29 August 1997
Source: GIF images from:
http://www.eff.org/pub/Legal/Cases/Bernstein_v_DoS/Legal/970825_decision.images
[Fax header] Aug. 25, 1997 4:05PM THE RED HERRING No. 8597 P. 1/35
FILED
AUG 25 2 12 [cropped]
[Illegible]
CLERK
S. DISTRICT COURT
NO. DIST. OF CA.
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
DANIEL J. BERNSTEIN No. C-95-0582 MHP
Plaintiff OPINION
vs.
UNITED STATES DEPARTMENT OF STATE, et al.
Defendants
Plaintiff Daniel Bernstein originally brought this action
against the Department of State and the individually named
defendants seeking declaratory and injunctive relief from their
enforcement of the Arms Export Control Act ("AECA"), 22 U.S.C.
§ 2778 (1990), and the International Traffic in Arms Regulations
("ITAR"), 22 C.F.R. §§ 120-30 (1994), on the grounds that they are
unconstitutional on their face and as applied to the plaintiff. The
court granted in part and denied in part the parties' cross motions
for summary judgment on December 9, 1996. Just prior to the court's
order, President Clinton by Executive Order 13026 transferred
jurisdiction over the export of nonmilitary encryption products to
the Department of Commerce pursuant to the Export Administration
Act of 1979 ("EAA"). 50 U.S.C. App. §§ 2401 et seq. (1991), and
the Export Administration Regulations ("EAR"), 15 C.F.R. Pt. 730 et
seq. (1997). On December 30, 1996, the Commerce Department issued
an interim rule regulating certain encryption products. 61 Fed.
Reg. 68572 (Dec. 30, 1996). Plaintiff subsequently amended his
complaint to include the
1
new regulations and new defendants. Now before this court are the
parties' second cross-motions for summary judgment on the question
of whether licensing requirements for th export of cryptographic
devices, software and related technology covered by the amendments
to the EAR constitute an impermissable infringement on speech in
violation of the First Amendment.
Having considered teh parties' arguments and submissions, and for
the reason set forth below, the court enters the following
memorandum and order.
BACKGROUND1
At the time this action was filed, plaintiff was a PhD
candidate in mathematics at University of California at Berkeley
working in the field of cryptography, an area of applied mathematics
that seeks to develop confidentiality in electronic communication.
Plaintiff is currently a Research Assistant Professor in the
Department of Mathematics, Statistics and Computer Science at the
University of Illinois at Chicago.
I. Cryptography
Encryption basically involves running a readable message known
as "plaintext" through a computer program that translates the
message according to an equation or algorithm into unreadable
"ciphertext." Decryption is the translation back to plaintext when
the message is received by someone with an appropriate "key." The
message is both encrypted and decrypted by compatible keys.2 The
uses of cryptography are far-ranging in an electronic age, from
protecting personal messages over the Internet and transactions on
bank ATMs to ensuring the secrecy of military intelligence. In a
prepublication copy of a report done by the National Research
Council ("NRC") at the request of the Defense Department on
national cryptography policy, the NRC identified four major uses of
cryptography: ensuring data integrity, authenticating users,
facilitating nonrepudiation (the linking of a specific message with
a specific sender) and maintaining confidentiality. Tien Decl.,
Exh. E, National Research Council, National Academy of Sciences,
Cryptography's Role in Securing the Information Society C-2
(prepublication Copy May 30, 1996) (hereinafter "NRC
2
Report").
Once a field dominated almost exclusively by governments
concerned with protecting their own secrets as well as accessing
information held by others, the last twenty years has seen the
popularization of cryptography as industries and individuals alike
have increased their use of electronic media and have sought to
protect their electronic products and communications. NRC Report at
vii. As part of this transformation, cryptography has also become
a dynamic academic discipline within applied mathematics. Appel
Decl. at 5; Blaze Decl. at 2.
