← Back to Blog

The Crypto Wars: When the US Tried to Control Encryption, and Lost

The Crypto Wars: When the US Tried to Control Encryption, and Lost

In the 1990s the United States government treated strong encryption roughly the way it treated fighter jets and cluster munitions: as a weapon that could not leave the country without an export license. The decade that followed was a running argument, fought in press releases, academic papers, printed books, and federal courtrooms, over a deceptively simple question. Is a piece of software the same kind of thing as a gun, or is it closer to a pamphlet? By the time the argument ran out, the government had lost the central point, and the encryption that now guards your bank login and your text messages had become ordinary and legal to share. This is how that happened.

The Clipper chip and the spare key

On April 16, 1993, the Clinton White House announced the Clipper chip, a hardware encryption device meant to secure telephone calls while guaranteeing that law enforcement, with the right authorisation, could still listen in (Clinton White House archive). The design put the government on both sides of the lock. Each chip encrypted calls with a classified cipher and also stored a copy of what amounted to a spare key, held by the government in a scheme called key escrow. The idea was that citizens would get real encryption while the state kept a way in, opened only with a court's blessing.

The cipher inside was Skipjack, an NSA-designed symmetric block cipher with an 80-bit key and a 64-bit block. It stayed classified for years and was not declassified until June 1998, at which point cryptographers Eli Biham and Adi Shamir published an attack on reduced-round versions within a day (Wikipedia). NIST turned the whole approach into an official government standard, the Escrowed Encryption Standard, published as FIPS 185 in February 1994 (Clinton White House archive). On paper the government had squared the circle. In practice the design had a hole in it.

The 16-bit hole

The escrow scheme depended on a piece of data each Clipper device broadcast alongside the encrypted call, a 128-bit Law Enforcement Access Field, or LEAF, that carried the escrowed key information the government would need to decrypt the conversation. The catch was that the LEAF was protected by only a 16-bit checksum (Wikipedia). That number turned out to matter enormously.

In November 1994, AT&T researcher Matt Blaze presented a paper titled "Protocol Failure in the Escrowed Encryption Standard" at the second ACM Conference on Computer and Communications Security (ACM Digital Library). Because the value guarding the LEAF was only 16 bits wide, an attacker could search the roughly 65,000 possibilities (that is 2 to the 16th power) and find a bogus field that still passed as valid. Two Clipper devices would then talk to each other normally, the call would be encrypted, but the LEAF would be garbage and the government's spare key would open nothing. Put plainly, you could use a Clipper phone and quietly defeat the one feature that was supposed to justify it.

The flaw was public well before the formal paper appeared. John Markoff reported it in The New York Times in June 1994, and NIST issued a statement that same month acknowledging the problem while arguing it did not defeat lawful telephone wiretaps in ordinary use (NIST). The technical rebuttal hardly mattered. The credibility of a system built on a government spare key had been holed by a graduate-level search over 65,000 numbers. By 1996 the Clipper chip was effectively dead. As Wikipedia notes, the only significant buyer of phones containing the chip was the United States Department of Justice itself (Wikipedia).

PGP and a three-year investigation

While the government was promoting escrow, a programmer named Phil Zimmermann had already handed the public the opposite tool. In June 1991 he released Pretty Good Privacy, or PGP, posting it to USENET and FTP sites. It was the first strong public-key encryption program that ordinary people could actually get and use (Internet Hall of Fame). It spread overseas quickly, and that is where Zimmermann's trouble began.

Under the Arms Export Control Act and its International Traffic in Arms Regulations (ITAR), strong cryptography was classed as a munition, and exporting it without a license could be a crime. Early in 1993, US Customs opened a criminal investigation. Agents visited Zimmermann in San Jose in February 1993, and grand-jury subpoenas followed by September (Philip Dubois, Zimmermann's attorney). The theory was that by releasing PGP onto the internet, Zimmermann had illegally exported a weapon to the world.

The investigation ran for about three years. On January 11, 1996, the US Attorney for the Northern District of California, Michael J. Yamaguchi, announced that the government would decline to prosecute over the 1991 USENET posting. The case closed with no charges and no stated reason (IEEE Cipher). The government had spent three years treating a piece of privacy software as a smuggled munition, and then walked away without explaining why it stopped.

