Maynard Anderson, D. James Bidzos, National Computer Security Association, Mark Rasch, RSA Data Security, Inc., Dr. Eugene Spafford, and Dr. Ross Stapleton-Gray hereby respectfully submit this Brief Amici Curiae in support of Appellee Daniel J. Bernstein. Pursuant to Federal Rule of Appellate Procedure 29, Appellants and Appellee have consented to the filing of this Brief Amici Curiae. The letters indicating this consent are being filed simultaneously with the Clerk of the Court.
Amici curiae Maynard Anderson, D. James Bidzos, National Computer Security Association, Mark Rasch, RSA Data Security, Inc., Dr. Eugene Spafford, and Dr. Ross Stapleton-Gray are a group of individuals and organizations united in their view that the Export Administration Regulations ("EAR") at issue in this case constitute an unconstitutional prior restraint on plaintiff's speech, and that the Court should affirm the District Court's decision. Amici as a group bring to the core issue in the case particular knowledge of the effects which the regulations can have in the real worlds of national security, law enforcement, and electronic commerce. As professionals working in fields which utilize or are related to encryption technology and computer science, they all have a direct and substantial interest in this matter. They believe that while there are, quite clearly, legitimate governmental interests at stake here, the Government must be required to demonstrate and justify the need for these constraints in theory, as well as in fact, and that it failed to do so in the District Court.
Amici believe that the way the Court resolves the constitutional issues posed by the EAR can have important implications for academic freedom and scientific advancement, social welfare, national security, and international commerce in a global communications environment that is moving beyond all of history's previous information technologies.
Maynard Anderson is currently the President and Managing Director of Arcadia Group Worldwide, Inc. As a long-time former government official in the national security field, Mr. Anderson is concerned that the EAR may not be serving the best interests of U.S. national security. Currently, Mr. Anderson is engaged in advising U.S. companies on a variety of security matters, including the export of cryptographic systems. His freedom to assist foreign clients with technical matters of encryption and related technologies is burdened by the EAR.
As Acting Deputy Under Secretary of Defense for Security Policy, Mr. Anderson was responsible for providing staff advice and assistance to the Under Secretary of Defense for Policy and the Secretary of Defense in the development of overall defense policy for international security programs, national disclosure policy, special access programs, and NATO security. This position involved him in emergency planning and preparedness, crisis management, and special and sensitive activities. He chaired the committee which determines what classified weapons systems the U.S. will share with foreign countries.
Formerly, Mr. Anderson served as the Assistant Deputy Under Secretary of Defense (Counterintelligence and Security) with responsibilities for the management of Department of Defense ("DoD") investigative, security, and counterintelligence programs. He served as the focal point for such policy matters within the DoD and oversaw worldwide DoD counterintelligence activities.
As Director for Security Plans and Programs, Office of the Deputy Undersecretary of Defense for Policy, he had responsibilities for reviewing and formulating policies that govern DoD security practices and programs and served as the United States Representative to the NATO Security Committee.
Mr. Anderson has received two Presidential Rank Awards of Meritorious Executive and the DoD Distinguished Civilian Service Award for exceptional contributions to the national security.
Mr. Anderson has lectured and written extensively on various aspects of strategic planning, counterintelligence, security concepts, philosophies, and disciplines, as well as national security issues. He was a lecturer and seminar leader at the 1996 Nobel Peace Prize Forum and an advisor to the Commission on Protecting and Reducing Government Secrecy chaired by Senator Daniel Patrick Moynihan.
D. James Bidzos is the President and Chief Executive Officer of RSA Data Security, Inc. Under his leadership, RSA has become the worldwide de facto standard for encryption. RSA encryption is included in such products as Netscape Navigator, Lotus Notes, Novell Netware, Intuit's Quicken, and Microsoft Windows 95. Moreover, products from IBM, AT&T, Lotus, Sun, DEC, Novell, Netscape, Spyglass, and over three hundred others incorporate RSA's technology. Over 100 million copies of RSA's software are in use today. The EAR burden the First Amendment rights of Mr. Bidzos and RSA in a manner similar to the way in which Mr. Bernstein's rights are burdened by restricting the export of RSA's encryption software to foreign countries. Moreover, their freedom to discuss technical matters of encryption and related technologies with foreign customers-- which is critical to their livelihood -- is restricted by the EAR.
After a 1996 merger between Security Dynamics and RSA, the Security Dynamics Board of Directors elected Mr. Bidzos as a director and executive vice president of the company. In early 1995, Mr. Bidzos founded VeriSign and currently serves as Chairman of the Board. VeriSign is the world's leading provider of products and services that allow for the identification of parties on the other end of an electronic transaction or session on the Internet.
Mr. Bidzos is a member of the Board of Directors of the Electronic Privacy Information Center ("EPIC"), an organization which seeks to protect individual rights to privacy in cyberspace. Mr. Bidzos has testified on several occasions before the U.S. House of Representatives and the U.S. Senate on behalf of the U.S. computer industry, and has given hundreds of talks and speeches around the world.
National Computer Security Association ("NCSA"): NCSA is an independent organization with over 3,000 corporate members that strives to improve security and confidence in global computing through awareness and the continuous certification of products, systems, and people. NCSA promotes continuous improvement of commercial digital security by applying the NCSA Risk Framework and NCSA Continuous Certification model to certification, research, and related activities. NCSA services include security-related research, conferences, publications, professional membership, vendor and user based consortia, and certification.
NCSA currently hosts and manages six vendor-oriented consortia including CPC -- The Cryptography Product Consortium -- whose membership includes most worldwide vendors of cryptographic security products. Other NCSA security product-related consortia include: AVPD -- The Anti-Virus Product Developer's Consortium, whose membership includes essentially all vendors of anti-virus products; the Firewall Product Developer's Consortium, whose membership includes essentially all vendors of Internet Firewalls; ISPSec -- the Internet Service Provider Security Consortium, which has essentially all large (backbone) ISPs as members; SIFT -- Secure Internet Filtering Technologies Consortium; and BPC -- The Biometric Product Consortium.
Additionally, NCSA currently hosts two significant corporate-end-user-oriented consortia: FISC -- The Financial Information Security Consortium -- which has mainly medium and large banks as members; and Medisec -- The Medical Information Security Consortium.
NCSA is concerned about the national security implications of the weak domestic infrastructure that results from the lack of available strong encryption products, and believes that the security and First Amendment rights of its members are compromised by the EAR.
