The IT Law Wiki
Register
Advertisement

Citation[]

Bernstein v. United States Dept. of Justice, 176 F.3d 1132 (9th Cir. 1999) (full-text), withdrawn, 192 F.3d 1308 (9th Cir. 1999) (full-text).

Factual Background[]

Daniel Bernstein was a doctoral student at the University of California (Berkeley). His research interests include cryptography, a field of applied mathematics that uses computer programs to encrypt electronic communications. Encryption converts a set of data into code, and a strong encryption system can ensure data integrity, authenticate users, link messages to their senders, and maintain confidentiality.

In June 1992, Bernstein submitted source code for an encryption algorithm he called "Snuffle," together with papers explaining the program, to the Department of State. Under the then-current Arms Export Control Act (“AECA”), 22 U.S.C. §2278, and the International Traffic in Arms Regulations (“ITAR”), 22 C.F.R. §§120-30, the Department of State determined that “Snuffle” was a “defense article” subject to limited export of encryption items and that it required a license for export under the United States Munitions List ("USML").

Bernstein brought a declaratory relief action. The district court held that the source code was speech and protected by the First Amendment.[1]; and then granted him summary judgment on the ground that the regulation was “facially invalid as a prior restraint on speech.”[2]

In December 1996, most of the ITAR, including encryption, were transferred to the Bureau of Export Administration (“BXA”), part of the Department of Commerce, where they were added to the Export Administration Regulations (“EAR”), already enforced by BXA. Once again, the district court enjoined the encryption rules.[3]

Appellate Court Proceedings[]

The government appealed, and lost again. The majority opinion was written by Judge Betty B. Fletcher and affirmed the lower court decisions. Judge Fletcher noted that encryption has uses beyond sending secret messages: “[I]t can also be employed to ensure data integrity, authenticate users, and facilitate non-repudiation (e.g., linking a specific messaged to a specific sender”)."

Reviewing the EAR, Judge Fletcher noted several areas where encryption rules were stricter than those covering other software. And unless excepted by the rules, all controlled items must have a license before being exported. While BXA has ninety days to act on a request for an export license, it may refer the matter to the President, who is under no time limit. And final administrative decisions are not subject to judicial review.

Judge Fletcher first determined that the EAR is subject to "facial attack" because:

  1. It is a licensing scheme where the only guideline for the licensing official is whether the export might be inconsistent with the “national security and foreign policy interests” of the United States; and
  2. For First Amendment purposes, source code has “a close enough nexus to expression, or to conduct commonly associated with expression, to pose a real and substantial threat of . . . censorship.”

The next question: Are the EAR encryption rules a prior restraint on speech? The answer: Yes. While emphasizing that the court is not saying that all software is expression, nor deciding whether the challenged regulations are content-based and therefore subject to strict scrutiny, or are content neutral which has a lower standard, Judge Fletcher wrote:

We hold merely that because the prepublication licensing regime challenged here applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint.

To her ruling Judge Fletcher added two comments:

  1. While the EAR regulations are intended to slow other countries from getting encryption technology, the government is thereby “intentionally retarding the development of encryption.” To the extent this interdicts “the flow of scientific ideas ... these efforts would appear to strike deep into the heartland of the First Amendment.”
  2. Government regulation of encryption knowledge may also implicate the Fourth Amendment: unreasonable searches for information, the right against compelled speech, and the right of privacy.

Circuit Judge Thomas G. Nelson dissented, saying: “The basic error which sets the majority and the district court adrift is the failure to fully recognize that the basic function of encryption source code is to act as a method of controlling computers.” And he noted, the EAR “regulates the export of encryption technology generally, whether it is software or hardware,” citing Junger v. Daley, 8 F. Supp. 2d 708, (N.D. Ohio 1998) (which sustained the EAR encryption rules, and is, at this writing, pending before the Sixth Circuit Court of Appeals).

Judge Bright, the third member of the panel, wrote a three-sentence opinion:

I join Judge Fletcher's opinion. I do so because the speech aspects of encryption source code represent communication between computer programmers. I do, however, recognize the validity of Judge Nelson's view that encryption source code also has a functional purpose of controlling computers and in that regard does not command the protection under the First Amendment. The importance of this case suggests that it may be appropriate for review by the United States Supreme Court.

On request by the government, on September 30, 1999, the Court ordered that the case be reheard en banc and the original opinion was withdrawn.[4]

Subsequent Developments[]

Before the rehearing could take place, defendants announced plans to make additional changes to the EAR. In January 2000, defendants added 14 C.F.R. §740.13(e) to the Federal Register, which allows the Department of Commerce to exempt “publicly available” encryption source code from license requirements. Plaintiff amended his complaint in January 2002, alleging that the changed regulations still amounted to a prior restraint under the First Amendment. The defendants brought a motion for summary judgment on the amended complaint on the grounds that he lacked the requisite standing, which this court granted on July 28, 2003.

References[]

  1. Bernstein v. Department of State, 922 F. Supp. 1426 (N.D. Cal. 1996) (full-text).
  2. 945 F. Supp. 1279 (N.D. Cal. 1996) (full-text).
  3. 974 F. Supp. 1288 (N.D. Cal. 1997) (full-text).
  4. 192 F.3d 1308 (9th Cir. 1999).
Advertisement