Printing the source code as a book

The Zimmermann case turned on a strange asymmetry in the law. A diskette carrying encryption source code was a regulated munition. A printed book was protected speech under the First Amendment and could be carried out of the country freely. So Zimmermann's camp tested the boundary head-on.

In 1995, MIT Press published the complete PGP source code as a hardcover volume, "PGP: Source Code and Internals" (Wikipedia). The premise was blunt. If the printed word is protected, then a printed program should be protected too, and the government would struggle to argue that the same characters became a weapon the instant someone typed them back into a computer. The book was widely understood as a factor in the decision to drop the case, because prosecuting the export of a program that anyone could legally buy in book form made little sense.

Two years later the tactic went international and physical on a far larger scale. For the 1997 release of the international edition, PGP 5.0i, the source was printed as a set of roughly ten to twelve thick volumes running to thousands of pages, exported to Europe as ordinary printed matter, and then read back in. A Norwegian team led by Stale Schumacher OCR-scanned the pages and reconstructed working, legally exportable international PGP from them (PGPi scanning project). It was a deliberate, almost theatrical demonstration that the export rules could not survive contact with the printing press.

Code is speech

The printed-book manoeuvres made a rhetorical point. Two lawsuits turned it into law.

Daniel Bernstein was a mathematics PhD student at UC Berkeley who had written an encryption algorithm he called Snuffle, along with a paper and source code describing how it worked. To publish, he was told, he might first have to register as an arms dealer and obtain a license. Backed by the Electronic Frontier Foundation, he sued the State Department on February 21, 1995 (EFF).

Judge Marilyn Hall Patel handed him a landmark result. On December 6, 1996, according to EFF's docket, she held that the ITAR licensing scheme was an unconstitutional prior restraint on speech (EFF). After the controls were shifted to a new regime run by the Commerce Department, she ruled again on August 25, 1997 that the successor Export Administration Regulations (EAR) were likewise unconstitutional as applied to source code. For the first time, a federal court had said plainly that source code was expression the First Amendment protects.

On May 6, 1999, a three-judge panel of the Ninth Circuit agreed, affirming by a 2-1 vote that encryption source code is protected speech and that the export-licensing scheme was an unconstitutional prior restraint (Ninth Circuit via FindLaw). That is the ruling most people remember. It is also, technically, not law. On September 30, 1999, the full Ninth Circuit voted to rehear the case en banc and withdrew the panel opinion, which made it non-precedential (Global Freedom of Expression, Columbia). The court never issued an en banc decision on the merits, because the government relaxed the rules in early 2000 and the case was sent back down. Bernstein, for all its fame, left behind no binding appellate precedent.

The precedent came from a quieter case in another circuit. Peter Junger, a law professor, challenged the same export controls, and in Junger v. Daley the Sixth Circuit reversed the trial court and held that computer source code is expression protected by the First Amendment. The case was argued December 17, 1999 and decided April 4, 2000 (FindLaw). With the Bernstein panel opinion withdrawn, Junger stands as the leading appellate authority for the plain proposition that source code is speech.

The rules give way

The courts were only part of the retreat. The executive branch had already begun rearranging the machinery. On November 15, 1996, Clinton signed Executive Order 13026, published on November 19, 1996 at 61 FR 58767, which moved non-military commercial encryption off the State Department's Munitions List and onto the Commerce Department's Commerce Control List (Federal Register). This was a relocation, not a release. The order also directed that encryption software "shall not be considered or treated as technology" under the export rules, and declared that the Export Administration Act's foreign-availability provisions "shall not be applicable" to these controls (American Presidency Project). Moving the paperwork from one agency to another did not set the code free. Encryption was still controlled, just controlled by Commerce.

Real liberalisation came later, and it came partly because the controls had stopped making sense. Strong encryption was already available all over the world, so American export limits mostly cost American companies foreign sales while doing little to keep the technology out of anyone's hands. Netscape, Microsoft, and other firms lobbied hard on exactly that point (Wikipedia). After a White House policy shift announced on September 16, 1999, the Commerce Department's Bureau of Export Administration published an interim rule that took effect on January 14, 2000. It sharply loosened the controls, created a "retail" category of products exportable to almost any end user in almost any destination, and allowed publicly available and open-source encryption source code to be exported under a license exception (Federal Register). That was the practical end of the crypto wars. The code was finally free to travel.