Mark Rasch is Director of Information Security Law and Policy in the Center for Information Protection at Science Applications International Corporation in McLean, Virginia. He is interested in this case on multiple levels. Mr. Rasch advises banks, insurance companies, and Fortune 100 companies both domestically and abroad concerning computer security, information protection, digital signatures, electronic commerce, encryption, and export control issues. His ability to provide technical assistance to foreign clients is burdened by the EAR. Finally, as a U.S. citizen, Mr. Rasch has a strong interest in the maintenance of the U.S. national security. Mr. Rasch has been an adjunct faculty member at the Washington College of Law at the American University and at the Columbus School of Law at Catholic University where he has taught courses in white collar crime and evidence law. He has also been an adjunct faculty member at the American University School of Justice, Law and Society where he has taught courses in criminal law, criminal procedure and constitutional law.
Mr. Rasch previously held several positions at the Department of Justice ("DoJ") where he focused his efforts on areas of export control and espionage in the DoJ Internal Security Section of the Criminal Division. He was involved in the investigation, prosecution, and export of high technology articles from the U.S. to the Middle East and to the former Soviet Union. He participated in the Government's efforts in foreign counter-intelligence and foreign intelligence surveillance cases. He also helped secure wiretap authority for the Government in intelligence and national security matters.
Mr. Rasch also served as a trial attorney with the Fraud Section of the DoJ Criminal Division and was responsible for investigations and prosecutions of "white collar" criminal offense cases, including the prosecution of Lyndon H. LaRouche, Jr. in Massachusetts and in Virginia. From 1984 through 1991, Mr. Rasch became the de facto head of DoJ's computer crimes unit, where he was responsible for the U.S. investigation of the KGB's efforts to steal U.S. secrets in the "Cuckoo's Egg" case and the prosecution of Robert Morris (the "Internet Worm" case). During his tenure, Mr. Rasch helped to formulate the Government's encryption and computer crime policies.
Dr. Eugene Spafford is a Professor of Computer Sciences at Purdue University. He is the founder and director of the COAST Laboratory at Purdue -- the world's largest academic research center dedicated to issues of applied information security and computer crime prevention. Dr. Spafford has authored over 100 articles, reports, and books on his research, including co-authoring three highly-regarded books on topics in computer and network security: (1) Computer Viruses; (2) Practical Unix and Internet Security; and (3) Web Security and Commerce.
Dr. Spafford is an internationally recognized expert on issues of network security, security response, and computer crime. He has chaired the International Federation for Information Processing ("IFIP") working group on network security and serves on the editorial boards of several major computer security journals,
Dr. Spafford is a Senior Member of the Institute of Electrical and Electronics Engineers, Inc. ("IEEE") and IEEE Computer Society, and is a Fellow-designee in the Association for Computing Machinery ("ACM"); the IEEE Computer Society and the ACM are the two largest and oldest computer science and engineering professional technical societies.
Dr. Spafford is currently a member of the Defense Science Study Group and is a member of the Information Security Technology and Science Study Group of the Federal Infosec Research Council which is engaged in information security research. He has served in an advisory, teaching, or consulting capacity on information security and computer crime with several U.S. government agencies and their contractors, including the FBI, the National Security Agency, U.S. Attorney's Office, the Secret Service, the Department of Energy, and the U.S. Air Force. He also has been an advisor to several Fortune 500 firms and to state and national law enforcement agencies worldwide.
The application of the EAR would have a similar effect on Dr. Spafford as it would on Dr. Bernstein by restricting his rights, under the First Amendment, to discuss and share technical information with colleagues abroad concerning encryption -- an issue of considerable importance to his career. It would also restrict the ability of Professor Spafford and his students to deploy and experiment with some research prototypes developed in their laboratory, thus adversely affecting the conduct and quality of his research efforts. Additionally, it may impact his ability to teach about issues of encryption in a laboratory setting involving his students and faculty colleagues who are not U.S. citizens; historically, this has been a significant percentage of the graduate student population at many U.S. universities.
Dr. Ross Stapleton-Gray is the President and founder of TeleDiplomacy, Inc., a consultancy on issues of diplomacy and international relations in the Information Age. TeleDiplomacy works with both governments and the private sector to explore new means for collaboration through the Internet. Dr. Stapleton-Gray is the Director of TeleDiplomacy's Electronic Embassy program which serves as a resource of and for the Washington, D.C. foreign embassy community.
Prior to joining TeleDiplomacy, Dr. Stapleton-Gray served six years as an officer of the Central Intelligence Agency, both as an analyst of information technologies worldwide, and as a planning officer on detail to the Intelligence Community Management Staff. In the latter position, he represented the Staff to the White House's Information Infrastructure Task Force, where he advocated greater use of the growing Global Information Infrastructure by the foreign affairs agencies. He is the author of, inter alia, "U.S. Cryptography Policy: Strategic Hamlets," published in the January 1996 edition of Telecommunications. Dr. Stapleton-Gray will be affected by the outcome of this case. The application of the EAR to Dr. Stapleton-Gray and his clients may restrict opportunities to provide Internet and computer-based communications assistance. Moreover, the application of the EAR would have a similar effect on Dr. Stapleton-Gray as it would have on Dr. Bernstein by restricting the ability of Dr. Stapleton-Gray to discuss and share technical information concerning encryption with colleagues abroad.
Although the Government has a strong interest in preserving national security, its Export Administration Regulations on encryption ("EAR") do not further this interest, and, in fact, may undermine it. The EAR are designed to prevent the foreign availability and use of "strong" (i.e., greater than 40-bit key length) encryption. Notwithstanding the existence of the EAR, however, strong encryption products already are used and widely available outside the United States. Thus, the EAR do little, if anything, to prevent foreign intelligence and law enforcement targets from obtaining and using strong encryption capabilities in their efforts to deny U.S. access to their communications. On this basis alone, the Government's attempt to justify the EAR as a direct and material means of preventing a threat to national security must fail.
Moreover, even if strong encryption were not already available to foreign entities, the Government's effort to prevent such availability through the use of the EAR is significantly undermined by the print exception to the EAR.(1) Nothing in the EAR prohibits a printed version of the encryption source code from export and, once abroad, conversion into electronic source code either manually or by automated means. As the District Court opinion (ER 544-78) described it, the print exception "undermines the stated purpose of the regulations." Id. at 568.
Ironically, by weakening the U.S. technology industry in international markets, the EAR may actually increase the development and use of strong encryption products abroad. Companies seeking to develop strong encryption will be attracted to countries with little or no encryption export controls because products developed in such countries may be exported to a wider potential international market than U.S.-manufactured products. Consequently, the EAR impose disadvantages on the U.S. encryption industry relative to worldwide competition.
Not only do the EAR fail to limit the availability and use of strong encryption abroad, they indirectly reduce the development, availability, and use of strong integrated encryption domestically. This occurs because it is significantly less costly for a U.S. vendor to develop, produce, market, support, and maintain a single version of a product with integrated encryption than it is to perform those functions for multiple versions. The EAR's prohibition on foreign sales of strong encryption technology creates strong economic incentives for U.S. vendors to develop products with weakened integrated encryption capabilities that can be sold both domestically and abroad. This, in turn, reduces the overall strength of encryption available to protect the security of domestic electronic communications.
