No. 95-3213

IN THE SUPREME COURT OF THE UNITED STATES


October Term 1995
CHARLES F. WOODBURY,
Petitioner
v.

UNITED STATES OF AMERICA,
Respondent


Certiorari To The United States

Court of Appeals for the Thirteenth Circuit


Brief for the Respondent United States of America

Mark D. Rasch, Esq.
Science Applications International Corporation
Center for Information Protection
8301 Greensboro Drive, Suite 400
McLean, Virginia 22102

Scott Faga
George Mason University School of Law

Dan Zalenko
Robert Kluge
American University School of Law

ON BRIEF

COUNSEL FOR RESPONDENT

TABLE OF CONTENTS

TABLE OF AUTHORITIES

CASES

Boyd v. United States, 116 U.S. 616 (1886) 24
Braswell v. United States, 487 U.S. 99, 109-10 (1988) 24
Broadrick v. Oklahoma, 413 U.S. 601 (1973) 8
Buckley v. Valeo, 424 U.S. 1 (1976) 13
Compassion in Dying v. Washington, No. 94-35534, 1996 U.S. App. LEXIS 3944, at *161 (9th Cir. March 6, 1996) 17
Doe v. United States, 487 U.S. 201 (1988) 25
Fisher v. United States, 425 U.S. 391 (1976) 25
Gilbert v. California, 388 U.S. 263 (1967) 25
Griswold v. Connecticut, 381 U.S. 479 (1965) 16
Ladue v. Gilleo, 114 S.Ct. 2038, 2046 (1994) 14
McIntyre v. Ohio Elections Commission, 115 S.Ct. 1511 (1995) 11
NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958) 10
National Treasury Employees Union v. Von Raab, 489 U.S. 656 (1989) 21
New York Times Co. v. United States, 403 U.S. 713 (1971) 8
New York Times v. Sullivan, 376 U.S. 254, 269 (1965) 12
Nixon v. United States 418 U.S. 683 (1974) 10
O'Connor v. Ortega, 480 U.S. 709, 717 (1989) 22
Planned Parenthood of Southeast Pennsylvania v. Casey, 112 S.Ct. 1291 (1992) 16
Roe v. Wade, 410 U.S. 113 (1973) 16
Roth v. United States, 354 U.S. 476, 484 (1957) 12
Shapiro v. United States, 335 U.S. 1 (1948) 24
Sheets v. Salt Lake County, 45 F.3d 1383 (10th Cir. 1995) 19
Smith v. Maryland, 442 U.S. 735, 745-46 (1979) 18
Talley v. California, 362 U.S. 60, 64 (1960) 12
Trammel v. United States, 445 U.S. 40, 51 (1980) 10
United States v. Callahan, 669 F.2d 923 (4th Cir. 1992) 21
United States v. Doe, 465 U.S. 605 (1984) 21, 24
United States v. Elder, 579 F.2d 516 (1978) 6
United States v. Elder, 579 F.2d 516 (9th Cir. 1978) 8
United States v. Freed, 401 U.S. 601 (1971) 18
United States v. New York Telephone Company, 434 U.S. 159, 164 (1977) 20
United States v. O'Brien, 391 U.S. 367 (1968) 7
Whalen v. Roe, 429 U.S. 589 (1977) 17, 19

STATUTES

18 U.S.C. ß 2511 et. Seq 2
28 U.S.C. ß 1254 (1). 1
Cryptography Control Act of 1995 1, 7, 10, 13, 14, 27
Foreign Intelligence Surveillance Act, 50 U.S.C. ß 1801 et. Seq 2
International Traffic in Arms Regulations, 22 C.F.R 121-130 (1977) 3
Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. 2510 15
Title III, 18 U.S.C. ß 3121-3123 15, 20, 21

QUESTIONS PRESENTED

1. Does mere registration of tools which could be used, in the presence of a valid judicial order, to descramble communications, which is itself neutral with respect to the contents of the communications, constitute a prior restraint upon the content of the communications?

2. Is there an implied Constitutional right to absolute privacy which would permit individuals to engage in communications free from the possibility of government interception and comprehension even in the face of a valid court order for the interception?

3. Does a statutory requirement that those choosing to use certain tools to conceal the contents of files or communications register the means to descramble these communications constitute an unreasonable search or seizure under the Fourth Amendment?

4. Is the requirement that, as a condition of the use of a particular technology, an individual register the tools to decrypt communications in the event of a judicial order a compelled incriminating communication?

JURISDICTIONAL STATEMENT

This case arises on Certiorari to the United States Court of Appeals for the Thirteenth Circuit. Docket No. 95-3213. The petition for Certiorari was filed on November 1, 1995, and was granted on January 1, 1996. The matter is set for oral argument on March 28, 1996. A divided panel of the Thirteenth Circuit found that the statute involved in this case, the Cryptography Control Act of 1995, was constitutional. This case is reported at 200 F. 3d 175. Jurisdiction is conferred upon this Court pursuant to 28 U.S.C. ß 1254 (1).

STATEMENT OF THE CASE

Petitioner, Charles F. Woodbury (Woodbury), was convicted of unregistered use of restricted high level encryption under the Cryptography Control Act of 1995 (CCA). [1] It is undisputed that Petitioner used an encryption program with a 128-bit key[2] to encrypt electronic mail messages. The key to Woodbury's encryption program was not registered with a key escrow agency or designate as required by Section 10 of the CCA.

In March 1995, the government learned that Woodbury was involved in the distribution of crack cocaine, heroin, and other narcotics via the Internet. [3] The Drug Enforcement Administration (DEA) and State police obtained a federal wiretap authorization pursuant to 18 U.S.C. ß 2511 ]et. Seq.. Petitioner has not challenged the finding of probable cause or the lawfulness of the wiretap order. The DEA installed wiretaps on two lines at Woodbury's home, a voice line and a modem line. One of these telephone lines ("Line One") was used primarily for voice telephone calls. "Line Two" was used primarily for electronic communications including faxes and computerized connections to the Internet. The wiretap on Line Two quickly encountered difficulties, as a significant portion of the messages Woodbury sent and received by electronic mail (e-mail) were encrypted with "Cypherpunks Labs Automated Messenger" 3.01" (CLAM), a computerized encryption program which encrypts messages with a cipher called IDEA[4], which uses a 128-bit key.

The CCA permits the transmission of any messages over the Internet or over other computer networks, and does not regulate either the content or the character of speech transmitted over computer networks. Rather, Congress, in enacting the CCA found that the use of high-level encryption algorithms - those in excess of 64 bits - threatened both public safety and national security because they prevented the government from effectively enforcing valid court orders under the Fourth Amendment, the wiretap statute, 18 U.S.C. ß 2511 and the Foreign Intelligence Surveillance Act, 50 U.S.C. ß 1801 et. Seq. As a result, Congress imposed a mild registration restriction on high-level encryption devices.

Encryption describes the process of converting plain text - which is ordinarily readable - into cipher text - which cannot be understood except through the use of some form of decryption cipher. [5] Encryption technology has always been among the most sensitive technologies available, and the ability to encrypt and decrypt communications one of this nation's most heavily guarded secrets.[6] Encryption technologies have long been controlled for export, and are treated as munitions and require export licenses under the Arms Export Control Act before such technologies may be exported - even to friendly countries. They may not be exported at all to hostile nations due to the severe deleterious impact such technologies may have on U.S. national security.[7]

Typically encryption requires, at a minimum, text to be encrypted, and some formula or algorithm for the encryption. While the process for mathematical encryption is complicated, it need not long distract this Court. The longer the encryption "key" the more difficult it is to decipher a message so encrypted. Indeed, the difficulty of decryption increases exponentially with the key length, with it taking twice as long to decrypt a message encrypted with a 65 bit key as with a 64 bit key.

At some key length, it becomes virtually impossible to decrypt messages so encrypted.[8] In enacting the CCA, Congress determined that the threshold was at 64 bits. Therefore, Congress required all those who wished to encrypt files or communications[9] using higher level encryption keys to register their key either with a government agency, or with a third party escrow agent.

Acting on a finding of probable cause and with a search warrant, the validity of which Petitioner has not challenged, agents then searched Petitioner's home and seized, inter alia, his computer. An examination of the seized computer determined that the files contained therein were unreadable, as they had been encrypted using the CLAM algorithm.[10] Based on the facts outlined above, Petitioner was convicted by a jury of violating the CCA. Petitioner does not challenge the sufficiency of the evidence against him, or the facial validity of the conviction.

Petitioner appealed his conviction to the United States Court of Appeals for the Thirteenth Circuit. Petitioner alleged that the statute on its face violated the First, Second, Fourth, and Fifth Amendments, as well as the general constitutional right to privacy. Specifically, he alleged that the statute has a chilling effect on free speech, that the key escrow requirement constitutes an unreasonable search, that the key escrow requirement amounts to compelled self-incrimination under the Fifth Amendment, and that the statute violates Petitioner's right to informational privacy. On December 25, 1995, the Court of Appeals for the Thirteenth Circuit upheld Petitioner's conviction, holding that the statute was constitutional on its face.

ARGUMENT

I. THE CCA DOES NOT VIOLATE THE FIRST AMENDMENT

A. The Key Itself is Not Expressive and is Not Protected Speech

Petitioner first argues that the Cryptography Control Act should be struck down on the ground that it is overbroad on its face. However, an examination of the statute reveals that it is a narrowly tailored attempt to deal with a real and substantial threat to national security and crime control, does not regulate the content of speech, much less the content of "protected speech," and is, in fact, the most narrowly tailored statute possible to accomplish legitimate, and even compelling, state interests. Petitioner asserts that "the act of filing a key [is] a statement that the person has documents important enough to use strong cryptography." Pet. Br. At 5. This is simply not the case. An individual may file a high level encryption key, and choose never to encrypt a single document or file. The registration of an encryption key admits no more about the contents of a message than the registration of a firearm admits the value of the contents of a home to be protected by the firearm. It is simply content neutral. Indeed, the registration key is neither speech nor non-verbal expressive conduct. [11] Because the registration requirement is not speech, its mandatory nature is not "compelled speech." Indeed, the requirements of the CCA do not differ substantially from the myriad of regulations which require individuals to register certain information with the government. These include the mandatory registration of motor vehicles as a condition precedent to driving, registration under the FCC as a condition precedent to the use of the radio airwaves, registration with the ATF as a condition precedent to the acquisition of a firearm. [12] In each of these cases, the individual is compelled to tell the government something by the process of registration as a condition precedent to the exercise of a right or a privilege. In none of these cases is the mere act of registration considered to be compelled speech in violation of the First Amendment.

It is important to note also that the registration requirement is a condition precedent not to making communications, but to the use of a particular technology for concealing this communication. Much like statutes which prohibit or limit the use of flash paper, the CCA is neutral as to what may be written on this flash paper, or who may be attempting to use it.

It is undisputed in this case that the regulation of the content of pure speech should be subject to strict scrutiny. However, this case does not present that issue. An encryption key is not expressive, and it is not a form of speech. It is simply an article of commerce - a tool, a cipher.

Petitioner correctly analogizes this case with United States v. O'Brien, 391 U.S. 367 (1968), albeit with the wrong result. In O'Brien, this Court held that, while a draft card may be used in an expressive manner by some individuals, it was not expressive in and of itself. Hence, the draft card was not pure speech, and regulation of its use (and destruction) was not a restraint on pure speech. O'Brien, 391 U.S. at 375. The same is true of an encryption key. It is not expressive, and it is not speech.

Petitioner next argues that the Cryptography Control Act is not "narrowly tailored" toward the achievement of a legitimate governmental interest. As noted above, because the Act does not infringe upon the content of "speech", the narrowly tailored test does not apply. Nevertheless, the statute is as narrowly tailored as possible. The statute does not proscribe the use of high level encryption - although such proscription would be within the powers of Congress. It does not require registration with the government per se, but rather permits registration and escrow with an identified third party. It is certainly less intrusive than the alternative means of obtaining the same information - subpoenaing Mr. Woodbury before a grand jury and requiring him to testify under oath about the nature of his encryption key. Moreover, the more intrusive conduct described above would not effectuate the government's legitimate interest in near real-time surreptitious surveillance of persons for whom probable cause has been established to a neutral and detached magistrate. Therefore, the statute is narrowly tailored toward achieving a legitimate governmental interest. [13]

B. The Key Registration Requirement is Not an Unconstitutional Prior Restraint

A statute may violate the First Amendment if it imposes an unreasonable prior restraint on what constitutes speech, New York Times Co. v. United States, 403 U.S. 713 (1971) (invalidating an injunction issued against the New York Times for publishing sensitive information on the Vietnam War), or if it is substantially overbroad. Broadrick v. Oklahoma, 413 U.S. 601 (1973). The CCA suffers from neither of these infirmities. It regulates conduct, not speech, and its effect on speech is incidental. Furthermore, the statute is narrowly tailored to be as unintrusive as possible.

The Ninth Circuit has addressed the prior restraint issue in a case involving regulation of encryption. United States v. Elder, 579 F.2d 516 (9th Cir. 1978). In that case, the defendant challenged the constitutionality of the ITAR regulations, which prohibit the export of encryption technology without a license. This Court held that the regulations did not impose an unconstitutional prior restraint because they required receipt of a license, which is a regulation of conduct, not speech. Elder, 579 F.2d at 521. In reaching this conclusion, the Court relied on O'Brien, 391 U.S. 367.

This Court in O'Brien held that, when speech and non-speech elements are combined in a course of conduct, a sufficiently important government interest in regulating the non-speech element can justify imposing a burden on freedom of expression. O'Brien, 391 U.S. at 376. This Court laid out its test as follows:

we think it clear that a government regulation is sufficiently justified if it is within the constitutional power of the Government; if it furthers an important or substantial governmental interest; if the governmental interest is unrelated to the suppression of free expression; and if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest.
O'Brien, 391 U.S. at 377.

The CCA can easily meet this test. First, the CCA clearly furthers an important government interest, protecting domestic national security. Second, the government's interest is unrelated to suppression of free speech. The government does not ask to alter the status quo on wiretapping or provide new penalties for certain types of speech. It simply attempts to maintain its ability to monitor communications with a lawful search order.

Finally, the CCA is not overbroad because its effect on free speech is no greater than necessary to further its interest. The CCA is the least intrusive means available to achieve Congress's goal. It does not prohibit the use of any form of encryption. It does not regulate a broad range of encryption devices. It only requires the registration of the strongest forms of encryption. Under the CCA, the user of strong encryption may register the key with a government key escrow agency or with a private key escrow designate. Cryptography Control Act ß10(b)-(d). These measures are clearly necessary to effectuate Congress's important interest.[14]

C. The CCA does not Infringe on the Freedom of Assembly or the Right to Communicate Anonymously

Petitioner, relying upon this Court's holding in NAACP v. Alabama ex rel. Patterson, 357 U.S. 449 (1958) next argues that the CCA violates his right to freedom of assembly. At the outset, we note that Petitioner lacks standing to assert this right. The government in this case, based upon probable cause and two valid court orders (the Title III order and the search warrant) sought evidence not of Mr. Woodbury's membership in clubs or associations, but rather his unlawful narcotics activities.

Petitioner's claim appears to be as follows. Were members of organizations required to register high level encryption keys, it would be theoretically possible for the government to obtain a court order to view associational documents. This argument is without merit for various reasons. First, the CCA grants to the government no additional rights to observe, obtain or interfere with membership in organizations than exist under present law. It simply grants it the ability, having lawfully obtained a document or communication, to understand it.[15] If a court were to grant a wiretap order for such pure associational documents (similar to the membership lists in ]NAACP, supra) in the absence of probable cause, the proper remedy would be to attack the Title III order or search warrant on that basis. Additionally, the right to free association does not imply the absolute right to conceal from any possibility of government knowledge the membership in any organization. Were this the case, members of organized crime families would assert an absolute privilege against proof of such membership; membership in racketeer influenced corrupt organizations would be elevated to constitutionally protected status - and this Court held that requiring the NAACP to submit a membership list could subject its members to harassment and was therefore in violation of the freedom of assembly. This issue is also not presented in this case. The key registration requirement does not include with it any de facto requirement to disclose membership in any association, or any affiliation of any kind. Therefore, it has no effect on the freedom of association.

Furthermore, the CCA does not violate the right to communicate anonymously. As with all privacy rights, the right to communicate anonymously is qualified, and people do not have a right to communicate anonymously without any possibility of government intrusion. This Court recently addressed the right to anonymous speech in McIntyre v. Ohio Elections Commission, 115 S.Ct. 1511 (1995) (Holding that a state "antifraud" which prohibited the distribution of anonymous political pamphlet unconstitutionally burdened the right to anonymous political speech). The Court noted that an individual may wish to publish anonymously because of a fear of official reprisal, concern about social ostracism, or a desire to retain as much privacy as possible [emphasis added]. McIntyre, 115 S.Ct. at 1515 (citing Talley v. California, 362 U.S. 60, 64 (1960)).

The CCA is not a direct regulation of core political speech, which would subject it to the most "exacting scrutiny" in order to protect the free discourse of ideas. McIntyre, 115 S.Ct. at 1519. In addition, the CCA was enacted to protect critical national security interests, which are certainly more compelling than an attempt to prevent fraud. It does not regulate the content of communications, including the identity of the communicator. In order to view a communication, the government must receive judicial sanction and satisfy the key escrow agent, public or private, that the search order is valid. Therefore, the CCA does not violate the right to communicate anonymously. It only affects an expectation of communicating without any possibility of government interference, which has never been recognized in this country.

