________________________________________ ) PHILIP R. KARN, Jr. ) ) Plaintiff, ) ) Civ. A. No. 95-1812(CRR) v. ) ) (Judge Charles R. Richey) U.S. DEPARTMENT OF STATE, and ) THOMAS E. MCNAMARA, ) ) ORAL ARGUMENT REQUESTED Defendants. ) ) ________________________________________)
Respectfully submitted, Of Counsel Kenneth C. Bass, III Teresa Dondlinger Trissell Thomas J. Cooper Venable, Baetjer, Howard & Civiletti, LLP 1201 New York Avenue, N.W. Suite 1100 Washington, D.C. 20005 (202) 962-4890 Counsel for Plaintiff Date: December 11, 1995
Because a judicial determination of whether the constitutional claims in this case are at least "colorable" requires the Court to consider the additional factual materials submitted by the defendants, as well as the factual materials submitted by the plaintiff, this motion must be treated as a Motion for Summary Judgment. Moreover, because there are genuine disputes of material fact, at least some of which require limited discovery, [2] the motion must be denied. This case raises novel issues of law in a somewhat complex technological setting. Plaintiff therefore requests oral argument, pursuant to Local Rule 108(f).
Defendants' submission rests on two entirely distinct arguments. The primary argument proceeds from a factual assertion that the computer diskette at issue is a functionally different commodity than the Applied Cryptography book which the Government allows to be freely exported. [3] Based on this alleged substantial difference, the defendants argue that their different regulatory treatment is both rational and permissible under the First Amendment because any restriction on speech is only "incidental" to their regulation of "a functioning commodity." Defs. Mem. at 3.
Defendants' secondary argument, understandably muted in their submission, is that even if there were no functional difference between the book and the diskette, the Executive Branch has the power to prevent the export of a book containing computer source code listings of cryptographic algorithms because such exports threaten "national security." [4] This fallback position obviously raises substantial First Amendment issues, a reality that understandably relegates this argument to an almost invisible place in the defendants' submission. But there should be no mistake in the Court's understanding of the position taken by the Department of Justice in this case. The Executive Branch contends that it has the power, notwithstanding the First Amendment, to preclude exports of cryptographic source code listings, regardless of form, and that its decision to permit export of the Applied Cryptography book was a matter of "executive grace" and not a legally-required decision.
We submit that an informed ruling on this motion requires consideration of both of these distinctly different arguments. We submit that the first argument rests on a flawed factual perception. The defendants' contention that the diskette and the book are "functionally different" presents a genuine dispute of a material fact. If, as we contend, there is no such functional difference, then the defendants' significantly different regulatory treatment is arbitrary, capricious and unconstitutional under the Due Process Clause of the Fifth Amendment. We submit that the second argument, which of necessity also undergirds the first argument, rests on a legally flawed analysis of the First Amendment as it applies to cryptographic software. We further submit that the defendants have not shown that their regulatory suppression of communications in fact is justified by any legitimate "national security" concerns.
The defendants' motion rests on a factual assertion that the computer diskette contains cryptographic software "that can operate to encrypt, or scramble, information on a computer." Defs. Mem. at 1. Defendants contend that the book Applied Cryptography, which contains the same information as is contained on the diskette, can rationally be regulated differently because it lacks the alleged "functionality" that the diskette has. The defendants contend that the book contains "mere information," while the diskette has an additional attribute of being "functioning cryptographic software." Defs. Mem. at 3. These factual assertions are simply wrong.
There is no functional difference of any significance between the book and the diskette. Karn Decl. ¶ 13. Throughout the administrative proceedings, and now again in this Court, the government has justified its decision through reliance on a fundamental misunderstanding of the facts.
Neither the book nor the diskette can be used to encrypt or decrypt information. Both the book and the diskette, in the hands of a computer programmer of average skill, can be used as the basic building block for making a functioning encryption program. But the only function of the book or the diskette is to provide information to a human being which can then be used as part of the knowledge needed to build a functioning encryption/decryption program. Karn Decl. ¶¶ 13-15.
In the opening passages of their memorandum, defendants make the unqualified statement that the diskette "contains 'cryptographic' software -- software that can operate to encrypt, or scramble, information on a computer." Defs. Mem. at 1. That statement is, at best, an advocate's mild distortion and, at worst, a fundamental misunderstanding of the facts. The files on the diskette, by themselves, cannot perform any computer function, much less the function of encryption. The information on the diskette can be converted into an operating program, but only through a process that requires at least three additional programming steps:
While these steps might not take a skilled programmer more than a hour or so to perform, they are additional steps significantly beyond the skills of the ordinary user of a personal computer. Indeed, because these additional programming steps are necessary to produce any "functioning" encryption program, it is fundamentally wrong to describe the diskette itself as a "functioning commodity." The only "function" that the diskette performs is to store textual information, in the form of computer source code. Karn Decl. ¶¶ 13-14.
The sole function of the diskette -- storage and transmission of information -- is identical to the sole function of the book. There is no functional difference of any significance between the source code listings in the book and those on the diskette. Karn Decl. ¶¶ 13-14. Attached as Plaintiff's Exhibit 3 is a reproduction of the 18 pages of Applied Cryptography that contain the source code listing for the DES algorithm used by NSA to conduct the experiment described in the defendants' submission. Attached as Exhibit 4 is a printout of the file DES.TXT on the diskette at issue. As is readily apparent, there is no difference in the information contained in those two listings. They are substantively, and functionally, identical. [5]
The functional identity of the book and the diskette is also shown by the fact that a computer programmer with ordinary skill in programming in the "C" programming language can, using the book itself, create exactly the same functioning program that NSA created using the diskette. Karn Decl. ¶¶ 3-11. The only difference between the two processes is that a programmer who begins with the book alone must spend less than three hours of additional time at the computer keyboard typing the source code in the book into the computer and perhaps another two hours to proof-read and correct errors in the text file. [6]
The defendants contend that the diskette is the "functional equivalent" of an operating encryption program because a programmer of ordinary skill can use the diskette to create a complete program in about an hour. The defendants further contend that it is because of this "functionality" that they can lawfully regulate the diskette, notwithstanding the First Amendment. The fact is that the only difference between the source code listings in the book and those on the diskette is that it takes somewhat less than five hours, using the book alone, to produce a functioning program, while it takes less than two hours to produce the same program if the programmer starts with the diskette version. It is utterly arbitrary, capricious and specious to erect a regulatory difference between the book, which can be converted into a complete program in less than five hours, and the diskette which requires only 180 minutes less time to produce the same complete functioning program.
As defendants acknowledge, the Due Process Clause precludes regulatory distinction that is "demonstrably arbitrary or irrational." Duke Power Co. v. Carolina Env. Study Group, 438 U.S. 59, 84 (1978), relied upon in Defs. Mem. at 38, n.29. Plaintiff contends that a factually correct understanding of the "commodities" at issue in this case will show that there is no functional difference between the source code listings in the book and those on the diskette.
Plaintiff believes that in this case a determination of the rationality of the regulatory distinction drawn by the defendants requires discovery and a mini-trial to develop an adequate factual record. Computer programming skills, source code, object code and cryptology are, we acknowledge, not subjects of everyday consideration in our judicial system. Any decision based on a "trial by declaration" as to the alleged differences, or functional identities, of the book and the diskette would be procedurally flawed. Because the government genuinely contends that there is a meaningful functional difference between the book and the diskette, there is indeed a genuine dispute on a material fact, a dispute that precludes a summary determination.
After arguing at length that the diskette has an "added functionality" that the book lacks, the defendants proceed to argue that this supposed difference is legally immaterial. In the words of defendants' counsel, "[p]laintiff's argument that encryption source codes [printed in Applied Cryptography] may be transcribed into an electronic media and executed on a computer . . . is one that may compel reconsideration of the status of printed source codes" under the ITAR scheme. Defs. Mem. at 28. The argument thus advanced is that the book itself is not constitutionally protected from export controls and that the Executive Branch could, if it chose to do so, prohibit export of the book as well as the diskette. That argument is hauntingly reminiscent of the efforts of the Executive Branch to restrict publication of the Pentagon Papers, again in the name of national security. Just as that regulatory effort was rejected by the Supreme Court in New York Times Co. v. United States, 403 U.S. 713 (1971), so should this regulatory effort be rejected by this Court.
It is beyond debate that Applied Cryptography is a publicly available book entitled to the fullest protection of the First Amendment. We submit that the diskette is equally entitled to the fullest protection of the First Amendment.
The source code listings in Part Five of the book and the files on the diskette are substantively identical. Both contain the text listings for the computer source codes for a number of algorithms. Both presentations of the information are comprehensible to a human being. The book can be "understood" by most humans without the aid of any mechanical device, although many of us require the assistance of eyeglasses just to make the book "readable." The text files on the diskette can also be "read" and understood by a human, simply through the use of a common personal computer. All the reader has to do is to insert the diskette in a personal computer, and either execute a simple single command [7] or use a common text reader that is routinely bundled with the most prevalent personal computer operating system. [8] We submit that there cannot be a legally significant difference, for purposes of First Amendment analysis, between "text on paper" and "text on mylar" [9] since both expressions of text are merely means of transmitting information between human beings.[10]
The First Amendment is, of course, broadly construed to cover not only oral speech and the products of the Revolutionary War printing press, but other media as well. Radio, television and motion pictures are each a form of communication unknown to the Founding Fathers, yet each is protected by the same First Amendment that applies to books. [11] It is, we submit, simply inconceivable that a book published on a CD-ROM, such as Grolier's Encyclopedia, is any less entitled to First Amendment protection than the far bulkier paper edition. It is equally inconceivable that computer source code that has been published in a book is automatically subjected to second class status under the First Amendment when the identical information is put on a computer diskette.
The diskette, like the book, functions to communicate information to a human, not to cause a computer to perform a function. The communicative purpose and effect of the diskette is evidenced by the fact that the text files on the diskette include the "comments" in the source code listing of the book. [12] Those comments contain information that is useful only to a human who is using the information for programming purposes and is completely ignored by a computer when the listing is compiled as part of the process of creating a functioning program. Source code listings, unlike machine codes, are in fact primarily designed to communicate with human beings. As was cogently stated in the preface to a computer science textbook:
Our design of this introductory computer-science subject reflects two major concerns. First, we want to establish the idea that a computer language is not just a way of getting a computer to perform operations but rather that it is a novel formal medium for expressing ideas about methodology. Thus, programs must be written for people to read, and only incidentally for machines to execute.H. ABELSON AND G. SUSSMAN, STRUCTURE AND INTERPRETATION OF COMPUTER PROGRAMS (MIT Press 1985).
The First Amendment not only protects speech itself, it protects the tools of speech from government regulation which inhibits speech. For example, in Minneapolis Star & Tribune Co. v. Comm. of Revenue, 460 U.S. 575 (1983), the Supreme Court considered the constitutionality of a state statute imposing a sales and use tax on newsprint and ink. Although the tax was not a direct regulation of speech, it was a regulation of essential tools for the publication of printed media. As such, it was analyzed using First Amendment principles. As stated by the Court, "[a] tax that burdens rights protected by the First Amendment cannot stand unless the burden is necessary to achieve an overriding governmental interest." Id. at 582 (emphasis added). Because no such interest was shown in that case, the tax was held unconstitutional.
The expressions of source code are not only pure speech, they are also tools for facilitating human communication that, like the newspaper and ink in Minneapolis Star & Tribune, should be entitled to enhanced First Amendment protections because they are "tools of speech." The Supreme Court has held that the government cannot prohibit citizens from teaching or speaking a foreign language. Meyer v. Nebraska, 262 U.S. 390 (1923) (statute prohibiting the teaching of foreign languages held unconstitutional); Bartels v. Iowa, 262 U.S. 404 (1923) (statute prohibiting teaching of foreign languages below the eighth grade held unconstitutional); Yu Cong Eng v. Trinidad, 271 U.S. 500 (1926) (Philippine statute prohibiting maintenance of business records in certain languages held unconstitutional); Farrington v. Tokushige, 273 U.S. 284 (1927) (preliminary injunction against enforcement of comprehensive Hawaiian statute regulating foreign language schools upheld). Recently, the Ninth Circuit declared that Arizona's "English-only" statute was unconstitutional. Yniguez v. Arizonans, 1994 U.S. App. LEXIS 40866, 64 USLW 2219, 1995 WL 583414 (Oct. 5, 1995) (en banc decision). We submit that the Government cannot prohibit its citizens from communicating in code, anymore than it can prohibit them from communicating in the Spanish, Japanese or Navaho language. [13]
It is significant that the majority in Minneapolis Star & Tribune analyzed the case under First Amendment principles and did not employ the equal protection analysis urged by then-Justice Rehnquist in dissent. Plaintiff submits that the Court's analysis in that case stands for an underlying First Amendment principle: regulation of the tools of speech, like regulations of speech itself, raise First Amendment concerns and can be justified only by "an overriding governmental interest." The defendants have not met that burden in this case.
This case involves plaintiff's attempt to obtain the State Department's clearance to export Constitutionally protected information. The First Amendment does not stop at the water's edge. Bullfrog Films, Inc., v. Wick, 847 F.2d 502, 511 (9th Cir. 1988). In Bullfrog, the Court held that United States Information Agency regulations implementing an international agreement aimed at facilitating the international circulation of educational and scientific audio-visual materials were subject to First Amendment analysis and did not pass Constitutional muster. The Court wrote that:
A logically prior question, whether the First Amendment applies abroad, was raised by the district court . . . the court concluded: 'There can be no question that, in the absence of some over-riding governmental interest such as national security, the First Amendment protects communications with foreign audiences to the same extent as communications within our borders.'
Id. at 509 n.9 (citing the lower court opinion at 646 F. Supp. 492, 502 (C.D.Cal. 1986)).
The defendants mistakenly argue that the First Amendment issue in this case should be analyzed using the guidance of United States v. O'Brien, 391 U.S. 367 (1968). That contention is fundamentally wrong. As the Government correctly notes, O'Brien sets forth "the standard for evaluating the government's regulation of conduct which might, in its particular applications, impose incidental restrictions on speech." Defs. Mem. at 20 (emphasis added). O'Brien applies only "when 'speech' and 'non-speech' elements are combined in the same course of conduct." O'Brien, 391 U.S. at 376 (emphasis added). That analysis has no application here because in this case there is no regulated conduct, only regulated speech.
The defendants' contention that exports of the book and diskette are acts of "conduct" and not acts of "speech" would, if accepted, subject all publishing activities to an O'Brien analysis. The only "conduct" involved in this case is the conduct of distributing information. If the exportation of either the book or the diskette can be labeled as "conduct" and so regulated, then the publication of any book or newspaper can be similarly pigeon-holed and subject to far more stringent regulation than has ever been permitted in our First Amendment speech and press jurisprudence.
It should be remembered that the conduct at issue in O'Brien was the burning of draft cards. The case took on a First Amendment coloration only because the draft cards were being burned as a protest against the war in Vietnam. The defendants in that case categorized their conduct as "symbolic speech" and sought refuge in the First Amendment. The Supreme Court properly recognized that the act of burning a government-issued document was qualitatively different than the act of publishing an anti-war newspaper. This case, plaintiff submits, involves acts of distributing information, not conduct in the O'Brien sense.