The reduction in the availability and use of strong domestic encryption creates a tangible national security risk for two reasons. First, the increasing role of computer-controlled networks in maintaining the nation's key assets, such as power, water, finance, communications, emergency, and other critical infrastructure systems, increases the nation's vulnerability to computer-based attack. The EAR diminish the availability and use of strong encryption domestically, thereby heightening the risk of successful computer-based attacks on the U.S. infrastructure. Second, by reducing the availability and use of strong encryption domestically, the EAR will hinder the continued growth of electronic commerce, an increasingly important sector of the economy that is vital to the health and security of the nation.
For the foregoing reasons, the EAR cannot withstand any applicable First Amendment analysis.(2) Amici strongly endorse the position of Appelleethat the regulations constitute an impermissible prior restraint on speech. However, even assuming arguendo that the regulations should be judged under the intermediate scrutiny standard, the regulations are still constitutionally infirm. Because the regulations do not further the important government interest of preserving national security, and, in fact, serve to undermine this interest, the regulations must fail even under an intermediate scrutiny standard.
The Government, through the EAR,(3) restrained Professor Daniel Bernstein from publishing his academic research regarding cryptography and his computer source code for cryptography software. As the District Court concluded, the Government's restriction constitutes a prior restraint on speech. ER at 570-71. It is a fundamental principle of First Amendment jurisprudence that "any system of prior restraints of expression comes to [the court] bearing a heavy presumption against its constitutional validity." Bantam Books, Inc. v. Sullivan, 372 U.S. 58, 70 (1963) (citations omitted). This heavy constitutional presumption against prior restraints on speech is subject only to what the Supreme Court has described as "exceptional cases." Near v. Minnesota, 283 U.S. 697, 713, 716 (1931). The Government therefore "'carries a heavy burden of showing justification for the imposition of such a restraint.'" New York Times Co. v. United States, 403 U.S. 713, 714 (1971) (percuriam) (citations omitted).
The Government cannot meet this burden with a mere assertion that the prior restraint is justified "in the name of 'national security.'" Id. at 718-19 (Black, J. and Douglas, J., concurring). Rather, a prior restraint must be supported by "governmental allegation and proof that publication must inevitably, directly, and immediately" cause harm. Id. at 726-27 (Brennan, J., concurring) (emphasis added). The Court determines the weight of asserted national security interests by examining the Government's factual justifications. See Haig v. Agee, 453 U.S. 280, 308-309 (1981); see also id. at 284-85 nn.4-7 (citing, inter alia, affidavits of CIA Deputy Director for Operations). The Government has overstated the national security imperative in the past.(4) Thus, the bare assertion of a national security interest, without more, cannot overcome the presumption against prior restraints on speech.
Even assuming arguendo that the regulations in this case do not constitute a prior restraint on speech, for the EAR's restrictions on First Amendment freedoms to survive constitutional scrutiny, the Government must do more than simply state the harm which might result from the restricted speech. United States v. National Treasury Employees Union, 513 U.S. 454, 475 (1995). Rather, the Government "must demonstrate that the recited harms are real, not merely conjectural, and that the regulation will in fact alleviate these harms in a direct and material way." Turner Broadcasting Sys., Inc. v. FCC, 512 U.S. 622, 664 (1994) (emphasis added).
Therefore, the Court in this case must examine critically the validity of the Government's asserted interest, rather than accept at face value the claim that the encryption export controls are necessary to protect national security. The requisite critical analysis in this case will show, as demonstrated below, that the EAR do not further the preservation of national security concerns in a direct and material fashion and, in fact, they serve to undermine it. As such, Appellants' "national security" justification in this case is insufficient to overcome the constitutional infirmities presented by the regulations.
Appellants assert a strong interest in protecting national security and state that the export restrictions are necessary to achieve that goal. Appellants' Br. at 4, 5, 8. The first of these assertions is self evident: national security is clearly an important and legitimate federal concern. However, Appellants' assertion that the encryption export restrictionsfurther the Government's stated goal of preserving national security does not withstand analysis. This is so for three primary reasons:
The EAR are designed to prevent the foreign availability and use of strong encryption that could deny U.S. access to vital foreign intelligence information and thereby compromise U.S. national security. Id. However, the fact that strong encryption products already are widely available outside the United States renders the export controls ineffective in accomplishing that goal.
Nearly 600 foreign encryption products are available from over 28 foreign nations, with some products originating in Iran and Russia. Trusted Information Systems Worldwide Survey of Cryptographic Products (Jan. 17, 1997) <http://www.tis.com/docs/research/crypto/survey/index.html>. Moreover, 229 of the foreign encryption products employ the Data Encryption Standard algorithm (using a 56-bit key length). Id. Worldwide, nearly 1,400 encryption products of varying strengths are produced and distributed to at least 68 countries. Id. "The survey results show that cryptography is indeed widespread throughout the world." Id.
Many of these foreign encryption products are comparable in strength to strong U.S. encryption products. See id.; see also National Research Council, Cryptography's Role in Securing the Information Society 130-31 (Kenneth W. Dam & Herbert S. Lin eds. 1996) ("NRC Report") ("The committee has no reason to believe that the stand-alone security-specific products with encryption capabilities made by U.S. vendors are on average better [than foreign products] at providing security.") (footnote omitted). The Business Software Alliance identified at least six foreign software companies in Germany, Belgium, Switzerland, the U.K., Ireland, and Australia that have developed add-on products allowing any person with a Web browser to download software from the Internet and upgrade their encryption key length from 40 to 128-bits (a strong encryption level currently restricted from export by the EAR). See Hearing on Encryption Control Relief for Software with Encryption Capabilities Before the Senate Comm. on Commerce, Science, & Transp., 105th Cong., 1st Sess. (Mar. 19, 1997) (statement of Robert Holleyman, President, Business Software Alliance) <http://www.bsa.org/pressrel/NewsMar19-3.htm>. As of June 1996, there were 217 foreign programs and products available abroad which employ the Data Encryption Standard algorithm with its 56-bit key length (which would be restricted by the U.S. controls). The Security & Freedom through Encryption (SAFE) Act: Hearing on H.R. 695 Before the House Courts & Intellectual Subcomm. of the Comm. on the Judiciary, 105th Cong., 1st Sess. (Mar. 20, 1997) (testimony of Ira Rubinstein, Senior Corporate Attorney, Microsoft Corp.), available in LEXIS, Legis Library, Cngtst File ("Mar. 20, 1997 House Testimony of Ira Rubinstein"). Moreover, a memorandum for the Acting Assistant Secretary of Defense confirmed four years ago that strong encryption was widely available to foreign users in both hardware and software form and that "DES software could be downloaded anywhere in the world." Bruce Schneier & David Banisar, The Electronic Privacy Papers 326 (1997) ("The Electronic Privacy Papers"). The memorandum stated:
The national security community is especially interested in
preventing the spread of high quality encipherment routines overseas, and argues
that more extensive use here at home will inevitably result in such a
proliferation. Actually, it is too late.
