DOJ Seal

Department of Justice FAQ

on

Encryption Policy

April 24, 1998


A. GENERAL POLICY ISSUES

  1. What is the Administration's Policy on Encryption?

  2. Aren't you really trying to force the market where it won't go?

  3. Some bills currently before Congress, such as H.R. 695, would make the criminal use of encryption a crime. Isn't this sufficient?

  4. Does the government want to hold everyone's private keys?



    B. LAW ENFORCEMENT ISSUES

  5. Why does law enforcement oppose the use of encryption? Don't you realize that it will make your job easier by stopping crime?

  6. We don't ban cars, do we? Then why are you trying to ban encryption?

  7. We lived without wiretaps for centuries -- couldn't we do so again?

  8. Aren't you overstating the threat?

  9. Isn't the government's policy unworkable because strong unrecoverable encryption is widely available and, therefore, criminals will not use data recovery products even if they are widely available and commonly used?

  10. Shouldn't we solve this problem by equipping law enforcement with the resources necessary to break encryption in particularly important cases?

  11. I heard about one group of Internet users that worked together to crack a 56-bit encrypted message. If they did it, why can't the federal government?

  12. If even 56-bit DES encryption stops law enforcement, why did the Administration decide to allow export of such products?

  13. Don't Americans have a right to privacy?

  14. Why does law enforcement want to be able to snoop on everyone's private communications?



    C. CONSTITUTIONAL ISSUES

  15. Wouldn't the use by law enforcement of recovery systems in encryption products violate the Fourth Amendment?

  16. What about a mandatory plaintext recovery regime? Wouldn't that violate the Fourth Amendment?

  17. Would such a hypothetical mandatory plaintext recovery regime violate the Fifth Amendment's prohibition against compulsory self-incrimination?

  18. What about the First Amendment? Doesn't the First Amendment protect the right of persons to speak in "code"? Wouldn't a restriction on encryption products be analogous to placing a restriction on the use of a foreign language? Wouldn't restriction of available encryption products "chill" free speech?

------------------------------------------------------------------------------------------------

A. GENERAL POLICY ISSUES

1. What is the Administration's Policy on Encryption?

The Administration's policy is to promote the development and use of strong encryption which enhances the privacy of communications and stored data while preserving law enforcement's ability to gain access to evidence as part of a legally authorized search or surveillance. We are willing to look at any options that advance these goals, as well as protecting national security, securing electronic commerce and preserving U.S. competitiveness. The Administration has identified one method to achieve the necessary balance -- the use of encryption products that incorporate recovery systems. With such products, law enforcement agents can, pursuant to lawful process, obtain recovered "plaintext." The Administration is open to other approaches.

2. Aren't you really trying to force the market where it won't go?

Not at all. Indeed, we know that hardware and software companies have begun to develop data recovery products in response to the needs of businesses and individuals. For example, dozens of companies are now members of the "Key Recovery Alliance," including some of the largest computer companies in the United States. That such products are economically viable is not surprising. For example, companies may need access to encrypted data when employees are ill or otherwise unavailable, and individuals may forget their keys.

However, while industry must take the lead in developing cryptographic products and services, it is also true that market forces alone will not adequately protect public safety and national security. For example, market forces alone are not permitted to determine whether an airline should be allowed to fly -- the government grounds unsafe airlines to protect public safety. Market forces alone do not determine whether meat is safe to sell in supermarkets and restaurants. Likewise, when the government pursues a cryptographic policy, it must take into account the need to protect public safety and national security.

3. Some bills currently before Congress, such as H.R. 695, would make the criminal use of encryption a crime. Isn't this sufficient?

Making the use of encryption a crime if in furtherance of the commission of another crime makes an important statement, because encryption can pose a significant obstacle to the investigation and prosecution of criminal offenses.

That said, the mere fact that the criminal use of encryption would itself be a crime would be unlikely, standing alone, to prevent most criminals from using encryption. Moreover, since the encrypted data cannot be decrypted without recovery systems -- and the plaintext cannot be ascertained -- it would be difficult, if not impossible, to prove in most cases that the encryption was used in the furtherance of a crime. Finally, such a prohibition would fail to address the true public safety threat: that terrorists, child pornographers, drug dealers, and any other criminals could render useless court-authorized searches and wiretaps.

4. Does the government want to hold everyone's private keys?

No, the government does not want to hold the keys of private citizens or commercial enterprises.

Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety.

