Encryption export picture remains unclear

The fat lady's solo is still to come.

That's the consensus from some IT industry-watchers on Monday's ruling by a federal judge invalidating encryption export controls on First Amendment grounds. Experts including Jim Bidzos, president of crypto-maker RSA Data Security Inc., called the ruling a victory for civil libertarians, but questioned its impact on the U.S. software industry, which is still embroiled in legislative battles to eliminate the export curbs.

"We could be in danger of winning the battle in the courtroom but losing the war on Capitol Hill," Bidzos said. Two bills on encryption policy are still pending and could come up for a vote within weeks.

The decree by U.S. District Court Judge Marilyn Hall Patel calling the export restrictions invalid was the culmination of a dispute that arose in the halls of academia in 1995. That year, mathematician Daniel Bernstein sued the State

Department over the right to publish and discuss with other scientists the technology behind his encryption program, dubbed Snuffle. Bernstein argued in his lawsuit that the export controls limited his ability to disseminate his work.

Patel wrote in Monday's ruling, and in another ruling last December on an earlier version of the Clinton administration's crypto export policy, that

data scrambling software programs are akin to "music and mathematical equations," and therefore enjoy First Amendment free speech protections.

Bernstein's lawyer, Cindy Cohn, called the decree a step in the right direction for U.S. encryption export policy, which bans the export of strong encryption programs on the grounds that their widespread use would hamper law enforcement efforts to hunt down criminals. She also said it was an acknowledgement that the government erred in trying to regulate the dissemination of a scientific product.

Officials at the Electronic Frontier Foundation went further, saying in a statement "The decision knocks out a major part of the Clinton administration's effort to force companies to design government surveillance into computers, telephones and consumer electronics." They went on to call the ruling "a victory for free speech, academic freedom, human rights and the prevention of crime."

To Bidzos, though, Patel's 32-page ruling represents "another brick in the government's wall" of arguments in favor of export controls. He noted that the decree does not bar the enforcement of current U.S. crypto export rules, but rather prohibits their enforcement against anyone seeking to discuss or publish Bernstein's software program.

Bidzos thinks the outlook for the U.S. software industry is likely to be decided when Congress returns from its summer break next month and takes up two pieces of legislation -- the so-called SAFE bill calling for elimination of current export controls, and a Senate bill sponsored by Sen. John McCain, R-Ariz., and Sen. Bob Kerrey, D-Neb., that would maintain current export controls while providing incentives for domestic use of key recovery schemes.

SAFE (the Security and Freedom through Encryption bill) cleared the House Committee on International Relations last month and could face a vote in the full House in September.

"I think we may be headed for a showdown between the McCain/Kerrey bill and the SAFE bill," Bidzos said.

Other experts were more upbeat.

The ruling provides "a very important legal precedent," said Declan McCullagh, a freelance columnist who writes frequently on Internet legal issues. "It will be persuasive when other courts look at export restrictions. It will also make it much easier for the industry to mount its own legal challenge and ask for permission to export browsers or E-mail programs with built-in encryption."

But McCullagh cautioned that the SAFE bill still needs to clear several key House committees and that President Clinton has voiced his intention to veto any pro-crypto legislation.