 7-8
(statement of Senator Charles E. Grassley (R-Iowa)). In another case, a
suspected child pornographer encrypted an entire hard drive. See id. (statement
of Senator Charles E. Grassley (R-Iowa)).
n153. S. 909, 105th Cong. 106(3) (1997). A key recovery agent would be required
to relinquish the key to a government agency upon a showing of a subpoena, a
state or federal warrant or court order, or upon other lawful authority.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Furthermore, proponents stress that important national security interests cannot
be ignored. While the computer industry has become one of America's most
lucrative industries, its interests should not be allowed to supersede the
important government interest in national security. Senator Joe Kyl (R-Ariz.)
expressed this sentiment before the Senate Judiciary Committee on the subject of
encryption, "I am concerned that some day, this very committee is going to be
holding an oversight hearing and it will be reviewing a terrorist incident in
which American lives were taken. Fingers will be pointed and questions will be
asked about how this could have happened." n154
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n154. See Judiciary Comm. Hearing, supra note 38, at 31 (statement of Senator
Joe Kyl). FBI director Louis Freeh reported additional situations in which
encrypted data has proven detrimental to national security. The same individuals
responsible for the World Trade Center bombing conspired to blow up eleven U.S.
commercial airplanes. They were unsuccessful, despite the fact that the plans
detailing the crime were deposited in an encrypted file which took months for
authorities to decrypt. See Judiciary Comm. Hearing, supra note 38, at 61
(statement of Louis J. Freeh, Director of FBI). The FBI's computer analysis
response team ("CART") estimated, in 1996, there were between 250 and 500
computer forensic cases involving encryption. CART further estimated that number
will grow 50 to 100% in the following year. See also Judiciary Subcomm. Hearing,
supra note 2, at 55-56 (statement of Dorothy E. Denning, professor of computer
sciences, Georgetown University).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In addition, proponents claim regulations such as the Restrictive Bill actually
increase the use of encrypted products. n155 One of the principal reasons more
people do not take advantage of the Internet, they claim, is the lack of faith
in its security. n156 According to a survey conducted by Business Week, "the
biggest deterrent to computer users making purchases online was lack of
confidence in the Internet security." n157 Currently, there is no viable way to
know for certain whom one is dealing with and whether the identity, as well as
the message, is authentic.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n155. Kenneth Lieberman, senior vice president, VISA U.S.A., Inc., explained, at
the Judiciary Subcommittee's hearings on encryption, that it was his belief that
electronic commerce would flourish, just as the use of credit cards has, if
people trusted the system and had some protection from liability. See Judiciary
Subcomm. Hearing, supra note 2, at 79.
n156. "Until trusted key management infrastructures are developed, the promise
of encryption and electronic commerce will remain largely unfulfilled."
Judiciary Comm. Hearing, supra note 38, at 47 (statement William P. Crowell,
Deputy Director of NSA). Key recovery is not the same thing as key management
infrastructure. Rather, key recovery is a service. It is just one part of the
notion of developing a key management infrastructure.
n157. Id. at 25.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*787] According to William Crowell, deputy director of the NSA, the type of
regulation contained in the Restrictive Bill, and its inclusion of a key
management infrastructure, would "provide essential support services to
encryption users by helping with the generation, authentication, distribution,
and replication, and very importantly, the revocation of encryption keys that
are no longer valid." n158
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n158. Id. at 47 (statement of William P. Crowell, Deputy Director of NSA).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The Restrictive Bill was drafted to not only ensure the authenticity of the
receiving party, but also to impose criminal sanctions on those who make use of
encryption in furtherance of a crime. n159 This provision was designed to
prevent what Robert R. Burke, chairman of the Protection of Information and
Technology Committee Overseas Security, termed ""muggings' along the information
superhighway." n160
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n159. S. 909, 105th Cong. 104 (1997).
n160. Judiciary Subcomm. Hearing, supra note 2, at 66 (statement of Robert R.
Burke, chairman, Protection of Information and Technology Committee Overseas
Security).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
b. Opponents' Position
Those opposed to the Restrictive Bill responded to the arguments in favor of
increased regulation. First, opponents claimed that the Restrictive Bill would
have indeed accomplished more than the mere preservation of the government's
search and seizure capabilities. As proof of this assertion, opponents cited the
language of the Restrictive Bill. Section 106 of the Restrictive Bill, entitled
"Access to Encrypted Messages by Government Entities," outlined the situations
in which the key holder would be required to turn over the key to a government
official. n161 Key holders would have been forced to relinquish the key to a
government entity if the entity obtained a warrant, subpoena, certification by
the attorney general under the Foreign Intelligence Surveillance Act, or upon
"other lawful authority." n162
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n161. S. 909 106.
n162. S. 909 106(2)(a) (emphasis added).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
This last basis for allowing government access to encrypted messages was never
defined. The phrase is not included anywhere within Fourth Amend-ment
jurisprudence, which in general provides for government intrusions only after
probable cause is established and a warrant issued. n163 If proponents of the
Restrictive Bill only sought to preserve the government's surveillance ability,
one may wonder why they did not use the language of the Fourth Amendment [*788]
and limit intrusion to situations in which the government entity has
established probable cause and obtained a warrant. The Restrictive Bill, by
providing for government access upon a showing of "other lawful authority,"
would have created an entirely new basis for trumping an individual's privacy
interests. n164
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n163. U.S. Const. amend. IV.
n164. See Browning, supra note 140, at 1278 (noting technology executive,
Kenneth A. Wasch, president of Software Publishers Association, suggests the
added provision makes the entire bill unconstitutional).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Second, while advocates for a more relaxed encryption policy recognize that
national security concerns are valid, they claim the Restrictive Bill would not
have answered those concerns. n165 In its revised form, the Restrictive Bill
would have made domestic use of the key recovery system entirely voluntary. n166
In terms of exportation, if the encryption strength was equal to or greater than
56-bits, computer companies would have been required to make the option of key
recovery available but the user would not have been forced to take advantage of
it. n167 Moreover, the Restrictive Bill provided for no control over the
importation of encrypted products. The question then becomes, what kind of
advanced criminal, such as an international terrorist, would voluntarily use
such a key recovery system? n168
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n165. "No one with any brains would use it if he or she were trying to get away
with anything." See Barlow, supra note 56, at 22; see also Judiciary Comm.