The bottom line

The crypto wars were an argument about categories. The government wanted encryption to be a munition it could hold at the border. Cryptographers, programmers, publishers, and eventually two federal appeals courts treated it as something you write, read, and share. The escrow scheme collapsed under a 16-bit flaw, the criminal case against Zimmermann ended without charges or an explanation, the source code went out as books and came back as software, and the export rules were rewritten until they barely applied to the products people actually used. The encryption that secures ordinary life now, the padlock on a checkout page and the lock on a chat app, is the settled result of a fight the government picked and did not win. The lesson that lasts is narrow but durable: it is very hard to control the distribution of a number, and a program is, in the end, just a precise way of writing one down.

Related reading

Fact-check notes and sources

  • The Clipper chip and Skipjack (the April 16, 1993 announcement; FIPS 185 in February 1994; Skipjack's 80-bit key and 64-bit block; declassified June 1998 and attacked within a day): Clinton White House archive and Wikipedia.
  • The LEAF flaw (the 128-bit LEAF protected by only a 16-bit checksum; Matt Blaze's November 1994 ACM CCS paper and the roughly 2-to-the-16th brute force; June 1994 New York Times reporting and NIST's June 1994 statement; the chip effectively defunct by 1996 with the Department of Justice as the only significant buyer): Wikipedia, ACM Digital Library, and NIST.
  • PGP and the Zimmermann investigation (the June 1991 release; the early-1993 Customs investigation, with a February 1993 San Jose visit and September 1993 grand-jury subpoenas; the January 11, 1996 declination by US Attorney Michael J. Yamaguchi, with no reason given): Internet Hall of Fame, Philip Dubois, and IEEE Cipher.
  • Source code as a book (the 1995 MIT Press edition; the 1997 PGP 5.0i printed set and the Norwegian re-scanning led by Stale Schumacher): Wikipedia and PGPi scanning project. The exact size of the 1997 set varies by account (roughly ten to twelve volumes, thousands of pages), so it is given as a range rather than a single figure.
  • Code is speech (Bernstein's February 21, 1995 suit; Judge Patel's December 6, 1996 and August 25, 1997 rulings; the May 6, 1999 Ninth Circuit panel; the September 30, 1999 en banc order that withdrew it; Junger v. Daley, argued December 17, 1999 and decided April 4, 2000): EFF, Ninth Circuit via FindLaw, Global Freedom of Expression, and FindLaw. The Patel date is given as December 6, 1996 per EFF's docket; some sources date the published opinion December 9, 1996, a minor record discrepancy that does not affect the outcome.
  • The rules relax (Executive Order 13026, signed November 15, 1996 and published November 19, 1996 at 61 FR 58767, with its "shall not be considered or treated as technology" language; the January 14, 2000 Commerce interim rule and its "retail" category): Federal Register, American Presidency Project, and Federal Register.
  • The economics (strong encryption already available abroad, and industry lobbying by Netscape, Microsoft, and others): Wikipedia. A figure of "$1 billion per year" in foregone sales sometimes circulates but is not supported by that source, so this piece describes the market dynamic without committing to a specific dollar amount; contemporary industry studies projected far larger losses over the decade, but no single authoritative figure was pinned down here.

This post is informational and educational, and it is not legal or security advice. Dates, figures, and quotations are reproduced from the cited government records, court opinions, and archives, with contested or uncertain points flagged as such. Companies, agencies, and individuals are named as a matter of public record under nominative fair use, and no affiliation or endorsement is implied.

← Back to Blog

Accessibility Options

Text Size
High Contrast
Reduce Motion
Reading Guide
Link Highlighting
Accessibility Statement

J.A. Watte is committed to ensuring digital accessibility for people with disabilities. This site conforms to WCAG 2.1 and 2.2 Level AA guidelines.

Measures Taken

  • Semantic HTML with proper heading hierarchy
  • ARIA labels and roles for interactive components
  • Color contrast ratios meeting WCAG AA (4.5:1)
  • Full keyboard navigation support
  • Skip navigation link
  • Visible focus indicators (3:1 contrast)
  • 44px minimum touch/click targets
  • Dark/light theme with system preference detection
  • Responsive design for all devices
  • Reduced motion support (CSS + toggle)
  • Text size customization (14px–20px)
  • Print stylesheet

Feedback

Contact: jwatte.com/contact

Full Accessibility StatementPrivacy Policy

Last updated: April 2026