D. The CCA is Content Neutral, and Is Not Subject to Strict Scrutiny

In New York Times v. Sullivan, 376 U.S. 254, 269 (1965), this court stated that "The constitutional safeguard, we have said, 'was fashioned to assure unfettered interchange of ideas for the bringing about of political and social changes desired by the people.'" (citing Roth v. United States, 354 U.S. 476, 484 (1957)). With this statement, this Court affirmed the need to protect free expression of ideas, particularly those ideas which are not popular and therefore more susceptible to suppression. The government in this case fully appreciates and embraces this concept. It is fully acknowledged that content based restrictions on speech must be subject to the strictest scrutiny. However, this concern is not presented by this case.

The CCA requires all users of encryption with a key longer than 64 bits to register the key with a key escrow agency. Cryptography Control Act ß 10(a). It does not require political dissidents or felons to do so, while other users are free from restriction. It does not address the content of speech at all, but only places a mild restriction on the manner of speech.

Electronic communication has grown exponentially in the preceding decades. It is used by nearly every element of society in one form or another. Encryption appeals to users of electronic communication for many reasons, some legitimate and others illegal. Current and probable future users of cryptography include banks, which use encryption for electronic transfers and automated teller transactions, businesses, professionals, criminals, political dissidents, and individual users of electronic mail and facsimile devices. See A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Penn. L. Rev. 709, 719-729 (1995). Clearly, these uses encompass a broad range of types and purposes of speech. They are all regulated equally under the CCA.

In Buckley v. Valeo, 424 U.S. 1 (1976), this Court examined the constitutionality of the Federal Election Campaign Act. Specifically, this Court examined the constitutionality of a requirement that political candidates disclose the identity of campaign contributors to the Federal Election Commission. This Court held that, in order to survive First Amendment scrutiny, the government must show a "relevant correlation" or a "substantial relation" between the government's need and the information demanded. Buckley, 424 U.S. at 64.

The facts of Buckley are relatively similar to the facts of this case, but there are several crucial distinctions. In Buckley, the candidates were compelled to disclose information, including names and amounts of contributions. Under the CCA, users of strong encryption are required to register a key. The key itself contains no usable information. It is not a disclosure of ideas or statements. As such, the CCA does not compel speech and may not be subject to the Buckley test.

However, even if the CCA is subject to the Buckley test, it must surely pass. Congress passed the CCA because it believed that the widespread, unrestricted use of strong encryption would "pose a serious threat to the continued ability of law enforcement and national security agencies to make effective use of such tools" [communications over telecommunications networks and information stored in written and digital media]. Cryptography Control Act ß 1(b). In short, Congress believed that the unrestricted use of encryption would render law enforcement agencies nearly powerless. To rectify this threat, Congress imposed a key registration requirement, allowing law enforcement agencies to continue to monitor communications pursuant to a lawful search order. There is clearly a "substantial relation" between the information which the statute requires, the key to encryption devices, and the governmental need, protecting domestic national security.

E. Mandatory Key Registration Does Not Have a Chilling Effect on Free Speech

Petitioner next argues that the regulation of the use of high level encryption would have a "chilling effect" on constitutionally protected speech. In Ladue v. Gilleo, 114 S.Ct. 2038, 2046 (1994), this Court outlined the factors to be considered in determining whether or not a statute has an unconstitutional chilling effect on free speech. They are: 1) the extent to which speech is chilled; 2) the extent to which the effect of regulation falls unevenly on groups in society; 3) the availability of alternate channels of communication. When the CCA is analyzed using these factors, it becomes evident that it has little, if any, effect on free speech, and is not constitutionally infirm on these grounds.

The CCA does not give the government any power to intercept communications which it does not already have. Under Title III, 18 U.S.C. ß 3121-3123 and the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. 2510 et. Seq., the federal government has the authority to install secret wiretaps pursuant to a lawful search order. The CCA only allows the government to retain that ability. Hence, it does not chill speech any more than measures which are already in place.

Furthermore, as noted above, encryption is used by a wide range of individuals and entities within society. They do not represent a political viewpoint or a particular interest. Hence, the CCA does not fall unevenly on certain groups. People in this country have never had an unqualified right to speak without the government's hearing. There has never been an expectation that speech will not be heard under any circumstances. The CCA only maintains the status quo. In order to hold that this has an unconstitutionally chilling effect on free speech, this Court must implicitly adopt the view that the advances in electronic communication alter the nature of communication, not just its scope.

II. AN INDIVIDUAL DOES NOT HAVE A GENERAL RIGHT TO INFORMATIONAL PRIVACY WHICH CANNOT BE OVERCOME BY A SUFFICIENT GOVERNMENT INTEREST

The general right to privacy beyond the scope of the specific protections of the Constitution is an ambiguous concept which this Court has struggled with for decades. This Court has defined three major areas where individuals are entitled to privacy: 1) the right to be let alone; 2) the right to autonomous choice concerning intimate matters; 3) the right to autonomous choice concerning other personal matters. See Planned Parenthood of Southeast Pennsylvania v. Casey, 112 S.Ct. 1291 (1992). The second area does not concern us in this case. This Court has traditionally confined its decisions in this area to issues such as the right to have an abortion, Roe v. Wade, 410 U.S. 113 (1973) and the right to make other procreative decisions. Griswold v. Connecticut, 381 U.S. 479 (1965).

In Katz, 389 U.S. at 510-511, this Court noted that "the protection of a person's general right to privacy--his right to be let alone by other people is, like the protection of his property and of his very life, left largely to the law of the individual States." This clearly indicates a reluctance on the part of this Court to afford constitutional protections to issues of general privacy. The right to be left alone has never been well delineated.