Hearing, supra note 38, at 32 (statement of Senator Dianne Feinstein)
(commenting on the practical effects of such a voluntary position: "Therefore,"
Senator Feinstein concluded, "law enforcement could be in exactly the same
position with [this] legislation than they were without it.").
n166. While the Restrictive Bill does not include any import or domestic
restrictions on encryption, it may have exactly that effect. Because it would be
incredibly time-consuming and expensive for computer companies to develop
separate software for export and domestic use, computer companies will likely
create only one type of software, which would utilize an algorithm weak enough
to be exported under current regulations. As a result, the domestic availability
of high strength encryption may be minimal. See Judiciary Report, supra note 45,
at 28-29.
n167. S. 909, 105th Cong. 401 (1997).
n168. See Canon, supra note 43, at 23. See also Judiciary Comm. Hearing, supra
note 38, at 70-74. Among others, Michael MacKay, vice president of Corporate
Architecture, and Senator John Ashcroft, a Republican from Missouri, indicated
skepticism that any criminal would use the key-recovery system. Rather, they
argued, such individuals would do their best to avoid it.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In fact, those in favor of fewer restrictions over encryption assert that
encryption actually decreases crime. n169 Encryption protects vital national
secrets. In its CRISIS Report ("Cryptography's Role in Securing the Information
Society"), the National Research Council Committee concluded that "the advan
[*789] tages of more widespread use of encryption outweighed the disadvantages
... [because] the U.S. government has "an important stake in assuring that its
important and sensitive information ... is protected from foreign government and
other parties whose interests are hostile to those of the United States.'" n170
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n169. The Computer Security Institute and the FBI conducted a recent survey,
which predicts corporations in the global market will suffer losses totaling in
the millions, due to breaches in security. Thomas Parenty, testifying before the
House National Security Committee on behalf of the Business Software Alliance,
concluded that "information security is critical to the integrity, stability and
health of both corporations and governments." See Nat'l Security Hearing, supra
note 2, at 67.
n170. See id. at 68.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In addition, both sides of the debate seem to recognize that key recovery will
likely result in more computer breaches. n171 Those prone to engage in criminal
activities will find a way to take advantage of a new doorway into an otherwise
secure network. Moreover, there will be human fallibility problems. People may
select obvious passwords or their trusted agents, holding the keys, could be
bribed into releasing them. n172
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n171. See Judiciary Comm. Hearing, supra note 38, at 85 (statement of Peter
Neumann, cryptographer from the Center for Democracy and Technology) (warning of
the inevitability that a system of key management and recovery will be
compromised and abused).
n172. See id. at 81-82 (statement of Ray Ozzie, chairman of Iris Associates, a
subsidiary of Lotus Development and member of the Key Recovery Alliance).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Third, while supporters of regulation similar to the Restrictive Bill contend
that there is a lack of faith among the public concerning the security of the
Internet, n173 opponents make a compelling counter-argument. The computer
industry, as both sides have recognized, is one of the largest and
fastest-growing industries in the United States. n174 If its customers are
demanding digital signatures, which is a way of proving the authenticity of the
user and receiver just like a signature on a check, then the computer industry
will supply it. If customers are demanding more security built into the
encrypted products, then the computer industry will respond. Consequently, the
com-puter industry argues, there is no need for the government to legislate in
this area. Market forces can solve the problem, and the computer industry is
more than capable of responding to its customers' needs.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n173. See supra notes 155-57.
n174. See Nat'l Security Hearing, supra note 2, at 69 ("The computer software
industry is one of our country's most internationally competitive."); see also
Judiciary Subcomm. Hearing, supra note 2, at 1-2 (comments of Senator Kyl, a
supporter of tighter encryption controls) (recognizing that U.S. computer
companies are forging the way in telecommunications field).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Furthermore, when the government is given a new way in which to access citizens'
private information and a new basis by which to do it, there is always the
possibility for abuse. As Representative Ronald V. Dellums (D-Cal.) noted in a
hearing before the House Committee on National Security, "at this period of
extraordinary technological advancement, the government can be the [*790]
ultimate hacker." n175 For all the talk about national security, Representative
Dellums was quick to remind the Committee that citizens' privacy interests and
civil liberties are of national concern as well. n176
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n175. See Nat'l Security Hearing, supra note 2, at 29.
n176. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
2. The Relaxed Approach
At the same time the Restrictive Bill was being presented and discussed in
Senate and House hearings, a bill that was introduced on February 12, 1997 and
sponsored by Representative Robert Goodlatte (D-Va.) was moving through the
House of Representatives. n177 In contrast to the Restrictive Bill, House Bill
695 ("Relaxed Bill"), also known as Security and Freedom Through Encryption
("SAFE"), would have loosened export restrictions on encrypted products. n178
After its introduction, the bill was sent to five committees for mark-up:
Judiciary, n179 International Relations, n180 National Security, n181 Commerce,
n182 and Intelligence. n183 The Relaxed Bill passed each committee [*791] with
amendments. n184 The bill died, but has been reintroduced as House Bill 850.
Just like the Restrictive Bill, the Relaxed Bill allowed for unlimited domestic
use of encryption. n185 The pivotal difference between the two bills is in the
area of exportation. The Relaxed Bill forbade restrictions on the exportation of
encrypted products for non-military uses. n186
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n177. H.R. 695, 105th Cong. (1997).
n178. H.R. 695 3(a)(g)(2).
n179. See Judiciary Report, supra note 45.
n180. See Int'l Relations Report, supra note 4. An opponent to the SAFE bill,
Representative and chairman of the International Relations Committee, Benjamin
Gilman (R-N.Y.), introduced an amendment that would make it a crime to
manufacture, sell or import any product that did not include a method for
decoding the information in "real time." Put another way, if the information
could not be decoded within 24 hours, the product would be illegal. The civil
penalty would be a fine of $ 100,000. Apparently, the 24-hour time limitation
had its origins in the amount of time it currently takes to crack information
utilizing a 40-bit key length. See Rebecca Vessely, An Attempt to Hobble House
Crypto Bill (July 25, 1997)
<http://www.wired.com/news/news/politics/story/5492.html>.
n181. See Nat'l Security Report, supra note 2. Representatives Curt Weldon
(R-Pa.) and Ronald Dellums (D-Cal.) proposed an amendment to the Relaxed Bill
that effectively returned control over export limits to the President.
Individual licenses for exportation of encrypted products above the maximum
level could be vetoed by the Defense Department. See Weldon/Dellums Amendment to
H.R. 695, 3 (d)(1) (visited Mar. 4, 1999)
<http://www.cdt.org/crypto/legis<uscore>105/SAFE/970909<uscore>amd.html>.
