With his suit against cryptography controls, Daniel Bernstein has stepped into the vanguard of a civilian insurgency to free the Net from the dying grasp of a national security state.
If you call Daniel Bernstein while he is away from home, his answering machine will greet you with a raucous rendition of the Shaker melody, "Simple Gifts," performed on the harmonica by Bernstein himself. You might remember the song's lyrics: "'Tis the gift to be simple, 'Tis the gift to be free .Š" The melody is a cheery - if ironic - choice for someone embroiled in a colossal and complicated struggle against the entire national security apparatus.
Bernstein is challenging export laws that define cryptography as a form of munitions - like land mines or cruise missiles. The young professor, lettered in mathematics by the University of California at Berkeley last year, is taking the Cold Warriors to court because the law barred publication of his cryptographic research over the Internet, casting the academician into the same net as unruly arms merchants.
This is more than a squabble over the convolutions of the International Traffic in Arms Regulations, violation of which carries criminal penalties of up to US$1 million and 10 years in jail. As the first legal challenge to the constitutionality of the export control laws governing cryptography, the suit contests the government's dominance over a pivotal cyberspace technology. At stake is whether the Net will come to bear the strong cryptography needed to become a universally trusted and commercially viable medium. Essentially, Bernstein's suit is at the vanguard of a civilian insurgency to free the Net from a subtle, though enervating, kind of martial law.
A White House Office of Intelligence staffer recently effused the party line when asked about Bernstein's case: "Powerful cryptography is not only a powerful protector of people's data, it is also a powerful weapon in the hands of a drug dealer, a terrorist, or an international organized criminal Š and we restrict its export to protect national security and to preserve an ability to get access to data that would otherwise be impossible to obtain." Arguments like this ignore the fact that strong cryptography gives ordinary people the ability to protect themselves against terrorists and criminals - and an imperious government as well.
"This suit is one front in the cryptowars," says John Gilmore, an early employee of Sun Microsystems and a founder of the Electronic Frontier Foundation. "Nobody really knows how these wars will end up or which front will be the one that finally collapses."
Digital Liberator is not a role Bernstein adopted out of a disdain for authority or a craving for adventure. His passions are aroused less by politics than by the technical minutiae of Unix systems and the exquisite mathematical filigrees of cryptography. Within the Internet hacker community, Bernstein's activist legend is limited to his campaign to close security holes in Unix systems.
But as a graduate student in the early 1990s, Bernstein got into hacking crypto, working from his cramped, windowless lair on the 10th floor of Evans Hall on the Berkeley campus. Unwittingly, he ventured into a domain claimed by the cryptographic wizards at the National Security Agency. Early in the Cold War, the NSA was created to spy on foreign enemies' communications and to supervise a system of patent and export laws, ensuring that the spread of American cryptography would not complicate the agency's eavesdropping mission. As soon as Bernstein was prepared to distribute his research paper and source code on the Internet for peer review, his programming became a national security issue.
Bernstein knew enough about export law to be concerned about putting his programs on the sci.crypt Usenet newsgroup - even though it was not executable cryptography, but a system for converting mathematical constructs into crude cryptographic programs. When he inquired at the State Department, he received a disturbing reply: posting his program would require a munitions export license. In other words: You publish, you perish. After his attempts to overturn the government's decision failed, Bernstein struck back.
With the EFF underwriting the costs, he filed suit in February 1995 against everyone involved in the censoring: the State Department, the Department of Defense, the Department of Commerce, and the NSA. Bernstein is contesting, in part, provisions of the ITAR that equate exportation with posting live crypto code on a domestic server. (Although the replies Bernstein got from the department were curt, it's apparent that his applications were being struck down under provisions that forbid "disclosing to foreign persons" any technologies regulated under the ITAR. This broad category could be applied to most any act of publication - including posting source code on the Internet).
The regulation has managed to go unchallenged for about one generation post-World War II, largely because until the 1970s, most cryptographers were current or former employees of military intelligence agencies and more or less sympathetic with export laws. That changed as a generation of cryptographers matured in academia and industry, and cryptography began finding wide application in the civilian domain.
Twentysomething Bernstein, a thoroughly post-Cold War kind of guy, claims that the regulations are tantamount to the creation of a state licensed press, allowing spooks and bureaucrats to entertain their own whims in repressing freedom of speech, association, and scientific inquiry.
Stirring stuff, but when news of this suit hit the Net, some cynics' eyes rolled. The national security state doesn't just turn over with its legs in the air when someone waves the Bill of Rights at it. The reality is that the courts have become increasingly deferential to government claims of national security interest as they have filled up with jurists sympathetic to the exercise of the state's power - not an amiable environment for civil rights suits. Lawrence Walsh, the Iran-Contra special prosecutor, feared this trend enough that, in a report to Congress in December 1989, he warned that abuse of secrecy privileges had "created an unacceptable enclave that is free from the rule of law." Against this backdrop - righteously waving their freedom of speech flags - appeared Bernstein, the EFF, and Cindy Cohn, lead attorney for the San Mateo, California, law firm of McGlashan & Sarrail, PC.
Cohn points to the 1971 Pentagon papers decision, in which a federal court ruled that publication rights outweighed national security claims, as reason to believe there is a chance to topple this untouchable 40-year-old system. What's more, a 1978 case focused directly on the ITAR. In US v. Edler Industries, the court found that the "expansive interpretation of technical data relating to items on the munitions list could impede Š international scientific exchange," and that the regulations had to be interpreted narrowly.
One thing is for sure: Bernstein's barristers couldn't have asked for a better assignment than US District Court Judge Marylin Hall Patel. At the Northern California District in San Francisco, Patel is legend for championing the civil rights of civil plaintiffs and criminal defendants.
When the initial motion was presented during the first hearing last October, Patel showed no special deference to the national security élite. It quickly became apparent that the contest, in essence, would hinge on interpretations of the ITAR's authority over cryptographic source code. Cohn claims it is necessary for scientists to advance their mathematical theories for consideration by their peers; the government argues that cryptographic source code or software is a technological instrument that is scrupulously and clearly defined in regulation, and can therefore be controlled like a munition.
For Cohn, the hearing was confirmation that Patel grasped some of the larger ironies of export law. Still, the hearing transcript reveals that Patel showed some confusion about the distinction between source codes and the applications they animate - crucial concepts if the judge's decision is to be definitive and useful for other cryptography cases.
By April, when she ruled to deny the government's motion to dismiss, Patel's interpretation of ITAR in the constitutional context showed real command. Sweeping the government's arguments aside, Patel whipped up her own analogy, likening source code to a player-piano roll - executable music notation - which she deemed protected speech. This not only kept the case alive, but affirmed one of Cohn's key arguments and threw the burden of proof on the state.
Before the case is resolved, Patel's skepticism of the state's prerogatives will be tested to the limit when the government is called upon to defend its policy. Patel is then likely to be given the in camera presentation of The Deepest Darkest Secrets of Cryptography - probably a modified version of the classified briefing the NSA has used with great success to influence members of Congress. Legend has it that no one who ever got "the briefing" ever again opposed the agency.
If Bernstein does manage to neutralize the NSA's mesmerizing spells and rescue cryptography, it won't be because he had such grandiose ambitions from the outset. At least that's what the publicity-shy professor tells us. Bernstein will not discuss, in political terms, his case or his own role in it - the suit, he explains, is a practical application of law to effect a practical result; an equation made flesh.
"What gets me worked up here is plain old crime," says Bernstein. "I still remember the first computer intruder I ran into. How disgusted I was at finding out that he had been rifling through my files; how much time I spent trying to figure out if he had destroyed anything. In the years since, I've spent a lot of time thinking about how to stop these criminals. By now, I feel I can really help people protect themselves ‹ but the State Department says I can't share my advice. That's totally disgusting.
"What I see is the State Department and the ITAR standing in the way of cryptography moving forward," says Bernstein. No Promethean social struggle here; it's about advancing the popular acceptance of cryptography so the Kevin Mitnicks of the world won't be able to steal intelligible information from the systems they burgle. "Cryptography is a powerful crime-fighting tool," he says. "This is not a case of needing more laws. This is a case of needing more technology."
