CNET también está disponible en español.

Ir a español

Don't show this again

Internet

Lawyers decipher crypto ruling

Yesterday's ruling that government encryption regulations violate free speech protections sets an important precedent, but one that may last only a little more than a week.

Yesterday's ruling that government encryption regulations violate free speech protections sets an important precedent, but one that may last only a little more than a week.

Lawyers familiar with the Bernstein vs. the U.S. Department of State case today say that Judge Marilyn Patel's U.S. District Court ruling, which was released yesterday, may end up meaning nothing once a new set of encryption regulations takes effect on January 1. Then again, the decision may make the brand-new rules unconstitutional. (See Related Story.)

The judge's ruling declares that the State Department's export regulatory structure is so cumbersome that it creates an atmosphere of "prior restraint" that prohibits the expression of protected speech--in this case, software source code. Judge Patel decided in April that source code is protected by the First Amendment. She found that the regulations--which require encryption makers to obtain a license before exporting their software--are "vague and overbroad" and place unfair restrictions on speech.

But in deciding the case, the judge was examining what are basically lame-duck regulations known as ITAR (International Traffic In Arms Regulations). These State Department rules on how to get export licenses for encryption software--classified by the State Department as a munition--will no longer apply to software cryptography as of January 1, when new rules under the aegis of the Commerce Department take effect.

Under pressure from both the national intelligence community and computer industry lobby groups, a government task force is still hammering out the details on the new rules. But until they are finalized, lawyers can't tell if Judge Patel's ruling will affect them.

"We don't know yet what the overall ramifications will be under the new regulations," said Shari Steele, staff attorney for the Electronic Frontier Foundation, an online rights organization that sponsored plaintiff Daniel J. Bernstein in the case.

Bernstein's counsel will meet to discuss its strategy concerning the upcoming Commerce regulations. The government is expected to appeal the decision, although a Justice Department spokesman would not comment, saying it was still reviewing Judge Patel's ruling.

The EFF's Steele was less circumspect. She has seen a working draft of the new regulations that circulated last week. She believes that if they don't change much in their final form, Patel's ruling will apply--making the new rules invalid from the get-go.

"Under the current proposed regulations, Bernstein would not be able to publish," said Steele. "The things that were found unconstitutional have not been corrected."

Others think the new rules are likely to address the concerns about prior restraint that the Bernstein case brought to light.

"Unlike the State Department, Commerce is bound to act upon export applications within specific timeframes," said Ken Mendelson, corporate counsel for Trusted Information Systems, a security company that just received five export licenses for products with strong encryption.

Regardless of what happens after January 1, Judge Patel's decision would not have any immediate effect on commercial encryption vendors seeking to export their offerings.

Her decision applied only to source code--the kind of code that a programmer writes in a high-level programming language like C--not the "object code" that a computer actually reads. Moreover, any action based on her ruling could be forestalled as Judge Patel has said that she will automatically refer the case to a higher court for appeal.

There also may be a conflict between Patel's decision and that of another federal court in Washington, D.C., which upheld the ITAR regulations earlier this year.

The conflict may be resolved on Capitol Hill next year, when the 105th Congress reintroduces two bills that attempt to eliminate government regulation of encryption and thus remove the question altogether of whether government regulations are constitutional.

Representative Bob Goodlatte (R-Virginia) will reintroduce his Security and Freedom through Encryption Act in the House, while Senator Conrad Burns (R-Montana) and colleagues will bring back the Pro-Code Act in the Senate.