The National Security Committee was concerned with the notion that it would be
forced to approve the exportation of "supercomputers" to foreign countries, if
such computers contained encrypted software. The amended version of the Relaxed
Bill, after leaving the National Security Committee, included the Weldon/Dellums
amendment.
n182. H.R. Rep. No. 105-108, pt. 5 (1997) ("Commerce Report"). Representatives
Oxley and Manton proposed an amendment to the Relaxed Bill which provided that
all encrypted products must allow access for law enforcement, domestically and
internationally. Perhaps more importantly, the amendment specified that notice
to the user was not required. As opponents have suggested, this would seem to be
in direct contradiction to the Fourth Amendment's notice requirement. In
addition, the Oxley/Manton amendment called for the imposition of criminal
penalties for those who produced software without including government access.
See Oxley/Manton Amendment to H.R. 695, (3)(C) (visited Mar. 4, 1999)
<http://www.cdt.org/crypto/legis<uscore>105/SAFE/Oxley<uscore>Manton.html>. The
amendment was not included in the Commerce Committee's amended version of the
Relaxed Bill.
n183. H.R. Rep. No. 105-108, pt. 4 (1997) ("Intelligence Report").
n184. See Nothing Safe About Encryption, Investor's Bus. Daily, Sept. 26, 1997,
at A26.
n185. See Commerce Report, supra note 182. The Commerce Committee included in
its amended version of the Relaxed Bill, the establishment of a National
Electronic Technologies Center (NET). Within the NET, an Advisory Board would be
established functioning similar to the Board set up under the Restrictive Bill.
n186. H.R. 695, 105th Cong. 3 (a)(g)(2) (1997). In addition, while the
Restrictive Bill and the Relaxed Bill have garnered the majority of publicity
and concern, a lesser-known bill was introduced February 27, 1997 by Senator
Conrad Burns (R-Mont.). Senate Bill 377 is Senator Burn's second attempt at
relaxing export controls over encrypted products. Senator Burns sponsored a
similar bill in 1996, Senate Bill 1726, also referred to as Pro-Code, or
Promotion of Commerce On-Line in the Digital Era. See S. 1726, 104th Cong.
(1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Restrictions on the exportation of encrypted products are seen by proponents of
legislation such as the Relaxed Bill as an unacceptable hindrance on the
development of encryption. Encryption is necessary, proponents assert, for a
variety of reasons.
a. Proponents' Position
First, legislation relaxing the regulation of encryption, supporters assert, is
an essential tool in fighting crime and espionage. Through the use of
encryption, sensitive materials such as trade secrets, financial data, and
strategic war plans can remain secret. n187 With the rise of electronic
commerce, consumers are demanding virtually unbreakable encryption. n188 Thus,
interests in national security would seem to dictate that the United States
devote more time and money to developing greater-strength algorithms. n189
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n187. See Judiciary Report, supra note 45, at 9-10.
n188. The National Counterintelligence Center issued a report to Congress in
which it concluded computer intrusions and private-sector encryption weaknesses
"account for the largest portion of economic and industrial information lost by
corporations." Int'l Relations Report, supra note 4, at 5.
n189. The President has not achieved any international consensus among the
various countries currently producing encrypted products in terms of
exportation. See id. at 6. Restrictive Bill supporters concede that the export
controls depend on similar participation from foreign countries.
In fact, William Reinsch, Undersecretary of Commerce for Export Administration
and one of the Restrictive Bill's chief supporters conceded that if other
encryption-producing countries do not support the Administration's plan for
international regulations, "we're going to have a serious problem because we
have not opted for import controls." Nat'l Security Hearing, supra note 2, at
11.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*792] Second, the loosening of regulation is necessary to protect U.S.
computer companies' interests. Virtually unbreakable encryption has already been
developed, and if U.S. computer companies are forced out of the market, foreign
countries will simply fill the gap. n190 Consequently, U.S. companies fear they
will either be precluded from participating in the encryption market, or they
will be forced to move their companies to offshore locations. n191
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n190. However, William Reinsch, Undersecretary of Commerce for Export
Administration, believes the concern of foreign competitors is exaggerated.
Presently, Reinsch stated there are only a few countries capable of producing
advanced encryption products. Japan and Switzerland can produce the technology
but the United States is currently engaged in discussions with both of these
countries. See Nat'l Security Hearing, supra note 2, at 5.
n191. Sun Microsystems, a U.S. computer company at the forefront in the
development of encryption software, has recently declared it will soon be
entering into a partnership with a Russian manufacturer to produce and
distribute encryption products globally. Through this symbiotic relationship,
"Sun can import the Russian product and distribute it domestically" because the
United States has not posed any restrictions over the domestic use of
encryption, "while the Russian Company distributes the same product overseas."
Judiciary Report, supra note 45, at 26 (additional views of Rep. Robert
Goodlatte, sponsor of the Relaxed Bill).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Furthermore, while supporters of legislation such as the Restrictive Bill
profess that national security interests mandate tighter controls over
encryption, they have not addressed how this will work if other countries do not
fall in line with the policy of the United States. Even if other foreign
countries supported the Administration's policy on encryption, that is not the
end of the analysis. Not all foreign countries have provisions similar to the
Bill of Rights, ensuring their citizens' liberty and privacy interests. n192 As
a result, assuming foreign countries are willing to sacrifice their citizens'
civil liberties, it does not necessarily follow that the United States has the
same option. n193
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n192. See Judiciary Comm. Hearing, supra note 38, at 66. U.S. Senator, John
Ashcroft noted that the comparison to other countries may be inappropriate.
"There are some countries where they have mandated encryption systems with key
recovery and deposit .... It is one thing to tell the population of a country
[like, the Soviet Union] we don't ... have any secrets here, so we are going to
mandate a key recovery system, and they have done so." Senator Ashcroft then
proceeded to explain that it is wrong to focus on the activities of countries
that are not committed to recognizing their citizens' civil liberties. See
Judiciary Comm. Hearing, supra note 38, at 66.
n193. See Judiciary Subcomm. Hearing, supra note 2, at 78 (statement of R.
