Strong encryption has another good day in US courts

The right of individuals and businesses to use the strongest possible methods of keeping their communications private over the…

The right of individuals and businesses to use the strongest possible methods of keeping their communications private over the Internet moved a significant step closer last week, when the US courts upheld an earlier ruling that cryptographic source code could be posted on the Net.

Source code is the most basic language of a computer program. Cryptographic programs are one of the main privacy tools available for protecting the content of files sent over a private network or across the Internet.

The decision is hugely significant and establishes an important precedent, because it reaffirms that free speech protections under the American Constitution extend to the Internet and, equally important, to the "language" of computer programs.

This is important both for the individuals who may wish to protect data by using encryption programs and for US technology companies who have suffered under government restrictions on their ability to market encryption programs outside the US, but which are available widely through non-US companies. The second point may seem irrelevant or even damaging to, say, Irish companies which create strong encryption programs.

READ MORE

But actually, the restrictions are generally detested across business and industry. First, they cause difficulties in numerous business-to-business relationships where encryption might be used (for example, US companies cannot send a message encoded using strong encryption to an Irish affiliate).

Second, they are seen as a clear roadblock on the way to the widespread development of electronic commerce, because people want the security in communications and transactions that "weak" encryption no longer supplies. In general, the restrictions have been the source of one of the most bitter and protracted wrangles between government and business in the US.

Until now, the US government had told its citizens that they could not place cryptographic source code on the Net, because then cryptographic programs would be freely available to anyone who wanted to download them.

While US citizens themselves can now legally use such programs, the US government says they cannot be distributed outside the US.

The US has for some time been arguing that certain of the most secure encryption programs - termed "strong" encryption - should be kept out of people's hands, since terrorists, pornographers and a whole litany of other people could encode information that law enforcement could not crack.

But privacy advocates and businesses (an odd alliance) have fought that stance for a range of reasons (anyone interested in reviewing these arguments can find useful documents and further links at the Electronic Frontier Foundation site at www.eff.org, or the Electronic Privacy Information Center, www.epic.org).

The case has been shuffling around the courts for some time and involves a former University of California computer science graduate student, now an assistant professor of computer science at the University of Illinois, named Daniel Bernstein. Back in 1992 Mr Bernstein came up with a crypto program he called "Snuffle". In 1995, he agreed to work with the Electronic Frontier Foundation to force a legal consideration of the US government's ban on export encryption (to do this, he simply posted the source code on the Net and obligingly, the government brought a case against him).

Mr Bernstein won his initial case, which was heard in San Francisco, in 1997. The US government appealed the ruling, which this time was heard in the 9th Circuit Court of Appeal. The decision last Thursday from that court underlined a stance the US Supreme Court has already taken when it overturned a different attempt to restrict information that can be placed on the Internet, the Communications Decency Act. The Internet, say the courts, is not a special case, outside the normal realms of discourse, in which free speech protections should not apply.

While the decision was widely embraced by technology companies, they won't be able to sell their products abroad any time soon. The government has asked for a stay, which would prevent the judgment from coming into effect until a decision is made on whether to appeal - it is unlikely to leave the case where it now stands. In addition, it seems that restrictions built into export legislation in the US still apply and those must be formally changed.

And at any rate, legal experts say the judgement on posting source code to the Net won't come into effect for 45 days or so, when it is actually published.

Lawyers for both sides seem eager to push the case to the ultimate arbiter, the US Supreme Court, for a final decision. But that will take time as well, perhaps years, and in the meantime, electronic commerce will likely suffer.

But so will the individual right to privacy. Indeed, one of the most sobering statements made by the 9th Court in a "dicta" explaining its decision was a forceful defence of strong encryption.

"Whether we are surveilled by our government, by criminals, or by our neighbours, it is fair to say that never has our ability to shield our affairs from prying eyes been at such a low ebb," it said. "The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost."

Karlin Lillington is at klillington@irish-times.ie

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology