26 February 1997
Source: http://www.bxa.doc.gov/06-.pdf (313K)

Public Comments on Encryption Items Transferred from
the U.S. Munitions List to the Commerce Control List

6. Tuttle and Taylor

Tuttle & Taylor
A Law Corporation
Fortieth Floor
355 South Grand Avenue
Los Angeles California 90071-3102
Telephone: (213) 683-0600
Facsimile: (213) 683-0225
Writer's Direct Dial Number: (213) 683-0663

February 3, 1997

Ms. Nancy Crowe
Regulatory Policy Division
Bureau of Export Administration
Department of Commerce
14th Street and Pennsylvania Ave., N.W.. Room 2705
Washington, D.C. 20230

Re: Interim rule and EAR amendments of 61 FR 68572.

Dear Ms. Crowe:

Let me begin by saying that, a number of our clients for years have been involved in export subject to regulation by the Departments of State and Commerce. In my more than thirty years of experience dealing with these regulatory structures, there have been, naturally, instances in which their application was ambiguous or their meaning unclear. However, I cannot recall an instance more fraught with uncertainty and vulnerability to the dangers of ad hoc rulemaking than the one we are faced with now. My concern is that instead of clarifying the export process with regard to encryption software, the new regulations make the process more confusing. Moreover, they are vulnerable to challenges of unconstitutionality, not only because of their vagueness but also because of their effect on free speech.

The new regulations are designed to address foreign policy and national security concerns in regard to the export of cryptographic items, 61 FR 68572, 68573, at the same time they present serious constitutional due process and free speech issues. These violations arise out of the regulations' vagueness and their chilling effect on speech.

"It is a basic principle of due process that an enactment is void for vagueness if its prohibitions are not clearly defined." Grayned v. City of Rockford, 408 U.S. 104, 107, 33 L. Ed. 2d 222, 227 (1972). Vague enactments are not tolerated because society insists "that laws give the person of ordinary intelligence a reasonable opportunity to know what is prohibited, so that he may act accordingly. Vague laws may trap the innocent by not providing fair warning." Id. (citations omitted). A stricter vagueness test should apply where a violation of the enactment results in criminal sanctions, and the scienter requirement is unclear. See Hoffman Estates v. Flipside Hoffman Estates, 455 U.S. 489, 499, 71 L. Ed. 2d 362, 372 (1982).

The vagueness of part 744.9 of the new regulations poses a constitutional due process violation. This part is vague in its distinction between the "mere teaching or discussion of information about cryptography' and "providing technical assistance to foreign persons," or instruction of "encryption software." The "mere teaching or discussion" is allowed to occur without an export license. However, "providing technical assistance to a foreign person" or the instruction of "encryption software" require an export license to avoid criminal and civil sanctions. The apparent safe harbor found in the "teaching and discussion" realm thus proves to be illusory.

Part 734.3(b) lists the items not subject to EAR regulations. "Educational information" as described in part 734.9, is one item excluded from licensing requirements. 61 FR 68572, 68578. Part 734.9 defines "educational information" as information released by "instruction in catalog courses and associated teaching laboratories of academic institutions. Note that the provisions of this section do not apply to encryption software controlled under ECCN SD002 for "EI" reasons on the Commerce Control List." Id. at 68578 (emphasis added). Part 734.9, therefore, removes instruction on encryption software from the "educational information" exception of section 734.3(b)(iii). Thus, a speaker who seeks to discuss encryption software in the above described settings must first obtain an export license. The question then arises, how a speaker is to distinguish between this requirement for an export license and the exception provided in part 744.9.

Part 744.9 states:

No U.S. person may, without a license from BXA, provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities or software that, if of United States origin, would be controlled for "EI" reasons under ECCN 5A002 or SD002 .... Note in addition that the mere teaching or discussion of information about cryptography, including, for example, in an academic setting, by itself would not establish the intent described in this section, even where foreign persons are present.

61 FR 68572, 68584 (emphasis added). Under what criteria then, are speakers to gauge their conduct to avoid a violation of parts 734.3 or 744.9? When does the "mere teaching or discussion of information about cryptography" transmute to the prohibited "providing of technical assistance to foreign persons," or instruction of "encryption software?"

The scope of part 744.9 is not defined within the part, or the definitions in part 772. The new part 772 defines "encryption software," 61 FR 68572, 68585, but it does not define "catalog courses," "teaching laboratories" or "academic institutions," all of which are key elements of section 734.9. Additionally, part 772 does not define "information about cryptography," "intent" or "academic setting," which are key elements of the section 744.9 exception. Thus, a speaker of ordinary intelligence is deprived of a reasonable opportunity to know what discussion is prohibited, and must guess as to whether an export license is needed.