Patrick Watson, corporate security manager, Eastman Kodak Company).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Third, proponents argue that the prohibition on any kind of mandatory key escrow
system is necessary to ensure that citizens' Fourth Amendment privacy rights
will be protected. Even a voluntary key-recovery system is unnecessary; there is
no need to insert statutory language outlining any kind of key-recovery system
because the market will respond if consumers demand such a system. n194
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n194. See Int'l Relations Report, supra note 4, at 5.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*793] Furthermore, this type of legislation would not affect the government's
search and seizure capabilities because it provides for government access to the
keys upon a traditional showing of authority, such as upon a showing of probable
cause and a warrant. n195 Relaxed Bill-type legislation seeks neither to
increase nor decrease law enforcement's powers. Opponents have responded to each
of these arguments, respectively.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n195. H.R. 695, 105th Cong. 2804(b) (1997).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
b. Opponents' Position
First, while the use of encryption can successfully protect sensitive material,
it also eliminates the United States' ability to decipher codes created by rogue
nations. n196 If national security was not a concern, supporters of restrictive
legislation might encourage a robust, global market for encryption, free from
regulations. n197 However, national security continues to be a compelling
government interest and it is not enough to develop unbreakable encryption
domestically. To be truly effective, the United States must limit the
availability of unbreakable encryption to our adversaries. The Administration
stressed that "information dominance," or the ability to "acquire and protect
information necessary for successful operations, while simultaneously denying
such information to an adversary," is the key to success in future conflicts.
n198
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n196. See Judiciary Subcomm. Hearing, supra note 2, at 55.
n197. As Representative Curt Weldon stated:
At every possible opportunity, we should, in fact, provide deregulation, but to
do that in a vacuum and totally remove all controls and give our adversaries the
capability to harm this country's security in the future ... is just
unexplainable.... It is not just about ... the ability of Americans to have
their civil liberties protected - all of us want that - but it is also about
fundamental security and not giving rogue nations... the capability to encrypt
technology that... in the end [may] be used against our soldiers.
Nat'l Security Hearing, supra note 2, at 16 (statement of Rep. Curt Weldon
(R-Pa.)).
n198. Nat'l Security Hearing, supra note 2, at 20 (statement of Rep. Jane Harmon
(D-Cal.)).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Second, opponents respond to the argument that unbreakable encryption exists
and, if U.S. companies cannot meet the demand, consumers will simply download
foreign-manufactured products. Opponents of regulations such as the Relaxed Bill
contend it is unlikely that those in need of strong encryption software will
simply download the encryption from the Internet. n199 Such software may be
stronger than current U.S. regulations allow, but it is untested and unreliable.
n200 Individuals and corporations in need of such advanced [*794] encryption
technology likely would not trust valuable information to an unfamiliar source.
n201
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n199. See Judiciary Report, supra note 45, at 17-19 (letter from Andrew Fois,
assistant attorney general).
n200. See id.
n201. See id. at 19 (letter from Andrew Fois, assistant attorney general).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In addition, while it is true that there exists no global consensus on the type
of regulations the United States should be employing, several key players have
indicated that they will support the United States' approach. n202 Specifically,
Britain, France, and Japan have shown approval of the Administration's approach.
n203
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n202. See Int'l Relations Report, supra note 4, at 19-20 (dissenting views).
n203. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Third, supporters of tighter encryption controls contend that they are not
seeking to increase or decrease law enforcement's search and seizure
capabilities. They are simply trying to preserve the status quo. n204 The
en-cryption debate, they claim, should not be seen as civil liberties versus
national security. The Administration's proposal recognizes the commercial and
privacy interests implicated by any kind of encryption policy. n205 However, the
Relaxed Bill did not take into consideration the compelling national security
interest. n206
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n204. See id. at 21-24 (letter from Janet Reno, attorney general).
n205. The congressional hearings are replete with comments about the importance
of including interests of the computer industry, as well as those of civil
libertarians.
n206. The Relaxed Bill prohibits any regulation over the strength of encrypted
products used domestically, imported or exported. See H.R. 695, 105th Cong.
2(a), 3(a)(g)(2) (1997).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Rather, opponents of the Relaxed Bill believe that this type of regulation
ignores the fact that the Fourth Amendment is an attempt to balance the
government's need to infringe on liberty interests in order to perform its
duties with citizens' privacy interests. Any new policy applying the Fourth
Amendment must likewise conduct a balancing test. If such a balancing test is
not done, privacy interests will triumph, but at the expense of public safety.
As opponents of the Relaxed Bill suggested, a constitutional analysis is
necessary. However, it is not legisation such as the Relaxed Bill that is likely
to face constitutional challenges. The Relaxed Bill's approach seeks to
deregulate the exportation of encrypted products, and consequently, does not
envision government intrusion. If such regulation does not succeed it will be
precisely because it did not include the government's law enforcement interests.
Restrictive legislation, on the other hand, could encounter [*795]
constitutional challenges because it is based on the assumption that the
govern-ment is entitled to this information.
III. Constitutional Challenges
A. First Amendment Analysis
Any legislation that regulates the way in which information and ideas are
transmitted is likely to face a number of constitutional challenges.
The First Amendment precludes the government from abridging the freedom of
speech. n207 First Amendment doctrine has interpreted this truism to mean that
the government cannot prohibit speech based on bias or animus against it. n208
The government may, however, regulate speech if it is not motivated by animus
directed at the content of the speech. n209
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n207. Steven H. Shiffrin, The First Amendment, Democracy, and Romance 17-18
(1990).
n208. "One way of looking at the structure of first amendment doctrine is that
it is exclusively designed to combat biased actions by the government." Id.
n209. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The First Amendment enters the constitutionality analysis in two places. First,
does the First Amendment protect the contents of an encrypted message? The
answer to that question is unequivocally yes. No one has argued that the message
itself is not speech.
