5 September 1997
Source: Hardcopy from Peter Junger
Tab B
GINO J. SCARSELLI
Attorney at Law
Tel/Fax 216-291-8601
January 2, 1997
VIA FACSIMILE AND MAIL
Anthony Coppolino, Esq.
Department of Justice
Civil Division, room 1084
901 E Street, N.W.
Washington, D.C. 20530
re: Junger v. Christopher, Case No. 96 CV 1723 (N.D. Ohio)
Dear Mr. Coppolino:
In light of the new Commerce regulations effective Monday,
December 30, 1996, and to narrow the issues before the Court, the
plaintiff is seeking clarification from the government.
As stated in the complaint and in the plaintiff's declaration,
Prof. Junger wants to allow foreign students in his Computers and Law
class, wants to exchange cryptographic information with foreign col-
leagues, wants to publish articles and his course materials, and wants
to post cryptographic information on his web site. The information
includes the source codes and machine code representations of his one-
time pad and other encryption programs, as well as the underlying
algorithms and information on how to use, and where to obtain, encryp-
tion programs. As we read the new regulations, some of what Prof.
Junger seeks may now be permitted.
Section 744.9, "Restrictions on technical assistance by U.S.
persons with respect to encryption items," of the new regulations
provides an exemption for academic teaching and discussions of cryp-
tography. Thus, it appears that in class disclosure of encryption
software and technology to foreign students is permitted.
Even if there are no restrictions placed on classroom disclosure
under the new regulations, we are concerned that there are other
restrictions that limit the First Amendment rights of Prof. Junger and
others.
Notwithstanding § 744.9, the sections exempting publicly avail-
able or educational technology and software from the EAR do not apply
to encryption software controlled under ECCN 5D002. See 22 C.F.R. §§
734.3(b)(3), 734.7 and 734.9. However, in the note following § 734.3,
printed material that contains encryption source code is not subject
to the EAR:
664 Allison Drive Richmond Heights Ohio 11143-2904 USA email: gscarsel@mail.multiverse.com
[2]
Note to paragraphs (b)(2) and (b)(3) of this
section: A printed book or other printed materi-
al setting forth encryption source code is not
itself subject to the EAR (see Sec. 734.3(D)(2)).
However, notwithstanding Sec. 734.3(b)(2),
encryption source code in electronic form or
media (e.g., computer diskette or CD ROM) remains
subject to the EAR (see 734.3(b)(3)).
Apparently, encryption software is not subject to the EAR if it's
in printed form, but is subject to the EAR in electronic form. Thus,
as we read the regulations, Prof. Junger is prohibited from posting
encryption software on his World Wide Web site without a license
(subject to the conditions in § 734.2(b)(9)(ii)) ever. if what he posts
is an article that contains encryption source code or representations
of machine code.
Furthermore, it is unclear whether material that contains encryp-
tion code if subject to the EAR is treated strictly as encryption
software under ECCN 5D002 or may also be treated as technology under
ECCN 5E002.
In light of the above, we seek the following clarifications from
your clients:
1. Is Prof. Junger permitted to disclose in the classroom
encryption software and encryption technology to foreign
students? Are there any restrictions or, what he may dis-
close in class?
2. Are foreign students who take Prof. Junger's class permit-
ted to return to their home countries with class materials,
which include encryption software or encryption technology?
3. Is Prof. Junger permitted to disclose encryption software
or technology to foreign colleagues outside the United
States or only within the United States?
4. Do the answers to (2) and (3) depend on whether the materi-
al is disclosed in printed form or electronic form (e.g.,
computer diskette, digital form that can be transferred via
the internet) and whether the material is controlled for
export as encryption software under ECCN 5D002 or encryp-
tion technology under ECCN 5E002? Are encryption source
code and object code controlled only as encryption software
under ECCN 5D002?
5. Are articles and books, including law review articles, that
contain encryption software subject to the EAR if electroni-
cally published (e.g., through LEXIS, WESTLAW, file trans-
fer protocols, World Wide Web sites)?