The Government stipulates that individuals possess the constitutional right to privacy as well as the right to communicate by any means possible. Petitioner's contention, however, that the Constitution guarantees an absolute right of private communication stemming from the constitutional right to privacy, though intellectually attractive, has no basis in the Constitution or Supreme Court jurisprudence. This Court has recognized special zones of privacy involving the general right to be left alone and the narrower individual fundamental liberties involving intimate decisions and associations. [16] While the list of fundamental rights has not been definitively closed to expansion, this Court has indicated an unwillingness to find new penumbral, privacy-type fundamental rights. ]Compassion in Dying v. Washington, No. 94-35534, 1996 U.S. App. LEXIS 3944, at *161 (9th Cir. March 6, 1996).

However, in Whalen v. Roe, 429 U.S. 589 (1977), this Court did hold that individuals have some constitutional right to avoid disclosure of personal matters. In that case, this Court considered the constitutionality of a New York law which required doctors to keep records of patients who received dangerous prescription drugs and to disclose the names of those patients to state agencies. This Court applied a balancing test, weighing the interests of the individual against the state's interest and the effect of the statute. Whalen, 429 U.S. at 604. This Court concluded that the government had a legitimate need to collect the information, and that procedural safeguards were in place to prevent its misuse. As has been amply explained above, the same holds true of the CCA. The government has a compelling need to require registration of encryption keys longer than 64 bits, and the keys are to be held by escrow agents who cannot release the keys to law enforcement officials without certification of a valid court order. Therefore, the intrusion on informational privacy is as minimal as possible under the circumstances, and the statute should easily pass the Whalen test.

III. THE CCA DOES NOT VIOLATE THE FOURTH AMENDMENT

A. Registration of Encryption Keys is Not a Search

The key escrow requirement of the CCA is not a search. The key is not information by itself. It reveals nothing unless it is applied to communications which are encrypted with it. Enforcement agencies cannot gain access to the key or use it without a judicial order. The key becomes part of a search at that time, but that search is conducted with judicial sanction as required by Katz, 389 U.S. at 349. Furthermore, Katz may not even require prior authorization in a situation where national security interests are integrally involved, as in this case. Katz, 389 U.S. at 358 n23 (noting that the case did not present the issue of whether safeguards other than judicial sanction would suffice when national security interests were involved).

The key escrow requirement is simply a condition precedent for using a particular form of technology. Individuals do not have an expectation of privacy in the use of specific technology. The registration of a key is analogous to the registration of a gun or a car. The government has a valid interest in knowing who possesses potentially dangerous items, and that registration is not converted into a search unless there is a legitimate expectation of privacy. See United States v. Freed, 401 U.S. 601 (1971).

Key registration is also highly analogous to the government's use of pen registers, which this Court has found not to infringe on legitimate expectations of privacy. In a case involving a private communication between two parties, the Supreme Court held that the warrantless installation and use of a pen register by a telephone company at the behest of the police did not constitute a search under the Fourth Amendment. In Smith v. Maryland, 442 U.S. 735, 745-46 (1979), this Court held that non-content based information, the telephone numbers one dials, does not carry with it an expectation of privacy. Therefore, the government's acquisition of this information did not implicate the Fourth Amendment. This holding is consistent with Katz, 389 U.S. at 353, where this Court determined that the application of the Fourth Amendment depends on whether the person invoking its protection can claim a reasonable expectation of privacy. The key that must be registered with the government under the CCA provide even less content than the pen register revealed in Smith. It provides no information about any actual communication. Therefore, Petitioner and other registrants do not have a reasonable expectation of privacy in the escrowed key.

Petitioner also argues that the CCA infringes upon his expectation of privacy because there is no assurance that the government will not accidentally or inadvertently disclose his encryption key and this fear of possible disclosure creates an infringement on a legitimate expectation of privacy. Pet. Br. At 19, citing Whalen v. Roe, 429 U.S. 589 (1977); Sheets v. Salt Lake County, 45 F.3d 1383 (10th Cir. 1995). However, the statute provides numerous legal safeguards to the integrity and confidentiality of such encryption keys, establishes detailed procedures for the disclosure of such keys, and protects their confidentiality zealously. Moreover, Petitioner need not rely upon the good graces of the government to ensure the confidentiality of his encryption key. The statute offers him the option of registering his encryption key with any other third party, so long as that party is certified by the government.

B. Any Infringement on a Legitimate Privacy Interest is Reasonable

Congress enacted the CCA after determining that advances in encryption technology pose a serious threat to the continued ability of law enforcement and national security agencies to make effective use of such tools. CCA ß 1(b). Congress found that the inability of law enforcement agencies to keep up with the advances in encryption technology would pose an unacceptable risk to the domestic tranquillity and to the national security of the United States. Id. at 1(c). The advent of encryption technology increases the likelihood that individuals will be able to frustrate law enforcement attempts to decrypt their communications.

The CCA's requirement of mandatory escrow for users of keys in excess of 64 bits is the least intrusive means of providing the government with the ability to decrypt messages with valid legal justification. The CCA does not ban the use of any form of cryptography; it merely places a limited condition on the use of high level encryption. Because the key escrowed with the government can only be used pursuant to a lawful government order such as those provided in Title III, 18 U.S.C. ßß 3121-3123 (1988) [17], the CCA only impinges on the privacy interest of encryption users who seek to protect their communications from a lawful government search. Mandatory key escrow creates the same expectation of privacy that users of 64 bit and under keys are currently entitled to from unreasonable government intrusion. This requirement simply levels the playing field for all encryption users. As a result, the government will have the same capability to effectuate a Title III search warrant, regardless of the level of encryption technology.