Memorandum from Ray Pollari, Acting Deputy Assistant Secretary of Defense to the Acting Assistant Secretary of Defense of Apr. 30, 1993, reprinted in The Electronic Privacy Papers at 627.
The Government asserts a continued need for the application of encryption export controls even if comparable products are available from sources outside the United States. See Appellants' Br. at 12-13 ("[T]he President specifically determined that 'the export of encryption products . . . could harm national security and foreign policy interests even where comparable products are or appear to be available from sources outside the United States . . . .'") (emphasis added) (citing 61 Fed. Reg. 58,767 (1996)). The Government does not attempt to support this conclusory assertion. Rather, it claims that such support cannot be articulated publicly or be made subject to judicial review "without revealing or implicating" classified information which could harm United States national security and foreign policy interests. Id. at 13 (emphasis added). This claim bears scrutiny. The NRC Report notes that thirteen of the committee's sixteen members were fully cleared for review of classified information and received "classified briefings on material relevant to the subject of [their] study." See NRC Report at xiv. After considering the classified information, the cleared members of the committee nonetheless concluded that "debate over national cryptography policy can be carried out in a reasonable manner on an unclassified basis" and that "[c]lassified material, while important to operational matters in specific cases, is not essential to the big picture [of U.S. encryption policy] . . . ." Id. at 298. Seen in this light, the Government's circular explanation for its policy, and its refusal to recite any facts which allegedly support this policy, is particularly suspect, and certainly insufficient to justify a prior restraint on speech or even to meet the Turner standard.
Strong stand-alone encryption products not only are widely available abroad, they also are commonly used by the entities in whose communications the U.S. intelligence community is interested. See, e.g., id. at 129 ("some foreign targets of interest to the U.S. Government today use encryption that is for all practical purposes unbreakable"). For example, the "Cali [drug] cartel is reputed to be using sophisticated encryption to conceal their telephone communications" and to "scrambl[e] transmissions from computer modems." Dorothy E. Denning & William E. Baugh, Jr., Encryption and Evolving Technologies: Tools of Organized Crime and Terrorism 8 (National Strategy Information Center, Washington, D.C. 1997) (citing P.N. Grabosky and Russell G. Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, 1997). The Italian Mafia downloads copies of PGP, a powerful software-based encryption tool, off the Internet. Id. at 9 (citing Joshua Cooper Ramo, Crime Online, Time Digital, Sept. 23, 1996, at 28-32). Dutch criminal organizations encrypt their communications and computers with PGP and IDEA (a patented 128-bit Swiss block cipher algorithm(5)). See id. at 7.
There is ample evidence that encryption products are used and widely available overseas, and that these products contain strong technology comparable in quality and strength to the technology restricted for export from the United States. As such, the control of strong U.S.-manufactured encryption products from export to worldwide markets does little, if anything, to prevent foreign intelligence targets from obtaining and using equivalent encryption capabilities in efforts to deny U.S. access to foreign intelligence information.
Ironically, the EAR may actually increase the development of strong encryption products abroad, an effect directly counter to their stated purpose. This can occur because companies seeking to compete in the international sale of encryption software will be attracted to countries with few or no encryption export controls since production in such countries offers a wider possible market to which encryption products may be sold:
[T]he emergence of strong foreign competition in a number of
high-technology areas appear[s] in close temporal proximity to the enforcement
of strong export controls in these areas for U.S. vendors. While the
correlation does not prove that export controls necessarily influenced or
stimulated the growth of foreign competition, the history suggests that they may
have had some causal relationship.
NRC Report at 155 n.52.(6) Because the overhead costs to enter the software development industry are low,(7) competitive entry is encouraged by even marginal disadvantages to existing companies. Export controls can impose such disadvantages on the U.S. encryption software industry relative to worldwide competition. See id. (citing National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment 23 (1991)).(8) The likelihood is significant that countries will continue toseize upon the EAR as a catalyst for the increased production of their own strong encryption technology, and that such technology, if developed, will be sold widely in other countries. As a result of the EAR, the U.S. software industry's heretofore unquestionable dominance in international markets may suffer significantly, with substantial consequences for the U.S. economy as a whole.
Put simply, the growing international demand for strong easy-to-use encryption capabilities ensures a supplier market. The EAR preclude U.S. vendors from participating in this market. Nevertheless, even if there is not current widespread foreign use of products with strong integrated encryption capabilities,(9) this phenomenon is temporally limited. Recognizing the supply vacuum, foreign nations are increasingly interested in promoting the strength of their domestic software industries relative to U.S. industry by encouraging the development of software integrated with strong encryption. See, e.g., Hearing on Online Security Issues Before The Senate Subcomm. on Science, Technology and Space, 104th Cong., 2d Sess. (June 26, 1996) (testimony of Barbara Simons, USACM, IBM-Santa Teresa Laboratories), available in LEXIS, Legis Library, Cngtst File (noting that the Singapore National Computer Board, a governmental entity, funded a project of approximately $42 million which includes the development of strong encryption and described the desired product as having "the ability to bypass U.S. export restrictions"); see also Benedict Monroe & Chia Swee Hon, Singapore Information Technology Services, IT Market IS 970710.300 July 1, 1997, at 4 (stating the international dominance of the U.S. software industry, explaining the "acute demand" worldwide for encryption products and noting that "[e]ncryption systems are the key to the safe development of banking and commerce on-line. U.S. regulations prohibiting the export of certain strong encryption software have given German companies, for instance, a monopoly on this niche market in Singapore as in the rest of the world"); Marcia MacLeod, Hitting at the Code of American Misconduct, The Times of London, Oct. 29, 1997, available in 1997 WL 9239456 (reporting that the European Commission has called for European software companies to develop strong integrated encryption products for electronic commerce); see also NRC Report at 302 (noting that "foreign vendors may well attempt to step into the vacuum [caused by the EAR]").
The mundane ease with which strong integrated encryption can be used suggests that the increased foreign availability of foreign-produced products integrated with strong encryption will inevitably increase still further the foreign use of strong encryption. Moreover, as noted above, those entities in whose communications the U.S. intelligence community is most interested already use strong stand-alone encryption products abroad.
