FRANK W. HUNGER Assistant Attorney General MICHAEL J. YAMAGUCHI United States Attorney MARY BETH UITTI Assistant United States Attorney 450 Golden Gate Avenue San Francisco, California 94102 Telephone: (415) 436-7198 VINCENT M. GARVEY ANTHONY J. COPPOLINO Department of Justice Civil Division, Room 1084 901 E Street, N.W. Washington, D.C. 20530 Tel. (Voice): (202) 514-4782 (Fax) : (202) 616-8470 or 616-8460 Attorneys for the Defendants IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA DANIEL J. BERNSTEIN, ) C 95-0582 MHP ) Plaintiff, ) MEMORANDUM OF POINTS ) AND AUTHORITIES IN v. ) SUPPORT OF DEFENDANTS' ) MOTION FOR SUMMARY JUDGMENT. UNITED STATES DEPARTMENT OF ) STATE, et. al., ) ) Hearing: September 20, 1996 Defendants. ) Time: 12:00 Noon ) Judge Marilyn Hall Patel ________________________________) [end cover page] TABLE OF CONTENTS ----------------- PAGE(S) ------- INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 STATUTORY AND REGULATORY BACKGROUND . . . . . . . . . . . . . . . . . .2 FACTUAL BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ARGUMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 I. THE ITAR DOES NOT ESTABLISH A SYSTEM OF PRIOR RESTRAINT ON THE PUBLICATION OF SCIENTIFIC INFORMATION . . . . . . . . . . . . . . . . . . . . 5 A. The ITAR Was Not Applied To Restrain Publication Of Plaintiff's Paper . . . . . . . . . . . . . .5 B. The Technical Data Provisions Of The ITAR, On Their Face, Do Not Regulate Scientific Publication Or Academic Exchanges . . . . . . . . . . . . . 7 C. The Technical Data Provisions Of The ITAR Do Not Operate To Regulate Scientific Publication Or Academic Exchanges . . . . . . . . . . . . . . . . . . . . . . . . . 7 D. The Court Of Appeals In _Edler_ Sustained The Technical Data Provisions Of The ITAR Against A First Amendment Challenge . . . . . . . . . 9 E. Since _Edler_ Was Decided, The ITAR Has Been Amended To Provide Further Exceptions That Protect First Amendment Interests . . . . . . . . . . 12 II. EXPORT CONTROLS ON ENCRYPTION SOFTWARE ARE NOT DIRECTED AT THE CONTENT OF SPEECH AND ARE NOT A PRIOR RESTRAINT . . . . . . . . . . . . . . . . . . .14 A. Intermediate Scrutiny Applies In Assessing Controls On Cryptographic Software . . . . . . . . . . 15 1. The ITAR Does Not Regulate Cryptographic Source Code Based On The Content Of Ideas . . . . . . . . 16 2. The Government's Purpose In Licensing The Export Of Cryptographic Source Code Is Not Related To The Content Of Speech . . . . . . . . . . . . 17 B. Under Intermediate Scrutiny, Regulation Of Cryptographic Source Code Does Not Abridge First Amendment Principles . . . . . . . . . . 18 1. The Government Has The Constitutional Power To Control The Export Of Encryption Software And Its Interests In Doing So Are Substantial. . . . . . . . . . 19 2. Export Controls On Encryption Software Are Unrelated To The Suppression Of Speech . . . . . . . . . . . . . . . . . . . . 21 3. Export Controls On Encryption Software Are Narrolwy Tailored. . . . . . . . . . . . . 23 III. THE ITAR IS NOT OVERBROAD IN ITS REGULATION OF TECHNICAL DATA OR CRYPTOGRAPHIC SOFTWARE. . . . . . . . . . 25 A. Facial Challenges Are An Exception to the Traditional Rule of Constitutional Adjudication . . . . . . . . . . . . . . . . . . . . . 25 B. The Challenged Provisions Of The ITAR Are Not Substantially Overborad. . . . . . . . . . . . 28 1. The Technical Data Provisions Challenged Are Not Substantially Overbroad. . . . . . . . . . . . . . . . . . . 29 2. The Encryption Software Provisions Challenged Are Not Substantially Overbroad . . 30 IV. PLAINTIFF'S FIRST AMENDMENT VAGUENESS CLAIMS ARE WITHOUT MERIT. . . . . . . . . . . . . . . . . . . . . . . 32 A. The Technical Data Provisions Challenged Are Not Impermissibly Vague. . . . . . . . . . . . . . 33 B. The Encryption Software Provisions Challenged Are Not Impermissible Vague . . . . . . . . 34 V. PLAINTIFF'S CLAIMS UNDER THE ADMINISTRATIVE PROCEDURE ACT ARE WITHOUT MERIT. . . . . . . . . . . . . . . . 35 A. Plaintiff's Claim That The State Department Has Exceeded Statutory Authority Is Without Merit. . . . . . . . . . . . . . . . . . . . . 35 B. Plaintiff's Other APA Claims Are Meritless . . . . . . 