The Administration is not advocating any single product, technology, or even technical approach, and is certainly not insisting upon "escrow" of keys with the government. Key recovery, for example, where the encryption key is held by a trusted third party, is merely one possible approach, and is by no means the only one that would meet law enforcement's goals. Rather, we are flexible -- provided that the resulting solutions and arrangements preserve the Nation's critical abilities to protect the public safety and defend our national security.

B. LAW ENFORCEMENT ISSUES

5. Why does law enforcement oppose the use of encryption? Don't you realize that it will make your job easier by stopping crime?

We do not oppose the use of encryption -- just the opposite, because strong encryption can be an extraordinary tool to prevent crime. We believe that the use of strong cryptography is critical to the development of the "Global Information Infrastructure," or the GII. We agree that communications and data must be protected -- both in transit and in storage -- if the GII is to be used for personal communications, financial transactions, medical care, the development of new intellectual property, and other applications.

The widespread use of unrecoverable encryption by criminals, however, poses a serious risk to public safety. Encryption may be used by terrorist groups, drug cartels, foreign intelligence agents, and other criminals to secure their data and communications, thus nullifying the effectiveness of search warrants and wiretap orders. The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance.

At bottom, it is important to recognize that society has an important choice to make. On the one hand, it can promote the use of unrecoverable encryption, and give a powerful tool to the most dangerous elements of our global society. On the other hand, it can promote the use of recoverable encryption and other techniques, achieve all of the benefits, and help protect society from these criminals. Faced with this choice, there is only one responsible solution.

6. We don't ban cars, do we? Then why are you trying to ban encryption?

The Administration generally, and law enforcement particularly, are not trying to ban encryption. Law enforcement supports the responsible spread of strong encryption. Use of strong encryption will help deter crime and promote a safe national information infrastructure.

The more fundamental point raised by the analogy to the rise of the automobile is that society "managed" the automobile, not by letting it develop completely unfettered and without regard to public safety concerns, but first by recognizing that cars could cause substantial damage to the public safety, and then by regulating the design, manufacture, and use of cars to protect the public safety. Cars must be inspected for safety on a regular basis. Cars are subject to minimum gasoline mileage requirements and maximum pollutant emission requirements. Cars built today must include seat belts and air bags. Indeed, the laws of every jurisdiction in the United States closely regulate every aspect of driving cars on the public streets and highways, from driver's licenses to regulation of speed to direction and flow of traffic. Congress and the state legislatures recognized the public safety and health threats posed by the technology of automotive transportation, even as they recognized the dramatic benefits of mobility, productivity, and industrialization that the automobile brought with it. Elected government representatives of the people have consistently acknowledged and acted on their sworn responsibilities by assessing the public safety issues at stake and then regulating the technology accordingly.

Perhaps most analogous to the policy issues posed by encryption is the practice, begun by most states about a hundred years ago, of requiring cars to be registered and to bear license plates. More recently, federal law has required all vehicles to bear a vehicle identification number, or VIN. As you may recall, it was the VIN in the Oklahoma City bombing case that led the FBI to the truck rental office at which Timothy McVeigh rented the truck he used. We now recognize that license plates and VIN's afford victims of accidents, victims of car theft, and law enforcement officials with an essential means of identifying vehicles and obtaining information on the movements of criminals. Just as legislatures in the early 1900's acted to manage the risks posed by automotive technology, government leaders today, as the 21st century approaches, must bring the same sensitivity to the need to preserve and advance public safety as encryption use expands in the information age. And such a regulatory scheme, if constructed properly, will, like license plates, have benefits for businesses and consumers as well.

Of course, no analogy is perfect. Computers are not cars, and plaintext recovery is not a speed limit. But the broader point is an important one: The Framers of our Constitution determined that individuals would not have an absolute right of privacy. The Constitution recognizes that there are certain circumstances in which it is appropriate for law enforcement to obtain information that an individual wants to keep private: for example, when a judge finds probable cause to believe that such information is *** evidence of a crime. Decisions as to where that line should be drawn are political and legal ones, not scientific or business ones; they should be made by the Congress, the Executive, and the courts, not by programmers or marketers. Policy should regulate technology; technology should not regulate policy. Just as in the first part of the twentieth century, when the law had to take account of the changes in society brought about by the automobile, the law will have to take account of the changes brought about by encryption.