Amici who are authorities on U.S. national security recognize that the foreign availability of strong encryption undermines Appellants' justification for the EAR. For example, Dr. Ross Stapleton-Gray, who analyzed worldwide information technologies as part of his duties at the Central Intelligence Agency, confirms that despite U.S. export controls, strong encryption is available worldwide. Mark Rasch, who headed the computer crimes project for the U.S. Department of Justice after serving in the Justice Department's Export Control Unit and Espionage Unit, recognizes that the United States export control laws do nothing to prevent strong encryption from being available to and used by the potential targets of U.S. foreign intelligence. Echoing these sentiments, U.S. Senate Majority Leader Trent Lott has stated:
While we are restricting our own international commerce, foreign
companies are now manufacturing and selling stronger, more desirable encryption
systems, including the top-end 128-bit systems, anywhere in the world they want
. . . . Today there are hundreds of suppliers of strong encryption in the world
marketplace. Strong encryption can be easily downloaded off the Internet. Even
if Congress wanted to police or eliminate encryption altogether, I am not sure
that is doable.
143 Cong. Rec. at S10,880 (daily ed. Oct. 21, 1997). In recent testimony, Congresswoman Zoe Lofgren concurred:
[I]t is time for the government to recognize that superior
encryption products are still widely available and being sold by overseas
competitors, and that the current controls only hurt American industry, without
furthering law
enforcement and national security goals.
The Security & Freedom through Encryption (SAFE) Act: Hearing on H.R. 3011 Before the House Comm. on the Judiciary, 104th Cong., 2d Sess. (Sept. 25, 1996), available in LEXIS, Legis Library, Cngtst File.
In short, the purpose of the EAR is severely misaligned with the actual circumstances in the global marketplace. The EAR do not prevent the use or widespread foreign availability of strong encryption technology. Stated another way, the existence of such controls fails to achieve the Government's national security goal and, in fact, undermines it by encouraging the development of strong encryption abroad.
Appellants assert that encryption source code is subject to the EAR because source code can be readily converted into object code. Appellants' Br. at 25-27. Specifically, the Government notes that someone "given encryption source code on a floppy disk or other electronic medium can load the source code into his computer, convert it into object code [using a compiler], and execute the program without reading the source code or understanding the sequence of computer instructions [the source code] contains." Id. at 27 (footnote omitted).
At the same time, however, the EAR "print exception" allows the export of encryption source code on paper (as opposed to electronic form). Specifically, this exception provides that "[a] printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see § 734.3(b)(2))." 15 C.F.R. § 734.3 (1997).(10)
The Government has adopted this print exception notwithstanding the fact that nothing in the EAR would prohibit source code written on paper from being converted into computer-readable source code by hand (e.g., by retyping the source code into a computer from a printed listing) or by automated processes. For example, written documents can be converted to electronic form using scanning technology, a well-developed process for which software is widely available on the retail market.(11) This process is widely used, for example, by the U.S. Postal Service to sort mail automatically by "reading" printed ZIP codes, and by financial institutions to "read" automatically routing and account numbers off printed checks.(12)
Similarly, nothing in the EAR prohibits a printed version of the source code for encryption software employing strong encryption from being mailed to a foreign country. Once received, the printed version could be converted to electronic source code manually or by automated means.
While the Government acknowledged at oral argument before the District Court that encryption codes in printed form could be converted into a functioning encryption product, it defended the distinctive treatment of printed and electronic source code on the basis that converting the print version to working software requires a good deal of skill. ER 568. The District Court was understandably "confounded by this explanation:"
Defendants claim that encryption poses unique and serious threats to
national security, yet the printed matter exception belies this rationale by
making encryption freely available to only those foreigners who are
technologically sophisticated . . . . This seems to defeat the very purpose
of the regulation since those who likely pose a greater
threat to national security are likely more willing to expend the time and
resources in that effort and will not be prevented by the regulation.
Id. In other words, it is highly probable that terrorists and other criminals, as well as foreign intelligence agents, have or can obtain the skills to convert printed source code to executable encryption software.
Thus, even if strong encryption were not already available to foreign entities, the Government's effort to prevent such availability through the use of the EAR is undermined by the print exception. Seen in this light, the District Court properly concluded that the print exception "undermines the stated purpose of the regulations," and therefore exacerbates their constitutional infirmity. Id.
While the EAR fail to limit the availability and use of strong encryption abroad, they indirectly reduce the development, availability, and use of strong integrated encryption domestically. This has two effects, both of which impair national security:
The larger market of products integrated with strong encryption capabilities is restricted domestically due to the EAR. The Federal Bureau of Investigation concedes that the encryption export controls reduce the domestic availability and use of strong integrated encryption: "'the use of export controls may well have slowed the speed, proliferation, and volume of encryption products sold in the U.S.'" NRC Report at 138 n.29 (citing written statement, "FBI Input to the NRC's National Cryptographic Study Committee," received Dec. 1, 1995).
Fundamentally, the reduced domestic availability and use of strong integrated encryption is a result of the fact that it is significantly less costly and less administratively burdensome for a U.S. vendor to develop, produce, market, support, and maintain a single version of a product with integrated encryption than it is to perform those functions for multiple versions. Id. at 136. Thus, the prohibition on sales of strong encryption technology in foreign markets creates strong economic incentives for U.S. vendors to develop products with weaker integrated encryption capabilities that can be sold both domestically and abroad. The incentive to develop a single software version is particularly strong because "[t]he domestic software industry makes approximately one-half of its revenues through exports, and customers are increasingly demanding uniform capabilities; therefore, most mass-market software and hardware is designed to offer the same [low strength] encryption capabilities both domestically and abroad." Mar. 20, 1997 House Testimony of Ira Rubinstein.
The "lowest common denominator" incentive created by the export restrictions ultimately reduces the availability of strong integrated encryption in the U.S. Moreover, the EAR appear to deter actual usage of and reliance on strong encryption protections due to the additional complexities and difficulties involved in using a stand-alone product as opposed to encryption capabilities integrated into the application, operating system, or network software itself. The consequences may be particularly significant because the strength of integrated encryption software currently available in the U.S. (and suitable for export) already is insufficient: "[T]he ability to undertake brute-force cryptanalysis on messages encrypted with a 40-bit key [has] led to a widespread perception that such key sizes are inadequate for meaningful information security." NRC Report at 123; see also United States Dep't of Commerce & National Security Agency, A Study of the International Market for Computer Software with Encryption, reprinted in part in The Electronic Privacy Papers at 632 ("Study of International Market for Computer Software with Encryption") ("In many countries surveyed, exportable U.S. encryption products are perceived to be of unsatisfactory quality.").
The Cryptography Report by the National Research Council offers concrete examples of the reduction in the level of integrated encryption strength domestically resulting from the EAR. For instance:
The Microsoft Corporation . . . received permission to ship Windows
NT Version 4, a product that incorporates a cryptographic applications
programming interface approved by the U.S. government for commodity jurisdiction
to the CCL. However, this product is being shipped worldwide with a
cryptographic module that provides encryption capabilities using 40-bit RC4.