Second, is the encryption software itself speech? This is the point at which
civil libertarians and computer companies' argument is more vulnerable. If the
software is concluded to be speech for First Amendment purposes, the government
is nevertheless entitled to regulate it so long as the regulation is not aimed
at the content of the message. When ascertaining whether a regulation is
grounded in content bias, courts often apply what is commonly known as "the
O'Brien test." The Supreme Court held, in United States v. O'Brien, n210 that a
regulation limiting free speech will be permissible if it is within the
government's power, furthers an important or substantial government interest,
the government interest is unrelated to the suppression of free expression, and
the regulation is the least intrusive means of accomplish-ing the government's
goal. n211
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n210. 391 U.S. 367 (1968).
n211. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*796] As of May 1999, two courts had heard challenges to the Administration's
current policy on First Amendment free speech grounds. The plaintiff in
Bernstein v. United States Department of State, n212 a graduate student at the
University of California at Berkeley, had created an encryption software
program. n213 Bernstein wanted to teach others about the software program he had
developed. In addition, he sought to publish a paper detailing the software
program. n214 The problem was that encryption technology was classified as a
defense article or munition under the International Traffic in Arms Regulation.
n215 As such, exportation of such a product required a license. Exportation is
defined as "disclosing ... technical data to a foreign person, whether [the
disclosure] is in the United States or abroad." n216 Consequently, Bernstein was
told that any lecture or publication of his new software program could be deemed
an act of exportation. As a result, Bernstein brought an action to enjoin
enforcement of the government regulations asserting that they were
unconstitutionally vague, overbroad, and a prior restraint on speech. n217 The
court did not rule on the constitutional claims until December 1996, at which
time it held that the executive branch's regulations constituted a prior
restraint on speech. n218
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n212. 922 F. Supp. 1426 (N.D. Cal. 1996).
n213. See id. at 1429.
n214. See id.
n215. 22 C.F.R. 120.17(a)(4) (1998).
n216. Id.
n217. See Bernstein, 922 F. Supp. at 1430-31.
n218. See Bernstein v. United States Dep't of State, 945 F. Supp. 1279 (N.D.
Cal. 1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The State Department's response highlights the two-fold analysis that must be
undertaken when examining the constitutionality of encryption regulation. First,
is the content of the encrypted message speech? In this case, the message would
be the paper Bernstein sought to have published. The defendant conceded that the
paper was indeed speech. n219
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n219. See id. at 1434.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
But the message is not really what the State Department was attempting to
regulate. They were attempting to regulate the exportation of the software
program that encrypts the message. The State Department argued that the software
program was not speech or conduct, but rather an item whose purpose was
"functional rather than communicative." n220 As such, there would be no need to
engage in First Amendment analysis.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n220. Id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*797] The court, however, rejected this argument and denied the State
Department's motion for summary judgment, concluding that the software program
could be deemed speech. n221 As a result, "listing cryptographic software as
requiring an export license, may result in the unconstitutional suppression of
free speech." n222
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n221. See id. at 1436.
n222. John R. Liebman & Kristen E. Green, Encryption Software Export Regulations
and Free Speech, L.A. Law., Oct. 1997, at 21, 22. Subsequent to his holding, an
executive order transferred authority over encryption from the State Department
to the Department of Commerce. The plaintiff then filed an amended complaint
with the district court. The court held that the encryption regulations were
subject to a prior restraint on speech analysis, and furthermore, that they were
unconstitutional under the First Amendment. See Bernstein, 974 F. Supp. 1288
(N.D. Cal. 1997).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In the only other case heard concerning government regulation of encryption
software, Karn v. United States Department of State, n223 the government was
granted summary judgment because the regulation passed the O'Brien test. In Karn
the plaintiff was a computer software exporter who wanted to export a disk
containing cryptographic software. n224 Karn challenged the designation of the
disk as a defense article in need of an export license. n225 The district court,
however, granted summary judgment to the State Department. n226
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n223. See Karn v. United States Dep't. of State, 925 F. Supp. 1 (D.D.C. 1996).
In a per curiam opinion, this case was remanded in light of the recent transfer
of regulatory authority to the Commerce Department. See Karn v. United States
Dep't of State, 107 F.3d 923 (D.D.C. 1997).
n224. See Karn, 925 F. Supp. at 1.
n225. See id. at 3.
n226. See id. at 8-9.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The court concluded that the government's regulation was content neutral in that
it was not attempting to regulate because of the kind of encryption software
utilized or because the government disapproved of the idea expressed, but rather
because the code made it "easier for foreign intelligence sources to encode
their communications." n227 Applying the rest of the O'Brien test, n228 the
court concluded that the government had a compelling interest in the form of
national security concerns and that the regulation was narrowly tailored to meet
that goal. n229
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n227. Id. at 10.
n228. See id. at 11.
n229. See id. at 12.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
As a result, as of spring 1999, the courts were split on whether encryption
software is speech and if it is, whether government regulations pass the O'Brien
test. Although the Supreme Court has not yet heard a case involving [*798]
this issue, this Comment predicts that the regulations will survive
constitu-tional scrutiny.
One way to determine whether encryption software is speech or expressive conduct
is to examine the way in which it is described. Encryption software is defined
by the Administration as a type of computer program that "provides [the]
capability of encryption functions or confidentiality of information." n230
Computer programs can then arguably be aimed at conveying a message. Thus, they
would be entitled to the greatest First Amendment protection. n231
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n230. Export Administration Regulations, 15 C.F.R. pt. 772 (1998).
n231. See Bernstein v. United States Dep't of State, 922 F. Supp. 1426, 1435
(N.D. Cal. 1996) ("Even if Snuffle source code [type of encryption program] ...
is essentially functional, that does not remove it from the realm of speech.").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
This Comment, however, predicts that the Court would be swayed by the
government's compelling concern for national security and, consequently, find
that the regulation passed the O'Brien test. There are irrefutable examples of
the tragic ways in which encryption has been used by terrorists. n232 In the
wake of the most devastating terrorist incident on domestic soil, the bombing of
the Murrah Federal Building, n233 the Court would likely be extremely responsive
to government concerns.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n232. See supra note 55 and accompanying text.
n233. The bombing of the Murrah Federal Building occurred in Oklahoma City on
April 15, 1995.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
B. Fourth Amendment Analysis - From Property to Balancing Approach
The First Amendment, however, is not the only source of refuge for encryption
software exporters. The current encryption regulation proposals also introduce
potential Fourth Amendment infirmities. The Fourth Amend-ment prohibits
unreasonable searches and seizures. Case law has interpreted this to mean that
the government must obtain probable cause and a warrant before it can search or
seize items. n234 Papers occupy a special status under the Fourth Amendment.
They are expressly mentioned as an item that the Fourth Amendment means to
protect. n235 Undoubtedly, papers are specially protected because of their
unique history. During the early formation of our country, citizens were
routinely persecuted for their ideals, and proof of their ideals were found in
their words written down on paper. n236
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n234. See Payton v. New York, 445 U.S. 573 (1980).
n235. U.S. Const. amend. IV ("The right of the people to be secure in their
persons, houses, papers, and effects ....").
n236. "Private papers are the archetype of tangible property deserving greater
protection than other kinds of property. Papers are special because they contain
the physical manifestations of the author's thoughts." Morgan Cloud, The Fourth
Amendment During the Lochner Era: Privacy, Property, and Liberty in
Constitutional Theory, 48 Stan. L. Rev. 555, 620 (1996).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*799] As such, conversations, in the form of words on a computer screen,
although encrypted to ensure privacy, should receive the utmost protection.