Bernstein's early cryptographic excursions were inspired by Usenet postings about how hash functions are unregulated by export control laws - even though they use the same mathematical engines as cryptographic encoding systems. (A file run through a hash function returns a string of letters and numbers that appears random but is the unique product of the hash function and that file. The result, like a fingerprint, can identify the file.)
Intrigued, Bernstein took a hash function named Snefru and wrote a pair of programs to make the function's mathematical engine encrypt and decrypt data. The final package, which he called Snuffle 5.0, comprised a research paper and the programs' source code - instructions readable by humans but not usable by a computer until translated into a machine-executable format. Researchers who wanted to study his work would be able to pick up the paper and source code from the newsgroup, compile the code, and run it on their computers.
Mathematically, the idea was to re-engineer a hash function into a cryptographic program. While Bernstein ostensibly did this to make an academic point, Snuffle 5.0 exposed a hole in the logic of the export control laws: You can take an unregulated, exportable hash function and, with Bernstein's system, use its cryptographic engine to produce a working, yet inelegant, cryptography program. "A program like Pretty Good Privacy is all set to go; my program is a machine that gives you a method of encrypting data, but you have to do a lot more work to make it usable," says Bernstein. In effect, Bernstein's academic pursuit proved that the export regulations could be avoided, albeit with some machinations.
When Bernstein asked the State Department in June 1992 if the export laws applied to Snuffle, the agency responded a couple of months later that he would need a munitions license to post. Presumably, the department's interpretation was that posting on Usenet constituted de facto exportation given the borderless nature of the Net. A license to publish? This wasn't an answer an academic could accept. Bernstein called and wrote to the State Department and the NSA for clarification.
"In the beginning, I was naive. I thought they had procedures for academics - we have the First Amendment. I was surprised," says Bernstein.
It was a different kind of education for a graduate mathematics student who'd spent most of his life in school. Suddenly, here he was playing telephone tag with an agency that employs the heaviest spooks in the world. The initial rejection sent Bernstein searching for help. He emailed John Gilmore, in part because Gilmore had posted extensively about export controls on Usenet. Gilmore and the EFF board quickly began supporting Bernstein's case.
In July 1993, on the EFF's advice, Bernstein submitted five separate requests to the State Department for publishing approval, one for each segment of his Snuffle package, so that each would be considered separately. At a minimum, he hoped to get clearance to publish his research paper. By October 1993, the five requests had been consolidated by the department and flung back at him - again advising that publication required a license. One month before, however, Bernstein had appealed the agency's first ruling, asking for his research to be considered under the Commerce Department's more liberal export regimens.
The government could have invited Bernstein to explore other levels of appeal and drawn him deeper into the ITAR appeals labyrinth. But the State Department failed to respond within its allotted 30 days, and after much preparation, Bernstein filed suit in February '95.
It was not just the Internet community that cheered Bernstein's chutzpah - the software industry, long forced to play by the ITAR rules, also approved, if less publically. "The public interest groups were very enthusiastic about the case," says Ken Mendelson, corporate counsel at Trusted Information Systems Inc., a cryptographic systems developer in Glenwood, Maryland. "Many companies, I think, were quietly relieved that someone else was doing it because of the expense."
But those in the commercial sector know that the provisions of ITAR Bernstein is contesting are only part of the hammer lock that the NSA established over cryptography during the 1950s. A patent secrecy system allows the agency to direct the Patent and Trademark Office to impound patent applications and bar innovators from discussing their inventions under threat of massive fines and jail - big, fat regulatory sticks the agency has wielded to gag academics and keep commercial cryptographers under control.
The law, according to Geoffrey Baehr, chief network officer at Sun Microsystems, has created a situation where "those who have the ability to create the technology usually don't, because they know they can't sell it worldwide. These controls are forcing us into an anti-competitive state." For example, they've prevented the development of vital components of a strong cryptographic system, such as key management systems that would allow users to acquire and trade keys easily.
"The government wants to block the development of key management systems that scale to a million users," says Baehr. "Let's say that 50 million people have keys and the ability to change them frequently. You can then have a relatively simple cryptographic algorithm but, by changing keys frequently, make it strong."