While domestic users may replace the default module with one providing stronger
encryption capabilities, many will not, and the result is a weaker encryption
capability for those users.
NRC Report at 135 (footnote omitted). Another instance involves an unnamed "major U.S. software vendor" which:
distributes its major product in modular form in such a way that the
end user can assemble a system configuration in accordance with local needs.
However, since the full range of USML export controls on encryption is applied
to modular products into which cryptographic modules may be inserted, this
vendor has not been able to find a sensible business approach to distributing
the product in such a way that it would qualify for liberal export
consideration. The result has been that the encryption capabilities provided to
domestic users of this product are much less than they
would otherwise be in the absence of export controls.
Id.
The reduction in the development, availability, and use of strong integrated encryption software domestically creates a national security risk. The increasing role of computer-controlled networks in maintaining the nation's power, water, finance, communications, emergency systems, and other mission-critical infrastructure systems -- as well as the Government's heavy reliance upon this infrastructure -- increases the nation's vulnerability to computer-based attack:
Certain national infrastructures are so vital that their incapacity
or destruction would have a debilitating impact on the defense or economic
security of the United States. These critical infrastructures include
telecommunications, electrical power systems, gas and oil storage and
transportation, banking and finance, transportation, water supply systems,
emergency services . . . and continuity of government. Threats to these
critical infrastructures fall into two categories: physical threats to tangible
property . . . and threats of electronic, radio-frequency, or computer-based
attacks on the information or communications components that control critical
infrastructures ("cyber threats").
Exec. Order No. 13,010, 3 C.F.R. 198 (1996).
A recent report by the President's Commission on Critical Infrastructure Protection cautioned that "the nation is so dependent on our infrastructures that we must view them through a national security lens" and that the "owners and operators of our critical infrastructures are now on the front lines of our security effort [and are] most vulnerable to cyber attacks." Report of the President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, Oct. 1997, at vii. "Potential cyber threats" include attacks on databases, networks, services such as emergency 911, and the Internet itself, all of which are vulnerable. Id. at 15-16. The "basic attack tools -- computer, modem, telephone, and user-friendly hacker software -- are common across the spectrum and widely available." Id. at 15. Robert Marsh, Chairman of the President's Commission, recently expressed concern that "[a] serious threat is sure to evolve if we don't take steps now to protect these systems in the future." Is Our Country Vulnerable to Cyberattack? (ABC World News Tonight, Oct. 22, 1997), available in LEXIS, News Library, ABCNews File.
Attacks on the U.S. infrastructure can have serious consequences for the effectiveness of critical government and private sector functions. For example, the Government's military and intelligence efforts rely heavily on the use of these private infrastructure systems rendering their protection a matter of national security. Over 95% of U.S. military and intelligence community voice and data communications are carried over private facilities owned by public carriers. NRC Report at 36 (citing Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, Feb. 28, 1994, at Ch. 8). Threats to the underlying infrastructure systems endanger the continued efficient operation of the national security functions reliant thereon:
[E]ncryption technology . . . has so many beneficial purposes. It
prevents hackers and espionage agents from stealing valuable information, or
worse, from breaking into our own computer networks. It prevents them from
disrupting our power supply, our financial markets, and our air traffic control
system. This is scary and precisely why we want this technology to be more
available.
143 Cong. Rec. at S10,880 (daily ed. Oct. 21, 1997) (statement of U.S. Senate Majority Leader Trent Lott).
These threats are not hypothetical. Computer attacks on critical infrastructure networks already have occurred. For example, domestic terrorists were accused of planting programs in Public Switched Telephone Network elements across the country designed to shut down major telephone switching hubs. See NRC Report at 35 (citing National Communications System, The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications: An Awareness Document 2-5 (2d ed. 1994)). In 1994, before U.S. banks were permitted to use strong encryption in their international financial transactions, an international group of criminals moved $12 million from Citicorp customer accounts by penetrating the Citicorp electronic transfer system. See id. at 23.
The threat from computer-based attack is not limited to the U.S. infrastructure. The Department of Defense experienced as many as 250,000 attacks on its information systems in 1995. Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, General Accounting Office Report No. AIMD-96-84 (May 22, 1996). "There is mounting evidence that attacks on Defense computer systems pose a serious threat to national security." Id. at Ch. 0:3.3.
FBI Director Freeh testified that FBI investigations reflect 23 countries engaged in economic espionage activities against the United States. Hearing on Economic Espionage Before the Senate Select Comm. on Intelligence and Senate Comm. on the Judiciary, Subcomm. on Terrorism, Tech. & Gov't Espionage, 104th Cong., 2d Sess. (Feb. 28, 1996) (statement of Louis J. Freeh, FBI Director), available in LEXIS, Legis Library, Cngtst File. According to an annual report to Congress on foreign economic collection and industrial espionage, "the U.S. counterintelligence community has specifically identified 'suspicious collection and acquisition activities' of foreign entities from at least 23 countries," and that "technological advances are making corporate spying and theft easier and cheaper." Barbara Starr, 'Legal' Espionage Hits U.S. High-Technology Targets, Jane's Defence Weekly, Sept. 17, 1997, at 8, available in LEXIS, News Library, Janedef File. The National Counterintelligence Center concluded that "'specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations.'" NRC Report at 31 (quoting NACIC Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, July 1995).
The availability and use of strong integrated encryption capabilities domestically would diminish the threat of successful computer-based attacks. By contrast, weak encryption capabilities heighten the risk of attacks to the U.S. infrastructure and the likelihood that such attacks will prove particularly damaging. Because the export controls diminish the availability and use of strong integrated encryption software domestically, they actually introduce vulnerabilities to national security.
The national security of the United States depends today, in large part, on the continued overall strength of its economy including the leadership of U.S. technology-sensitive industries such as telecommunications and computer hardware and software. President Clinton repeatedly has emphasized the dependence of the national security on the economy. See Remarks of President William J. Clinton at Defense Conversion Ceremony at California State University, Monterey Bay, California (Sept. 4, 1995), available in LEXIS, News Library, Script File ("our national security in the 21st century depends upon our agreeing to . . . grow our economy"); see also Remarks of President William J. Clinton at Panel Discussion in Columbus, Ohio (Oct. 20, 1995) available in LEXIS, News Library, Script File ("economic polic[y] . . . is a big part of what national security means in the 21st century just like it meant defense policy and weapons policy during the Cold War" and noting that he created an "Economic Policy Council within the White House and a President's Economic Advisor, like the President's National Security Advisor" to oversee the Government's economic policy). The National Research Council has noted that:
information technology is one of a few
high-technology areas . . . that play a special role in the economic health of
the nation, and that leadership in this area is one important factor underlying
U.S. economic strength in the world today . . . . The economic dimension of . .