The defendants' effort to label the act of publication of source code in printed and electronic form as "conduct" is essentially the same argument that was advanced in the Yniguez case in an effort to uphold Arizona's "English-only" law. In that case, the defenders of the law argued that a regulation prohibiting use of any language other than English in communications with the Arizona government was not a regulation of speech because "choice of language . . . is a mode of conduct -- a nonverbal expressive activity." Yniguez, 1995 WL 583414 at *11. The Ninth Circuit quite properly rejected this argument, stating that "[l]anguage is by definition speech, and the regulation of any language is the regulation of speech." Id. "Speech in any language is still speech, and the decision to speak in another language[, including the language of encryption,] is a decision involving speech alone." Id., 1995 WL 583414 at *13. The same result should follow here.
The First Amendment was designed, in large part, to protect the right of citizens to communicate through printing, publication and distribution of speech in the form of handbills, broadsides and rudimentary newspapers. The printing, publication and distribution of a book is classic "pure speech" and cannot be transformed by lawyers' arguments into "conduct" and thus subjected to regulation under a lessened standard of judicial scrutiny. That same result must follow for publication and distribution of information in digital form, whether in the form of a computer-readable CD-ROM or, as here, a diskette. The First Amendment is not limited to the printing press and it, like technology, expands to embrace all means for communicating information.
The proper analytical test for this case is the "clear and present danger" test consistently applied by the Supreme Court to books, newspapers and similar publications. Under that test, the burden is on the government to show a real, not imagined, danger to a legitimate government interest. We submit, for reasons explored in section IV of this memorandum, that the government cannot carry that burden with respect to this diskette.
Even if the O'Brien test was applicable to the present case, the defendants' actions would not pass Constitutional muster. The Supreme Court, as defendants note in their memorandum, established four criteria for determining when government interests sufficiently justify the regulation of expressive conduct combining speech and non-speech elements:
government regulation is sufficiently justified if it is within the Constitutional power of the government; if it furthers an important or substantial governmental interest; if the governmental interest is unrelated to the suppression of free expression; and if the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest.
O'Brien, 391 U.S. at 377. Assuming arguendo that the diskette is not pure speech but is a type of conduct with speech components, the third and fourth prongs of the O'Brien test are not satisfied. As indicated in section II.A. below, subjecting the diskette to export controls under the ITAR amounts to prohibiting its export. Accordingly, Plaintiff would be subjected to a prior restraint on the use of the diskette (an activity with speech components) in violation of his First Amendment right to free expression.
Also, as indicated in section IV below, exports of the encryption programs in the diskette, in fact, cannot threaten the national security because the same programs are already widely available in other countries or are so "weak" that they can be broken by the National Security Agency. It follows, therefore, that prohibiting the export is axiomatically a restriction "on alleged First Amendment freedoms" that is "greater than is essential to the furtherance" of the interest protected. In this case, the defendants seek to prohibit exports which would not threaten the national security.
If this were a "speech plus" case, then under Tinker v. Des Moines Independent Community School District, 393 U.S. 503, 508 (1969), a balancing of Mr. Karn's exercise of his First Amendment rights against the conflicting implementation of the ITAR by the Department of State would be necessary. In Tinker, the Supreme Court balanced the wearing of armbands by students against the conflicting rules of the school authorities. 393 U.S. at 510-11. In this case, plaintiff's proposed exportation of encryption software, which is not injurious to the national security, must be weighed against the policies of the State Department, which, again, amount to a prohibition on the export of the software. Any such balancing should result in the State Department's actions not passing muster, because, simply put, it has no basis for its action that will withstand Constitutional scrutiny.
The Department of Commerce's Bureau of Export Administration implements the EAA and its implementing regulations, and the Department of State's Office of Defense Trade Controls ("ODTC") implements the ITAR. The determination that a particular product is subject to the EAA, as opposed to the ITAR, can have great significance as to the ease with which it can be exported or as to whether it can be exported at all.
One basic distinction between the two regulatory systems is that under the EAA, products and technologies may be eligible for export under a variety of "general licenses". A general license is one which is "generally available" inasmuch as it may be used as authorization for an export without the necessity of a prior case-by-case export license application. Some products and technologies subject to export control under the EAA require individual validated licenses prior to export. An individual license must be specifically applied for from the Department of Commerce and issued prior to any export.
The regulations promulgated under the ITAR do not provide for general licenses. Rather, specific licenses, or other authorizations, must be obtained for essentially any export of products or technologies subject to its control. ODTC has developed certain standard practices for regulating exports of cryptologic software. The ODTC decisions on exporting cryptographic software are in fact made entirely on the basis of recommendations from the National Security Agency ("NSA"). Current policy permits essentially unregulated export of cryptographic software that uses either the RC2 or RC4 ciphers, as long as the cipher keylength is 40 bits or less. [15] Recently, the government proposed a modest liberalization of licensing policy for ITAR-controlled cryptographic functionalities with a key length of up to 64 bits provided that a "backdoor key" for decrypting messages is escrowed and available to the government under an appropriate lawful warrant. U.S. Department of Commerce National Institute of Standards and Technology Press Release, dated August 17, 1995.
The "commodity jurisdiction" procedure that is at issue in this litigation is an administrative mechanism set forth in the ITAR that permits companies or individuals to apply to the ODTC for a ruling that a particular commodity is not regulated under the ITAR but is instead regulated for export, if at all, by the Department of Commerce. See 22 C.F.R. § 120.4. Mr. Karn applied to ODTC for just such a determination. The effect of the defendants' refusal to make that determination is to preclude the export of the floppy disk. Because of a unique regulatory definition of "export," it is not only unlawful to send the diskette outside the United States, it is equally unlawful to deliver the diskette to a foreign national within the United States. [16] Thus, defendants are simply wrong when they argue that this case only involves communications beyond our borders. See Defs. Mem. at 18. Under the current commodity jurisdiction determination, it is a crime for Mr. Karn or anyone else to give the diskette to a foreign national in the United States, as well as to ship it outside the United States.
The ITAR provisions that apply in this case are facially clear, but have been twisted and linguistically tortured by the defendants to become a virtual regulatory "spider web" through interpretations so vague that they defy comprehension.
The defendants determined that the diskette is subject to entirely different provisions of the ITAR than those that apply to the Applied Cryptography book. The diskette, they say, is subject to regulation as a "defense article" while the book is not because it is in the public domain. See Defs. Mem. at 8-9. The diskette and the book are subjected to different regulatory obligations under the ITAR even though they are functionally the same material. The defendants reach this bizarre result through a convoluted parsing of their vague published regulations.
ODTC determined that the diskette is a defense article under Category XIII(b)(1) of the USML. That category includes information securities systems and equipment, cryptographic devices, software and components. Category XIII(b) at 22 C.F.R., § 121.1. Despite the fact that the diskette contains the same information as the book, ODTC concluded that the Applied Cryptography book "[i]s not subject to the licensing jurisdiction of the Department of State since [it] is in the public domain." Lowell Decl. at 11. This correct conclusion with respect to the book was required by the plain meaning of applicable regulations. We submit that the same conclusion was also required with regard to the diskette by the same plain meaning.
Section 125.1 of the ITAR unambiguously states that "[i]nformation which is in the public domain . . . is not subject to the controls of this subchapter." The regulations further define public domain information as that which is "published and . . . generally accessible or available to the public." 22 C.F.R. § 120.11. The book is widely available at book stores. [17] It is, necessarily, exempt from ITAR regulation. [18] A diskette containing the source code listings in the book is available by mail order subscription directly from the author of the book. See the last unnumbered page of Plaintiff's Exhibit 1. [19] The book and the diskette both contain "information." [20] Indeed, they contain the same source code information. Because the diskette at issue here contains information that has been published and is generally available to the public, it is public domain information exempt from ITAR regulation.
A straight-forward application of the plain meaning of the ITAR leads to the conclusion that the diskette, like the book, is in the "public domain" and not subject to the ITAR regulations. The defendants reach a different conclusion through a route of regulatory construction that is a paradigm of regulatory legerdemain. As articulated by Secretary McNamara in his June 13, 1995, letter to the plaintiff:
the ITAR "public domain" exemption which you and your attorneys claim is applicable to your disk is only available for "information" that otherwise would be "technical data" and cryptographic software does not come within the meaning of technical data. . . . Technical data is defined at ITAR §120.10(a)(1) as "information, other than software as defined in §120.10(d)."
Secretary McNamara's interpretation of the regulations is, quite simply, untenable as a matter of any "plain meaning" construction. The complete text of the "public domain" in section 120.11 of the ITAR contains no hint, suggestion or warning that it only applies to information "that otherwise would be 'technical data'" as defined in section 120.10. The "public domain" definition is as follows:
(a) Public domain means information which is published and which is generally accessible or available to the public:(1)Through sales at newsstands and bookstores;(2)Through subscriptions which are available without restriction to any individual who desires to obtain or purchase the published information;
(3)Through second class mailing privileges granted by the U.S. Government;
(4)At libraries open to the public or from which the public can obtain documents;
(5)Through patents available at any patent office;
(6)Through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States;
(7)Through public release (i.e., unlimited distribution) in any form (e.g., not necessarily in published form) after approval by the cognizant U.S. government department or agency (see also 125.4(b)(13) of this subchapter);
(8)Through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community. Fundamental research is defined to mean basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community, as distinguished from research the results of which are restricted for proprietary reasons or specific U.S. Government access and dissemination controls. University research will not be considered fundamental research if:
(i) The University or its researchers accept other restrictions on publication of scientific and technical information resulting from the project or activity, or
(ii)The research is funded by the U.S. Government and specific access and dissemination controls protecting information resulting from the research are applicable.
It is not possible to read into those words Secretary McNamara's additional requirement that the "information" must also meet the separate definition of "technical data" in the preceding section of the regulations.
The flaws in the defendants' regulatory analysis go beyond a mere misreading of the definition of "public domain." Secretary McNamara contends that the only "information" that can fit the "public domain" definition is information that is also "technical data" as defined in a separate provision of the ITAR. He then goes on to both amend and misread that separate provision. The complete regulatory definition of "technical data" is as follows:
(a) Technical data means, for purposes of this subchapter:(1) Information, other than software as defined in § 120.10(d), which is required for the design development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions and documentation;
(2) Classified information relating to defense articles and defense services;
(3) Information covered by an invention secrecy order;
(4) Software as defined in § 121.8(f) of this subchapter directly related to defense articles;
(5) This definition does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain as defined in §120.11. It also does not include basic marketing information on function or purpose or general system descriptions of defense articles.
Section 120.10.
The first flaw in the defendants' construction of this regulation is their effort to amend the reference to "software as defined in § 120.10(d)". There is no section 120.10(d) in the ITAR. This error, which has been present in the regulations, uncorrected, since they were last published in their entirety on July 22, 1993, is the reason why Secretary McNamara stated in his letter to the Plaintiff that the citation was incorrect. Secretary McNamara then went on to attempt to amend the published regulations by declaring that the "citation should read §120.10(a)(4)". Defs. Ex. 14.
However, that ad hoc amendment simply will not support the interpretation the defendants attempt. The defendants contend that "the definition of technical data specifically excludes cryptographic software enumerated in category XIII(b)" of section 121.1 of the ITAR. Defs. Mem. at 7. Not only is that interpretation unsupported by any language in the regulations, it is also flatly contradicted by the language of the regulation.
Subsection (a)(4) of the definition of "technical data" expressly includes "[s]oftware as defined in § 121.8(f) of this subchapter . . ." That section provides:
(f) Software includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test, operation, diagnosis and repair. . . .
On its face, this definition does not exclude any form of software, much less the cryptographic software covered in category XIII(b)(1).
The defendants' construction of the "technical data" provision rests entirely on the second sentence of section 121.8(f) which states that "[a] person who intends to export software only should, unless it is specifically enumerated in § 121.1 (e.g., XIII(b)), apply for a technical data license pursuant to part 125 of this subchapter." Defendants somehow read into that parenthetical reference to category XIII(b) an exclusion of such software from the definition of technical data. The text does not support that construction. All that the second sentence says is that persons who wish to export software enumerated in category XIII(b) should not apply for a technical data license. The section does not, in other words, limit the definition of "technical data," but is -- at most -- an inartful limitation on the granting of technical data licenses.
Defendants overlook the most relevant language in the ITAR "technical data" definition which expressly excludes from its coverage "information in the public domain as defined in section 120.11." Therefore, if cryptographic source codes are publicly available, they cannot be "technical data" because the regulatory definition of "technical data" expressly excludes public domain information from its coverage.
The published regulations are not vague on their face: Any "information", whether it consists of cryptographic source codes or Pulitzer Prize-winning fiction, is outside the ITAR regulatory structure if it meets the regulatory definition of "public domain" material. There is simply no textual basis in the published regulations for the defendants' contention at page 7 of their memorandum that "cryptographic software covered by category XIII(b)(1)" of the ITAR is excluded from the "public domain" exception by virtue of the "technical data" definition, whether read as it has been promulgated or as the defendants' now try to amend and interpret it. The interpretation of the ITAR applied in this case is simply an arbitrary re-writing of the published regulations driven by an arbitrary distinction between a diskette and a book. As such, it is unconstitutional under the Due Process Clause and additionally is a violation of the Administrative Procedure Act.
Defendants contend that the proper interpretation of the ITAR precludes any "cryptographic software enumerated in Category XIII(b)" from being exempt from export controls under the "public domain" exception. Defs. Mem. at 40. Applying this rubric, the defendants denied Mr. Karn's request for a commodity jurisdiction for the diskette. But the Department of State had already determined that the source code listings in Applied Cryptography were indeed "in the public domain" and thus exempt from export controls. See Lowell Decl. ¶ 11 and Tab 5 thereto. Thus, through an arbitrary invocation of semantic labeling, information published as print on paper is administratively classified as "in the public domain", while the identical information imprinted as magnetic data on mylar is defined as "computer software". Defendants contend that the latter software is ineligible for the talismanic categorization of "technical data" which, if it is in the public domain, is exempt from export controls.
This manipulation of language to justify totally arbitrary results is worthy of Humpty Dumpty in Through the Looking Glass. [21] Without any prior definition in the regulations, without any precedential basis and without a rational basis in fact, the export control authorities have taken two functionally identical commodities, both of which are regarded by computer programmers as software, Karn Decl. at ¶ 14, labeled one as a "mere book," the other as a "functional program" and thereby relegated the items to drastically different regulatory regimes. This result-driven lexicography is the antithesis of due process; it is inherently and obviously arbitrary and capricious and should be judicially invalidated.
In 1977, a NSA employee wrote the Institute of Electronic and Electrical Engineering to advise that the intended publication of a paper on public key cryptography would violate the ITAR. Applied Cryptography at 452. His contention was based on the literal language of the regulations which prohibited the disclosure, in the United States, of even "unclassified information" if the information might "advance the state of the art . . . in an area of significant military applicability." Id. Public key cryptography was, at that time, essentially unknown outside of NSA, so the warning was, on its face, a credible construction of the then-applicable ITAR regulations.