7. We lived without wiretaps for centuries -- couldn't we do so again?

Court-authorized wiretaps have proven to be one of the most successful law-enforcement tools in preventing and prosecuting serious crimes, including terrorism. The inability of law enforcement to conduct effective wiretaps would have a tremendous impact, especially as the use of "traditional investigative techniques" is no substitute for wiretaps. In fact, under 18 U.S.C.  2518(1)(c), such techniques must have been tried, be expected to fail, or be too dangerous to use, before a wiretap order may be issued. In other words, wiretaps may only be used when necessary. As society has becoming increasingly reliant on wire communication, law enforcement's need to access the contents of those communications in appropriate circumstances has also increased.

It is also important to recognize that widespread use of unrecoverable encryption will not merely negate wiretaps: the effect of encryption on court-authorized searches and seizures of computer data will also be significant. As society becomes more dependent on computers, evidence (and the fruits) of crime increasingly will be found in stored computer data, which can be searched and seized pursuant to court authorized warrants. But if unbreakable encryption proliferates, this critical law enforcement tool could also be nullified. And this would affect not only our ability to prosecute cases of terrorism and drug trafficking, but any case that relies on documents, such as fraud and child pornography cases.

If American society is to be protected as it rightfully expects and demands, law enforcement agents must have investigative tools that work. To the extent society is unwilling to grant law enforcement such tools, it must be willing to accept fewer successful investigations, fewer successful prosecutions, and, consequently, more crime that goes unprosecuted.

8. Aren't you overstating the threat?

Not at all. Law enforcement has already confronted encryption in high-profile espionage, terrorist, and criminal cases. For example:

* An international terrorist was plotting to blow up 11 U.S.-owned commercial airliners in the Far East. His laptop computer, which was seized during his arrest in Manila, contained encrypted files concerning this terrorist plot.

* A subject in a child pornography case used encryption in transmitting obscene and pornographic images of children over the Internet.

* A major international drug trafficking subject recently used a telephone encryption device to frustrate court-approved electronic surveillance.

And this is just the tip of the iceberg. Convicted spy Aldrich Ames, for example, was told by the Russian Intelligence Service to encrypt computer file information that was to be passed to it.

There have also been numerous other cases where law enforcement, through the use of electronic surveillance, has not only solved and successfully prosecuted serious crimes but has also been able to prevent life-threatening criminal acts. For example, terrorists in New York were plotting to bomb the United Nations building, the Lincoln and Holland Tunnels, and the main federal building in New York City as well as conduct assassinations of political figures. Court-authorized electronic surveillance enabled the FBI to disrupt the plot as explosives were being mixed. Ultimately, the evidence obtained was used to convict the conspirators. In another example, electronic surveillance was used to stop and then convict two men who intended to kidnap, molest, and kill a child. In all of these cases, the use of unrecoverable encryption might have seriously jeopardized public safety and resulted in the loss of life.

As encryption proliferates and becomes an ordinary component of mass market items, and as the prevalence of encryption products increases to the point of regularly denying law enforcement access to intercepted communications or physical evidence, the threat to public safety will increase greatly.

9. Isn't the government's policy unworkable because strong unrecoverable encryption is widely available and, therefore, criminals will not use data recovery products even if they are widely available and commonly used?

No policy will guarantee that, in every case, law enforcement's needs are met -- some criminals won't use recoverable encryption under any circumstances. However, many criminals will use encryption that permits access by law enforcement, if that is the type of encryption that is commonly used and included in over-the-counter software. Criminals use telephones today, even though they are aware that telephones can be tapped. What we want to avoid is a situation where common street-corner drug dealers reguarly without thinking make their record books and notes utterly unreadable by law enforcement at the click of a mouse button. In this regard, we hope that the availability of highly reliable encryption that provides recovery systems will reduce the demand for other types of encryption, and increase the likelihood that criminals will use recoverable encryption.

10. Shouldn't we solve this problem by equipping law enforcement with the resources necessary to break encryption in particularly important cases?

Additional resources alone will not solve this problem. It is not possible to build machines with any reasonable resources that would permit law enforcement to break even 56-bit DES encryption in the time necessary to be useful in real cases. Obviously, stronger encryption would be even more difficult to crack. In many cases, it might be difficult even to determine the type of encryption used.

This is especially significant in investigations, which can be extremely time-critical. Particularly in the case of wiretaps, decrypting messages weeks or months after interception will not protect the public. Wiretaps are used only in the most critical cases, and often provide crucial information just before a crime is to occur. Near real-time access is necessary, as days or weeks are too long to wait to find out that a terrorist attack is about to occur.

