CINDY A. COHN, ESQ.; SBN 145997 McGLASHAN & SARRAIL Professional Corporation 177 Bovet Road, Sixth Floor San Mateo, CA 94402 Tel: (415) 341-2585 Fax: (415) 341-1395 LEE TIEN, ESQ.; SBN 148216 1452 Curtis Street Berkeley, CA 94702 Tel: (510) 525-0817 Attorneys for Plaintiff Daniel J. Bernstein IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA DANIEL J. BERNSTEIN ) ) C 95-00582 MHP Plaintiff, ) ) DECLARATION OF v. ) BRIAN BEHLENDORF ) ) UNITED STATES DEPARTMENT OF ) STATE et al., ) ) Defendants. ) ) ) I, Brian Behlendorf, hereby declare: 1. I am the Founder and Chief Technology Officer of Organic Online located in San Francisco, California. Since 1993, Organic Online has designed and implemented leading- edge Internet technology for clients such as Saturn Cars, Levi-Strauss, Kinkos, Colgate-Palmolive, and others. 2. Besides running my company, I am also a vocal member of the Internet Engineering Task Force Working Groups on HTML and HTTP standards. HTML and HTTP are computer languages used in Internet programs. I am the author of two drafts currently being incorporated into the official Internet standards. One of the new Internet technologies is VRML (Virtual Reality Modeling Language), which transmits 3D animation and graphic via the Internet. I am the co-Founder, list maintainer, and moderator of the Virtuality Modelling Language development forum, an online discussion group that defines VRML standards. 3. Furthermore, I am the co-Founder, list maintainer, website maintainer, and programmer of the Apache Project, the most commonly used Internet web server. A web server is software that transmits information from the computer hard disk to users over the Web, and so is critical to any web site, including sites for commerce, political commentary or scientific or social discussion. 4. The Apache server is available for free on the Internet. The forerunner to the current version of the Apache server was originally written by the National Center for Supercomputing Applications (NCSA). About a year ago, a couple other people and I realized that NCSA did not appear to support and update the server. We decided to continue the longevity of the server by enhancing its functionality and fixing bugs. Throughout the life cycle of the project, I have actively contributed code, tested new releases, written new documentation, and acted as the group's cheerleader. 5. On May 18th, 1995, Elizabeth Frank, a software developer with the NCSA, sent a message to members of the Apache project, indicating that the NSA had recently informed NCSA that all versions of the NCSA server, including both prior and current versions, were in violation of ITAR export restrictions. This was due, not to any encryption software in the program, since there is no encryption in the server, but due solely to "hooks" in the program which allowed users to add separately-available encryption libraries known as Privacy Enhanced Mail or PEM to the server. Hooks are parts of a computer program that allow one to add new code to the original software easily. 6. Software like the Apache project server is built with places in it for computer code to be inserted to add further pieces, much as many law books have a space for "pocket parts" for additions or changes to the text in the book. The computer code on either side of these spaces are called the "hooks". 7. Because the Apache server uses the NCSA server source code, and because we make the server available via the Internet to users and to developers around the world, we at the Apache project were asked by NCSA to remove the hooks from the Apache server. 8. Because members of the Apache project reside around the globe, from Australia to United States to United Kingdom to Poland, it would not be feasible to maintain two distribution trees for the program, which would apparently be required to avoid violation of the ITAR. Rather than face possible prosecution, the Apache members decided to remove the hooks in our program. 9. In this case, no cryptographic source code was ever distributed by the Apache project. Despite this, the Apache server code was deemed by the NSA to violate the ITAR. 10. The result of these government regulations is a chilling effect on software and Internet commerce development. Here, even though we did not offer cryptography ourselves, we were asked by the government to change our code or face criminal indictment. 11. By taking the position that software with no encryption capabilities whatsoever is covered by the ITAR, the government has made me afraid to write software which could be modified to allow encryption. This extends to an extremely wide range of software, including nearly all software which allows or facilitates communication, since any communication software could be modified to add encryption capabilities. I declare under penalty of perjury that the foregoing is true and correct. Dated:_________________ _________________________ Brian Behlendorf