The NSA letter caused a firestorm of concern and led directly to the preparation of a series of legal opinions by the Office of Legal Counsel in the Department of Justice. [22] The first opinion, issued May 11, 1978, concluded that "[t]he ITAR requirement of a license as a prerequisite to 'exports' of cryptographic information clearly raises First Amendment questions of prior restraint." OLC Memorandum to Dr. Frank Press, May 11, 1978, at 5. That office went on to conclude that "the regulatory provisions present questions of overbreadth and vagueness." Id. at n.8. The memorandum concluded by stating that the ITAR restrictions on cryptologic information, whether generated by the government or developed by private individuals, were "justifiable under the First Amendment only to the extent that the information is properly classified or classifiable." [23] Id. at 7 (emphasis added). The ultimate conclusion was "that the present ITAR licensing scheme does not meet constitutional standards." Id. at 11.
In part as a direct result of the OLC opinion, the Department of State undertook a revision of the ITAR and published proposed changes in December of 1980. 45 Fed. Reg. 83,970 (Dec. 19, 1980). On July 1, 1981, OLC issued its second opinion on the constitutionality of the ITAR regime. The office concluded that while "the revised ITAR is a significant improvement over the prior version, . . . even as revised, it can have a number of unconstitutional applications." OLC Memorandum Opinion for the Office of Munitions Control, July 1, 1981, at 1, published at 5 Opin. OLC 202. The 1981 opinion concluded that while some of the substantive vagueness of the ITAR had been eliminated, the process was still an unconstitutional system of prior restraint because it does not "impose on the government the burden of obtaining prompt judicial review of any State Department decision barring the communication of cryptographic information." Id., 5 Opin. OLC at 205. [24] The Department of State did not heed the OLC advice and the present regulations still do not require the government to initiate a prompt judicial review of the denial of an export license for cryptologic data. OLC's 1981 opinion correctly stated that "if speech is arguably protected by the First Amendment, it may not be subjected to prior restraint except in the most extraordinary cases" and that "[p]rior restraint . . . is presumptively unconstitutional." Id., 5 Opin. OLC at 212.
OLC was again asked to analyze the ITAR in 1984. In yet another opinion, that office concluded that "the application of the ITAR to a significant class of conduct continues to raise serious constitutional questions." OLC Memorandum for Davis R. Robinson, Legal Adviser, Department of State, July 5, 1984, at 2. That opinion considered two intervening Supreme Court decisions, Metromedia, Inc. v. San Diego, 453 U.S. 490 (1981) and Bolger v. Youngs Drug Products Corp., 463 U.S. 60 (1983). The office concluded that, notwithstanding those decisions, "the constitutional principles upon which we relied [in our prior opinions] remain intact." OLC Mem. at 4. The Office again concluded that the revised ITAR would still "appear to us to present sensitive constitutional issues" and that there was still an unconstitutional "remaining overbreadth." Id. at 14-15.
The constitutional infirmities which OLC has repeatedly identified in the ITAR remain there today. There is still no provision for prompt judicial review, at the government's instigation, of decisions to prohibit dissemination of cryptologic information outside the United States. In fact, the administrative action taken in this case has, if anything, retreated from the "liberalization" that OLC had expected. The revised ITAR considered in 1984 held out the promise that no "public domain" information would ever be regulated. See 1984 OLC opinion at 8. In this case, the defendants have, through linguistic distortions, specifically tried to prohibit the export of source codes that are undeniably already in the public domain.
The impact of the OLC opinions on this case is obvious. We submit that those opinions are respectable authority for our arguments that the application of the ITAR to the diskette is both impermissibly vague and an unconstitutional prior restraint. At a minimum those opinions establish that the constitutional claims in this case are substantial and far more than "colorable."
The defendants' contention that the diskette "enable[s] a computer to perform a cryptographic function" is erroneous. Defs. Mem. at 3. As evidenced by the Karn Declaration, the diskette functions to provide textual information to a human being, a computer programmer, who then combines this information with other information to produce yet a new commodity that, when translated by a computer from English to a binary language ("object code") becomes an operating computer program that can be used by a human being to encrypt information. Thus the diskette -- like the book -- functions to inform a human being, a function that lies at the heart of the First Amendment.
An accurate determination of the facts will conclude that the source code listings in the book and those on the diskette have essentially identical functionalities. Both provide information to a computer programmer for creating an encryption program. Neither, by itself, is capable of performing any encryption or decryption. Both are readable by human beings. Both the source code listings and the diskette files are protectible under the copyright laws as written expressions. [25]
The submissions of defendants and the plaintiff are squarely in conflict. Defendants contend that the book and the diskette have significantly different functionalities, differences that justify distinctly different regulatory treatment. The plaintiff, a fully qualified computer programmer who has created significant communications programs, declares that there is no functional difference between the two forms of expression. The scope and extent of this factual clash cannot properly be adjudicated on declarations alone. Discovery is necessary to explore why the unnamed NSA programmers who created the test program that underlies the defendants' factual submission hold the views that have been expressed in the defendants' submission.
In order to meet their burden under New York Times, the government must show that exportation of plaintiff's disk would pose a real danger to the national security. For the following reasons, defendants fall short of this standard.
The State Department permits the exportation of certain "weak" grades of cryptographic software, such as 40-bit keylength implementations of RC2 and RC4. That policy reflects the rational conclusion that not all cryptography poses a threat to our national security. For example, the defendants give a footnote example of the "Caesar cypher" which takes each letter and simply moves it a fixed number of places to become another letter. See Defs. Mem. at 19. This same algorithm is widely used in some e-mail software programs as the "ROT-13" system. Under that system, each letter is replaced by a letter 13 places removed. To a casual reader, an ROT-13-encrypted e-mail message is incomprehensible. Such programs obviously pose no threat to national security since they can be easily broken.
There are 14 cryptographic algorithms at issue in this case. The defendants cannot, we believe, deny in good faith the fact that at least several of these algorithms pose no threat to national security. Three of those algorithms (MD5, NHASH and SHS) are "hashing" functions not capable of performing encryption of data. [26] Those functions are expressly exempted from ITAR regulation. Category XIII(b)(1)(vi) of 22 C.F.R. § 121.1. One of those algorithms is the famous Enigma cypher that was used by the Germans in World War II. NSA has for many years proudly recognized, and properly so, that the Allies cracked Enigma during the War and were therefore able to read German traffic. How then can export of that same cypher in computer source code form possibly pose a threat to our national security?
The 14 source codes include other algorithms, such as the FEAL-8 algorithm, that have been broken by individual cryptographers. [27] Again, a code which has been broken by private-sector cryptographers cannot constitute a threat to our national security. Given the "beyond Top Secret" classification status of NSA's cryptographic activities, there is no public recognition of which of the 14 cyphers, other than Enigma, NSA can break. However, given the highly-regarded capabilities of NSA, the substantial fiscal resources allocated to their activities, and the reasonable inferences based on their prior successful attacks, it is likely that most of the 14 cyphers pose no threat to national security. Karn Decl. ¶¶ 16-18.
We acknowledge that at least one of the cyphers, IDEA, may well be strong enough that it cannot be routinely or economically broken by NSA and that widespread use of IDEA to encrypt messages could significantly reduce the ability of NSA to gather foreign intelligence. That probability, however, still does not mean that export of the IDEA encryption algorithm would pose any threat to the national security. The IDEA algorithm is already widely available throughout the world, in a fully-executable object code form, as part of the Pretty Good Privacy ("PGP") software. PGP has been publicly available, for free, from a number of Internet sites for several years. See Exhibit B to the Karn Decl. (Internet listing of PGP availability).
The foreign availability of a fully-executable implementation of IDEA is only one example of the meaninglessness of the export restrictions imposed on this diskette. Many of the same source code listings that are on the diskette are already available in digital form from Internet sites in foreign countries. Exhibit A to Karn Decl. It is indeed absurd for the defendants to invoke the national security blanket for the Vigenere algorithm that is the first source code listing in the book. As is apparent from the text itself, that listing was prepared by an Australian in 1992. What the defendants are saying in this case is that the plaintiff cannot export an electronic version of a source code listing that was first disclosed outside the United States. That contention, we submit, is simply irrational.
