Prior to the 1970s, encryption technology in the United States was developed and controlled exclusively by the National Security Agency (NSA). During this period private companies began to develop alternative encryption technologies that were outside the NSA’s control. (18) Consequently, the federal government began to explore regulatory means through which it could restrict public access to encryption technology. The government has tried to control cryptography through two primary means: export controls and the adoption of key escrow (key recovery) programs.
Citing national security concerns, the government began by designating encryption software and hardware as “defense articles” on the U.S. Munitions List. Thus, encryption technology was subject to the Arms Control Export Act and was regulated under the authority of the U.S. Department of State. Additionally, President Clinton announced the Clipper Chip proposal, which would have required mandatory key escrow, on April 16, 1993. This proposal, which was not well received, was subsequently dropped by the Clinton Administration.
On November 15, 1996, President Clinton removed encryption technology from the Munitions List and transferred jurisdiction over encryption from the Department of State to the Department of Commerce. Under Executive Order 13,026, encryption was designated a dual-use commodity subject to the Export Administration Regulations. Recognizing that existing controls on encryption exports were too restrictive, in December of 1998, the U.S. Department of Commerce enacted a new set of regulations governing all U.S. exports of data encryption technology. An examination of these new encryption export regulations concludes that, while they are a positive step forward, they do not go far enough toward striking the appropriate balance among the interests of national security, privacy, and the needs of U.S. industry.

Major Case Law around Export Controls

Prior to the announcement of the Administration’s new policy on encryption, criticism of U.S. export controls on encryption technology was abundant and varied.
This Part briefly summarizes the main concerns of the critics. First, it discusses the potential constitutional concerns. Next, it addresses concerns over the restriction of individuals’ privacy rights. Third, it focuses on the practical concerns of how the U.S. export regulations restrict domestic computer software companies’ ability to compete in the global marketplace. Finally, it discusses and reflects upon the debate over the national security interests behind the encryption policy.

Constitutional critique of the U.S. export policy on encryption technology has been raised both in the courts and in the scholarly world. While those who have sought redress through the courts have primarily argued that the export policy violates the First Amendment, some scholars have claimed that the regulations implicate the Fifth Amendment as well. At least three individuals have challenged in Federal Court the application of the export policy as it relates to their products; all three cases challenge the export regulations enacted pursuant to the 1996 Executive Order.

In Junger v. Daley, the plaintiff, Junger, applied for a license to export software programs and a textbook containing encryption source code. The Department of Commerce allowed the export of the book, but denied the request to export the software. Junger challenged this decision on First Amendment grounds, claiming that the restrictions operate as a prior restraint, are overbroad, and are vague. The court, however, dismissed Junger’s claims, finding that “although encryption source code may occasionally be expressive, its export is not protected conduct under the First Amendment.”

Similarly, in Karn v. United States Department of State, the government denied Karn’s license application to export a disk containing object code for encryption software that had previously been distributed in book form. The government argued that while the book was in the public domain and could therefore be exported, the disk fell under the encryption regulations. Karn challenged this decision, claiming that it violated the First Amendment; the court found, however, that the encryption policy was a regulation of conduct, not of speech.
The court stressed the functional (as opposed to expressive) nature of the object code, concluding that the Department of State’s regulation passed the test prescribed by the Supreme Court in United States v. O’Brien, in that the regulation was not related to the suppression of expression and was within the power of the government. Not all courts have found that the encryption regulations can survive First Amendment scrutiny.
In Bernstein IV, the court distinguished between source code and object code, finding that source code is a readable form of scientific communication between programmers, whereas object code is a grouping of purely functional ones and zeros. The court thus found source code to be expressive speech and held that because the Encryption Export Policy “applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint on speech.” In addition, the district court, which was affirmed in Bernstein IV, placed a great deal of emphasis on the Supreme Court’s decision in Reno v. American Civil Liberties Union, which was said to suggest that “the distinction between print and electronic media [is] increasingly untenable.” Thus, there is not a clear consensus among the courts as to whether the regulations constitute a violation of the First Amendment.
Some have suggested that encryption regulation violates the Fifth Amendment on two different grounds: (1) mandatory key recovery violates a person’s right to be free from self-incrimination, and (2) the regulations violate substantive due process. The first of these theories needs no reexamination here because the U.S. government has abandoned the requirement of mandatory key recovery in its newest export policy. As for the second theory, at least one scholar has argued that the “liberty” provision of the due process clause may be implicated by the regulations in that they restrict the fundamental right “to pursue any lawful vocation.” Following this reasoning, he argues that while national security is a compelling governmental interest, the widespread availability of encryption software abroad would preclude a finding that the regulations are narrowly tailored to serve that compelling interest. The court in Karn, however, found that no fundamental right had been implicated by the government’s application of the regulation, rebuffing the plaintiff’s argument that the regulations were being applied in an “arbitrary and capricious” manner.

Technology Industry Compliance
Because export control rules are broad, complex, and subject to periodic change, and because violations of the rules can be punished severely, companies involved in technology transfer should – as a matter of due diligence – assess and implement measures to ensure compliance. Industry best practices call for the development of an internal compliance program, tailored to the structure and operations of the company concerned, that institutes checks and safeguards on transactions and minimizes possible violations of export control laws.
Should a violation occur, existence of a compliance program should serve as a mitigating factor in an investigation.

General Compliance Measures

There are certain basic elements that all competent corporate internal compliance programs (ICP) should include. BIS has recognized and encouraged exporters to embrace these elements. These elements also apply with respect to exports under jurisdiction of other agencies such as OFAC and DTC. Whereas the precise scope and details of the program will depend on the nature and structure of a company’s operations, the fundamental elements include the following:
1. Corporate Policy Statement
2. Product and Technology Classification
3. Customer and End-User Screening
4. Monitoring Activity of U.S. Persons and Entities Abroad
5. Clearance and Record Keeping
6. Training and Auditing
7. Notification and Enforcement
8. Due Diligence in Corporate Transactions

Systems Compliance

As companies expand their global operations, they must integrate the worldwide workforce across timelines through use of the company computer network. Integrated electronic communications and information sharing have their hazards, however.
The possible transfer of controlled technology via a company’s computer network raises special export control concerns and calls for special compliance measures. Many U.S. companies operate networks that can be accessed through terminals in the United States, at the companies’ subsidiaries and affiliates abroad, and through remote dial-in facilities in other countries. An effective compliance program must ensure that the computer network, particularly information-processing, operates consistently with U.S. export laws regulating the transfer of technology, software, data and other information to persons outside of the U.S. and to foreign persons within the United States. Given the many ways in which technology can be transferred, this is a difficult undertaking. Special compliance measures to prevent unlawful technology transfers via a company’s computer network are the following:

1. Identification of the Technical Data and Software on the Network
2. Segregation of Technical Data and Software Subject to Export Controls
3. Restriction of Transfers of Controlled Technical Data and Software
4. Direct Requests for Access to Controlled Technologies to Designated In-House Compliance Managers