6. Are there any restrictions on posting cryptographic informa-
tion, other than encryption source code, on a Web site?
For example, are there any restrictions on displaying
[3]
hyperlinks to sites where encryption software can be down-
loaded?
Since we have a limited time to file findings of facts and
conclusions of law, we request responses to our questions before
January 9, 1997. It is our intent to file an amended complaint short-
ly thereafter.
Sincerely,
[Signature]
Gino J. Scarselli
Attorney for the plaintiff
cc/ Peter Junger
Raymond Vasvari, Esq.
Kevin O'Neill, Esq.
UNITED STATES DEPARTMENT OF COMMERCE
Bureau of Export Administration
Washington, D C 20230
January 29, 1997
Gino Scarselli, Esq.
664 Allison Drive
Richmond Heights, Ohio 44142-2904
Re: January 2, 1997 Letter on Behalf of Peter D. Junger
Dear Mr. Scarselli:
Mr. Anthony J. Coppolino of the Department of Justice has
forwarded to us a copy of your January 2, 1997 letter to him
raising various questions concerning the application of the
Export Administration Regulations ("EAR") on encryption software
and technology to your client, Prof. Peter D. Junqer.
As you may know, on November 15, 1996, President Clinton issued
Executive Order 13026 (and a related Presidential memorandum)
directing that export licensing controls on certain encryption
products, including software, designated under Category XIII(b)
of the United States Munitions List ("USML"), 22 C.F.R. Part 121,
be transferred to the export licensing jurisdiction of the
Department of Commerce under the Commerce Control List ("CCL")
and EAR.1
On December 30, 1996, the Departments of Commerce and State
published regulations, effective on publication, implementing the
President's policy and transferring export licensing jurisdiction
over encryption commodities and software (including source code),
and related technical data, from the State Department to the
Commerce Department. 61 Fed. Reg. 68572 et seq. and 68633
(December 30, 1996). Accordingly, the Department of Commerce is
now the licensing authority for the export of most encryption
items, including software.2
Please be advised that the EAR establishes administrative
procedures by which the public can obtain advice on the
applicability of the EAR in various cases. Section 748.3 of the
EAR establishes the administrative procedures for obtaining a
Commodity Classification or an Advisory Opinion as to the
____________________
1 61 Fed. Reg. 12714 et seq. (March 25, 1996), as amended
by the interim rule at 61 Fed. Reg. 68572 et seq. (December 30,
1996) (to be codified at 15 C.F.R. Part 730, et seq.).
2 The Department of State retains licensing jurisdiction
over military cryptographic items and software. See 61 Fed. Reg.
at 68633 (amending 22 C.F.R. § 121.1, Category XIII(b)).
2
application of the EAR to the export of items or other
activities. See 61 Fed. Reg. 12812-13 (March 25, 1996) (to be
codified at 15 C.F.R. § 748.3). Because you have not provided
BXA with specific information concerning any export activities
that Prof. Junger seeks to engage in, BXA lacks the necessary
information to enable it to respond to the questions raised in
your letter. Based on the information in your letter, we are
also unable to provide you with either a Commodity Classification
determination regarding the possible application of the EAR to
any software or other items Prof. Junger may wish to export or,
if it is determined that those activities are subject to the EAR,
an Advisory Opinion whether a license is required, or likely to
be granted.
We can, however, provide you with some guidance in response to
your letter regarding the scope of the encryption controls
administered by the Department of Commerce pursuant to the
regulations issued on December 30, 1996. This information will
assist you in determining whether the EAR apply to Prof. Junger
and, if it does, whether a license is required for any of his
export activities. Otherwise, we will be pleased to review
either a Classification request or a request for an Advisory
Opinion that includes the information set forth in Section 748.3
of the EAR, such as the actual software he may wish to export.
