The US Department of Commerce is investigating a California man over powerful data-scrambling software he created and made available on his Web site. If indicted, his case could become another test of federal policy restricting the export of strong encryption.
Charles Booher, a 39-year-old programmer for a hard-disk diagnostics company in Fremont was ordered to appear Wednesday before a US District Court grand jury in San Jose. But after spending the morning at the courthouse, Booher said Thursday that he never got into the court room.
The US Attorney Anthony West prosecuting the case told Booher that the court didn't have enough grand jurors, and he was sent home. Booher was told he would hear from the prosecutor in due course as to whether the case would proceed or be dismissed.
Booher's hunch is that the delay may indicate a retreat by the Commerce Department. "My source code has not been made public yet, so it makes it hard for them to deal with."
If a grand jury hearing is eventually conducted, it would determine whether to charge Booher with violating federal restrictions on software that scrambles data at an extremely secure level, known as strong encryption.
In an interview earlier this month, Booher said he received a subpoena ordering him to "show up in the courtroom and be prepared to explain myself, [about] why I don't want to give my source code to them."
The court order, which Booher also made available on his Web site, ordered him to bring to the hearing the programming code behind his encryption software, SecureOffice. The product is a strong, 168-bit Windows utility for making data unreadable. It is also available in a version for Unix-based computers.
Cryptographic source code consists of advanced mathematical algorithms that provide instructions for scrambling and descrambling information, such as sensitive email or computer files. Booher wants to have his source code patented and does not plan under any circumstances to share it with anyone, including Commerce Department officials.
Citing Commerce Department policy, officials said they would neither confirm the subpoena nor comment on any ongoing investigation.
Encryption proponents have long argued that US government restrictions limiting worldwide distribution of domestic strong encryption software -- which uses encryption keys longer than 56 bits -- are unfair and ineffective at limiting the use of such software.
The Department of Commerce maintains that the overseas export of encryption must be as tightly regulated as the flow of munitions. Before any strong encryption product, including Booher's, can be made available to anybody outside of the United States, the seller must get permission from the Commerce Department.
The agency has granted permission only in special circumstances and often includes conditions for the inclusion of a key recovery capability in the encryption code. Key recovery gives law enforcement officials the ability to unlock any piece of scrambled data.
In the weeks prior to the hearing, Booher was considering certain bargaining chips as an alternative to turning over the software's source code.
His wife, Theresa Bromar, said he would consider building key recovery into SecureOffice if the Commerce Department were willing to work out a compromise.
Earlier this month, Booher said he believed that part of what led to the Commerce investigation of his software was the ease with which data could be encrypted. He has said he would therefore be willing to "make [SecureOffice] a little more difficult to use."
If charged for illegal export of encryption software, Booher plans to fight. "They can either say we want to indict this guy in which case ... I'll plead not guilty and go with a First Amendment defense," he said.
Booher's case could signal another benchmark in the evolution of US encryption policy. Other cases waged over the issue are likely to be finally settled only by the US Supreme Court.
An Ohio District Court recently ruled in a case pitting the Commerce Department against a Cleveland law professor, Peter Junger. Commerce Department restrictions are legal, the judge ruled, and cryptographic ciphers are not subject to First Amendment protection.
That case was in direct contrast to a ruling by a federal judge in San Francisco in favor of Daniel L. Bernstein, a mathematician. Bernstein successfully argued to the court that source code was protected from restrictions in the same way the US Constitution protects free speech. The diverging opinions may put the issue on a course for final settlement by the country's highest court.
The difference between the court battle that Booher may face and those of Junger and Bernstein is significant. The latter pair were civil cases where the plaintiffs sought to take federal export restrictions to task by challenging them in court. Booher's would be a criminal, rather than civil, case.
If charged with illegally posting his software, Booher would have to defend himself against prosecution by the Commerce Department. In that way, his legal struggle would more closely resemble the first, and most famous, crypto-export case: the government's prosecution of Phil Zimmermann.
In the early '90s, Zimmermann authored a popular encryption program, Pretty Good Privacy. He posted the code for PGP to globally accessible Internet discussion groups in June 1991. The act prompted a long federal investigation by a grand jury over violation of encryption export rules. In January 1996, the Justice Department attorney investigating the case announced without explanation that the case was being closed.
"Zimmermann was under indictment for possibly exporting without a license," said Cindy Cohn, lead attorney in the challenge by cryptographer Bernstein. Cohn says Booher, like it or not, could be the "next poster child for crypto."
"When you watched what happened to Zimmermann -- he was investigated by a grand jury for five years -- it almost bankrupted him," said Cohn.
Zimmermann was able to put together a great team of lawyers, she noted, many of whom donated their time. And in the end Zimmermann's PGP encryption software became a worldwide brand in a way it might not otherwise have been. He is now an executive with security software giant Network Associates, and PGP is one of the company's products.
In the Bernstein case, Cohn is awaiting an outcome from a government appeal to the district court that ruled in favor of Bernstein. She is expecting a decision from the Ninth Circuit Court of Appeals "any day now," she said.
The current subpoena is Booher's second order to appear before a court over SecureOffice. He said he had previously been subpoenaed by the Commerce Department.
"My attorney wrote a response and advised me not to go," he said. "They went to a grand jury and got another subpoena. This one is more serious because a grand jury has the power to indict."
Booher admits dual motives in putting himself in the legal sights of the Commerce Department: One is his belief that export of all encryption products should be legal and unrestricted, the other is publicity for his software.
"Being a software programmer is a lot like being a novelist," Booher said. "You have to say this novel has to exist and if it sells, great.... I am looking for publicity. I have a commercial interest here. I also have a political interest."
Cohn believes Booher's ploy could have a long-term beneficial effect for his software, but added, "he could also end up in the pen. It's a hard way to do your marketing."
Meanwhile, following his Wednesday court date Booher said he's received fan mail from supporters. "I love your product, thank you for standing up for people's right to use strong encryption," were the nature of the emails he received, Booher said.