38 CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 _TABLE_OF_AUTHORITIES_ _Cases_ _Page(s)_ _Bernstein_v._Department_of_State,_et._al._, 922 F. Supp.1426 . . . . . . . . . . . . . . . . . . . . . _passim_ _Board_of_Trustees_of_State_University_of_New_York_v._ _Fox_, 492 U.S. 469 (1989) . . . . . . . . . . . . . . . . . . 27 _Boos_v._Barry_, 485 U.S. 312 (1988) . . . . . . . . . . . . . . . . . 16 _Broadrick_v._Oklahoma_, 413 U.S. 601 (1973) . . . . . . . . . . . . 26, 28 _Brockett_v._Spokane_Arcades,_Inc._, 472 U.S. 491 (1984). . . . . . . . . . . . . . . . . . . . . 26, 28 _Buckley_v._Valeo_, 424 U.S. 1 (1975). . . . . . . . . . . . . . . . . 32 _Bullfrog_Films_,Inc._,v._Wick_, 847 F.2d 502 (9th Cir. 1988). . . . . . . . . . . . . . . . . . . . . . . . 32 _Burson_v._Freeman_, 501 U.S. 191 (1992) . . . . . . . . . . . . . . . 16 _Chicago_&_Southern_Air_Lines_v._Waterman_SS._Corp._, 333 U.S. 103 (1948). . . . . . . . . . . . . . . . . . . . . . 20 _Clark_v._Community_for_Creative_Non-Violence_, 468 U.S. 288 (1984). . . . . . . . . . . . . . . . .15,16,18,23,24,25 _Grayned_v._City_of_Rockford_, 408 U.S. 104 (1972). . . . . . . . . . . . . . . . . . . . . 32, 33 _Grossman_v._City_of_Portland_, 33 F.3d 1200 (9th Cir. 1994). . . . . . . . . . . . . . . . . . . . . . . . 6 _Hoffman_Estates_v._Flipside_,_Hoffman_Estates_, 455 U.S. 489 (1981). . . . . . . . . . . . . . . . . . . . . . 25 _Karn_v._Department_of_State_, 925 F.Supp. 1 (D.D.C. 1996). . . . . . . . . . . . . . . . 16,18,20 _Kolender_v._Lawson_, 461 U.S. 352 (1982). . . . . . . . . . . . . . . 32 _Members_of_the_City_Council_of_Los_Angeles_v._ Taxpayers_for_Vincent_, 466 U.S.789 (1984) . . . . . . . 16,26,29,31 _New_York_State_Club_Ass'n._v._ New_York_City_, 487 U.S. 1 (1987). . . . . . . . . . . . . . . . . . . . . . . 28 _New_York_Times_Co._v._United_States_, 403 U.S. 713 (1971). . . . . . . . . . . . . . . . . . . . . . 6 _New_York_v._Ferber_, 458 U.S. 747 (1981). . . . . . . . . . . . . 26,28,29 _Outdoor_Systems_Inc._,v._City_of_Mesa_, 997F.2d 604 (9th Cir. 1993). . . . . . . . . . . . . . . . . . 28 _Renne_v._Geary_, 501 U.S. 312 (1990). . . . . . . . . . . . . . . . . 27 _Schwartzmiller_v._Gardner_, 752 F.2d 1341 (9th Cir. 1984). . . . . . . . . . . . . . . . . . . . . . . . 32 _Secretary_of_State_of_Maryland_v._J.H._Munson_, 467 U.S. 947 (1983). . . . . . . . . . . . . . . . . . . . . . 27 _Turner_Broadcasting_System_Inc._,v._FCC_. 114 S. Ct. 2445 (1994) . . . . . . . . . . . . . . . . . . 15,16,18 _United_States_v._Albertini_, 472 U.S. 675 (1985). . . . . . . . . . . 23 _United_States_v._Edler_Industries_, 579 F.2d 516 (9th Cir. 1978) . . . . . . . . . . . . . . . _passim_ _United_States_v._Gurrola-Garcia_, 547 F.2d 1075 (9th Cir. 1976). . . . . . . . . . . . . . . . . . . . . . . . 35 _United_States_v._Helmy_, 712 F. Supp. 1423 (e.D. Cal. 1989) . . . . . . . . . . . . . . . . . . . . . .20,38 _United_States_v._Mandel_, 914 F.2d 1215 (9th Cir. 1990). . . . . . . . . . . . . . . . . . . . . . .20,38 _United_States_v._Martinez_, 904 F.2d 601 (11th Cir. 1990). . . . . . . . . . . . . . . .20,38 _United_States_v._Moller-Butcher_, 560 F.Supp. 550 (D. Mass. 1983). . . . . . . . . . . . . . . . 24 _United_States_v._O'Brien_, 391 U.S. 367 (1968). . . . . . . . . . .16,18 _United_States_v._Posey_, 864 F.2d 1487 (9th Cir. 1989). . . . . . . . . . . . . . . .12,37 _United_States_v._Spawr_Optical_Research,_Inc._, 864 F.2d 1467 (9th Cir. 1988), _cert._denied_, 493 U.S. 809 (1989). . . . . . . . . . . . . . . . . . . . .20,38 _United_States_v._Stansell_, 847 F.2d 609 (9th Cir. 1988). . . . . . . . . . . . . . . . . . . . . . . . 28 _United_States_v._Thomas_, 864 F.2d 188 (D.C. Cir. 1988) . . . . . . . . . . . . . . . . . . . . . .32,33 _United_States_v._Van_Hee_, 531 F.2d 352 (6th Cir. 1976). . . . . . . . . . . . . . . . . . . . . . . . 36 _Ward_v._Rock_Against_Racism_, 491 U.S. 781 (1989) . . . . . . . 15,16,23 _Young_v._American_Mini_Theatres_,Inc._, 427 U.S. 50 (1975). . . . . . . . . . . . . . . . . . . . . . .33 _U.S._Constitution_ Art. I, Sec. 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Art. II, Sec. 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 _Statutes_ 5 U.S.C. Sec. 552 (a). . . . . . . . . . . . . . . . . . . . . . . . . 