I’m reading yet another book about eavesdropping, Diffie and Landau’s Privacy on the Line, which covers privacy and surveillance debates from a crypto-focused standpoint. This is not surprising given that one of the co-authors, Whitfield Diffie, is one of the most famous names in cryptography research.
One of the cases it discusses, which I didn’t previously know about, is Phil Karn’s challenge to the Clinton administration’s silly export-control restrictions on cryptography software. The government required a license before cryptographic software could be exported. Karn applied for, and recieved, a license to export Bruce Schneier’s famous Applied Cryptography, a textbook on cryptography that included the source code to many important cryptographic algorithms. The government ruled, reasonably enough, that books were protected by the First Amendment and he could export Schneier’s tome.
Karn then typed the source code to one of the crypto algorithms printed in Schneier’s book, saved it on a floppy disk, and applied for permission to export that. This time the answer was different: the floppy disk was a “munition,” and could not be sent out of the country. Karn sued, and the case dragged out in federal courts through 2000, when the Clinton administration finally relented and stopped trying to control the export of cryptography software. I think there are a couple of important lessons from this. First, the good guys do often win technology battles. I’m too young to have participated in the crypto wars myself, but crypto regulations were a major cause of concern among programmers in the 1990s, and they achieved an almost complete victory. When government regulations are silly enough, a small but determined band of activists can get them changed by highlighting their absurdity.
The other, less inspiring, point is that the courts don’t always seem to learn from their mistakes. Karn’s argument that source code is a form of expression protected under the First Amendment is virtually identical to the argument made early in this decade against the DMCA, as typified by the gallery of DeCSS descramblers. If telling someone he can’t ship a floppy containing 3DES source code to a foreign country is censorship—and I think it is—then so too is telling a magazine that it can’t offer the source code to DeCSS on its website. Unfortunately, the courts didn’t see things that way, drawing a bogus distinction between code’s functional and expressive attributes.
A final lesson, and probably the most important one, is to observe why the good guys one. The reason was not that they won a legislative victory. Rather, it was because technological and economic forces brought us to the point where the old policy no longer made any sense. At root, the export control regime was based on the belief that restricting crypto exports were limit espionage by foreign countries. This argument was never particularly compelling, but by the year 2000 it had been palpably ridiculous, as any foreign exchange student could walk into any library, check out any of the dozens of books on cryptography that could be found there, and email the relevant parts back to their home governments. Once crypto reaches a certain level of ubiquity, there ceases to be any plausible rationale for further controls.
I suspect that the same will happen to the DMCA’s anti-circumvention rules. The inherent brokenness of DRM will slowly doom companies that adopt it, until we reach a point, sometime in the next decade, when most content companies are distributing their wares in DRM-free formats. At the same time, tools like Handbrake will continue to gain in popularity. At some point, the writing on the wall will become visible to even the most blinkered observers. Once that happens, opposition to reform may evaporate, because the anti-circumvention rule will have ceased to serve anyone’s interest.
At least I can hope.