Even if the FBI were able to build a supercomputer that could periodically crack a single message encoded with 56-bit DES, each wiretap or search can result in thousands of messages or files to be decoded. Cracking all of those messages is unrealistic. And, obviously, it would be impossible to supply such a supercomputer to every state and local law enforcement agency around the country. It will always be easier and cheaper to devise stronger cryptographic methods than to build computers powerful enough to break these methods in a reasonable period of time.

11. I heard about one group of Internet users that worked together to crack a 56-bit encrypted message. If they did it, why can't the federal government?

That example actually underscores the problems that accompany a "brute force" approach. The successful group actually used over 14,000 computers and took over four months -- over ten million hours of computer time -- to decrypt one single message. That is not practical for law enforcement, especially if, for example, we are trying to prevent a terrorist attack or find a kidnap victim. Significantly, the time needed to decrypt a message rises exponentially as the length of the encryption key increases. If the message had been encrypted with a 64-bit key, it would take 10,000 Pentium computers on average 58 years to crack a single message.

And a new message would require law enforcement to start again from scratch because each message may be encrypted with a different key. During 1995, for example, federal and state courts authorized more than a thousand electronic surveillance court orders, resulting in over two million intercepted communications, each of which could require separate decryption. Given such numbers, brute force attacks are not a feasible solution. This commitment of time and resources is unavailable for every wiretap and every search and seizure executed at federal, state, and local levels.

Additionally, law enforcement agencies at the federal, state, and local level are finding that searches in routine cases now commonly result in the seizure of electronically stored information. Because storage devices have increased in capacity and decreased in price, the quantity of data seized in "ordinary" cases continues to increase dramatically. If all of these communications and stored files were encrypted with unrecoverable cryptographic systems, brute force attacks would not provide a meaningful and timely solution. Thus, even if tens of thousands of computers were obtained and coordinated (an expensive undertaking, to say the least), the approximately 17,000 federal, state, and local law enforcement agencies could not be given timely access to the evidence needed to prevent and solve crimes.

12. If even 56-bit DES encryption stops law enforcement, why did the Administration decide to allow export of such products?

In developing encryption policy, the government must balance the competing needs and desires for individual privacy, international economic competitiveness, law enforcement, national security, and secure electronic commerce. The decision to permit export of 56-bit DES or equivalent strength products during a two-year window reflects this balance. The Administration's goal is to encourage the use of strong encryption to protect privacy and commerce, but in a way that preserves law enforcement's ability to preserve public safety and protect national security against criminal, terrorist, and military threats.

That's why export of 56-bit DES is permitted during that two-year window only when supported by a satisfactory business and marketing plan for recoverable items and services. Renewal of these export licenses is required for every six-month period and will depend on the applicant's adherence to explicit benchmarks and milestones as set forth in the plan approved with the initial classification request and amendments as approved by the Commerce Department's Bureau of Export Administration. Building an infrastructure that supports recovery serves the goals of preserving public safety and national security, while the Administration recognizes that this process can take time, and that privacy and security must be provided in the interim.

13. Don't Americans have a right to privacy?

Privacy is an extremely important value to be protected, and people sometimes lose sight of the fact that law enforcement is responsible, in part, for protecting privacy in a variety of circumstances. For example, we prosecute violations of the wiretap statute, as well as cases where data confidentiality has been breached. See, e.g., 18 U.S.C.  1030(a)(2). But our society has never recognized an absolute right to privacy. Rather, the Fourth Amendment strikes a careful balance, permitting government invasion of privacy to protect public safety and to prosecute crimes, but only when law enforcement can make the necessary showing, such as demonstrating "probable cause" to a neutral and detached magistrate. For example, most people would think it was justifiable for the police to search a man's bedroom pursuant to a search warrant -- normally one of the most private places in one's life -- if there were probable cause to believe that he had murdered someone there. In the Information Age, unbreakable encryption would upset this delicate constitutional balance, which is one of the bedrock principles of our legal system, by effectively nullifying a court's issuance of a search warrant or wiretap order.

14. Why does law enforcement want to be able to snoop on everyone's private communications?

Government should not be able to access arbitrarily the plaintext of encrypted communications of citizens or businesses. Law enforcement should obtain access pursuant to legal procedures such as those set out by 18 U.S.C.  2518, i.e., only as part of a legally authorized investigation, and only after making the necessary legal showing. The same constitutional protections -- such as the requirement that a search warrant or Title III order be obtained from a neutral judicial official, upon determination of probable cause -- that preserve every American's privacy interests today will continue to prevent unauthorized intrusions in a key recovery regime.