II. Prior Regulatory Framework
Plaintiff's original complaint and both of the court's
decisions in this action were directed at the regulations in force
at the time, the ITAR, promulgated to implement the AECA. The ITAR,
administered within the State Department by the Director of the
Office of Defense Trade Controls ("ODTC"), Bureau of Politico-
Military Affairs, regulates the import and export of defense
articles and defense services by designating such items to the
United States Munitions List ("USML"), 22 U.S.C. § 2778(a)(1).(3)
Items listed on the USML, which at the time included all
cryptographic systems and software, require a license before they
can be imported or exported. 22 U.S.C. § 2778(b)(2). The ITAR
allows for a "commodity jurisdiction procedure" by which the ODTC
determines if an article or service is covered by the USML when
doubt exists about an item. 22. C.F.R. § 120.4(a).
As a graduate student, Bernstein developed an encryption
algorithm he call "Snuffle." He describes Snuffle as a zero-delay
private-key encryption system. Complaint Exh. A. Bernstein has
articulated his mathematical ideas in two ways: an academic paper
in English entitled "The Snuffle Encryption system," and in "source
code" written in "C", a high-level computer programming
language,4 detailing both the encryption and decryption, which he
calls "Snuffle.c" and "Unsnuffle.c", respectively. Once source code
is converted to "object code," a binary system consisting of a
series of 0s and 1s read by a computer, the computer is capable of
encrypting and decrypting data.
3
In 1992 plaintiff submitted a commodity jurisdiction ("CJ")
request to the State Department to determine whether Snuffle.c and
Unsnuffle.c (together referred to as Snuffle 5.0), each submitted
in C language source files, and his academic paper describing the
Snuffle system, were controlled by ITAR.5 The ODTC determined that
the commodity Snuffle 5.0 was a defense article on the USML under
Category XIII of the ITAR and subject to licensing by the Department
of State prior to export. The ODTC identified the item as a "stand-
alone cryptographic algorithm which is not incorporated into a
finished software product." Complaint Exh. B.
Alleging that he was not free to teach, publish or discuss with
other scientists his theories on cryptography embodied in his
Snuffle program, plaintiff brought this action challenging the AECA
and the ITAR on teh grounds that they violated the First Amendment.
In Bernstein I this court found that source code was speech for
purposes of the First Amendment and therefore plaintiff's claims
presented a colorable constitutional challenge and were accordingly
justiciable. In Bernstein II the court concluded that the licensing
requirements for encryption software under the ITAR constituted an
unlawful prior restraint. The court also considered vagueness and
overbreadth challenges to certain terms contained in the ITAR. The
court issued its decision in Bernstein II on December 9, 1996.
III. The Transfer of Jurisdiction and the Current Regulatory Framework
On November 15, 1996, President Clinton issued Executive Order
13026, titled "Administration of Export Controls on Encryption Products,"
in which he ordered that jurisdiction over export controls on nonmilitary
encryption products and related technology be transferred from the
Department of State to the Department of commerce. The President's
Executive Order specifies that encryption products that would be
designated as defense articles under the USML and regulated under the
AECA are now to be placed on the Commerce Control List ("CCL"), under
the EAR. The White House Press Release accompanying the Executive Order
clarified that encryption products designed for military applications
would remain on the USML and continue to be regulated under the ITAR.
Press Release Accompanying Exec. Order No. 13026, at 2 (hereinafter
"Press Release")
4
The Executive Order also provides a caveat that is repeated in the
Press Release and throughout the new regulations: "the export of
encryption software, like the export of other encryption products
described in this section, must be controlled because of the
software's functional capacity, rather than because of any
informational value of such software...." Exec. Order No. 13026,
61 Fed. Reg. 58768 (1996). The Press Release states that encryption
products must be controlled for foreign policy and national security
interests and concludes by noting that if the new regulations do not
provide adequate controls on encryption products then such products
will be redesignated as defense articles and placed again on the
USML. Press Release, at 1, 4.
The EAR were promulgated to implement the EAA, but the EAA is not
permanent legislation. Lapses in the EAA have been declared national
emergencies and the President has issued Executive orders authorizing
continuation of the EAR export controls under the authority of the
International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C.
§§ 1701-1706. See, e.g., Exec. Order No. 12924, 59 Fed. Reg. 43437
(1994). Executive Order 13026 states that the authority of the
President to administer these changes in the export control system
under the EAR derives in part from the IEEPA and that the new controls
on encryption products are "additional steps with respect to the
national emergency described and declared" in the previous Executive
Orders continuing in effect the EAR. Exec. Order No. 13026, 61 Fed.
Reg. 58767 (1996).
On December 30, 1996, the Bureau of Export Administration
("BXA") under the Department of Commerce issued an interim rule
amending the EAR "by exercising jurisdiction over, and imposing new
combined national security and foreign policy controls on, certain
encryption items that were on the [USML].: 61 Fed. Reg. 68572
(1996) (to be codified at 15 C.F.R. Pts. 730-774) ("encryption
regulations" or "new regulations"). The EAR is structured around
the CCL. 15 C.F.R. Pt. 774, 61 Fed. Reg. 12937 (1996), which
categorizes items whose export is regulated according to various
criteria, including the reason for their control. The new
regulations add a category called "Encryption Items" or "EI" as a
reason for control. 61 Fed. REg. 68579 (1996) (to be codified at 15
C.F.R. § 738.2(d)(2)(I)(A)). Encryption items are defined as "all
encryption commodities, software, and technology that contain
encryption features and are subject to EAR." 61 Fed. Reg. 68585 (to
5
be codified at 15 C.F.R. § 772). This does not include those
items still listed on the USML and controlled by the Department of
State. With certain exception, one must obtain a license from the
BXA prior to exporting any item listed on the CCL. See 15 C.F.R.
Pts. 740-44. All items on the CCL are given an Export Control
Classification Number ("ECCN") which can be used to determine the
categories under which an item is controlled and the reasons for
its control.
The new regulations add three categories of items to the CCL
which are controlled for EI reasons,6 all of them more generally
classified in Category 5, which covers telecommunications and
information security. See C.F.R. § 738.2(a). Those items are ECCN
5A002, covering encryption commodities; ECCN 5D002, covering
encryption software; and ECCN 5E002, covering encryption
technology. 61 Fed. Reg. 68586-87 (to be codified at 15 C.F.R. §
774 supp. 1). For export licensing purposes, encryption software is
treated the same as an encryption commodity. See note following
ECCN 5D002. A commodity is defined generally as "[a]ny article,
material, or supply except technology and software." 61 Fed. Reg.
68586 (to be codified at 15 C.F.R. Pt. 772). Encryption software is
regulated differently from other software controlled by the CCL and
is defined as "[c]omputer programs that provide capability of
encryption functions or confidentiality of information or
information systems. Such software includes source code, object
code, applications software, or system software." 61 Fed. Reg.
68585 (to be codified at 15 C.F.R. Pt. 772).7 Definitions of
encryption source code and encryption object code have also been
added.(8) Technology has not been amended by the encryption
regulations and is defined generally as teh technical data or
technical assistance necessary for the development or use of a
product. 15 C.F.R. Pt. 772. Controlled technology is that
technology required for the development or use of items on the CCL.
15 C.F.R. Pt. 774 supp. 2 (General Technology Note). New
restrictions on technical assistance have been added, however, to
require a license to provide technical assistance (including
training) to foreign persons with the intent to aid them in the
foreign development of items that if they were domestic would be
controlled under ECCNs 5A002 and 5D002.(9) 61 Fed. Reg. 68584 (to
be codified at 15 C.F.R. § 744.9(a)); 61 Fed. Reg. 68579 (to be
codified at 15 C.F.R. § 736.2(b)(7)(ii)).
6