Posted By: Aidan L. Clark
Could the government regulate encryption? Encryption is a word that is used quite often in the public vernacular. At times, encryption is used as a general term, which is invoked when one is referring to concepts of digital information security and securing content of communications. Oftentimes, encryption code is copyrighted, a form of intellectual protection usually reserved for forms of expression protected by the First Amendment. However, it is important to understand the concept of encryption in a fuller sense if there is to be a discussion on the feasibility of regulating such a technology. This is because it is vital to understand why encryption came about, what it is, what it can do, and what it certainly cannot do, when attempting to discover the public policy effects of putting rules in place to govern it.
To build that frame of reference, it is useful to note that encryption is one application of the field of cryptography. Cryptography itself, and the applications of it—from the most basic to the most advanced—were born from the need for security and privacy. Specifically, people needed a way to secure their communications with others, so that those not within their trusted circle would not be able to read or distinguish these messages. So-called “classic cryptography” originated out of these necessities. Predating even the notion of the advent of computing technology, cryptography was used and developed to become easier to use and to become more secure. Substitution and transposition ciphers were commonly used, such as the Caesar cipher and Rail Fence cipher, and involved rudimentary manipulation of the alphabet to obscure the original message, or plaintext. For example, if we shift the alphabet by three letters, then each letter “A” in the plaintext becomes the letter “D” in the coded message, or ciphertext. The idea was that unless an individual knew the magnitude of the alpha-shift, the message would be unreadable; while, on the other hand, an individual given that magnitude would be easily able to decipher the message. This is where the concept of cryptographic keys became important: the magnitude of the alpha-shift was referred to as the “key.”
In effect, these simplistic methods formed the basis for modern cryptography, and they illustrate what encryption can achieve: the privacy and security of messages and information. However, as one might imagine, these original encryption techniques have since been broken, through technical methods such as letter frequency analysis. It is this point that is especially important to comprehend; for even as technology advances, and better algorithms for encryption are developed, there will always be the inevitable possibility that these mechanisms will be broken, like their “classical” forebears. While encryption can offer security in communication, it cannot offer total security and impervious privacy. If there is a method of encryption that has not yet been broken, it is simply because it is either not feasible to do so, or because no one has taken the time to show that breaking it would be feasible, by their efforts to crack it. Thus, when considering public policy implications of regulating encryption, it is important to realize that encryption, as a cryptographic method, is not an impenetrable beast. It must continue to evolve to become stronger and more secure, which paves the way for ever-changing legal and policy consequences, as well as shifts in public opinion and expectations.
Given the power of this technology, certain regulations on encryption exist today in differing strengths across the world. Currently, the United States has some regulations on the export of encryption methods, but it does not have any regulations on domestic use that are of any significance. Historically, the United States has strongly regulated the export of cryptography, because it was considered a type of munition. The ability to secure information is indeed a great power to have and, naturally, the government did not want those methods distributed to, or shared with, foreign enemies—even by well-meaning private manufacturers of computing devices, based in the United States, but who conduct business in other parts of the world. Those restrictions on exportation were significantly relaxed in an Executive Order issued by former President Bill Clinton in 1996. However, some regulation still applies and is overseen by the Export Administration Regulations, or EAR. Other world-leading governments, such as Britain, have recently suggested a move towards more regulated encryption to aid in government surveillance. Most other influential governments are in a similar state of controversy over the topic, as is the United States. It would seem that the entire world stands in awe at the leaps and bounds that technology has taken in recent years, and is presently stymied as to what to do about it.
Arguably, one of the most basic privacy protections at work in the United States stems from constitutional protections under the First Amendment. Under the First Amendment, all have a right to the freedom of speech and expression. First and foremost, some argue that regulation in any form is unconstitutional, because of the idea that computer code itself, which is used to write encryption algorithms, is considered a form of speech, and is thus protected against regulation because of the protections of the First Amendment. Bernstein v. U.S. Department of State, a case also referred to as “Bernstein I” in a series of well-known cases concerned with the export restrictions on the encryption algorithm of Daniel Bernstein, was brought before the United States District Court for the Northern District of California in 1996. Bernstein was a mathematician, a student at the University of California at Berkeley, and was the author of the encryption software called “Snuffle.” He challenged the export restrictions of the Arms Export Control Act and the International Traffic in Arms Regulations on grounds that included the First Amendment. The Court held that “… cryptographic computer source code is ‘speech’ protected by First Amendment…” and that the Court could “… find no meaningful difference between computer language, particularly high-level languages… and German or French. All participate in a complex system of understood meanings within specific communities.”
With all due respect to the Court’s opinion, the First Amendment argument is easily dismissed if coding and software engineering are correctly understood. Computer programming languages are commonly referred to as “high-level languages” as the Court says. These high-level languages are used to make coding an easier process for programmers and software developers. For example, when writing a program in the widely-used programming “language” of C++, the code itself will resemble English words and phrases along with common mathematical operators. Since the code resembles some type of readable words and phrases, computer scientists call it a “language.” However, this language is not something that a computer can understand and translate into meaningful instructions without extensive manipulation, which is why it is called a “high level” language. The fact that computer scientists use the term “language” to refer to various coding schemes is not because they are functional languages per se, but because it is a metaphorical reference to a structure of words that is used in such a way as to create a convenient syntax. However, computers, whether they are personal computers, mobile devices, or supercomputers capable of incredible computational power, are just machines. Simply put, these machines take input, in the form of very basic instructions, in order to make a certain computation or perform a certain task. The use of high-level coding schemes allows a software programmer to form these machine instructions with relative ease. However, through processes called “compilation” and “assembly,” the high-level code must be broken down into simplistic instructions, in the form of 1’s and 0’s, that the machine can carry out. These 1’s and 0’s are akin to a light switch, with one position representing “on” and another representing “off.” It is with these instructions, of the most basic form, that a machine carries out what it is programmed to do. 
Of course, this is a very simplified explanation of the process, but it still serves to prove the point that code cannot be considered speech when the reality of what code is, is properly understood.
In fact, the United States Patent and Trademark Office considers certain computer programs to be patentable as “methods.” These methods are simply a set of ordered steps to be carried out by a machine. This interpretation from statutory law is consistent with the argument that code is a set of instructions, and not a form of speech. It should be noted that some code is not considered eligible for patenting, and thus software engineers seek legal protection under current copyright law—laws that normally apply to forms of speech—but, this is simply a flaw in our current collection of laws, and is not indicative of how code should be regarded in the real world. The Court in Universal City Studios, Inc. v. Reimerdes offered a similar analysis in 2000, and pointed out that “computer code is not purely expressive” as it “causes computers to perform desired functions.” It is apparent that this Court understands how computer code should be viewed in light of what it actually is.
Can the government regulate encryption based on a free speech argument? Does the fact that computer code is often copyrighted make it impossible to regulate that source code? With arguments weighing heavily on both sides, the answer remains to be seen.