Taking on Uncle Sam over encryption

In an interview with CNET News.com, professor Daniel Bernstein discusses his beef with government encryption standards and the role of Internet security after Sept. 11.

Computer programmer Daniel Bernstein says he just wants to make the Internet more secure. But he says the government is still standing in his way.

Bernstein, who for the past seven years has been successfully chipping away at U.S. encryption regulations, is back in the news this week after renewing his court fight against the government.

On Monday, Bernstein filed an amended complaint to his lawsuit, which since 1995 has sought to remove regulations on exporting strong encryption software. The government has considerably revised its standards several times in response to suits brought by Bernstein and others, but Bernstein says the latest revamp, in January 2000, still didn't go far enough.

The University of Illinois at Chicago computer science professor maintains that current encryption regulations violate free speech and prevent him and his colleagues from conducting legitimate research. The government, however, has argued that some restrictions are necessary to prevent terrorists and criminals from using the Web for illegal purposes.

And with worries about terrorism on everyone's mind, the tension between the government and free-speech activists is escalating.

In an interview with CNET News.com, Bernstein discusses his continuing beef with government standards and the role of Internet security after the Sept. 11 terrorist attacks.

Q: Why are you renewing your court battle?
A: It's really a continuation of the existing battle. The government two years ago made a big exception to the previous regulations, a nice exception allowing publication of strong cryptographic software under certain constraints. The problem is that even with this exception the regulations still pose all sorts of problems for me.

What are some of those problems?
Because the regulations are so complicated, it's actually a rather long list of different ways that the regulations hurt, but the first and most obvious problem is that the regulations insist that you send copies of everything to the government. Before you show something to a foreigner, you have to send it to the government, or at latest at the same moment you send it to a foreigner you have to send it to the government.

Now, if I'm away at a conference, and I'm working with a foreign cryptographer on new security software, there's no way that I can send every line of code to the government before disclosing it to that foreigner. It's impossible for interactive, in-person discussions to be constantly sending everything you say to the government before disclosing it to a foreigner.

What about doing it online?
When I'm sending e-mail it's certainly practical for me to send everything to the government as I send it to someone else. If I'm at a conference, and I don't have e-mail access, then it's a lot more difficult. Scientists still visit each other, and go to conferences, because it's still a lot faster to work with somebody in person than it is through the Internet. And if I have to send everything to the government before showing it to a foreigner, it really dramatically slows down collaboration. Even when it's practical, I don't think most people would like it if they had to send all of their e-mail to the government. And certainly we're raising the Fourth Amendment problems with that in the lawsuit.

Do you ever worry about the technology you're working on falling into the "wrong hands" because of an easing of these regulations?
If I thought that stopping my research could prevent terrorists from communicating in secret, then I would have to decide that ethical question. But it's just ridiculous to imagine that stopping people like me from helping Internet users protect themselves will have any effect.

In an ideal world, what would the encryption situation look like?
I don't see a need and I don't think anybody else sees a need for any laws relating to encryption. The situation in Europe is anything goes, and there's really no reason the government needs any laws related to this. It's really difficult to figure out what they're trying to accomplish with the current laws.

Do you think that there is any situation where information like this should be restricted?
I think it's silly to imagine that the science of cryptography can be wiped out, or can be eliminated. The genie's out of the bottle. There's just no way to take this information back. It's been possible for many years for people to communicate in secret, and the recent research on encryption, the recent research on computer security, is aimed at making these things easier for normal people to use.

But criminals who are willing to go to substantial length to protect their communications can already do it. What I'm trying to do is make computer security, Internet security, cryptography easier for legitimate users who don't have much patience for painful, slow encryption, for example.

The government's argument in keeping these restrictions, in keeping this software out of the hands of some foreigners, is that it can thwart terrorism. What do you think of that? And how have the Sept. 11 attacks affected the encryption debate?
I don't think there's been any actual effect. It's silly to imagine that stopping my research--even stopping every current piece of cryptographic research--would stop terrorists from communicating in secret. The fact is, as illustrated by Sept. 11, the terrorists can communicate in secret. If there was something I could do to stop them, I would, but there isn't. What I can do is help legitimate users protect their computers--protect the Internet--against criminals.

Encryption has sort of fallen off people's radar screens. Some would even say the battle over encryption has already been won. But you don't agree.
It's certainly much better. I would like to recognize how much the regulations were improved at the beginning of 2000. But they aren't gone. The regulations are still there. Because the government decided to make them more and more complicated and didn't just take them away, there still are all sorts of situations where the regulations interfere with scientists like me.

Do you think there really is a chance you could be thrown in jail for the type of research that you're doing?
I hope not, but the government hasn't committed itself to that position. They haven't fixed the regulations.

Do you see any similarities between your case and other cases, such as the professors who were trying to give a speech and were afraid they would violate the DMCA, or the Russian programmer who was arrested for sharing his e-book technology?
Certainly, many of the same legal issues come up in all of these cases. It's important in a very large number of these cases the fact that software, that instructions, are protected speech under the First Amendment. Even if people can follow those instructions and do something that the government doesn't like, publishing the instructions, communicating the instructions, is still protected speech.

What about broader ramifications for consumers or Internet users? How can the outcome of your case affect those people?
I like to think that the software that I publish can stop some Internet attacks. There are certainly some other researchers who are affected the same way by these regulations. In some of those cases, they're thinking about the same thing. They want to help protect the Internet. I really see it as, here are some things that I want to publish, and here are some things I want to work on with my foreign colleagues. The government regulations are stopping me from doing that. By doing that, they are hurting the users who could be protected by this software.