Defendants argue that the foreign availability of these source codes does not diminish the legitimacy of their regulation of exports from the United States. Arguing that the fact that there are tanks and guns in foreign countries does not invalidate government regulation of those armaments, defendants suggest that our national security is somehow enhanced by the restrictions they seek to impose here. That contention is factually unsound. Tanks cannot be built without financial resources and substantial investment of human resources. It takes millions of dollars and substantial industrial resources to build a tank. It requires nothing but a few hours of time and access to a common computer for a programmer to "make" an encryption program. Computer files can easily be replicated in minutes; tanks cannot be replicated, but must be built individually. The defendants' argument ignores these critical differences.
The foreign availability of these source codes, and other cryptographic materials, is sufficient to cause any reasonable person to question defendants' invocation of national security. This Court is familiar with the fact that the national security blanket has not infrequently been invoked where the alleged threat is ephemeral at best. When First Amendment rights are challenged, even that argument is one which must be tested, not automatically accepted on the sole basis of unexamined declarations, even declarations from NSA officials. [28]
The Arms Export Control Act provides that the "designation by the President . . . in regulations issued under this section, of items as defense articles or defense services for purposes of this section shall not be subject to judicial review." 22 U.S.C. § 2778(h). This provision arguably prohibits a challenge to the Secretary of State's inclusion of cryptographic software in Category XIII(b) of the published USML, absent constitutional issues. What it does not prohibit is this challenge to the government claims that this specific diskette can be subjected to the ITAR regulations. The question of whether a category of items should have been placed on the USML involves policy decisions that might fall within the non-reviewable area of a political question; however, the question whether a specific item is properly regulated under that category is one of fact which the judiciary is well-suited to address. [29]
Prohibitions on judicial review are to be interpreted narrowly in light of the strong presumption in favor of judicial review. Bowen v. Michigan Academy of Family Physicians, 476 U.S. 667, 670-73 (1986). The Supreme Court has established the standard for overcoming this presumption in favor of judicial review as "a showing of 'clear and convincing evidence' of a contrary legislative intent." Traynor v. Turnage, 485 U.S. 535, 542 (1988). In considering the scope of a judicial review prohibition, the Court gives great weight to the specific language chosen by Congress, and also considers the text and legislative history of the statute. Block v. Community Nutrition Institute, 467 U.S. 340, 345 (1984); Traynor, 485 U.S. at 541-43. For example, in McNary v. Haitian Refugee Center, Inc., 498 U.S. 479, 483 (1991), the Court addressed whether the administrative and judicial review provisions of the Immigration and Nationality Act precluded a federal district court from exercising general federal question jurisdiction.
The judicial review provision in McNary provided: "There shall be no administrative or judicial review of a determination respecting an application for adjustment of status under this section except in accordance with this subsection." 8 U.S.C. § 1160(e)(1). The Court noted that the critical words in the judicial review prohibition referred "only to review 'of a determination respecting an application'" for Special Agricultural Worker status. McNary at 491-492, quoting 8 U.S.C. § 1160(e)(1). Because the critical words were in the singular form, the Court interpreted the prohibition to apply only to the denial of an individual application. Thus, a challenge to the application process itself was allowed. Id. McNary illustrates that the presumption in favor of judicial review directs the Court to focus on the narrowest possible interpretation when examining the precise wording of a judicial review prohibition. When applied to section 2778(h) of the AECA, this approach limits the judicial review prohibition to the Secretary of State's listing of items in the USML published regulation only; thus, the prohibition does not bar review of specific factual issues such as the one at issue here.
The text of the AECA also supports an interpretation that allows review of whether an item is properly regulated under the ITAR. The judicial review prohibition applies to "the designation . . . in regulations . . . of items as defense articles or defense services for purposes of this section. . . ." 22 U.S.C. § 2778(h). The same words appears at the very beginning of section 2778 in a paragraph that sheds light on how narrowly Congress intended the judicial review prohibition to apply. Paragraph 22 U.S.C. § 2778(a)(1) reads in relevant part:
The President is authorized to designate those items which shall be considered as defense articles and defense services for the purposes of this section and to promulgate regulations for the import and export of such articles and services. The items so designated shall constitute the United States Munitions List.
Restated, this paragraph defines the items designated "as defense articles and defense services for purposes of this section" as the USML. Since Congress repeated these exact words in the judicial review prohibition ('as defense articles or defense services for purposes of this section'), Congress must have intended that they receive the same meaning in paragraph (h) as they are defined as in paragraph (a)(1). Thus, since paragraph (a)(1) indicates that these items designated shall constitute the USML, Congress must have intended that the judicial review prohibition similarly apply to only the designation of items on the USML. [30] Such an intention would not prohibit review of the factual determinations involved in deciding whether the State Department can actually regulate an item under one of the USML categories previously designated.
The Supreme Court has allowed judicial review even when faced with a prohibition far more sweeping than that of the AECA. In Lindahl v. OPM, 470 U.S. 768 (1985), the Court found that judicial review under the Civil Service Retirement Act was appropriate notwithstanding the judicial review prohibition. That prohibition provided that decisions by the Office of Personnel Management ("OPM") on "questions of dependency and disability . . . shall be final and conclusive and shall not be subject to review." 5 U.S.C. § 8347(c). The issue before the Court was whether section 8347(c) prohibited judicial review altogether, or only the factual determinations of the OPM, and thus permitting review of questions of law and procedure. The Court noted that
while section 8347(c) plausibly can be read as imposing an absolute bar to judicial review, it also quite naturally can be read as precluding review only of OPM's factual determinations about 'questions of disability and dependency'. . . . [W]hen Congress intends to bar judicial review altogether, it typically employs language far more unambiguous and comprehensive than that set forth in § 8347.Lindahl, 470 U.S. at 779-80. Based on the presumption favoring judicial review and the precise wording of the text, section 8347 was interpreted only as precluding review of OPM's factual, but not its legal, conclusions. Id. at 779.
The similarity of the dual reading of section 8347 noted by the Court in Lindahl and the dual reading of section 2778(h) demonstrated by Plaintiff and defendants in this case is dispositive. In light of the presumption favoring judicial review, the ambiguous language of section 2778(h), the particular wording chosen by Congress, and the lack of a statutory structure supporting a complete prohibition on review, [31] this court should find that section 2778(h) does not bar the review sought in this case.
In their memorandum, defendants offer no direct support for their proposition that "plaintiff may not challenge in this Court . . . the State Department's specific designation of plaintiff's software diskette as a defense article." Defs. Mem. at 12. United States v. Martinez, cited by defendants, stands only for the proposition that inclusion of a category on the USML is not subject to judicial review. [32] That case does not address whether a court can review the factual issues involved in challenging the State Department's designation of plaintiff's diskette as a defense article covered by a categories of commodities on the USML. [33]
Defendants rely on three Ninth Circuit opinions for the proposition that the factual determination that a particular item is covered by a USML category is not subject to judicial review. Defs. Mem. at 14. Defendants' reliance on these cases is misplaced because: 1) these cases all arose in a criminal context and address judicial review under the EAA, not the AECA; and 2) the D.C. Circuit has taken the opposite view of the Ninth Circuit on judicial review availability under the EAA.
