CFP96 Plenary Session

Before the Court: Majority Opinion of the Shadow Panel

No. 95-3213

CHARLES F. WOODBURY, PETITIONER
v. UNITED STATES OF AMERICA, RESPONDENT

ON APPEAL FROM THE UNITED STATES COURT OF APPEALS FOR THE THIRTEENTH CIRCUIT

Argued March 28, 1996 -- Decided March 29, 1996.

McMorrow, J. and O'Rourke, J. delivered the opinion for the Court; Nesson, J. filed a concurring opinion.

Petitioner was convicted of unauthorized use of encrypted documents in violation of the Cryptography Control Act of 1995 [the "Act"]. The United States Court of Appeals for the Thirteenth Circuit affirmed his conviction and upheld the constitutionality of the Act. We reverse.

I.

Cryptography is the process by which a series of codes or "ciphers" are attached to a document to prevent it from being read by any person other than one who has the "key" to the code. Early use of encryption, while complex, was sufficiently simple that those wishing to "break" the code could do so with considerable effort. Recent technological advances have resulted in highly complex encryption codes, including codes that have in excess of 64 "bits."[1] Codes in excess of 64 bits are essentially impossible to decode without the key.

Congress passed the Cryptography Control Act of 1995 based on the following findings:

It is the findings of the Congress that: (a) the acquisition and interpretation of oral, written, and data communications.... are tools which have been historically used for domestic law enforcement and national security purposes, and, whether transmitted or not, affect national and global communications and therefore interstate and foreign commerce; (b) that advances in encryption technology pose a serious threat to the continued ability of law enforcement and national security agencies to make effective use of such tools; and (c) that the inability of such agencies to use such tools in the future would pose an unacceptable risk to the domestic tranquillity and to the national security of the United States.

In light of these findings, Congress passed four criminal prohibitions, imposing criminal sentences and fines on anyone who knowingly encodes information having a key in excess of 64 bits and who fails to register "with an authorized key escrow agency."[2] Section 10(b) imposes criminal sanctions of up to 5 years imprisonment, a fine of not more than $250,000, or both, to "[w]hoever knowingly and intentionally possesses, maintains, transmits, distributes, uses, or controls information which has been encoded using an encryption technique...in excess of 64 bits and which key has not been registered with an authorized key escrow agency or designate...."[3] Section 10(c) imposes up to 10 years and $500,000 fine, or both, to "[w]hoever knowingly and intentionally manufactures, creates, designs, distributes, sells, transmits, or possesses with the intent to distribute, sell or transmit" any encryption technique without registration. Section 10(d) reaches anyone who "knowingly and intentionally distributes, sells, or transmits, outside of the boundaries of the United States" or possesses with the intent to engage in those acts without registration.

Petitioner Woodbury was one of the first individuals prosecuted under the new law. In March 1995 a reliable police informant reported that Woodbury was involved in the distribution of controlled substances via the Internet. State police, with the assistance of the Drug Enforcement Administration (DEA), obtained a valid federal wiretap authorization. The DEA installed wiretaps on the two lines at Woodbury's home. Line one was used primarily for voice communications and was intercepted using the standard procedures. The wiretap on line two, however, encountered difficulties because a significant portion of the messages Woodbury sent and received by electronic mail were encrypted with "Cypherpunks Labs Automated Messenger 3.01" (CLAM), an encryption program widely available throughout the world via the Internet. Based in part on information derived from surveillance of the voice telephone line, and in part on evidence of the violation of the CCA observed from the surveillance of line two, the police obtained a federal warrant to search Woodbury's home. The agents seized Woodbury's computer and confirmed the presence of files encrypted with CLAM. A DEA expert testified that these files were formatted in a manner "consistent with the practices of a controlled substances distributor." Based in part on equivocal evidence from the search, Woodbury was indicted for conspiracy to distribute drugs and for violation of the CCA. The District Court rejected Woodbury's constitutional challenge to the CCA and found that probable cause had existed to issue the warrant. The case proceeded to trial, where Woodbury was acquitted of the drug charges, but convicted on the CCA charge. The trial judge sentenced him to five years imprisonment.

