CDT Analysis of Bernstein Decision
A U.S. District Court judge in San Francisco has ruled that some federal
regulations on the export of encryption are unconstitutional restrictions
on free speech.
Judge Marilyn Hall Patel handed down the declaratory judgment on Wednesday
in Bernstein v. Dept. of State, a challenge to the Cold War-era International
Traffic in Arms Regulations (ITAR) that restrict export of encryption hardware
and software. The case was brought by researcher Daniel Bernstein, who
was prevented from publishing an encryption algorithm due to the export
controls. In her central ruling, Judge Patel held that, "The ITAR licensing
system as applied to Category XIII(B) [cryptographic systems] acts as an
unconstitutional prior restraint in violation of the First Amendment."
The opinion is an important first ruling by a Federal judge that there are
serious First Amendment problems with the Administration's encryption restrictions.
The ruling protects the publication of encryption source code and, if upheld,
would significantly undermine the outdated export controls that currently
threaten the privacy of computer users. The ruling also serves as a strong
statement of constitutional principles in the face of further encryption
regulations threatened both domestically and internationally.
A cautionary note: At this time the court's ruling does not- necessarily
permit widespread encryption exports. The ultimate effect of the ruling
on export of encryption products, particularly under new Commerce Department
rules expected to take effect on January 1, is unclear.
In a closely-reasoned 40 page opinion, Judge Patel presented the most extensive
ruling to date on the First Amendment problems raised by ITAR export controls
on encryption. Major holdings of the court include:
The court did not specifically address the constitutionality of object code
export restrictions. The court also declined to rule on whether encryption
rules are content-based, or whether there were other First Amendment interests
in encryption based upon anonymity. The court largely denied Bernstein's
other challenges based on overbreadth and vagueness, and denied Bernstein's
motion for a preliminary injunction on the grounds that it was not necessary
given representation's by the government .
- Encryption source code is protected speech -- The judge reiterated
her April ruling that "source code is speech," and held that:
"Software relating to encryption is simply a topic of speech employed
by some scientists involved in applied research. Hence, Snuffle [Bernstein's
encryption program] is speech afforded the full protection of the First
Amendment not because it enables encryption, but because it is itself speech."
- The ITAR export controls on encryption are an unconstitutional
prior restraint -- The court held that the ITAR licensing process as
applied to encryption exports has the effect of preventing the publication
of software source code and thus represents a "prior restraint"
on protected speech. Such restraints are highly disfavored under the First
Amendment since they bypass the judicial process and give government officials
broad discretion to rule on the permissibility of speech.
Calling the ITAR scheme "a paradigm of standardless discretion"
the court ruled that the government failed to meet any of the procedural
safeguards required for prior restraints of speech. "Because it fails
to provide for a time limit on the licensing decision, for prompt judicial
review and for a duty on the part of the [licensing agency] to go to court
and defend a denial of a license, the ITAR licensing system as applied to
Category XIII(B) acts as an unconstitutional prior restraint in violation
of the First Amendment."
- ITAR restrictions on "technical data" and "defense
articles" raise constitutional issues -- The court was "inclined
to agree" that export controls on 'technical data,' as they relate
to academic and scientific speech, violate the First Amendment, but was
forced by Circuit Court precedent to uphold the restrictions. The court
also held that ITAR definitions "defense articles" and "technical
data" are to be more narrowly construed so as to maintain their constitutionality.
Conclusion: Questions Remain
The Bernstein ruling leaves many issues unresolved:
Moreover, new rules from the Department of Commerce are expected to replace
the ITAR encryption regulations as of January 1. The immediate effect of
Judge Patel's holding on the new Commerce rules is unclear, although the
new rules are strikingly similar to the ITAR and appear to contain many
of the same underlying constitutional problems.
- The opinion's reasoning is based on source code protection, but its
ultimate applicability to the export of object code or commercial products
- The District Court's ruling is not controlling in other potential
prosecutions under the export controls, though it is influential.
- The court did not rule on the constitutional problems raised by encryption
export regulations that are not prior restraint, providing little guidance
should the Administration significantly modify the licensing process.
Despite these unanswered questions, Judge Patel's opinion represents a significant
step forward in the efforts to reform outdated U.S. encryption regulations.
The ruling lays the groundwork for further challenges to encryption restrictions.
The ruling also spells out important First Amendment protections for source
code as new encryption restrictions are being considered both internationally
and domestically. Finally, this ruling should serve as a wakeup call to
Congress, the Administration, and the public: current U.S. encryption policies
raise serious issues of individual liberty, and should be changed to respect
the free speech and privacy rights of computer users.
Posted on December 19, 1996