38 5 U.S.C. Sec. 552 (a) (1) (D). . . . . . . . . . . . . . . . . . . . . 38 5 U.S.C. Sec. 701 (a) (1). . . . . . . . . . . . . . . . . . . . . . . 38 Mutual Security Act of 1954, 22 U.S.C. Sec. 1934. . . . . . . . . . . . . . . . . . . . . . 35 22 U.S.C. Sec. 2778 (a) (1). . . . . . . . . . . . . . . . . . . . . 2,35 22 U.S.C. Sec. 2278 (b). . . . . . . . . . . . . . . . . . . . . . . . 37 22 U.S.C. Sec. 2778 (c). . . . . . . . . . . . . . . . . . . . . . .36,38 Export Administration Act, 50 U.S.C. App. Sec. 2401 et seq. . . . . . . . . . . . . . . . 36 _Executive_Order_ E.O. 11958, Sec 1(1) (1), 42 Fed. reg. 4311 (Jan. 18, 1977) (_reprinted_after_ 22 U.S.C. Sec.. 2751) . . . . . . . . . . . 37 _Regulations_ 22 C.F.R. Sec. 120.10 (a) (1) . . . . . . . . . . . . . . . . . . . . . 2 22 C.F.R. Sec. 120.10 (a) (2) . . . . . . . . . . . . . . . . . . . . . 2 22 C.F.R. Sec. 120.10 (a) (4) . . . . . . . . . . . . . . . . . . . . .34 22 C.F.R. Sec. 120.10 (a) (5) . . . . . . . . . . . . . . . . . .2,7,8,13 22 C.F.R. Sec. 120.11 . . . . . . . . . . . . . . . . . . . . . . .3,7,13 22 C.F.R. Sec. 120.11 (a) (6) . . . . . . . . . . . . . . . . . . . . 3,7 22 C.F.R. Sec. 120.11 (a) (8) . . . . . . . . . . . . . . . . . . . 3,7,8 22 C.F.R. Sec. 120.2 . . . . . . . . . . . . . . . . . . . . . . . . . 38 22 C.F.R. Sec. 120.4 . . . . . . . . . . . . . . . . . . . . . . . . 3,38 [end pages i - v] _PRINCIPAL_ISSUES_PRESENTED_ Whether the commodity jurisdiction determinations by the State Department that plaintiff's cryptographic software is covered by the United States Munitions List, made pursuant to the International Traffic in Arms Regulations, 22 C.F.R. Subchapter M, Parts 120 to 130 ("ITAR"), constitute an impermissible restriction on the content of speech in violation of the First Amendment. Whether the International Traffic in Arms Regulations, on their face, are impermissibly overbroad or vague, or establish a system of prior restraint, or regulate the content of speech, in violation of the First Amendment to the Constitution, by controlling the export of certain cryptographic software or technical data. _INTRODUCTION_ There are two central points that defendants seek to convey to the Court in this memorandum. First, the government does not control the export of cryptographic source code based on the content of expression or information that the software may convey -- be it a scientific idea implicit in the software, or any other informational value or purpose that the software or its export might have. Cryptographic software, such as plaintiff's Snuffle source code, is subject to export controls solely because it is a product that, whatever its communicative value, can function to encrypt information on a computer system. Second, the ITAR, on its face and as applied, does not require that a license be obtained prior to the publication of scientific ideas or the academic exchange of information. The ITAR provisions on technical data broadly exempt publicly available information and academic discourse from regulatory controls. The regulations are neither overbroad nor vague, but set forth narrowly tailored standards as to the kind of information and products that are subject to export controls. Moreover, the Court of Appeals has already sustained an earlier version of the ITAR's technical data provisions against a First Amedndment overbreadth and prior restraint challenge(1), and the State Department -- over eleven years ago -- indicated that it follows the court's interpretation of the law. These points go to the heart of the plaintiff's challenge in this case, cutting across the repetitive constitutional and statutory claims he brings. Reduced to their essence, all of plaintiff's claims fail for these reasons. Ultimately, plaintiff is claiming a constitutional right to distribute to any person, entity, or government anywhere in the world, at any time, the kind of software commodity that can be used to conceal information that might have foreign policy, military, or national security significance. The government does not seek to prevent plaintiff from publishing or teaching his ideas about cryptology or his software in the United States -- and indeed, ther is substantial academic discourse in this area