Encryption Source Code Export Ban Challenged

Encryption Source Code Export Ban Challenged

In a major development in the continuing debate over encryption export policy, a federal appeals court has ruled that it is unconstitutional for the Commerce Department to prohibit exports of encryption source code. However, the export restrictions will remain in effect while court proceedings continue.

Federal regulations prohibit or restrict exports of most commercial encryption products and technologies. These regulations are important to Internet companies because cryptographic security tools are widely used to preserve confidentiality in e-commerce applications and because encryption technologies can easily be "exported" illegally over the Internet.

Export restrictions apply to hardware, software, and technical information. Encryption software is "exported" from the U.S. whenever cryptographic capabilities are accessible outside of the U.S. and Canada. This rule applies to human-readable "source code" as well as the corresponding machine-readable "object code."

In the recent court case, Bernstein v. U.S. Department of Justice, a university professor argued that the Constitution protected his right to export the source code to an encryption program which he wrote. After years of litigation, the Ninth Circuit Court of Appeals in San Francisco agreed, concluding that encryption source code is "speech" which is protected by the First Amendment. You can read the court's decision at by clicking here. The court did not question the Government's right to restrict exports of encryption object code and related technologies.

The Government has asked the court to reconsider its decision, arguing that source code is not protected "expression" and that the court should not interfere in "national security" matters.
Meanwhile, the Commerce Department export restrictions remain in effect. Companies which allow Internet or "intranet" users to access or download export-controlled encryption products or technical information should continue to screen all requests to prevent unauthorized foreign access, notify recipients that the materials are export-controlled, and require recipients to agree to comply with the export restrictions.