The Supreme Court has consistently held that the government has a legitimate interest in executing a valid search warrant under Title III. In United States v. New York Telephone Company, 434 U.S. 159, 164 (1977), this Court held that a telephone company could be compelled to assist the government in the installation of pen registers.[18] This Court recognized that if the telephone company were to prohibit the government from enforcing a valid court order, this would frustrate Congress's intention to make the pen register a permissible law enforcement tool. ]Id. at 178. Under the All Writs Act, federal courts have the inherent authority to issue and enforce search warrants. Id. at 176-78. By enacting the CCA, Congress seeks to preserve the government's ability to carry out a valid search warrant.

Furthermore, Congress could prohibit the use of strong encryption. It poses a direct threat to law enforcement and national security. Courts have upheld statutes prohibiting the use of dangerous articles of commerce. See United States v. Callahan, 669 F.2d 923 (4th Cir. 1992) (upholding a state statute which banned the possession and use of flashpaper). A registration requirement is certainly a less intrusive means of addressing the problem than outright prohibition. Therefore, the registration requirement is reasonable under the circumstances even if it does impact on some legitimate privacy expectation.

C. If the Key Registration Requirement is a Search, It is a Regulatory Search

Even if the key escrow requirement is a search for Fourth Amendment purposes, it is a regulatory search which does not require a warrant under National Treasury Employees Union v. Von Raab, 489 U.S. 656 (1989). In Von Raab, the United States Customs Service required its field employees to submit to drug screening without any suspicion of drug use. This Court upheld the requirement, balancing the individual's privacy interest against the special needs of the government to assure that its field employees were drug free. Von Raab, 489 U.S. at 666.

Von Raab is applicable to all routinized disclosure requirements, not just situations where the government is the employer. This Court notes at the outset of the opinion that the government's position as employer does not exempt it from the reasonableness standard of the Fourth Amendment. Von Raab, 489 U.S. at 665 (citing O'Connor v. Ortega, 480 U.S. 709, 717 (1989)). However, this Court went on to state that "neither a warrant nor probable cause, nor, indeed, any measure of individualized suspicion, is an indispensable component of reasonableness in every circumstance." Von Raab, 489 U.S. at 665.

In Von Raab, this Court relied on the fact that the search was not made for routine law enforcement purposes, but rather to prevent the development of hidden conditions which could pose a serious threat. Von Raab, 489 U.S. at 668. The Customs Service could not use the results of the drug tests for criminal prosecution without consent of the party tested, so its purpose was clearly to prevent the development of hidden conditions rather than provide for criminal prosecution. The same is true of the CCA. The government may not use the key without a court order requiring its use from the escrow agency. Therefore, its purpose is to prevent the widespread use of strong encryption by criminals without the possibility of search. Its purpose is not to aid in the prosecution of anyone absent probable cause obtained on other grounds.

This Court in Von Raab makes one other key point. This Court noted that requiring a warrant would add very little to the individual's right to privacy. Von Raab, 489 U.S. at 667. The government could require the drug test without any individualized grounds. Therefore, notice of grounds or independent analysis of grounds by a magistrate was essentially pointless. The same is true in this case. A warrant requirement would simply notify the user that he was required to register a key to prevent widespread, uncontrollable use of strong encryption. It would not give him any reasons why he was suspected of criminal activity because he is not suspected of criminal activity. The government merely seeks to apply the registration requirement universally because it is impracticable to determine ex ante who has criminal intent and require key registration from only those people. Therefore, a warrant requiring the registration of the key would only waste resources, since the individual would learn nothing from it.[19]

Petitioner next claims that the statute is unconstitutional because it limits "the means by which a person may ]attempt to establish a legitimate expectation of privacy" Pet. Br. At 26 (emphasis added). This phrase exemplifies Petitioner's true desire here - to create an absolute right of privacy where none exists. The government does not challenge Petitioner's expectation of privacy in the encrypted communications. However, this expectation of privacy while legitimate, is not absolute. The key registration does not allow the government to enter the home or to peer into the user's windows. It simply allows the government to have the potential to monitor the user's communications over public or semi-public communications networks upon a showing of probable cause.

IV. THE CCA'S KEY REGISTRATION REQUIREMENT DOES NOT VIOLATE THE FIFTH AMENDMENT RIGHT AGAINST SELF INCRIMINATION

In the case below, the Petitioner contended that the mandatory registration of an encryption key resembled the mandatory production of a private paper and that it required an individual to effectively give testimony against himself, both in violation of the Fifth Amendment. Petitioner's first claim was based on Boyd v. United States, 116 U.S. 616 (1886) (holding that a man's private papers are his dearest possession and that compelled production of that property was unconstitutional under the Fifth Amendment). It is debatable whether an encryption key even resembles a private paper so as to afford it protection under Boyd. However, even if an encryption key does resemble a private paper, this Court of Appeals for the Thirteenth Circuit correctly concluded that Boyd has been effectively undermined by succeeding Court decisions.

In Braswell v. United States, 487 U.S. 99, 109-10 (1988), this Court held that a corporation cannot claim Fifth Amendment privilege, nor can an individual with regard to corporate papers, even if the individual created and possesses the papers. In Shapiro v. United States, 335 U.S. 1 (1948), this Court held that records required to be kept for legal or regulatory purposes are not privileged under the Fifth Amendment. In United States v. Doe, 465 U.S. 605 (1984), this Court held that, where the creation of business records was voluntary, no compulsion is present when such documents are subpoenaed and the Fifth Amendment does not protect the contents of the documents. These and several other related holdings make it clear that Boyd's protection of private papers effectively no longer exists. [20]

Petitioner also contends that the CCA's key registration requirement forces him to give testimony against himself in violation of the Fifth Amendment. This claim is similarly without merit because the production of the key is not testimonial, nor is it self incriminating. In Fisher v. United States, 425 U.S. 391 (1976), this Court held that the Fifth amendment cannot be used as a shield for personal privacy to prevent acquisition of evidence which does not involve compelled testimonial self incrimination. This Court has consistently held that certain types of disclosures are not testimonial and do not qualify for Fifth Amendment protection. Gilbert v. California, 388 U.S. 263 (1967) (holding that a handwriting sample is not testimonial). The encryption key required by the CCA is also not testimonial. It provides no information about the user, his thoughts, his actions, or the contents of any document which he might later encrypt.