of science. The question, rather, is whether the government is constitutionally precluded from assessing, for --- 1. _See_United_States_v._Edler_Industries_, 579 F.2d 516 (9th Cir. 1978). [end page 1] foreign policy and national security reasons, the end-user and end-use to which a particular encryption product, that can be used to conceal communications, is to be exported. As set forth further below, the Constitution does permit the government to control cryptographic software in furtherance of important national security and foreign policy interests. For this reason, defendants ask the Court to enter summary judgment in their favor. _STATUTORY_AND_REGULATORY_BACKGROUND_ The Arms Export Control Act authorizes the President to control the import and export of so-called "defense articles" and "defense services," and to designate such items on the United States Munitions List ("USML"). 22 U.S>C.Sec 2778(a)(1). The AECA is implemented by the International Traffic in Arms Regulations ("ITAR"), which sets forth the USML. 22 C.F.R. Part 121. The USML category at issue in this case is Category XIII(b)(1), which lists as defense articles cryptographic devices and software "with the capability of maintaining secrecy or confidentiality of information or information systems." 22 C.F.R. Sec. 121.1, XIII(b)(1). In addition, information that falls into the category of "technical data" is also subject to export licensing controls under the ITAR. Technical data includes information "required for the design[,] development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles."(2) The ITAR also provides various exemptions to the definition of technical data. Most notably, technical data does not include "information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges, and universities," 22 C.F.R. Sec 120.10(a)(5), or information that is in the "public domain." _Id._ Information is in the "public domain" if it is published and generally available and accessible --- 2. This includes information in the form of blueprints, drawings, photographs, plans, instructions, or documentation. 22 C.F.R. Sec. 120.10(a)(1). It also includes classified information relating to defense articles and services. _Id_. Sec. 120.10(a)(2). [end page 2] to the public through, _inter_alia_, sales at newsstands and bookstores, subscriptions, second class mail, and libraries open to the public. 22 C.F.R. Sec. 120.11. Information is also in the public domain if it is made generally available to the public "through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States" or "through fundamental research in science and engineering at accredited institutions of higher learning in the U.S. where the resulting informatino os ordinarily published and shared broadly in the scientific community." 22 C.F.R. Sec. 120.11.(a)(6), (8). _FACTUAL_BACKGROUND_ By letter dated June 30, 1992, plaintiff submitted a "commodity jurisdiction" request to the State Department for his "Snuffle 5.0 software" -- source code that can be used to encrypt and decrypt communications on a computer -- to determine if it was subject to the export licensing jurisdiction of the State Department.(3) _See_ Second Declaration of William J. Lowell, Director of the Office of Defense Trade Controls, Para. 7 and Tab 3. The commodity jurisdiction procedure is not mandatory, but is available on request when individuals or businesses are in doubt as to whether a particular article or service is covered by the USML. 22 C.F.R. Sec. 120.4. Dr. Bernstein described Snuffle's function to encrypt communications on a computer. The software allows for the exchange of encrypted text between two people "who have previously exchanged keys" that would enable them to read the message. Tab 3 to Lowell Declaration. By letter dated August 20, 1992, the State Department advised Dr. Bernstein that his Snuffle source code is designated as a defense article under Category XIII(b)(1) of the USML and therefore is subject to the licensing jurisdiction of the State Department. Lowell Decl. Para. 8 and Tab 4. Dr. Bernstein submitted a second commodity jurisdiction request letter dated July 15, 1993, which was divided into five parts (DJBCJF-2 to DJBCJF-6). Lowell Decl. Para. 9 and --- 3. These materials were filed under seal at Exhibits "A1" and "D1" to the Complaint. [end page 3] Tab 16. Only two of the items (DJBCJF-3 and 4) are the actual Snuffle source code.