Furthermore, case law has concluded intangible items, such as conversations, are
subject to the Fourth Amendment as well. n237
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n237. See Goldman v. United States, 316 U.S. 129 (1942), overruled by Katz v.
United States, 389 U.S. 347 (1967).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
However, Fourth Amendment doctrine has been modified as our country and its
technological developments have advanced. As a result, before an educated guess
can be formed as to the constitutionality of the types of regulation contained
in the Restrictive Bill and the Relaxed Bill, it is necessary to comprehend how
the Court has historically understood the Fourth Amendment.
1. The Property-Based Boyd-Era
Long before the exclusionary rule became a remedy against unreasonable searches
and seizures and seventy-five years before it was applied to the states, the
Supreme Court grappled with the substantive meaning of due process. In 1886, the
Court decided Boyd v. United States. n238 The federal government accused Boyd of
failing to pay import duties, and to prove it, the district judge ordered Boyd
to produce the invoices. n239 On review, the Supreme Court held that the act of
compelling Boyd to produce the invoices constituted an unreasonable search and
seizure. n240 The Court gave meaning to the due process clause by way of another
substantive body of law, namely, property. n241
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n238. 116 U.S. 616 (1886).
n239. See id. at 618.
n240. See id. at 635 ("Though the proceeding in question is divested of many of
the aggravating incidents of actual search and seizure ... it contains their
substance and essence ... illegitimate and unconstitutional practices get their
first footing ... by silent approaches and slight deviations from legal modes of
procedure.").
n241. See id. at 623-24. The government was only entitled to a person's property
if the government had a superior property interest. For example, if the goods
were stolen, they would not belong to the defendant and, as such, the government
could take them. In Boyd, however, the Court held that the government had not
exhibited a superior property interest in the invoices.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
During the Boyd-era, a search and seizure was unreasonable if the government was
intruding on an individual's private property rights without establishing a
superior right vested in the government. n242 Of particular note, the [*800]
Court explicitly rejected the government's utility argument. n243 The mere fact
that the government claimed this evidence, or rather, method of obtaining
evidence, was necessary was deemed irrelevant. Necessity, or what was later
couched in terms of a significant public interest, would not trump a citizen's
property rights. n244
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n242. Id.
n243. See id. at 629.
n244. See id. (quoting Entick v. Carrington, 19 Howell's State Trials, 1029,
1073 (1762) ("Lastly, it is urged as an argument of utility, that such a search
is a means of detecting offenders by discovering evidence.... Such a proceeding
was never heard of.... Our law has provided no paper-search in these cases to
help forward the conviction.")).
Lord Camden subsequently suggested one plausible rationale for the failure to
adopt law enforcement's utility argument was the recognition that "such a power
would be more pernicious to the innocent than useful to the public." Id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Through a series of subsequent decisions, the Supreme Court developed an
interpretation of the Fourth Amendment that focuses on the protection of places,
rather than people. n245
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n245. See Lanza v. New York, 370 U.S. 139 (1962) (holding that occupants in
jail's visitor's room cannot receive Fourth Amendment protection because jail's
visitor's room is not protected area); Olmstead v. United States, 277 U.S. 438
(1928) (refusing to apply Fourth Amendment to wiretap that Court concluded did
not invade suspect's house or office); Hester v. United States, 265 U.S. 57
(1924) (concluding that Fourth Amendment was not applicable to open fields
because open fields were not constitutionally protected areas).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
2. Katz and Expectations of Privacy
In the 1960s, the Court modified Fourth Amendment doctrine in response to
increasingly intrusive government activities. In 1967, the law changed
significantly with the Court's decision in Katz v. United States. n246 Holding
that a federal wiretap violated Katz's Fourth Amendment right to be free from
unreasonable searches and seizures, the Court ignored its previous property
justifications. n247
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n246. 389 U.S. 347 (1967).
n247. See id. at 359.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Rather, the Court defined a search and seizure in terms of whether the defendant
displayed a subjective expectation of privacy and, in addition, whether that
expectation was one society regarded as reasonable. n248 If the two privacy
criteria had been met, a search and/or seizure would have occurred, but it would
have been deemed reasonable if the government had utilized a lawful [*801]
procedure. n249 Specifically, a lawful procedure would involve obtaining a
warrant. n250 Consequently, law enforcement could intrude upon legitimate
property rights without claiming a superior property right. They could intrude
provided they followed the appropriate procedure.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n248. See id. at 351-52 ("What a person knowingly exposes to the public ... is
not a subject of the Fourth Amendment protection.... But what he seeks to
preserve as private ... may be constitutionally protected.").
n249. Had the police attempted to obtain a warrant, the Court concluded it would
likely have been granted. See id. at 354. The problem was, as the Court stated,
"restraint was imposed by the agents themselves, not be a judicial officer." Id.
at 356.
n250. See id. at 357.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
After Katz, Fourth Amendment rights had a somewhat attenuated connection to
property rights, but Fourth Amendment rights were certainly not limited by
property rights. n251 Katz was intended to respond to law enforcement's use of
increasingly intrusive investigatory techniques. As such, Katz was aimed at
expanding citizens' Fourth Amendment rights. The end result of Katz and its
progeny was that the Fourth Amendment right afforded protections to people, not
places.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n251. Id. at 351 (holding that Fourth Amendment will no longer be controlled by
property rights).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
3. Terry and Reasonable Suspicion
The Court again modified its approach to the Fourth Amendment in Terry v. Ohio.
n252 Terry and its progeny stand for the proposition that "the level of
suspicion required [will be tailored] to the intrusiveness of the search." n253
In some situations, the government will be permitted to conduct a search and
seizure based on a showing of reasonable suspicion. n254 In justifying a
departure from the probable cause requirement, the Court accepted the
government's argument that a limited search and seizure, or rather, a stop and
frisk, is absolutely necessary for law enforcement. n255
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n252. 392 U.S. 1 (1968).
n253. Michael Adler, Cyberspace, General Searches, and Digital Contraband: The
Fourth Amendment and the Net-Wide Search, 105 Yale L.J. 1093, 1105 (1996).