Defendants rely on three cases from the Ninth Circuit: United States v. Spawr Optical Research, Inc., 864 F.2d 1467 (9th Cir. 1988), cert. denied., 493 U.S. 809 (1989); United States v. Mandel, 914 F.2d 1215 (9th Cir. 1990); United States v. Bozarov, 974 F.2d 1037 (9th Cir. 1992), cert. denied, 113 S. Ct. 1273 (1993). All of those cases arose from criminal charges brought against the defendants who plead or were found guilty of violating the EAA. None of the decisions concern the exportation of items that implicate First Amendment rights. [34] None of the cases address the issues of factual review sought here by plaintiff. [35] In fact, the statute discussed in each of the cases is not even the same statute as the one at issue in this case.
The Ninth Circuit cases all involve the EAA, not the AECA. While defendants characterize the EAA export controls as "closely analogous" to those of the AECA, Defs. Mem. at 13, important differences exist that are critical to this case, in both the actual text of the judicial review provisions and in the overall comprehensiveness of the statutory structures.
The judicial review prohibition in the EAA applies to all administrative "functions exercised under this Act". 50 U.S.C. § 2412(a). The word "functions" as used in that provision encompasses all activities exercised under the EAA. In comparison, the more precise wording of the AECA only prohibits review of the single administrative function of "designating" an item on the USML. Each Ninth Circuit case relied on by defendants cites to the broad EAA prohibition on judicial review. [36] Defendants do not show how the EAA cases can be relied on when this case is brought under a different statute with a much narrower judicial review prohibition.
In deciding whether a statute precludes judicial review, courts will consider the overall statutory structure, the comprehensiveness of the protections and remedies available, and the availability of administrative and judicial review provided by the statute. Where Congress enacts a comprehensive statutory scheme, intent to preclude judicial review may be discerned from the structure. United States v. Fausto, 484 U.S. 439, 449-51 (1988). The AECA does not contain a comprehensive statutory scheme like the EAA indicating a preclusion of judicial review. The EAA provides specific direction as to the processing of export license applications, the enforcement process and administrative procedure and judicial review. [37] The administrative and judicial review portion alone consists of nine paragraphs and clauses explaining the procedures for and time limitations on review. [38] These provisions speak to the following: excluding the functions exercised under the Act from judicial review; providing for a formal complaint, administrative hearing, findings by an administrative law judge and a written order from the Secretary; providing for appeal of the Secretary's decision; directing the qualifications of administrative law judges; allowing for temporary denial orders and review and appeal thereof; and providing for appeal from license denials. This exhaustive scheme stands in stark contrast to the brief text of 22 U.S.C. § 2778(h). Considered as a whole, the AECA shows no Congressional intent to preclude judicial review of Plaintiff's claims. It establishes no comprehensive system of judicial and administrative remedies for those affected by agency action, and displays no intent to displace the jurisdiction of an Article III Court.
The defendants' reliance on the Ninth Circuit decisions interpreting the EAA overlooks the significant difference between those decisions and the law in this circuit. In Dart v. United States, 848 F.2d 217 (D.C. Cir. 1988), this Circuit had to determine whether the judicial review prohibition in the EAA was broad enough to prohibit the review of certain functions that were not specified in the language of the EAA's prohibition. The EAA prohibited review of orders of the Secretary that "'affirm, modify, or vacate' an ALJ's initial decision." In Dart, the Secretary had issued an order that did not affirm, modify or vacate an ALJ decision, but instead "reversed" the ALJ's decision. The court found that judicial review of the Secretary's reversal was available based upon the "well-established presumption favoring judicial review and on the particular language, structure and legislative history of the EAA." Id. at 221. That decision is consistent with the "narrow construction" rule that the Supreme Court has held must be applied to legislative attempts to limit judicial review. The D.C. Circuit is also clear that the party seeking to preclude review bears the burden of demonstrating by clear and convincing evidence that Congress intended to restrict access to judicial review. Bartlett v. Bowen, 816 F.2d 695, 699 (D.C. Cir. 1987); see Paradyne Corp. v. United States Department of Justice, 647 F. Supp. 1228, 1235 (D.D.C. 1986). The defendants have failed to carry the burden in this case, and thus the Court should review all of Plaintiff's claims. [39]
As acknowledged by the defendants, judicial review of colorable constitutional claims is allowed in spite of a statutory judicial review prohibition. Defs. Mem. at 16, citing Webster v. Doe, 486 U.S. 592 (1988). The constitutional issues presented by this case have been discussed in prior sections of this memorandum. Those issues are clearly far more than merely "colorable" and therefore, even under the defendants' view of the scope of the judicial review prohibition in the ACEA, this Court is not barred from deciding those issues on their merits.
For the reasons set forth in this memorandum, and on the basis of the materials submitted with this memorandum, the Court should deny the defendants' motion, permit discovery on the contested material facts, and schedule a mini-trial to determine the contested factual and legal issues.
Respectfully submitted, Of Counsel Kenneth C. Bass, III Teresa Dondlinger Trissell Thomas J. Cooper Venable, Baetjer, Howard & Civiletti, LLP 1201 New York Avenue, N.W. Suite 1100 Washington, D.C. 20005 (202) 962-4890 Counsel for Plaintiff Date: December 11, 1995
1. On its face the statute makes "determinations . . . in regulations . . . of items as defense articles" non-reviewable, and this case does not involve a question of the inclusion in regulations of cryptographic software as a "defense article." See infra pp. 34-38.
2. There are at least two factual disputes which require limited discovery: 1) Is there any functional difference between the book and the diskette versions of the source code; and 2) Do any of the cryptographic algorithms at issue pose any genuine threat to national security. See infra pp. 29-34.
3. Bruce Schneier, Applied Cryptography (1994). For the Court's convenience, a copy of the book has been lodged with the Clerk as Plaintiff's Exhibit 1 and a copy of the diskette has been lodged as Plaintiff's Exhibit 2.
4. The secondary position is most clearly articulated when the defendants discuss the process of optically scanning a book, Defs. Mem. at 28-29, and ultimately conclude that in light of "rapid technological development" in the field, the Executive Branch is "re-visiting the question of printed source codes." Defs. Mem. at 30. Indeed, defendants admit that the continuing validity of their decision to permit free export of Applied Cryptography is presently under re-consideration "through another pending CJ request." Defs. Mem. at 28 n.22. That other request is, we believe, a request by the Massachusetts Institute of Technology to the Department of State to issue a commodity jurisdiction determination for their published book, PGP Source Code and Internals, which contains a printed listing of the computer source code for a complete cryptographic program, PGP ("Pretty Good Privacy"). See attached Declaration of Philip R. Zimmermann.
5. The defendants' observation that some of the text files on the disk include corrections of minor typographical errors in the book, Defs. Mem. at 29, does not alter the fundamental fact that, for purposes of regulation, the text of the book and the text of the diskette is indistinguishable. It does not matter, for purposes of government regulation, whether the subject of the regulation is an "uncorrected first edition" or the corrected second edition of a book. Plaintiff submits that the minor textual differences between the book and the diskette are equally irrelevant.
6. Secretaries in counsel's firm were asked to type the 18-page DES source code listing into a word processing file. That task was timed and it required 2.77 hours. See Tuthill Decl. It took Mr. Karn 3.5 hours, using an optical scanner, to convert the book listings into a functional source code listing in machine-readable form. About three hours of that time was spent in correcting errors in the scanning process and errors in the syntax of the listings in the book. Karn Decl. 5-7.
7. The text files on the diskette can be printed out by a simple DOS command: "type a:[textfile name]" to read it on the screen, or "print a:[textfile name]" to print a copy on paper.
8. Microsoft® Windows, routinely installed on most personal computers sold today, comes with a utility, Notepad, that can easily be used to display or print the text files on the diskette.
9. Computer diskettes consist of a mylar disk enclosed in a plastic housing. The information stored on the mylar is in the form of magnetic variations in the coating on the mylar disk.