(4) In accompanying cover letters, Dr. Bernstein again described the function of Snuffle to encrypt communications on a computer, stating it was "originally designed to convert any one-way hash function into a zero-delay private-key encryption system." _See_ Tab 16 to Lowell Declaration. By letter dated October 5, 1993, the State Department advised Dr. Bernstein that the items he submitted "contain cryptographic source code for data encryption and are used in a stand-alone cryptographic product" and, once again, are covered by category XIII(b)(1) of the USML. Lowell Decl. Para. 11 and Tab 18. After claiming in this case that he had been barred from "publishing a paper" on his Snuffle theory, the State Department advised Dr. Bernstein, by letter dated June 29, 1995 that its CJ determinations pertained solely to the export of the actual Snuffle source code (DJBCJF-3 and 4), not the other explanatory items submitted. Lowell Declaration Para. 16 and Tab 21.(5) The administrative actions that remain at issue in this case are two commodity jurisdiction determinations designating plaintiff's Snuffle source code software as a defense article covered by Category XIII(b)(1) of the United States Munitions List. _ARGUMENT_ Plaintiff brings his challenge under four distinct First Amendment theories -- prior restraint, vagueness, overbreadth and content restriction -- but all revolve around the same regulatory provisions and present just two, cross-cutting questions. First, does the --- 4. The remaining items explained the theory of Snuffle, and how it may be programmed to encrypt communications on a computer system. Lowell Decl. Para. 16. 5. In response to a further request for clarification dated May 3, 1996 (Tab 22 to Lowell Declaration), the State Department reiterated these conclusions by letter dated July 25, 1996. _See_ Tab 24 to Lowell Declaration. Also by this letter dated July 25, 1996, the State Department responded to a seperate letter from plaintiff dated July 3, 1996 (Tab 23 to Lowell Declaration), concerning the impact of the ITAR on his plans to teach an undergraduate course on cryptography at the University of Illinois in January 1997, and indicated that the ITAR does not regulate toe mere teaching of this course. This issue is discussed further below. [end page 4] requirement that certain cryptographic source code, such as Snuffle, be licensed for export as a defense article unconstitutionally restrict the dissemination of free speech? Second, does the ITAR regulate the export of technical data in such a manner that it constitutes a system of prior restraint on the publication of scientific information and academic discussion? The answer to both questions is "no". Whatever First Amendment theory is applied, the ITAR has narrowly tailored standards that are solicitous of First Amendment rights. Encryption software is not controlled for export because of any ideas it might convey, but, rather, to control against the unlimited world-wide distribution of products that can function to maintain secrecy of information, and thereby cause harm ['to' omitted in original] the government's national security and foreign policy interests served by gathering intelligence abroad. In addition, the ITAR sets forth numerous exemptions to the kind of information regulated as technical data, which take account of important First Amendment interests in the general publication of scientific information and in academic discussion. each category of plaintiff's First Amendment claims is addressed seperately below. I. THE ITAR DOES NOT ESTABLISH A SYSTEM OF PRIOR RESTRAINT ON THE PUBLICATION OF SCIENTIFIC INFORMATION. ------------------------------------------------------- A. The ITAR Was Not Applied To Restrain Publication of Plaintiff's Paper. Plaintiff's prior restraint claim is that the ITAR requires a person who wishes to "publish a paper, algorithm or computer program" to "first apply to the Department of State, through its Commodity Jurisdiction procedure to determine whether a license is needed" and, if the scientific