By way of background, in carrying out its responsibilities
regarding the transfer of certain encryption products from State
export licensing controls to Commerce, Commerce imposed national
security and foreign policy controls (~EI" for encryption items)
on certain information security items and equipment,
cryptographic devices, software and components specifically
designed or modified therefor, and related technology. See
Section 742.15 of the EAR, 61 Fed. Reg. at 68580 (to be codified
at 15 C.F.R. § 742.15). In order to export encryption items
subject to EI controls, including software, a license application
must be submitted to the Commerce Department, which will grant or
deny the application based on a case-by-case determination of
"whether the export * * * is consistent with U.S. national
security and foreign policy interests." Section 742.15(b) of the
EAR, 61 Fed. Reg. at 68581 (to be codified at 15 C.F.R.
§ 742.15(b)); see also Section § 742.15(b)(4)(ii) of the EAR, 61
Fed. Reg. at 68582 (to be codified at 15 C.F.R.
§ 742.15(b)(4)(ii)).3
____________________
3 Encryption software in either source code and "machine"
or object code form, is regulated under ECCN 5D002, not ECCN
5E002. ECCN 5E002 concerns encryption technology as defined in
Part 772 of the EAR, 61 Fed. Reg. 12925-37, as amended by 61 Fed.
Reg. 68585-86 (to be codified at 15 C.F.R. Part 772), not
encryption software. See 61 Fed. Reg. at 68586-87. Certain (continued...)
(continued...)
3
In order to assist you in reviewing Prof. Junger's circumstances,
which, as we understand it, involve teaching a class on computers
and the law and, in connection therewith, posting encryption
software on the Internet, note that the provisions of the EAR
distinguish for export control purposes between encryption
software (including source code and "machine" or object code) and
encryption technology. The EAR define the export of encryption
software subject to EI controls to mean an actual shipment or
transfer out of the United States or to a foreign embassy or
affiliate of a foreign government in the United States. See
Section 734.2(b)(9)(i)(A) and (B) of the EAR, 61 Fed. Reg. 68578
(to be codified at 15 C.F.R. § 734.2(b)(9)(i)(A) and (B)).
Accordingly, in response to your inquiries, the distribution of
encryption software subject to EI controls to students in a class
in the United States, including foreign students, is not an
export under the EAR. However, such software would be subject to
the provisions of the EAR and could not be exported from the
United States by any person, including any foreiqn student who
receives such software in the United States, without a license
from the Bureau of Export Administration.
You also inquired about other non-software information that might
be distributed in Prof. Junger's class. Technology subject to
the EAR is defined in Part 772 of the EAR (Definitions). 61 Fed.
Reg. 12925-37, as amended by 61 Fed. Reg. 68585-86 (to be
codified at 15 C.F.R. Part 772). However, information which is
released by instruction in catalog courses and associated
teaching laboratories of academic institutions is not technology
subject to the EAR. See Sections 734.3(b)(3)(iii) and 734.9 of
the EAR, 61 Fed. Reg. 12747-49, as amended by 61 Fed. Reg. at
68578-79 (to be codified at 15 C.F.R. § 734.3(b)(3)(iii) and
§ 734.9). See also Supplement No. 1 to Part 734, Section C:
Educational Instruction, 61 Fed. Reg. at 12751 (to be codified at
15 C.F.R. Part 734, Supplement No.1). Accordingly, there are no
restrictions under the EAR to the disclosure of educational
information distributed to students in a catalog course in the
United States.4
With respect to discussions with foreign academic colleagues,
Section 744.9 of the EAR provides that no person may, without a
____________________
3(...continued)
"mass-market" encryption software may be released from "EI"
controls if it meets certain criteria. See Section 742.15(b)(1)
of the EAR, 61 Fed. Reg. at 68581 (to be codified at 15 C.F.R. §
742.15(b)(l)).
4 Note that encryption software is controlled under ECCN
5D002 for EI reasons and may not be exported without a license.
Section 734.9 of the EAR, 61 Fed. Reg. at 68579 (to be codified
at 15 C.F.R. § 734.9).