n254. The Supreme Court defined reasonable suspicion as having facts that would
""warrant a man of reasonable caution in the belief' that the action taken was
appropriate." Terry, 392 U.S. at 22.
n255. The Court found this type of police conduct to be essential. Moreover, the
Court could not find a way in which the brief interaction between officers and
the suspect, as displayed in Terry, could be subject to the traditional Fourth
Amendment requirements of probable cause and a warrant. See id. at 20.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The same utility argument that failed in 1886 succeeded in 1968. At this
juncture, the Supreme Court declared that reasonableness would be determined not
by the existence of a lawful procedure embodied in the warrant [*802]
requirement, but upon a careful balancing of the government's interest in the
search as opposed to its degree of invasion. n256
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n256. See id. at 20-21.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Terry was subsequently expanded and applied to situations outside the parameters
of a stop and frisk. Later, persons suspected of carrying drugs could be stopped
at the airport based only upon reasonable suspicion. n257 Vehicles could be
stopped based upon a reasonable suspicion that the vehicle contained illegal
aliens. n258
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n257. See United States v. Mendenhall, 446 U.S. 544 (1980).
n258. Congress exempted border searches from the probable cause requirement. See
19 U.S.C. 482 (1994).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Ironically, the Court first revised its Fourth Amendment analysis to allow for
greater protections from governmental invasions. Following its subsequent
decisions in cases like Terry, however, the Court began to employ something akin
to a sliding scale to measure the reasonableness of a search and seizure under
the Fourth Amendment. It is this revised interpretation of the Fourth Amendment
that must be used to determine the constitutionality of legislation such as the
Restrictive Bill and the Relaxed Bill.
C. Constitutionality of the Restrictive Bill
The Fourth Amendment is clearly implicated in the language of the Restrictive
Bill. First, any governmental taking of the encrypted message or file itself
would be a search and seizure under the Fourth Amendment. As Katz held, a search
occurs when there has been a subjective expectation of privacy and it is a
privacy interest society deems to be reasonable. n259
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n259. Katz v. United States, 389 U.S. 347 (1967).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
In the case of encrypted information, there is a clear subjective expectation of
privacy in that the user is intentionally coding the information. Furthermore,
it is at least arguable that it is a privacy interest society would be willing
to recognize because encrypted information is simply the electronic version of
letters and files. In addition, most individuals keep their computers at home or
at the office. While the Fourth Amendment no longer focuses solely on the area
one seeks to protect, a person's home and office still enjoy the greatest Fourth
Amendment protection. n260
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n260. "The balancing standard developed in Katz, Camara, and Terry continued to
provide the home and office with an exceptionally high level of protection."
Adler, supra note 253, at 1105.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
[*803] The issue then becomes whether the search and seizure is unreasonable.
Because any search or seizure would not likely be akin to a stop and frisk, law
enforcement would need probable cause and a warrant. A potential problem for the
Restrictive Bill language is that it appears to allow access to law enforcement
based on any "lawful authority." n261 Because the scope of this phrase has not
been definitively explained, it is possible the search and seizure could be
deemed unreasonable.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n261. S. 909, 105th Cong. 106(2)(a) (1997).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
There are additional concerns with the type of regulation embodied in the
Restrictive Bill. First there is the possibility that the very fact an
individual is using encryption may form the basis of probable cause. n262 While
there is nothing illegal about coding one's private information, in practice, it
may be seen by law enforcement as suspicious.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n262. See Sean M. Flynn, A Puzzle Even the Codebreakers Have Trouble Solving: A
Clash of Interests Over the Electronic Encryption Standard, 27 Law & Policy in
Int'l Bus. 217, 237 (1995).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Second, the FBI does not enjoy a particularly good reputation with respect to
its previous use of wiretaps. n263 The way that encryption technology is
currently being developed, a company would use a specific encryption formula in
all of its communications. Once the government establishes the predicate lawful
authority and is given the decryption key, the government would have the
capability to decipher all of the communications using that encryption formula.
That is not to say law enforcement would legally be able to search all of the
company's files. In fact, they most assuredly would not have the legal authority
to do so. However, they would, disturbingly, have the capability to do so.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n263. See generally Athan G. Theoharis & John Stuart Cox, The Boss: J. Edgar
Hoover and the Great American Inquisition (1988).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Assuming, however, that the ambiguity of the phrase "other lawful authority" is
resolved in a way that does not provide law enforcement with a new basis with
which to establish probable cause, this Comment predicts that the Court would
not deem the search and seizure to be unreasonable. Appreciating the Court's
relatively recent propensity toward balancing, the government has a compelling
interest in ensuring our nation's security and protecting the general welfare of
its citizens through the successful prosecution of crimes. Conversely, the
resulting intrusion could be classified as minimal. When using encryption
domestically, citizens do not have to participate in a [*804] system of key
recovery. n264 Furthermore, they do not have to participate if they are
exporting encrypted products with a strength of less than 56-bits. n265
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n264. S. 909 101-103.
n265. S. 909 302 ("Exports of encryption products up to and including 56 bit DES
or equivalent strength shall be exportable under a license exception ....").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Even when participation in the key recovery system is mandatory, law enforcement
may not require relinquishment of a key without a showing of lawful authority.
n266 If law enforcement were to illegally obtain a key, the Restrictive Bill
provided for criminal prosecution. n267 When the Court balances these two
competing interests, it is likely, given the history of the Court's Fourth
Amendment analysis, that the government's interest will trump the infringement
of personal privacy. n268
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n266. S. 909 106(2)(a).
n267. S. 909 104 (outlining criminal prosecution for illegally obtaining key).
n268. The Supreme Court has a history of characterizing the Fourth Amendment
intrusion in terms of individuals, rather than examining its collective impact.
Put another way, the Court, when presented with the facts of a particular case,
notes the government's broad interest in preventing crime for the entire
country, but only discusses the impact on the one person claiming a
constitutional violation. This process fails to consider the intrusion
collective impact.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Next, this Comment considers whether regulating the use of encryption software
would violate the Fourth Amendment. For the same reasons discussed above,
prohibiting export of encrypted products above a strength of 56-bits would be a
seizure. If a computer manufacturer attempted to export such encrypted products,
he would face criminal penalties. n269 Again, the government has a compelling
interest in national security and this Comment predicts the Court would favor
this interest over arguments from the computer industry focusing on economics.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n269. S. 909 308 ("Any person who exports an encryption product in violation of
this Title shall be fined under Title 18, United States Code or imprisoned for
not more than five years.").
