US Government Cryptography Policy

The Government of the United States has fought a long running battle to prevent the free export of encryption technology from the US to other countries. The reason most frequently stated for this effort is to prevent criminals, including international terrorists and child pornographers, from obtaining and using strong cryptography to hide their activities. Critics of US policy have long pointed out that export controls do not achieve this goal, since strong cryptography is already available in hundreds of forms in every country on the planet. The real reason for the US government's campaign is to prevent the implementation of global standards for strong crypto, which would inevitably lead to routine encryption of voice and data traffic throughout much of the world. In this scenario, nobody would have to take special precautions to secure their communications. Stupid criminals would enjoy the same protections smart criminals do today. Of course, so would law abiding persons everywhere.

The advent of strong cryptography available to the masses, combined with cheap global communications, has threatened to weaken government control everywhere in the world. As with any significant change, this possibility has good and bad implications. Less government control means greater freedom for individuals to make choices about their lives. Many people will make bad choices with their freedom. Many more will make better choices. Trying to assess the impact such a change will have on the world is a matter of guessing how many good choices will be made versus how many bad ones, their magnitudes and consequences. Without a true science of Sociology, this is an intractable assessment to try to make. One approach to this lack of certainty is to clamp down on individual freedom in order to suppress the incalculable number of bad choices that could be made by individuals. Another approach is to encourage individuals to exercise their freedoms in order to maximize the values of the incalculable number of good choices they might make. Which precise mixture of approaches you take depends on your individual assessment of human nature. Democracy is based on the faith that, given the opportunity, greater numbers of people will make good choices more often than not.

Another factor to consider is the practical impossibility of suppressing ideas over the long term. For many years, knowledge of cryptology was limited to the security organs of major governments. In the US, the National Security Agency employed the best cryptoligists the country produced. The results of their research were naturally tightly held secrets. The NSA's near monopoly on cryptological research was broken in the mid-1970's with the public discovery of public key cryptography. Researchers including Ralph Merkle, Whitfield Diffe, Martin Hellman, Ronald Rivest, Adi Shamir, Len Adleman and many others started publishing papers on this new branch of cryptography. Their work stimulated public research on the whole range of cryptological science, previously the near exclusive domain of national security organs. In the US, the NSA briefly tried to control the publication of the results of this research, before recognizing the futility of their efforts in a free society.

Since the early 1980's, the US Government's approach has been to focus on suppressing the international use of strong cryptography. The reasoning seems to be something like "It's easier to control actions than ideas." This is true as far as it goes. But there's another idea behind the use of cryptography that will not be suppressed forever: that people have a right to private communication over and above any government's right to control it. This idea is so fundamental to concepts like Democracy and Human Rights that any attempt to suppress it without crushing those related concepts is doomed to failure. My personal belief is that the US Government is not, on balance, interested in suppressing Democracy. It follows from this that the US should abandon the attempt to suppress strong cryptography, and instead embrace its use in promoting individual liberty and Democracy worldwide.

The US Judiciary and Legislative branches of Government seem to be leaning toward this approach. The Executive branch lost a major round in court with the decision of a three judge panel of the 9th US Circuit Court of Appeals in the BERNSTEIN VS USDOJ. case. The ruling upholds a lower court ruling that US export controls on cryptography are unconstitutional on their face. It's unlikely that this ruling will have any immediate effect on the stupid US Government cryptography export regulations. The US Department of Justice has been granted a rehearing of the appeal by the full 9th Circuit Court, and is likely to appeal an adverse decision on the issue to the US Supreme Court.

Meanwhile, the US House of Representatives is considering H.R.850, a bill that in part

Authorizes the Secretary [of Commerce], after a one time, 15 day technical review, to authorize the export or re-export of computer hardware, software, or computing devices with encryption capabilities for nonmilitary and end uses in any country: (1) to which exports of computer hardware, software, or computing devices of comparable strength are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such computer equipment will be diverted to a military end-use or an end-use supporting international terrorism, modified for military or terrorist end-use, or re-exported without authorization by the United States; or (2) if the Secretary determines that a computer hardware, software, or computing device offering comparable security is commercially available outside the United States from a foreign supplier, without effective restrictions.

This bill passed through the House Committees of the Judiciary and Commerce. It underwent significant revision in the House Armed Services Committee and House Permanent Select Committee on Intelligence, emerging weakened but alive.

Faced with these developments, the Clinton Administration announced on September 16th 1999 a major liberalization of US policy with respect to the export of strong cryptography. The Bureau of Export Administration of the US Department of Commerce (BXA) went through several rounds of revision coming up with rules to implement the new policy. The resulting document, published on January 13^th 2000 (available here in draft form from the Center for Democracy and Technology) reveals a huge improvement in the old regulations. Most restrictions on the export of strong cryptography with any key length are lifted, including freely available source code. The changes are so sweeping that a question naturally arises as to why the export regulations were not lifted entirely. Since the new regulations still impose arbitrary restraints on information made available in electronic form, which do not apply to the same information published in a book, the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC) are continuing to lobby the administration to do away with the restrictions entirely. They will also continue to support Professor Bernstein in his suit against the US. Their joint statement is available here.