C. CONSTITUTIONAL ISSUES

15. Wouldn't the use by law enforcement of recovery systems in encryption products violate the Fourth Amendment?

It is difficult to understand how use of recovery systems under the present, voluntary regime might violate the Fourth Amendment. As with any kind of stored and transmitted data, it is axiomatic that the government may obtain both encrypted text and decryption keys pursuant to lawful process, which may include a wiretap order, a search warrant issued upon probable cause, a subpoena, or the consent of the party possessing the particular item. Each of these procedures comports with the Fourth Amendment, and voluntary data recovery products do not change this analysis. Additionally, if an individual's encryption key were stored with a third party, Congress could require by legislation that, to compel production of the key, law enforcement would have to meet a standard higher than that required by the Fourth Amendment, much as the Electronic Communications Privacy Act requires a court order to obtain transactional data.

16. What about a mandatory plaintext recovery regime? Wouldn't that violate the Fourth Amendment?

The Administration does not advocate a mandatory approach, and believes that a voluntary solution is preferable. Nonetheless, many have asked about the constitutionality of hypothetical legislation prohibiting the manufacture, distribution and import of encryption products that do not contain plaintext recovery technologies, so that the capability to decrypt encrypted data and communications is available to law enforcement upon presentation of valid legal authority.

A discussion of the constitutionality of such hypothetical legislation must be prefaced with several caveats. First, the constitutional issues that such a regime would present are undoubtedly novel ones. Indeed, the spectacular growth of the digital world has created many confounding legal issues that the Congress, the courts, the Administration, and our society at large are wrestling with. If history is any guide, changes in technology can lead to changes in our understanding of applicable constitutional doctrine. Moreover, these issues are particularly difficult to address in the abstract, because mandatory plaintext recovery could take a variety of forms. Nonetheless, and with these caveats, it is the best judgment of the Department of Justice that a mandatory plaintext recovery regime, if appropriately structured, could comport with constitutional doctrine.

The Fourth Amendment does not provide an absolute right of privacy, but protects reasonable expectations of privacy by prohibiting unreasonable searches and requiring that a warrant issue only upon a finding of probable cause by a neutral and detached magistrate. A well-designed plaintext recovery regime would ensure that users' reasonable expectations of privacy were preserved. Any legislation in this area, whether or not it imposed plaintext recovery requirements, should not lessen the showing the government must make to obtain access to plaintext. If a search warrant for data was required before, it should be required under any new regime. By requiring the government to meet current constitutional thresholds to obtain plaintext, such a regime would, in our view, comply with the Fourth Amendment. Moreover, Congress could require under such a regime that even if law enforcement obtains a search warrant for data or communications, it would need additional authority, such as a court order, to obtain the key or other information necessary to perform any decryption if the information is encrypted.

17. Would such a hypothetical mandatory plaintext recovery regime violate the Fifth Amendment's prohibition against compulsory self-incrimination?

Again, it must be clearly stated that the Administration does not advocate a mandatory plaintext recovery regime. The Administration believes that a voluntary solution is preferable.

However, in response to questions about the Fifth Amendment, we note that the Fifth Amendment generally prohibits only disclosures that are compelled, testimonial, and incriminating. If a manufacturer of an encryption product were required to maintain information sufficient to allow law enforcement access to plaintext, we believe that there would be no violation of the Fifth Amendment because no disclosure at all would be compelled from the user of the encryption product. If, on the other hand, a mandatory plaintext recovery regime required the user of an encryption product to store his key (or other information needed for recovery) with a third party in advance of using the product, we do not believe that such an arguably compelled disclosure would be testimonial as that term has been interpreted by the Supreme Court. In Doe v. United States, 489 U.S. 201 (1988), the Court held that an order compelling a person to execute a form consenting to disclosure of foreign bank accounts did not violate the Fifth Amendment because the form was not testimonial. The compelled disclosure of decryption information to a third party would not seem to be any more testimonial. Moreover, we doubt whether such a disclosure would be incriminating, because unless and until the encryption product is used in the commission of a crime, the key would pose no threat of incrimination against the user.

18. What about the First Amendment? Doesn't the First Amendment protect the right of persons to speak in "code"? Wouldn't a restriction on encryption products be analogous to placing a restriction on the use of a foreign language? Wouldn't restriction of available encryption products "chill" free speech?

Again, the Administration prefers a voluntary solution. Nevertheless, many ask about whether a mandatory plaintext recovery regime would in some manner violate the First Amendment.