4
license from the Bureau of Export Administration, "provide
technical assistance (including training) to foreign persons with
the intent to aid a foreign person in the development or
manufacture outside of the United States of encryption
commodities and software that, if of United States origin, would
be controlled for EI reasons under ECCN 5A002 and 5D002."
Section 744.9 of the EAR, 61 Fed. Reg. 68584-5 (December 30,
1996) (to be codified at 15 C.F.R. § 744.9). However, Section
744.9 provides further that the "mere discussion of information
about cryptography, including, for example, in an academic
setting, by itself would not establish the intent described in
this section, even where foreign persons are present." Id. The
purpose of this section is to provide assurance that academics
like Prof. Junger would not be prohibited by this section from
engaging in mere academic discussions of information about
cryptography with foreign colleagues -- inside or outside of the
United States.5
You also inquired about the posting of encryption software on the
Internet. The EAR define the export of encryption source code
and object code software controlled for EI reasons under ECCN
5D002 to include downloading, or causing the download of, such
software to locations (including electronic bulletin boards,
Internet file transfer protocol, and World Wide Web sites)
outside the United States, or making such software available for
transfer outside the United States, over a variety of media,
unless the person making the software available takes precautions
adequate to prevent unauthorized transfer of such code outside
the United States. See Section 734.2(b)(9)(ii) of the EAR, 61
Fed. Reg. at 68578 (to be codified at 15 C.F.R.
§ 734.2(b)(9)(ii)). Thus, under the EAR, electronic transmission
of encryption software (including source code and "machine" or
object code) subject to EI controls by means of the Internet is
an export under the EAR, unless the person making the software
available takes precautions adequate to prevent unauthorized
transfers outside the United States. See id.
Also, in response to your inquiry, a printed book or other
printed materials setting forth encryption source code is not
itself subject to the EAR. See Note to Section 734.3(b)(2) and
(3) of the EAR, 61 Fed. Reg. at 68578 (to be codified at 15
C.F.R. § 734.3(b)(2) and (3).6 You also inquired about whether
____________________
5 Again, encryption software is controlled under ECCN 5D002
for EI controls and may not be exported without a license. See
Section 734.7 and 734.8 of the EAR, 61 Fed. Reg. at 68578-79 (to
be codified at 15 C.F.R. §§ 734.7 and 734.8).
6 Please note that the administration continues to review
whether and to what extent scannable encryption source or object
(continued...)
5
"books or articles" that contain encryption software are subject
to the EAR if exported in electronic form. We are unable to
respond to your inquiry because you have not adequately described
the nature of the material Prof. Junger proposes to export. If
encryption software subject to EI controls, in source code or
object code form, is transmitted abroad in an electronic form, it
would be subject to EAR licensing requirements. See Section
734.2(b)(9)(ii) of the EAR, 61 Fed. Reg. at 68578 (to be codified
at 15 C.F.R § 734.2(b)(9)(ii)). However, theoretical information
or academic discussions of cryptography--as distinct from
encryption programming language that could itself ultimately be
executed on a computer to encrypt information--would not fall
within the definition of cryptographic software subject to the
EAR. See Part 772 of the EAR, 61 Fed. Reg. 12925-37, as amended
by 61 Fed. Reg. 68S85-86 (to be codified at 15 C.F.R. Part 772).
If you have a question regarding whether a particular item in
electronic form that contains encryption software is subject to
the EAR, the only way that we would be able to make that
determination is if you submit the item for a Commodity
Classification or Advisory opinion in accordance with the
requirements of Section 748.3 of the EAR.
Please contact us if we can be of further assistance to you or if
you want to obtain a Commodity Classification or Advisory opinion
under Section 748.3 of the EAR.
Sincerely,
[Signature]
James A. Lewis
Director
Office of Strategic Trade
and Foreign Policy Controls
_____________________
6(...continued)
code in printed form should be subject to the EAR and reserves
the option to impose export controls on such software for
national security and foreign policy reasons.