The United States Court of Appeals for the Thirteenth Circuit affirmed Woodbury's conviction and rejected his Constitutional challenges. In relevant portions, the Court of Appeals concluded that neither the First nor the Fourth nor the Fifth amendments prohibited the registration requirement contained in the CCA, nor did the statutory scheme violate his constitutional right to privacy.

II.
A.
As stated in the CCA, Congress has a legitimate and compelling interest in effective law enforcement, at least to the extent that it intersects with an enumerated power. That interest, however, does not justify all means of law enforcement. The government not only must exercise its power pursuant to one of the enumerated powers granted by the Constitution, but must also comply with the limitations of granted power in the Constitution as well.

The concept of privacy is an important constitutional value that is implicated in many specific constitutional provisions. For purposes of Fourth Amendment analysis, a search begins when the Government first interferes with an individual's legitimate expectation of privacy. _Maryland v. Macon_, 472 U.S. 463, 469 (1985); _United States v. Jacobsen_, 466 U.S. 109, 113 (1984). The First Amendment protection from government intrusion on speech includes a recognition of the importance of private activity within the confines of one's home. _Stanley v. Georgia_, 394 U.S. 557 (1969). The Ninth Amendment, although not the express basis of a constitutional right to privacy, implicates the values behind the notion of privacy when it states that "[t]he enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people."

The traditional jurisprudence of the First and Fourth Amendments does not fit squarely, however, into the challenges posed by encryption. Froomkin, _The Metaphor is the Key: Cryptography, The Clipper Chip, and the Constitution_, 143 U. PENN. L. REV. 709, 810 (1995). In this case we need not rely on the specific jurisprudence of the First and Fourth Amendment because this case is better grounded directly in the underlying value at issue.

B.
The application of traditional doctrine to new technologies is a not unfamiliar problem to this Court and we have refined Constitutional doctrines to meet changing conditions. _See, e.g., Katz v. United States_, 389 U.S. 347 (1967). In rare circumstances we have recognized a constitutionally protected "zone of privacy." _Roe v. Wade_, 410 U.S. at 152-53; _Whalen v. Roe_, 429 U.S. at 598. This zone of privacy has implicated at least three different kinds of interests: the right to be left alone, the right to independence in making decisions in certain kinds of intimate matters, and the right to control information concerning personal matters. _Whalen_, 429 U.S. at 599-600; _Griswold v. Connecticut_, 381 U.S. 479, 499-500 (1965) (Harlan, J. concurring). See also Froomkin, 143 U. Penn. L. Rev. at 838. The CCA, as written, violates Petitioner's legitimate expectations of privacy in the right to be left alone.

Unlike burglary tools and possession of nuclear weapons, encryption codes are devices that individuals may seek to use to protect proprietary information, personal information, confidential attorney-client communications, or just to gossip.[4] Individuals may seek encryption to prevent a third party from accessing personal data from the Internet. Instances of high profile private "hackers" have been well-publicized. Such private party "hackers" may proceed merely for the thrill of breaking into someone else's computer, or possibly to seek private information about groups or causes with which the "hacker" disagrees.

Consequently, we begin with the premise that encryption is not a device designed for the primary purpose of aiding individuals in unlawful activities. That encryption codes may incidentally be used by individuals seeking to commit crimes does not make their use inherently suspect. Nor, as the government implies, does a desire to not register with the government flow only from those who wish to hide unlawful activity.

Never before has this Court faced a statute that imposed a universal requirement that a person carry on communication in a manner that would facilitate the government's ability to overhear that conversation if the government otherwise has a lawful warrant. The use of metaphors and analogies in this context is necessarily incomplete, but nonetheless helpful. Encryption is better analogized to the concept of a private walk on a beach or a private conversation behind closed doors. While the government might legitimately impose time, place and manner restrictions on such conversations, for example by prohibiting walks on public beaches from midnight to 6 a.m., the government could not require individuals to disclose their intent to hold such private conversations.

