Electronic Speech - For Domestic Use Only

  • Bruce Schneier
  • Network World
  • January 16, 1995

The U.S. State Department recently ruled that some forms of electronic speech are not protected by the First Amendment and can be prohibited from export. This decision raises questions about freedom of speech on the information superhighway. As business communications continue to migrate from paper mail to electronic mail, these questions will become more important. It is vital that laws address this new form of speech.

Last year, I wrote a book called Applied Cryptography> (John Wiley & Sons, 1994), which explains cryptography in nonmathematical language. It describes how to build cryptography into products, illustrates cryptographic techniques, and evaluates algorithms and makes recommendations on their quality. It even includes source-code listings that enable readers to implement many of the algorithms and techniques described.

I applied to the State Department for export approval for the book, and it was granted. (The State Department wouldn't dare refuse -- the book is a publication, protected as free speech under the Constitution.] Then, I applied for export approval for a source-code disk. This electronic disk contained, line for line, the same source code listed in the book. There was no new information on the disk. The source code was not ready to run; it had to be tailored to a particular computer and then compiled. It was not a product -- it was no more than pages of the book in machine-readable form.

The State Department ruled that electronic source code for computer programs containing cryptographic algorithms is not protected under the First Amendment and thus is not exportable under current law. Under State Department rules, the export of almost all software with confidentiality and privacy features is prohibited unless permission is ranted by the National Security Agency prior to export.

William Robinson, director of the Office of Defense Trade Controls, wrote the ruling, stating "the text files on the subject disk are not an exact representation of what is found in Applied Cryptography...each source-code listing has been partitioned into its own file and has the capability of being easily compiled into an executable subroutine...This is an added value to any end user that wishes to incorporate encryption into a product."

From every angle, this ruling is absurd. Does the State Department really see a difference between cryptography source code on a printed page and cryptography source code on a computer disk? Does it seriously believe that no foreigner would ever consider retyping the printed code into a computer or that scanners are not available for sale outside the U.S.? Does it really contend that it is not the information that is important, but its form?

The Clipper Chip and the proposed Cantwell Bill (H.R. 3627), which would relax export controls over some forms of private-sector cryptography, brought the export of cryptography into the news, but this ruling has implications far beyond that. In effect, it says what you type into your computer isn't protected by the First Amendment until you print it; what you send via E-mail isn't protected unless you save a paper copy of it. It is only a matter of time before the courts recognize the lunacy of this ruling, but until then, users would be well advised to rely on the protection of paper.

Categories: Computer and Information Security, Laws and Regulations, National Security Policy

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Security.