The note added to part 734.3 drastically reduces the media that previously qualified for the ITAR "public domain," licensing exception. Part 734.3 states: "A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see S.734.3(b)(2)). However, notwithstanding S.734.(b)(2)[sic], encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see S.734.3 (b)(3))." 61 FR 68572, 68578. Part 120.11 of the ITAR states that "[p]ublic domain means information which is published and which is generally accessible or available to the public: ...." 22 CFR 120.11. Thus, publically available, published information was not limited to "printed material" by ITAR as it is now.

Furthermore, the EAR public domain limitation raises the question whether printed material can ever be sent in electronic form or media in violation of part 734.3. Would a FAX of printed material of encryption source code fall within the scope of the EAR? Would the distribution of encryption source code as printed material during a mere discussion of cryptography violate section 734.3, 744.9 or 734.7 (the printed material itself would not be subject to the EAR per 734.3; however, its distribution as educational information appears to be subject to the EAR per 734.7 and its distribution as technical assistance appears to be controlled per 744.9)? Again, this note lacks guidance for actual application, and leaves academic and other speakers in a state of confusion as to what constitutes a licensable "transaction."

The gravity of the inherent vagueness in parts 734.3, 734.7 and 744.9 is further compounded by the criminal sanctions imposed by part 764.3(b), and the "knowledge" definition found in part 772. The EAR imposes criminal sanctions on whomever "knowingly violates or conspires to or attempts to violate the EAA, the EAR, or any order or license issued thereunder...." 15 C.F.R. S.764.3(b)(1). "Knowledge" is defined by the EAR as follows:

Knowledge of a circumstance ... includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts ....

Id. at S.772. Although an awareness of a "high probability of an existing circumstance is not a new criminal standard for imputing knowledge on a defendant ... [t]he definition of 'knowledge' in part 772 also requires an exporter to be aware of a high probability of a 'future occurrence' of a circumstance." WILLLIAM A. ROOT & JOHN R. LIEBMAN, UNITED STATES EXPORT CONTROLS THIRD EDITION 1996 SUPPLEMENT, S.1.14.5 (1996)(citing United States v. McAllister, 747 F.2d 1273, 1275 (9th Cir. 1984), cert. denied, 474 U.S. 829 (1985)). Such a scienter requirement exacerbates the vagueness of the EAR's prohibitions. This definition imposes on the potential exporter the "responsibility of predicting future events, in cases where, with the benefit of hindsight, one could say that there was a high probability that such events would occur." Id. Since there is no effective means by which a speaker, in these circumstances can predict future events, the vagueness of parts 734.3, 734.7 and 744.9 will result in the chilling of free speech.

"Encryption software is controlled because ... it has a functional capacity to encrypt information on a computer system, and not because of any information or theoretical value that such software may reflect, contain or represent, or that its export may convey to others abroad.'' Id. at 68585 (emphasis added). However, just because encryption software has a functional capacity, it is still speech and subject to First Amendment Protection. See Bernstein v. United States Dep't of State, 922 F.Supp. 1426, 1435 (N.D. Cal. 1996)("even if Snuffle source code, which is easily compiled into object code for the computer to read and easily used for encryption, is essentially functional, that does not remove it from the realm of speech")(citing Yniguez v. Arizonans for Official English, 69 F.3d 920, 934-36 (9th Cir. 1995)(en banc) cert. granted, 134 L. Ed. 2d 469 (1996), Ward v. Rock Against Racism, 491 U.S. 781, 790, 105 L. Ed. 2d 661 (1989)). As in Bernstein, the regulations discussed in these comments "fail to give notice of the conduct they regulate and have a chilling effect on speech." Bernstein, at 1439. As in Bernstein, the regulations discussed in these comments "fail to give notice of the conduct they regulate and have a chilling effect on speech." Bernstein, at 1439.

One loophole in export license requirements, although not contained in 744.9 technical assistance license requirements, is the potential removal of any discussion or teaching from EAR regulation through designated "precautions." Part 734.2(b)(9)(ii) defines the export of encryption source code software, inter alia, as the "downloading, or causing the downloading of such software to locations ... outside the U.S., or making such software available for transfer outside the United States ... unless the person making the software available takes precautions adequate to prevent [such] unauthorized transfers...." 61 FR 68572, 68577. Adequate precautions include:

(A)- ensuring that the facility from which the software is available controls the access to and transfers of such software through such measures as: (3) every party requesting or receiving a transfer of such software must acknowledge affirmatively that he or she understands that the cryptographic software is subject to export controls under the Export Administration Act, and that anyone receiving the transfer cannot export the software without a license.

Id. at 68578. Thus, if an academic institution obtained an acknowledgment from every audience member, does this adequately protect the speaker from inadvertently exporting without a license? What kind of record would have to be kept in order to prove compliance? If such an acknowledgment removed the teaching and class discussion from the regulations, is this consistent with the overall purpose of the new regulations?

All of the questions raised in the above comments indicate that the regulations are exposed to serious, potentially fatal, constitutional challenges.

Sincerely,

TUTTLE & TAYLOR

By
John R. Liebman

Hypertext by DN and JYA/Urban Deadline