Reason.com

Outside the administration, critics charged the government with not going far enough--it had talked a good game about liberalization, they argued, but had failed to deliver. Rep. Bob Goodlatte (R-Va.) began gathering support for the Security and Freedom through Encryption Act (SAFE), a bill that would remove restrictions on the export of encryption technology while imposing a greater criminal sanction on those who used encryption to commit crimes. When first introduced, it stalled. When Goodlatte reintroduced it, he had much greater success, garnering about 200 cosponsors, and passing the bill out of five separate committees before it was halted once again. In the current Congress, SAFE has even more support--it has once again passed through five committees (as well as several subcommittees), and has 258 representatives, more than half the House, cosponsoring it.

The government's export policy was faring no better in the courts. Dan Bernstein, a professor at the University of Illinois at Chicago, wanted to post the source code for an encryption-related algorithm on the World Wide Web, and had asked the government whether he would need a license. (Under present law, to publish something on the Web is effectively to export it.) The feds replied that his source code qualified as a munition, so he couldn't do it. In August 1997, a federal district court in San Francisco ruled in Bernstein's favor, finding that this restriction looked a great deal like prior restraint of publication, which is prohibited by the First Amendment. On appeal, the trial court's ruling was affirmed, albeit on slightly narrower grounds; and while the DOJ has continued to litigate the case, encryption-policy mavens inside the government know that the feds were not necessarily going to prevail. The courts will hear further arguments later this year.

Facing challenges in both Congress and the courts, the administration knew it had to take action if it was going to regain control of the issue. In the words of Jerry Berman, director of the pro-privacy Center for Democracy and Technology, "The government has realized that delay is no longer a policy."

So by late 1999, America's once-mono-lithic encryption policy--stop the spread at all costs!--had been reduced to fragmented and perhaps self-contradictory rubble. Perhaps the biggest reason for the Clinton administration's latest liberalization is the heat they've been feeling from the American computer industry. As Vice President Al Gore has hit the campaign trail in earnest, he's been working to strengthen his support among the leaders of high-tech industries. To the extent that such restrictions have prevented these businesses from developing domestic products with encryption features, software companies have been at a disadvantage in the global marketplace. They've made their dissatisfaction known.

What's more, as Georgetown's Denning has noted, the government has simply had more time to adjust to the spread of encryption tools, further easing its once-vivid panic. That point is seconded by Stewart Baker, former general counsel of the National Security Agency, who adds a twist: The original export- control regime has largely served its purpose of limiting the spread of encryption. Absent those controls, he argues, computer and software manufacturers would have almost certainly incorporated encryption tools into the operating system of every mass-market computer. That may still happen, he continues, but right now encryption is far from ubiquitous. This gives the intelligence community some breathing space to adapt.

And the police? Berman notes that "the FBI has been strangely silent," and policy watchers believe there is still serious debate within the administration about the wisdom of the new liberalization. CESA, apparently, is meant to mollify those in Congress and in the executive branch who remain concerned about encryption's alleged threat to law enforcement. The Department of Justice, of course, is still engaged in a full-court press in the Bernstein case.

So: Is there a consistent encryption policy framework now? To Baker, the current muddle, for all its inconsistencies, "is as coherent as government policy gets." Meanwhile, Berman is cautiously optimistic that we're seeing the beginning of the end of encryption controls. Congress seems prepared to pass SAFE, he notes, if the administration fails to fully liberalize the export of encryption products.

But, he warns, "one terrorist incident involving encryption could change the landscape."