Undoubtedly the zone of privacy is not unlimited and we have recognized many instances in which the government's interest outweighs a reasonable expectation of privacy. The need for a closer inquiry in this case is triggered by two factors. First, as noted above, this statute implicates important privacy interests by compelling all users of complex encryption codes to disclose the key to the government. Second, the statute reaches into the privacy of an individual's home.[5] In such circumstances, a statute will be valid only if the government demonstrates that it has crafted a statute that is narrowly tailored to minimize the invasion of the protected interests and that it has chosen the least restrictive means available to achieve its interests. The government has not sustained its burden in this case.

"A statute is narrowly tailored if it targets and eliminates no more than the exact source of the 'evil' it seeks to remedy." _Frisby v. Schultz_, 487 U.S. 474, 485 (1988). The record in this case is conspicuously absent in establishing that the statute is narrowly tailored. In its effort to reach, we infer, anyone who knowingly has any contact with encrypted messages, the statute sweeps too broadly. The mere fact of knowingly receiving an encrypted message meant that Petitioner had possessed forbidden material and was subject to 5 years imprisonment. Mere possession, without actual transmittal, triggers a statutory violation.[6] Arguably, receiving a message for which one does not have the key triggers a violation of the Act.

Unlike general registration statutes, such as Selective Service or gun registration requirements, the Cryptography Control Act raises particularly troublesome issues because it compels the registration of the "key," which gives anyone with access to the key the ability to access the contents of communications. Unlike simply registering a physical item, or an individual's location, the encryption code is more analogous to the government compelling the registration of the key to a diary. That encryption code, if used by the government, unlocks and enters into a traditionally private domain of protected activity. We cannot ignore this additional element.

The government has also failed to demonstrate that it has established the least restrictive and intrusive means, which includes assuring that the government has taken all reasonable efforts to protect the legitimate privacy interests of those compelled to register a key. Unlike the detailed security scheme described in _Whalen_, in this case Congress provides only that registration be made with "an authorized key escrow agency or designate...." The statute provides that rules are to be promulgated by the Attorney General, and that the information registered would only be released to the FBI, DEA, or other police and intelligence services upon presentation of a warrant or other lawful order. (CA p.2) The statute provides no structural assurance of a check and balance in which a neutral party is establishing the security measures and rules for disclosure. The statute is notoriously silent about security measures required for the key escrow agency. It provides no fail-safe methods to assure that unauthorized disclosure does not occur, and, unlike _Whalen_, provides no criminal penalties for unlawful disclosure of the information. _Cf. Whalen v. Roe_, 429 U.S. at 595 (protecting medical records). There is no provision to prevent interception of the key itself by private parties. The statute provides no provisions to protect the legitimate expectation of privacy that a depositor would have in this personal information held by the government.

As we recognized in _Whalen_, "[w]e are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks, or other massive government files." _Whalen v. Roe_ 429 U.S. at 605. The concomitant duty to proceed with measured caution and to avoid unwarranted disclosures has not been met here. This duty has its roots in the Constitution, a document intended not only to grant government power but to limit it as well.

We do not suggest that there is an absolute right of privacy to use one's computer in any manner one wishes. Nor do we hold that the government could never regulate encryption codes. We hold simply that under the statute at issue here the government has not fulfilled its burden.

Reversed.

Notes

1 A bit is a single digit

2 Section 10(a) prohibits "knowingly" encoding, while sections (b) - (d) prohibit "knowingly and intentionally" engaging in the prohibited acts. It is unclear what Congress intended by the use of this additional language.

3 Section 10(a) limits reporting to the "escrow agency" while sections (b) and (c) provide for reporting to a "key escrow agency or designate." Section (d) combines these terms to require registration with "an authorized key escrow agency designate." It is unclear what Congress intended by this variable use.

4 Consequently, this case does not invoke the regulatory power of the government to develop regulations for hazardous activities, regulated industries, or control over activities of those who have waived privacy through prior criminal activity.

5 As the dissent in the United States Court of Appeals asserted, the mere fact of encryption does not trigger a reasonable expectation of privacy.

6 We do not reach whether prosecution in that circumstance would raise a question under _United States v. Lopez_, 115 S.Ct. 1624 (1995).




Last updated May 27, 1996
cfp96@mit.edu