This situation is analogous to the issue addressed by this Court in Doe v. United States, 487 U.S. 201 (1988). In Doe, the government sought to obtain bank records controlled by "John Doe", the target of a federal grand jury investigation. Under the law of the Cayman Islands and Bermuda, where the bank was located, the government could only obtain these records with Doe's consent. The government unsuccessfully sought an order from a federal district court requiring Doe to execute the consent forms. The Supreme Court, however, rejected a Fifth Amendment challenge to the proposed order holding that the execution of the consent forms was non-testimonial. This Court based its decision on the fact that the form did not make reference to specific accounts but only authorized the disclosure of accounts, if any, Doe may have in the foreign banks. "By signing the form, Doe makes no statement, explicit or implicit regarding the existence of a foreign bank account." Doe, 487 U.S. at 222. Significantly, this Court noted that any records obtained from the bank would not fall within the scope of Doe's Fifth Amendment privilege. The CCA's mandatory key escrow is similar to the consent form in Doe. Registration of the key, like the consent form, does not make statement regarding the existence of encrypted communications much less inform the government as to individual communications or information the user has encrypted. It follows then that information obtained by the government pursuant to a valid court order, like the records obtained from the bank, would not be within the scope of Petitioner's Fifth Amendment privilege.

The encryption key can only become self incriminating if future acts by the user subject him to criminal investigation. This Court addressed this issue in Freed, 401 U.S. at 606-607. In Freed, the Supreme Court upheld a National Firearms Act registration requirement against a Fifth Amendment claim that the information disclosed by registering might be used against the defendant if he committed an offense with a firearm in the future. 401 U.S. at 606. This Court stated that such a concern "assumes the existence of a periphery of the Self- Incrimination Clause which protects a person against incrimination not only against past or present transgressions but which supplies insulation for a career of crime about to be launched. We cannot give the self-incrimination Clause such an expansive interpretation." Id. This leads to the conclusion that, if a user of registered encryption later subjects himself to criminal investigation and the escrowed key is used to decrypt information pursuant to a valid court order, the original registration of the key will not become testimonial or self incriminating as a result.

Furthermore, the registrant is not required to provide a chain in the government's evidence against him by providing the key. If there were not a registration scheme, the government could compel the release of a key from a defendant at trial. The fact that the defendant owned the key could be used as evidence, so the key release would have to be immunized. The same immunity applies to the CCA. It is express in other statutes, such as the National Firearms Act, but it is implied in the CCA. However, the mere fact that the immunity is implied does not render the statute constitutionally infirm.

CONCLUSION

The Cryptography Control Act of 1995 is a constitutionally valid regulation of new technology. It does not violate the First, Fourth, or Fifth Amendments, nor does it unduly infringe upon a general right to informational privacy. For these reasons, the judgment of the United States Court of Appeals for the Thirteenth Circuit should by upheld.


Footnotes

1. A copy of the statute is attached as Appendix A.

2. Encryption devices convert plain text messages into illegible gibberish. The sender encodes the message using an algorithm which assigns codes to blocks of information. The sender also uses a key to encrypt the information. The message cannot be decrypted, or unscrambled, without the key. The bit length of the key determines how secure the transmission will be. The number of possible outcomes increases exponentially with each bit of key length, thereby decreasing the possibility of decryption by a party who does not possess the key. See William Stallings, Practical Cryptography for Internetworks 1-4 (1996) [hereinafter Stallings].

3. The Internet is a system of interconnected computer sites. A site= is a database or other depository of information. Each site is independent of every other site. The Internet is accessed by individuals using a telephone modem and relatively inexpensive communications software. By accessing the Internet, individual users can communicate with anyone in the world who also has access. Users can also utilize electronic mail, upload and download files, and subscribe to various services. Currently, at least three million people have access to the Internet, with some estimates ranging as high as twenty million. See George P. Long, III, Who Are You: Identity and Anonymity in Cyberspace, 55 U. Pitt. L. Rev. 1177, 1180-1184 (1994).

4. IDEA is a public key encryption device, which differs from conventional encryption, such as the United States government's Data Encryption Standard (DES). Conventional encryption devices have one key. Each party must have a copy of that key before communication can take place. Public key systems use multiple related keys. Each user has a private key, which they keep, and a public key which is readily accessible to the public. The sender may encrypt a message using the recipient's public key. It can then only be deciphered by the recipient's private key. This technique allows individuals to communicate secretly without previously exchanging keys. Encrypted messages can be sent to anyone with a public key by any sender, who may also choose to remain anonymous, which is a practical impossibility with conventional encryption. Stallings at 4-14.

5. A simple form of encryption, used in the times of Julius Caesar was called transposition, where each letter of the alphabet is transposed by a certain number of letters. If, for example, this number was one, then the letter A would be B, B would be C, and so on. A message HELP would be encrypted to read IFMQ. With knowledge of the appropriate transposition formula, the message can be deciphered. However, such a transposition scheme is subject to straightforward attack, either by "brute force" guessing of every possible transposition key, or, as in the case of Edgar Allan Poe's "The Purloined Letter," by determining the relative frequency at which certain letters appear in any particular language, and comparing these frequencies to the frequency of the ciphertext characters. Edgar A. Poe, The Purloined Letter, in The Complete Tales and Poems of Edgar Allan Poe 42, 62-67 (1938)

6. Indeed, it is no understatement to observe that the ability of the United States to decipher the so-called Enigma code used by the Germans in World War II, and the equivalent codes used by the Japanese led in no small measure the victory of the Allied forces. Similarly, the fact that the Germans, Japanese and other Axis powers lacked the ability to decipher U.S. and other Allied codes served to protect the lives of Americans fighting abroad. See Allan R. Millett & Peter Maslowski, For the Common Defense: A Military History of the United States, 414 (1984).

