Is Encryption Protected by the First Amendment?
by Wendy M. Grossman Thursday, May 27, 1999
Wendy M. Grossman is the author of net.wars, which is online for free.
On May 10, a federal appeals court ruled that limiting the export of cryptographic software under the International Traffic in Arms Regulations (ITAR) violates the First Amendment. If the government does not now appeal and demand a stay on this ruling, anyone based in California, Washington or Oregon should soon be able to export cryptographic source code.
This is a big deal. Cryptography is one of the most important technologies for both guarding individual privacy and providing security and authentication as we transmit more and more confidential data over the public Internet. Until recently, however, only governments had sufficiently big computing iron to use strong cryptography. Perhaps reminiscent of the fact that intercepting German communications was one of the key developments that enabled the Allies to win World War II, cryptography was put on the list of "munitions" whose export from the U.S. was strongly regulated under the ITAR.
Now, however, we are in a networked world, and in these times of burgeoning peace, strong cryptography is needed for more than fighting wars. The crypto experts no longer all work for the National Security Agency, and the challenges to the old policies are numerous.
Both sides of the pond
The recently upheld ruling is one of those. The case goes back to 1995, when then-graduate student Daniel Bernstein wanted to publish on the Internet for the scrutiny of the cryptographic community the results of his research into cryptography: a paper, an algorithm called "Snuffle" and a software program using the algorithm. Unable to get permission, Bernstein, with the support of the Electronic Frontier Foundation, sued the Department of Justice and 11 named officials, claiming that the regulations amounted to prior restraint and a violation of his First Amendment rights. He won in court at the end of 1997.
The appellate decision shows how well the judges understand the issues: "The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost. Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. Viewed from this perspective, the government's efforts to retard progress in cryptography may implicate the Fourth Amendment ... ."
In Britain, where the government announced its intention to embed cryptography policy in its pending electronic commerce bill, law enforcement has trotted out the same, tired threats (what physicist and cypherpunk Timothy C. May used to call "The Four Horsemen of the Infocalypse") for limiting crypto. Civil libertarians, privacy advocates, business and technical experts have all lined up on the other side from the government.
But, of course, Britain has no written constitution and no Bill of Rights. The last few years have seen the promulgation of the mantra that if you have nothing to fear, you have nothing to hide. (A logic that has fuelled the mass deployment of closed-circuit TV cameras "for security.") So why would cryptography matter?
Of course, the British government misses the point. The assumption that if you value your privacy you should be willing to live your life under full scrutiny completely upends the presumption of innocence on which both U.S. and British judicial systems are based.
A year of change?
The Bernstein ruling comes midway through what is turning into the year of cryptography policy change. In early January, France, previously one of the most restrictive countries, did an about-face and announced it would drop all crypto regulations as fast as it could -- and in the meantime was raising the limit to 128-bit keys (the rest would have to await parliamentary legislation).
In March, Britain announced that although it still wanted input from the technology industry regarding ways to crack encrypted data and snoop on citizens when a court order allowed, it was dropping the idea of key escrow. The question is whether the United States government will follow suit and accept that it is fighting a losing battle and change tactics.
Certainly, the software industry would welcome deregulation, as it would mean developing a single worldwide product for such applications as Lotus Notes (where cryptography protects confidential business data) and Netscape (where crypto protects customer information such as credit-card details in transit). This would run counter to what the intelligence services have been arguing for years -- that free cryptography only serves to protect the dark deeds of child pornographers, terrorists, drug dealers and organized crime -- but it also would reflect the reality of the digital age.
The fact is that, in general, we have allowed the intelligence services to hijack the discussion about cryptography. Yes, criminals might use it to cloak their activities. But there are many more instances where the intelligent deployment of cryptography would protect consumers from fraud. Take, for example, the instance where 20,000 customers' credit-card numbers were copied off Netcom's system and circulated; while the file should not have been accessible from the Net, had it been encrypted it would not have been readable by anyone who did hack into it successfully.
Or what about analog cellular phones? The use of cryptography to scramble those conversations would make it irrelevant that someone with a scanner could pick up private conversations. Just think: We would not now know Prince Charles' sexual ambitions. Would that be much of a loss?