. national security itself may well depend critically on a few key industries
that are significant to military capabilities, the industrial base, and the
overall economic health of the nation.
NRC Report at 39. The U.S. Government found that promoting development of telecommunications and computer hardware/software products is critical to national security, noting that, among other reasons, these industries are of "'strategic interest to the United States [because they] . . . are responsible for the leading-edge technologies critical to maintaining U.S. economic security.'" Id. at n.8 (citing National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage 15 (July 1995)); see also Remarks of William J. Clinton at the Knoxville Auditorium Coliseum (Oct. 10, 1996), available in LEXIS, News Library, Script File (noting that the Internet "has to be repaired and upgraded to meet all our . . . national security needs"); see also Remarks of Albert Gore at the National Urban League Annual Conference, Washington, D.C. (Aug. 6, 1997), available in LEXIS, News Library, Script File ("we are entering a new economy . . . driven by information and technology").
The means by which commerce is conducted world-wide is evolving; we are entering an era of electronic commerce, or "e-commerce," where commerce will increasingly rely on the availability of sophisticated computer facilities to communicate with each other. Developing the infrastructure necessary to support this electronic commerce is critical to the health of the U.S. economy generally which, in turn, has serious national security implications.
The trend toward interconnection of computer networks to support commerce can be observed at many levels. Consumers recognize the nearly-ubiquitous "Internet addresses" now featured in television, radio, and print advertisements and know that "surfing the Internet" requires a networked computer. Businesses are expanding their markets by opening "electronic storefronts" on the Internet to serve consumers located around the world.(13) Forty percent of surveyed businesses indicated that the Internet would be their medium of choice for marketing their products. Cahners Business Confidence Index Rises to 67.4 in Feb., Dow Jones News Service, Feb. 24, 1997, available in WL, USNEWS File, 2/24/97 DJNS; see also Miles Weiss, Microsoft in Pursuit of Internet Talent, Austin American-Statesman, May 26, 1997, available in 1997 WL 2824975. Companies, whether large or small, are creating the infrastructure for electronic commerce by building interconnected networks that link their offices with suppliers and customers globally. A recent report shows that "electronic commerce will represent $66 billion in U.S.-related Internet revenues by the year 2000." Forrester Research Inc., E-Commerce Revs Up, PC Week, Dec. 23, 1996, available in 1996 WL 14277478. Indeed, even Government institutions are using the Internet to make vast amounts of information available.(14)
Yet the evolution toward electronic commerce has not changed the essence of the commercial transaction and the need to address traditional commercial issues. For example, businesses engaged in electronic transactions must be certain that orders received are from valid customers and that satisfactory payment arrangements are in place. Similarly, consumers will be reluctant to engage in electronic commerce if they believe that the information submitted to perform transactions may not be secure. See Hearing on Financial Privacy Before the House Subcomm. on Fin. Institutions & Consumer Credit Comm. on Banking, 105th Cong., 1st Sess. (Sept. 18, 1997) (testimony of Jill A. Lesser, Deputy Director, Law and Public Policy, America Online, Inc.), available in LEXIS, Legis Library, Cngtst File (noting that without a secure environment for consumers, "it will be difficult, if not impossible, for the Internet to reach its full potential as a mass medium").
Strong encryption is therefore required to secure the systems on which electronic commerce will occur and to protect the proprietary and private information that will be carried on those systems. In the absence of such security, trust in the electronic systems will not evolve, and the development of electronic commerce will be retarded. Notwithstanding that "[a]bout 40 million people used the Internet at the time of trial [of Reno v. ACLU], a number that is expected to mushroom to 200 million by 1999," Reno v. ACLU, 117 S. Ct. 2329, 2334 (1997), "[s]ecurity isn't as strong as it needs to be on the Internet for electronic commerce to move ahead." Jim Lewis, Director of Strategic Trade and Foreign Policy, Bureau of Export Administration, U.S. Department of Commerce , quoted in Christopher Guly, Encryption's Future Grows More Complex, Financial Post, Sept. 13, 1997, at T17. According to executives from leading U.S. software vendors, strong encryption is required. "Without encryption, businesses and individuals will not entrust their valuable proprietary information, creative content, electronic commerce, and sensitive personal information to . . . electronic networks." The Security & Freedom through Encryption (SAFE) Act: Hearing on H.R. 3011 Before the House Comm. on the Judiciary, 104th Cong., 2d Sess. (Sept. 25, 1996) (testimony of Melinda Brown, VP and General Counsel, Lotus Development Corp.), available in LEXIS, Legis Library, Cngtst File. "Electronic banking and commerce will not happen 'on-line' without strong encryption." Mar. 20, 1997 House Testimony of Ira Rubinstein.
The Government has acknowledged that the development of electronic commerce is linked to the protection afforded by strong encryption: "[t]he market for encryption in distributed computation, databases, and electronic mail is beginning to expand exponentially as the U.S. and other countries develop and popularize electronic commerce, public networks and distributed processing." See Study of International Market for Computer Software with Encryption at ES-2, reprinted in The Electronic Privacy Papers at 630. The increased dependence on information technologies for e-commerce should correspond to a greater demand for strong integrated encryption capabilities. Id., reprinted in The Electronic Privacy Papers at 631. The National Research Council has noted that "[i]n a future world of electronic commerce, connections among nonfinancial institutions may become as important as the banking networks are today," emphasizing the growing importance of strong encryption capabilities. NRC Report at 123. The Department of Commerce and the NSA noted that "civil use of software-based encryption will significantly increase in the next five years, with corporate customers dominating this new marketplace." See Study of International Market for Computer Software with Encryption at III-2.
However, because the EAR diminish the domestic use and availability of strong encryption, the lack of consumer confidence in the security of e-commerce may dampen its dynamism. The resulting absence of critical mass interest in e-commerce significantly reduces the incentives for U.S. businesses to invest in the integrated infrastructure required for its development. The consequent harm to the health of the U.S. economy is self-evident. Bearing in mind the economy's importance to national security, it becomes apparent that far from preserving national security, the EAR actually undermine it.
As the foregoing discussion demonstrates, the EAR cannot withstand any First Amendment analysis. Amici strongly endorse the position of Appelleethat the EAR constitute an impermissible prior restraint on speech. Even applying arguendo the lower standard of scrutiny urged by Appellants, the EAR fail to overcome their constitutional infirmity. Appellants state that a content-neutral government regulation may be sustained under the First Amendment only if, among other things, it "furthers an important or substantial government interest." Appellants' Br. at 30 (citations omitted). As demonstrated herein, because the EAR do not further the important government interest of preserving national security in a direct and material way, and, in fact, serve to undermine this interest, they must fail constitutional scrutiny even under Appellants' own legal analysis.