7. See International Traffic in Arms Regulations, 22 C.F.R 121-130 (1977) (requiring a license for all items placed on the United States Munitions List and all technical data which is directly and significantly related to them, including encryption technology)

8. A distinction should be made between deciphering a message and decrypting it in real time. If an individual encrypted message is intercepted, and banks upon banks of high speed supercomputers were dedicated to the task of deciphering the individual message, it might be theoretically possible to decipher a single message encrypted with high level encryption in a matter of only a few years. However, even this capacity defeats the governments ability to decrypt messages in anything approaching "real time."

9. The same technology which may be used to encrypt messages in transit may be used to encrypt files stored in electronic form. Thus, high level encryption may frustrate not only wiretap orders, but also subpoenas, search warrants, and demands for production of documents.

10. Petitioner makes much of the fact that there has been no underlying conviction for the substantive narcotics offense. Indeed, the inability of the government to obtain evidence to support such a prosecution, despite a lawful search and seizure, was directly due to Petitioner's violation of the CCA. It is precisely this type of frustration of legitimate governmental authority the CCA was attempting to prevent.

11. In that regard, Petitioner relies upon Fed. R. Evid. 801(a) defining "statement" as an oral or written assertion, or nonverbal conduct if intended by a person as an assertion for the contention that key registration constitutes a "statement' and therefore protected speech. However, the language, structure, history and caselaw supporting this evidentiary rule makes clear that non-verbal expressive conduct must intend to be, and actually be communicative in nature: e.g., head shrugs nods, etc. As this Court of Appeals correctly observed, compliance with a regulatory requirement is not speech.

12. Petitioner asserts that the vehicle analogy made by the Court of Appeals was not apt because there is no constitutional right to drive a car, while there is a constitutional right to speech. However, the CCA does not regulate speech -- merely the use of encryption technology to communicate. There is no constitutional right to communicate in any manner one desires and various government agencies routinely regulate both the manner and content of speech -- even pure speech (e.g., FCC regulates speech over airways, FTC regulates forms of commercial speech, FDA regulates health and safety claims.) Moreover, despite the fact that the Second Amendment guarantees the right to bear arms in support of a well regulated militia, courts have found no constitutional infirmity in predicating the exercise of that constitutional right on a prior registration. See United States v. Elder, 579 F.2d 516 (1978).

13. Petitioner next argues that the statue is not narrowly tailored because it applies to every person in the country who chooses to use cryptography, regardless of whether the Government even has reason to suspect that person is using cryptography to commit a crime. Pet. Br. At 7. It is precisely for this reason that the statute is content neutral. It applies to all those who choose to use high level encryption, for good or for evil, just as firearms registration does not distinguish among those who use the firearms for malicious purposes, for good purposes, or not at all, and vehicle registration does not distinguish among those who use their vehicles in furtherance of criminal activity. It is simply a registration scheme.

14. The Department of Justice credits information obtained through legal wiretaps for over 20,000 felony convictions since the early 1980's. Senate Subcommittee on Technology and the Law, Hearing on the Administration's Key Escrow Encryption Standard, May 3, 1994. Without key escrow, Congress has found that there is a substantial risk that such results will be impossible in the future. See Cryptography Control Act 1.

15. Petitioner correctly observes that many individuals and organizations may wish to encrypt communications to prevent government observation or interference, with no desire to promote unlawful activity. For example, Petitioner notes, attorneys may encrypted privileged communications to protect their confidentiality. See Trammel v. United States, 445 U.S. 40, 51 (1980). As this court observed in Trammel, however, privileges are not absolute, and may fall in the face of a compelling government showing. Accord, Nixon v. United States 418 U.S. 683 (1974). If this court accepts Petitioner's argument, any individual could effectively convert a qualified privilege (or an invalid claim of privilege) into an absolute privilege through the use of technology. The CCA simply grants the government the ability -- in the face of a valid court order for the interception or seizure of a communication or file -- to understand the lawfully seized materials. It has no impact whatsoever on the ability or authority of anyone to assert a privilege, or upon the obligation of the government to respect such privileges.

16. The government agrees with the Thirteenth Circuit's conclusion that Petitioner's claim rests with the former of these privacy rights rather than the latter's privacy implications of marriage, procreation, contraception, family relationships, and child rearing and education.

17. In fact, the Department of Justice has elaborate procedures in place for agents who wish to obtain a key from an escrow agent. Among other things, the agents must receive a court order containing provisions for after the fact minimization, obtain detailed certification of this Court order and the requesting agency, and submit the certification to the escrow agency, which may not release the information until it has determined that the key will only be used in connection with the lawful search. The Department of Justice has also assumed oversight responsibility to assure that all procedures are adhered to in all cases. Department of Justice Authorization Procedures for Release of Encryption Key in Connection With Title III Searches, 1994.

18. The authority of the District Court to direct the telephone company to assist in the installation of the pen registers was derived from the All Writs Act. This is because the District Court ruled that pen registers are not governed by the proscriptions of Title III because they are not devices used to intercept oral communications. New York Telephone, 434 U.S. at 163.

19. Petitioner also argues that, under the Fourth Amendment, it would be improper to prosecute those who have encrypted files prior to the effective date of the statute since such individuals would have a legitimate expectation of privacy in such lawfully encrypted files. This Court need not address this issue since it was not presented below. However, if a file were encrypted prior to the effective date of the statute, and no further action were taken with respect to the file, such a prosecution would probably be prohibited by the ex post facto clause. If, however, a prior encrypted file were transmitted after the effective date of the statute, this would constitute an offense.

20. See United States v. Doe, 465 U.S. 605, 618 (1984) (O'Connor, J., concurring) (stating that "the Fifth Amendment provides absolutely no protection for the contents of private papers of any kind.").