10. See Cubby, Inc. v. Compuserve, Inc., 776 F. Supp. 135, 140 (S.D.N.Y. 1991) ("A computerized database is the functional equivalent of a more traditional news vendor.")
11. The "limited resources" analysis that has traditionally been invoked to justify restrictions of broadcast media that would be impermissible in a book context is not material here. Moreover, even those traditional differences are of questionable continuing validity in light of the technological advances afforded by cable and satellite distribution of broadcasts. Robert Corn-Revere, New Technology and the First Amendment: Breaking the Cycle of Repression, 17 Hastings Comm. and Enter. L.J. 247, 261 n.57 (1994) (citing courts and commentators that have questioned the continuing validity of the "limited resources" analysis).
12. The comments are marked by the text lines that begin with "/*" and end with "*/" in both the book and the diskette files.
13. In fact, the Navaho language was used as one of the most successful forms of encryption employed during World War II to protect military communications. See NSA'S Guide To The National Cryptologic Museum, attached as Plaintiff's Exhibit 5, at 12.
14. The EAA expired on August 20, 1994. Since that date, its regulatory structure has been continued by a Presidential Executive Order issued under the auspices of the International Emergency Economic Powers Act. 50 U.S.C. § 1701 et seq.
15. Applied Cryptography at 454.
16. The applicable ITAR provision defines "export" as
(1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes personal data; or . . .22 C.F.R. § 120.17.(3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an Embassy, any agency of subdivision of a foreign government (e.g., diplomatic missions); or
(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
(5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad. . . .
17. The copy of the book lodged with the Clerk as Plaintiff's Exhibit 1 was purchased at Borders' bookstore at Tysons Corner, Virginia.
18. In light of these plain and unambiguous provisions, it is frankly astonishing that the defendants suggest that they are "reconsidering" their prior ruling that a published book of cryptographic source codes might require an export license before it could be distributed to foreign countries.
19. The diskette distributed by the author contains source code listings not printed in the book. In order to eliminate this basis for distinguishing the book form from the diskette form, Mr. Karn requested a commodity jurisdiction determination for a diskette that contained only the source code listings printed in the book. Since those diskette files are all included in the two-diskette version that is publicly available from the author of the book, the diskette at issue is, we contend, also publicly available within the meaning of the ITAR.
20. The ITAR does not include any definition of "information." A dictionary definition of "information" in the specific context of computers is "data at any stage of processing (input, output, storage, transmission, etc.)." Random House Unabridged Dictionary 980 (2d ed. 1993). The definition does not draw a distinction based on the format of the information or the medium on which it is contained.
21. "When I use a word,' Humpty Dumpty said, in a rather scornful tone, 'it means just what I choose it to mean -- nothing more nor less.' 'The question is,' said Alice, 'whether you can make words mean so many different things.' 'The question is,' said Humpty Dumpty, 'which is to be the master -- that's all.'" Lewis Carroll, Alice's Adventures in Wonderland & Through The Looking Glass 169 (Bantam Classic ed. 1981) (1865 & 1871) (emphasis in original).
22. A copy of each of the public opinions we rely on is submitted with this memorandum as Exhibit 6.
23. None of the source codes at issue in this case is either classified or classifiable.
24. OLC identified three situations in which the application of the ITAR's technical data provisions raised First Amendment concerns: (1) transactions involving the direct transmission of technical data to a foreign enterprise for the purpose of assisting that enterprise in using the technology; (2) transactions involving dissemination for the purpose of promoting the sale of items on the USML; and (3) transactions in which the exporter is not connected with a foreign enterprise in circumstances where "the data may be taken abroad and used by someone there in the manufacture or use of" controlled technology. OLC concluded the revised regulations were still constitutionally suspect in the third category of "exports." Since there is no connection between Mr. Karn and any foreign enterprise, this case falls squarely within OLC's suspect category.
25. "[A] computer program is a 'work of authorship' subject to copyright . . . [whether] written in a conventional human language, known as a source code . . . [or] written in machine-readable language, known as an object code." Nimmer on Copyright § 2.04[C] (1995), at 2-52.1.
26. "Hashing" is a data authentication functionality which produces a single number that represents the precise contents of a document. Hashing does not alter the contents and does not encrypt the document.
27. Discussion of the successful attacks on FEAL-8 is found at pages 251-52 of Applied Cryptography.
28. The national security concerns that fueled the efforts to suppress the Pentagon Papers were based substantially on NSA's concerns that publication of some of the material in those papers would impair NSA's cryptographic mission. See S. Ungar, The Papers & The Papers(1972).
29. Defendants themselves recognize that two separate questions are involved in determining whether or not an item is subject to the AECA when in their own memorandum they state that "plaintiff may not challenge . . . [1] the Secretary of State�s designation of cryptographic software on the USML, nor [2] the State Department�s specific designation of plaintiff�s software diskette as a defense article." Defs. Mem. at 12. In addition, defendants concede that the commodity jurisdiction process, which plaintiff challenges here, "merely determines whether a particular commodity is covered by the USML. . . ." Defs. Mem. at 7.
30. The 11th Circuit also arrived at the same interpretation of section 2778(h). In United States v. Martinez, the 11th Circuit found the plaintiffs' claim to be a nonjusticiable political question. 904 F.2d 601 (11th Cir. 1990). The plaintiffs challenged the category of "cryptographic devices and software" on the Munitions List as overbroad because it included items in the public domain. Id. They did not argue that the video signal descramblers of which they were convicted of conspiring to export were not cryptographic devices. In discussing the judicial review prohibition of section 2778, the court noted that the prohibition "shield[ed] the contents of the Munitions List from judicial review." Id. at 602-03 (emphasis added).
33. The holding in United States v. Helmy, 712 F. Supp. 1423 (E.D.Cal. 1989) that judicial review was prohibited under the political question doctrine is similarly limited to "the placement decisions made under the AECA and the EAA" and not the factual determination of whether an item actually is a defense article listed on the USML. Id. at 1430.
34. In Spawr, the defendants were convicted of conspiracy and the exportation of laser mirrors. Spawr, 864 F.2d at 1469. In Mandel, the defendant was charged with exporting high technology equipment without a license. Mandel, 914 F.2d 1217. In Bozarov, the defendant was charged with conspiracy to export computer disc manufacturing equipment. Bozarov, 974 F.2d at 1038.
35. In Spawr, the defendants raised claims of prosectorial misconduct for failing to disclose to the defense material evidence of an exculpatory nature and for providing the court with an incorrect CCL. Spawr, 864 F.2d at 1472. In Mandel, the government sought review of the trial court's order permitting discovery of the Department of Commerce's records relating to the placement of the high technology items on the CCL. Mandel, 914 F.2d at 1219. In Bozarov, the government appealed the lower court's determination that EAA's preclusion of judicial review violated the nondelegation doctrine of the Constitution. Bozarov, 974 F.2d at 1039-40.
36. Spawr, 864 F.2d at 1473; Mandel, 914 F.2d at 1220 n.10; Bozarov, 974 F.2d at 1039.
37. 50 U.S.C. §§ 2409, 2411-2412.
38. 50 U.S.C. § 2412(a), (c)(1), (c)(2), (c)(3), (c)(4), (d)(1), (d)(2), (d)(3) and (e).
39. Defendants do not expressly address Plaintiff's position that subjecting the diskette to export controls when the information it contains is identical to information contained in Applied Cryptography (information previously deemed by the State Department as not subject to the Department's export controls) is arbitrary and capricious, an abuse of discretion and not otherwise in accordance with the Administrative Procedure Act (the "APA") at 5 U.S.C. 706(2)(A). Compl. 29. Defendants simply state that judicial review is not permitted under the APA where it has been precluded by statute. Defs. Mem. at 16. As shown supra, review in this matter is, in fact, not precluded by statute.