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
However, if legislation such as the Restrictive Bill eventually passes, and is
only the beginning of incremental increases in government regulation of
encrypted products, the regulation could successfully be challenged on Fourth
Amendment grounds in the future. If the Administration propels forward with its
ultimate goal of domestic control over encryption software, n270 the [*805]
government's interest diminishes with the rise of privacy and liberty interests.
The Restrictive Bill only targeted the exportation of unbreakable encryption.
n271 Thus, it was in line with the Administration's contention that the
government is only interested in preventing harm from foreign countries.
However, if the Administration begins to regulate domestic use of encryption
software, the Administration would have to concede that eradicating terrorist
threats is not its only motivation.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n270. See Judiciary Subcomm. Hearing, supra note 2, at 47-48. FBI Director Freeh
conceded domestic control of encryption use is the law enforcement's ultimate
goal. In response to Senator Kyl's skepticism that the Restrictive Bill could
meet the Administration's needs concerning national security, Freeh stated:
The main concern ... is domestic access .... we would recommend ... the
legislation contain a provision that would require the manufacturers of
encryption products and services, those which will be used in the United States
or imported into the United States for use, include a feature which would allow
for the immediate lawful decryption.
Judiciary Subcomm. Hearing, supra note 2, at 47-48 (statement of Louis J. Freeh,
Director of FBI).
n271. S. 909 302. Only products utilizing a strength of more than 56-bits are
required to establish a system of key recovery. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
If this point is reached and there is a constitutional challenge, the Court
would have to reapply its balancing test. The government's interest would not be
as compelling because national security would not be the interest at stake.
Rather, the government would merely be seeking the Court's approval of a
highly-intrusive investigative technique.
D. Constitutionality of the Relaxed Bill
The Relaxed Bill was directed at deregulation of encryption software. n272 It
would be difficult for such regulation to be challenged on constitutional
grounds. Congress has the authority to enact statutes, but it does not have to
do so. Congress can remain dormant on the issue of encryption regulation and
leave it to the states to regulate under their police powers. n273 If this type
of legislation is defeated, it will be because it does not include a mechanism
for government lawfully-justified intrusion.
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n272. H.R. 695, 105th Cong. 3(a)(g)(2) (1997).
n273. "The powers not delegated to the United States by the Constitution, nor
prohibited by it to the States, are reserved to the States respectively, or to
the people." U.S. Const. amend. X.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
IV. Proposal
As this Comment suggests, either type of legislation could probably be passed
and survive constitutional challenges. The question, then, is which type of
legislation will eventually be passed? The answer depends on which interest
Congress is most concerned with protecting. If Congress wants to ensure that
privacy interests are not infringed upon in even a minimal sense, relaxed
legislation such as House Bill 850 may best address that interest. Again, if
[*806] Congress is swayed by the very real potential for American computer
companies, whose presence accounts for the majority of the software market
share, to be squeezed out of the market, then some version of the Relaxed Bill
is the best option.
However, Congress may be persuaded by assertions that national security concerns
compel enactment of a bill that provides for government access to virtually
unbreakable encryption. Certainly, law enforcement has provided proof of the
burden such encryption has put on its crime-solving duties. In this case, the
Restrictive Bill-type legislation would be the only option. William Reinsch,
head of the Bureau of Export Administration, underscored the Administration's
dislike of bills such as the Relaxed Bill and the Administration's continued
committment to encryption regulation. n274 Reinsch predicted that any bill
calling for relaxing control over encryption would never survive the Senate.
n275
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n274. See John Schwartz, Tales from the Crypto, Without an End in Sight, Wash.
Post, Mar. 8, 1999, at F28.
n275. See id.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
Considering the Clinton Adminstration's stance, it is likely that some sort of
restrictive bill will prevail over a bill relaxing control over encryption.
Although a restrictive bill may be only the first step in a slippery slope
leading toward increased government intrusion, regulation such as that contained
in Senate Bill 909 would not be overly offensive as it would not control
domestic use of encryption. Thus, those in Congress who are concerned with the
effect that a restrictive bill may have on privacy interests can allay their
fears with the knowledge that a restrictive bill will not impinge on the privacy
interests of United States citizens.
Conclusion
Our nation's security is a compelling interest. There are terrorists, drug
cartels, and child pornographers presently using encryption to hide and carry
out their illegal activities. Given the FBI's data, it is unquestionable that
encryption is being used to further elicit activities. But, the more salient
question is how much are we, as citizens, willing to give up in the name of
national security. Alan Davidson of the Center for Democracy and [*807]
Technology asks, "Is it worth this tremendous cost to privacy and security just
to slow down the spread of encryption to a few bad guys?" n276
- - - - - - - - - - - - - - - - - -Footnotes- - - - - - - - - - - - - - - - - -
n276. Quoted in Schwartz, supra note 274, at F28.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
The passage and implementation of a restrictive bill does not seem too great of
a burden for the assurance that our national security remains protected. With a
restrictive bill, the government is not carving an extensive hole in civil
liberties. In fact, the entire system of key recovery and a key management
infrastructure is entirely voluntary. Surely, such a benign bill is worth it.
A restrictive bill, however, will not successfully address the national security
concern. It will not come remotely close to ensuring that unbreakable encryption
is not developed or that criminals and terrorists are not able to gain access to
such encrypted products. There are no domestic and, more importantly, no import
restrictions over encrypted products. There is no global consensus on regulating
the strength of encryption.
Consequently, a restrictive bill is likely only the beginning of government
regulation of private, coded transmissions. A restrictive bill achieves
relatively nothing for law enforcement. It accomplishes little unless it is
viewed as starting the deliberate process of government restriction in this area
of advanced technology. In that sense, a restrictive bill has a great deal of
meaning because the bill is extremely susceptible to incremental intrusions by
government.
The Administration's current proposal is a fallback position. Initially, it
proposed the Clipper Chip and mandatory key escrow, whereby the key would be
housed with a government-designated entity. That proposal encountered such
universal opposition that the Administration was forced to retreat. Senate Bill
909, therefore, was the compromise. It was a moderate proposal, but precisely
because of that, this type of regulation is worthless except for where it could
lead. In order to eradicate criminal use of unbreakable encryption, we must be
willing to give up much more than a restrictive bill demands. The question is
how much are we willing to give up.