Without strong cryptography, Baehr points out that cellular phones are subject to outrageous frauds because hackers can defeat their crypto systems with ease. Hospitals are still unable to fully computerize medical records, and Europe's automated electronic toll-taking systems aren't even on the drawing boards in the United States.
In the balance of this struggle hangs the question of whether communications privacy will be technically or even legally possible in the future. Whitfield Diffie, the inventor of public key encryption, summed up the technological politics of cryptography best last year when he said in Congressional hearings on Clipper: "It is in no way obvious that the freedom to have a private conversation will survive."
Bernstein is resignedly sanguine about the suit - hopeful, but prepared for a long haul. His new employer - the University of Illinois at Chicago where he's taken a position as research assistant professor in the department of mathematics, statistics, and computer science - is very supportive, he says. The young professor's reserve and institutional resources will be important assets in a case that could become a grudging contest of attrition, given the government's interest in preserving the status quo. As the government well knows, it's the stranglehold on the proliferation of technology that keeps the NSA in business. Should the agency's spell over cryptography weaken, the spooks would have to find real jobs.
__ Born Broken__
While conventions for character sets (such as ASCII) and data transport protocols (such as the TCP/IP suite that moves email over the Internet) have long been established, cryptographic standards are not even a dream. And systems that do survive the NSA's 40-bit-length key restrictions are born crippled. This was dramatized in August '95 when cryptographic researchers in France decoded a message that was encrypted with an approved-for-export variant of RSA Data Security Inc.'s RC4 algorithm, used to transfer credit card and customer data on Netscape's Navigator.
The Clinton administration has responded with a plan to allow the export of systems with keys of up to 64 bits in length - if they are developed with an escrow scheme giving government access to the keys (the heart of the widely despised Clipper program). In effect, the administration has linked "export" with adherence to its demands for escrowed systems, a quid pro quo to industries already feeling exposed by the relative impotence of systems that they are allowed to use internationally. Meanwhile, it's estimated that computing power more than 309 trillion trillion times greater than that used to break the RC4 40-bit encryption would be necessary to decrypt RC4 128-bit security currently available domestically.
__ Don't Say Triple Anything__
Because the old Data Encryption Standard has, due to its small key size, become exposed to cracking by ever more powerful computers, industry is using the levers at its disposal to indirectly shape standards by countering government's power to regulate cryptography.
In January 1995, against the official protests of the NSA, the ANSI Accredited Standards Committee X9F1 decided to proceed with the development of a data security standard based on Triple-DES, a multiple iteration of the old DES. The committee is expected to vote on it by the end of this year, a decision closely watched by other nations interested in using the specification. Some are hoping this could lead to the internationalization of a standard that would be difficult for the agency to make go away.
Meanwhile, the Internet Engineering Task Force is working on a new version of the data transport protocol that carries packets around the Internet. The next version, IPv6, will require those implementing security measures to use DES for encryption; it will also require a system of authentication considered compliant with the new protocol. Modularized to allow components to be deleted - and thus, exportable - it is yet another nudge from the technology-creating community toward establishing a critical mass of international standards.
__ Insidious Agenda__
In documents recovered last year through the FOIA, the Electronic Privacy Information Center in Washington, DC, discovered that the NSA's and FBI's solution to the spread of civilian cryptography may be simply to outlaw it. These laws would make possession of privacy-enhancing technologies a crime, something already partially achieved in the realm of telephony technology (see "Same Old Shit," Wired 3.11, page 88).
In a briefing document titled "Encryption: The Threat, Applications, and Potential Solutions," sent to the National Security Council in February 1993, the FBI, NSA, and Department of Justice concluded that "technical solutions, such as they are, will only work if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of government-approved encryption products or adherence to government encryption criteria is required."
This objective found its way into the Digital Telephony Bill signed into law by President Clinton in the fall of 1994. The bill, using language skillfully sculpted by the NSA, effectively outlawed telephony technologies that challenge any government agency's ability to wiretap, making technical facilitation of eavesdropping a legally enforceable design criterion in telecommunications systems.