Amici thus respectfully urge this Court to affirm the District Court's decision. Elimination of the EAR would have little or no effect on the foreign availability and use of strong encryption because, as noted, strong encryption already is used and widely available abroad even with the regulations in place. However, elimination of the regulations will provide incentives for U.S. vendors to increase the development, deployment, and use of strong encryption domestically. This, in turn, will enhance the security of the nation's key assets including domestic infrastructure systems that are critical to the nation's military, law enforcement, and economic interests, thereby promoting the important and legitimate goal of protecting the national security.
Respectfully submitted,
Maynard Anderson; D. James Bidzos;
National Computer
Security Association;
Mark Rasch; RSA Data Security, Inc.;
Dr. Eugene Spafford; and Dr. Ross
Stapleton-Gray
__/s/_______________
Brian Conboy
Michael H. Hammer
Andrew R. D'Uva
Gunnar
D. Halley
WILLKIE FARR & GALLAGHER
Three Lafayette Centre
1155
21st Street, N.W.
Suite 600
Washington, D.C. 20036-3384
(202)
328-8000
THEIR ATTORNEYS
November 10, 1997
Pursuant to Rule 32(e)(4), I hereby certify that: (1) this brief is double-spaced; (2) the brief is printed using a 14 Point Times New Roman font; and (3) the word processing program used to prepare the brief reports that the brief is 9,343 words long.
_____/s/_______________
Brian Conboy
I hereby certify that on November 10, 1997, I have filed and served the BRIEF OF MAYNARD ANDERSON; D. JAMES BIDZOS; NATIONAL COMPUTER SECURITY ASSOCIATION; MARK RASCH; RSA DATA SECURITY, INC.; DR. EUGENE SPAFFORD; AND DR. ROSS STAPLETON-GRAY, AS AMICI CURIAE IN SUPPORT OF APPELLEE DANIEL J. BERNSTEIN by: causing copies to be delivered to counsel in the manner specified below.
Civil Division, Room 9550 Counsel for Appellants |
Robert Corn-Revere Counsel for Appellee |
|
Cindy A. Cohn Counsel for Appellee |
Lee Tien Counsel for Appellee |
|
Elizabeth Pritzker Counsel for Appellee |
_________/s/_______________
Brian Conboy
(1) See 15 C.F.R. § 734.3 (1997).
(2) Amici will not burden the Court by repeating herein the thorough legal analysis and cited authority as set forth in the brief of Appellee Daniel Bernstein.
(3) The regulations are administered by the Department of Commerce, 15 C.F.R. § 730 et seq. implementing the Export Administration Act of 1979, 50 U.S.C. app. 2401 et seq.,which controls "dual use" items that can be used for both military and civilian purposes.
(4) For example, millions of documents have been classified unnecessarily under the rubric of "national security interest," including weather reports produced by an aide to General Eisenhower during World War II which remained classified thirty years after the fact. See Report of the Commission on Protecting and Reducing Government Secrecy, S. Doc. No. 105-2, at 49-52 (1st Sess. 1997) (Commission formed pursuant to Pub. L. No. 103-236).
(5) The Massey-Lai patent (5,214,703) is held by Ascom Tech AG. See Alfred J. Menezes et al., Handbook of Applied Cryptography 640 (1997).
(6) Citing Charles Ferguson, "High Technology Product Life Cycles, Export Controls, and International Markets," in Working Papers of the National Research Council Report Balancing the National Interest, U.S. National Security Export Controls and Global Economic Competition, National Academy Press, Washington, D.C., 1987.
(7) "Unlike, say, nuclear weapons, which require amounts of difficult-to-obtain materials to build, computer software design has virtually no 'barriers to entry.'" The Security & Freedom through Encryption (SAFE) Act: Hearing on H.R. 695 Before the House Subcomm. on Telecomm., Trade & Consumer Protection of the Comm. on Commerce, 105th Cong., 1st Sess. (Sept. 4, 1997) (testimony of George A. Keyworth, II, Chairman, Progress & Freedom Foundation), available in LEXIS, Legis Library, Cngtst File.
(8) Export restrictions, generally, can impose economic harm on the relevant industry of the exporting nation. See, e.g., National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment 22 (1991) ("Unilateral embargoes on exports [of technologies for commercial aircraft and jet engines] to numerous countries not only make sales impossible but actually encourage foreign competitors to develop relationships with the airlines of the embargoed countries. By the time the U.S. controls are lifted, those foreign competitors may have established a competitive advantage.").
(9) Integration means software that incorporates easy-to-use encryption capabilities as part of its larger function. Current examples include Microsoft Outlook Express (electronic mail) and Netscape Communicator. These programs automatically employ encryption when necessary, automating and simplifying the encryption/decryption process so that it is as transparent as possible to the user. For example, in order to send an encrypted message using an electronic mail program containing integrated encryption software, the user simply selects the "encrypt message" option of the electronic mail program. The message is automatically decrypted by the recipient's electronic mail program when the proper password is supplied.
By contrast, stand-alone encryption software is designed primarily to encrypt and decrypt information. Using this type of software to add functional encryption capabilities to other software applications, such as electronic mail, typically requires multiple steps. For example, in order to encrypt an electronic mail message using stand-alone encryption software, the user creates a message, then launches the stand-alone encryption software application and generates an encrypted version of the message using the stand-alone encryption software before using the electronic mail application to actually transmit the encrypted file. The recipient must then reverse the steps in order to read the message. Hence, integrated encryption is much simpler to use than stand-alone encryption.
(10) The Government has stated that it reserves the right to control scannable source code in printed form. However, such reservation is not contained in the export control regulations and, in any event, the Government has not sought to control print source code. 61 Fed. Reg. 68,575 (1996).
(11) This software is called "optical character recognition" or "OCR" and is widely used, for example, to permit the recipient of a facsimile to convert the document to a machine readable, electronic form that can be edited further.
(12) This technology is also used outside the United States. See, e.g., New Technology for Aberdeen Means Letter Sorting at the Speed of Light, Origin Universal News Services Limited, May 28, 1997, available in LEXIS, News Library, Curnws File (describing use of post office scanning technology in Scotland and the United Kingdom).
(13) It is now possible, for example, to purchase books from a "virtual bookstore" on the Internet (e.g., <http://www.amazon.com/>), place brokerage orders for immediate execution (e.g., www.fidelity.com), make travel reservations and purchase tickets (e.g., expedia.msn.com), receive nearly instantaneous multimedia news updates (e.g., cnn.com).
(14) For example, it is now possible to search via the Internet many databases at the Library of Congress (<http://www.loc.gov/>), the White House (www.whitehouse.gov) and the Federal Bureau of Investigation (<http://www.fbi.gov/>).