net.wars Home Page | NYU Press




Chapter 5
Stuffing the Genie Back in the Can of Worms


made in the export regulations between printed and machine-readable versions of the same source code for encryption algorithms. This suit was brought by Phil Karn, a software engineer at Qualcomm, a developer and manufacturer of digital cellular and personal communications systems and the widely used email program Eudora. Karn is challenging a ruling by the State Department under ITAR that allows him to export copies of Bruce Schneier's classic book Applied Cryptography, which contains in printed form the source code for many of the world's most popular cryptographic algorithms including triple DES, but not to export floppy disks holding electronic versions of those same algorithms.[14] As Karn said in his June 26, 1996, testimony to the Senate Subcommittee on Science, Technology, and Space, "I guess only Americans can type."


The other case was brought by Daniel J. Bernstein, then a graduate student at the University of California at Berkeley and now a professor at the University of Illinois at Chicago. Bernstein wanted to publish the results of his research on the Internet and in scientific journals for examination and peer review by the cryptographic community. This meant making available a paper about his work, an algorithm he called Snuffle, and a program using that algorithm. Snuffle uses a technique called a hash function[15] to allow interactive encryption in real time, which would allow secure live communications. On June 30, 1992, he asked the State Department for permission to publish. Within a couple of months, he was advised that he first had to apply for and receive a license as an arms dealer; then he would have to get approval for each recipient of the software or the paper about the software. After failed attempts to clarify this ruling, he appealed in 1993 but never received a response. Accordingly, he filed suit on February 21, 1995, seeking declaratory and injunctive relief on the grounds that his freedom of speech rights are being violated.


The two cases met with opposite fates in their lower court decisions, both of which came in April 1996. First, in Karn's case, Washington, D.C., district court judge Charles Richey granted the government's motion to dismiss the complaint. The ruling was a bad one for opponents of export controls, as it essentially held that the courts did not have the right to review what items were included on the munitions list. Karn appealed. In the meantime, in Bernstein's case, Judge Marilyn Patel of the Northern District of California ruled that Bernstein's source code was indeed speech for the purposes of the First Amendment. Bernstein's legal team, from the San Francisco-based firm McGlashan and Serrail, argued its motion for summary judgment in September. The motion was granted just before Christmas, 1996.[16] The ruling was reviewed and upheld after responsibility was shifted to the Department of Commerce; however, the government immediately requested and won a stay, pending appeal.


Pressure on the government to change the laws is also coming from within Congress: in the spring of 1996, Senator Conrad Burns (R-MT) and Senator Patrick Leahy (D-VT) both introduced bills seeking to lift export controls; Burns's bill (known as "Pro-CODE," for Promotion of Electronic Commerce in the Digital Era) would also prohibit the government from promoting its own standards for encryption.[17] A similar bill introduced in 1994 in the House by Representative Maria Cantwell (D-WA) failed; 1994 instead saw the passage of the Communications Assistance for Law Enforcement Act (often referred to as "Digital Telephony" on the Net, after the failed 1991 rider). This bill, like the language that scared Zimmermann into releasing PGP in 1991, requires that new communications systems be designed to allow law enforcement secret access to specific electronic communications. The government has promised funding of $500 million to help pay for these changes.


Karn, testifying in support of Pro-CODE, highlighted the delays faced by his company in complying with the ITAR while trying to sell digital phones in Hong Kong in competition with European companies that have no such regulations to worry about. That bill failed, although it attracted a lot of support. Burns followed up with a new version on February 27, 1997, while a second, called SAFE, for Security and Freedom through Encryption, is also under consideration.


A less formal test of the workings of the ITAR was carried out in 1995 by Matt Blaze, who decided to donate some of his time to following the full set of legal



Copyright © 1997-99 NYU Press. All rights reserved.
Reproduction in whole or in part in any form or medium without written permission of New York University Press is prohibited.