A First Amendment argument that encrypted speech is like a foreign language rests on the faulty premise that the creation or dissemination of ciphertext itself is constitutionally protected. But, unlike a foreign language, the ciphertext that is created by strong encryption products cannot be understood by the viewer or listener. When it is heard, such as on a wiretap of a telephone, ciphertext simply takes the form of unintelligible static. In written form, ciphertext may be in the form of letters, numerals and symbols, but no human being can read or "understand" it: it does not contain characters or words or symbols that represent or correspond to any other characters, words or symbols. Accordingly, ciphertext is not like a foreign language, the use of which can convey unique meaning and nuance to the listener or reader. Thus, ciphertext itself -- as opposed to the underlying plaintext -- has none of the properties of protected "speech" that the Supreme Court has traditionally identified, and, accordingly, the dissemination of ciphertext should not be entitled to First Amendment protection.

A second form of First Amendment argument focuses not on the ciphertext, but on the underlying plaintext. Under this theory, a prohibition on the manufacture or distribution of nonrecoverable encryption products would inhibit an alleged constitutional right of persons to obscure their communications in any manner they see fit. Even if legislation would impose such a practical limitation on the manner in which speakers may obscure their underlying communications, it could be drafted so as to pass muster as a permissible time, place and manner restriction -- particularly since any such restriction on the "tools" of speech would be unrelated to any communicative impact of the underlying plaintext and the controls would leave open ample and robust alternative channels or methods for obscuring the underlying plaintext.

A related argument is that a communications infrastructure in which recoverable encryption is the de facto standard will impermissibly chill a significant quantum of speech because individuals' knowledge of law enforcement's ability to overhear and decipher communications and data will unduly deter them from communicating. But under such a system, the government would have no greater access to the content of private parties' communications than it currently has, and it is well-settled that the government's exercise of its established statutory powers to intercept and seize communications does not create such a "chilling" effect on speech as to transgress the First Amendment, so long as that power is exercised consistent with the Fourth Amendment, and for valid reasons authorized by statute, such as to discover evidence of criminal wrongdoing. See, e.g., United States v. Ramsey, 503 F.2d 524, 526 n.5 (7th Cir. 1974) (Stevens, J.) (rejecting argument that "the very existence of wiretapping authority has a chilling effect on free speech and, therefore, . . . violates the First Amendment"); accord United States v. Moody, 977 F.2d 1425, 1432 (11th Cir. 1992).

A final type of First Amendment argument often heard is that a restriction on the manufacture and distribution of certain types of encryption products would impermissibly restrict the ability of cryptographers, and others, to disseminate the computer code that is used by computers to transform plaintext into ciphertext. But that argument is based on the mistaken premise that dissemination of the code embedded in encryption products itself is necessarily a form of expression protected by the First Amendment. Most such code is in the form of "object code." Object code is simply an immense string of "0"s and "1"s, representing a bewildering concatenation of thousands or millions of high and low voltage electrical impulses. As such, machine-"readable" cryptographic object codes can reveal to possible "readers" neither the ideas they embody, nor the manner in which the ideas are expressed. And this is especially true where such object code is embedded in a product such as a semiconductor chip, so that even the "0"s and "1"s cannot be discerned. Therefore, a restriction on the dissemination of encryption products containing object code would not violate the First Amendment.

Somewhat more complicated questions might be raised if such legislation were to reach encryption products in the form of source code -- i.e., the instructions to the computer that human beings write and revise. Some persons do disseminate source code for communicative purposes. Nevertheless, we believe that a restriction on the dissemination of certain encryption products could be constitutional even as applied to those relatively infrequent cases in which such products are in the form of software that is disseminated for communicative reasons, because such a restriction could satisfy the "intermediate" scrutiny that the First Amendment provides for incidental restrictions on communicative conduct. As we have argued in litigation in the export-control context, such intermediate scrutiny would be appropriate because the government's reason for regulating source-code software would not be based on any informational value that its dissemination might have. (Indeed, such legislation would not restrict the publication of any ideas reflected in such source code.) Instead, regulation would be premised on the fact that such software -- like all of the "encryption products" that would be regulated -- has physical, functional properties that can cause a computer to encrypt information and thereby place plaintext beyond the technical capabilities of law enforcement to recover.

 

Go to . . . CCIPS Home Page || Justice Department Home Pages


Last Updated October 10, 1998
usdoj-jmd/irm/css/mam