paper, algorithm, or computer program is deemed to be a defense article or service, he must regisater with the State Department and obtain a license prior to publication. Compl. Para. 94-94 and Counts II-IV. The Court has largely resolved this claim with respect to how the ITAR was actually applied here. As defendants have set forth, the two commodity jurisdiction determinations pertained to Snuffle software, and not the other explanatory items submitted. The Court indicated that plaintiff's claims with respect to the paper, "The Snuffle Encryption System" [end page 5] (DJBCJF-2), appear to be moot. _Bernstein_vs._Dept._of_State_, 922 F. Supp. 1426, 1434 n.12 (N.D. Cal. 1996). The Court also noted that "[d]efendants are correct with respect ot the two instructional items included in the second CJ determination and which ODTC subsequently identified as technical data, a prior restraint claim seems foreclosed by _Edler_, 579 F.2d at 521 ("So confined, the statute and regulations are not overbroad. For the same reasons the licensing provisions of the Act are not an unconstitutional prior restraint on speech.")." 922 F.Supp. at 1438, n. 20. The record supports the Court's conclusion.(6) Thus, while there are many issues left to consider, th4 Court's initial determination that the ITAR was not applied to plaintiff's non-code items as a prior restraint is correct. The remaining issue identified by the Court is whether the technical data provisions, on their face, _could_ be applied as a prior restrainrt, even if they were not so applied to Dr. Bernstein's non-code items here. _Bernstein_, 922 F. Supp. at 1437, n. 19.(7) Plaintiff's claim presents a mix of regulatory provisions (commodity jurisdiction, registration, and licensing) and items (scientific paper, algorithms, and a computer program) that should be parsed --- 6. Plaintiff's initial CJ request was for "Snuffle 5.0" (Tab 3 to Lowell Declaration), and his second request, which commingled the source code and explanatory items, was described as for an item that "was originally designed to convert any one-way hash function into a zero-delay private-key system." _See_ Tab 16 to Lowell Declaration. The CJ determinations themselves referred to "Snuffle 5.0" and "cryptographic source code for data encryption." _See_ Tabs 4 and 19 to Lowell Declaration. It is also noteworthy as well that information describing the commodity is required for CJ requests, 22 C.F.R. Sec. 120.4(c), and in this case was assessed by the National Security Agency only in order to evaluate the nature of the source code itself. Declaration of William P. Crowell Para. 16. 7. Prior restraint claims generally arise in the context of where the government in fact has sought to restrain the publication of information, including through a licensing scheme. _See_, _e.g._, _New_York_times_Co._v._United_States_,403 U.S. 713 (1971) (per curiam) (restraining order issued against newspaper publication); _Grossman_v._City_of_Portland_, 33 F.3d 1200, 1204-05 (9th Cir. 1994) (whether permit requirements as applied to plaintiff's actions constituted a prior restraint). With respect to the technical data provisions of the ITAR, there is no actual restraint at issue here and, therefore, this claim is more properly treated as an overbreadth or vagueness claim. The ultimate legal issue is generally the same: whether the technical data provisions establish and [typo in original] impermissible system of prior restraint. [end page 6] seperately -- distinguishing first between controls on technical data and the treatment of cryptographic software. B. The Technical Data Provisions Of The ITAR, On Their Face, Do Not Regulate Scientific Publication or Academic Exchanges --------------------------------------------------------- Governmental licensing schemes come with a heavy presumption against their validity when they act as a prior restraint on speech. _Bernstein_, 922 F.Supp 1438. Here, however, the ITAR provisions do not act as a system of prior restraint. The technical data provisions of the ITAR expressly exempt information that is broadly available to the public, including through academic settings. Indeed, the Court of Appeals in _edler_ upheld technical data provisions of the ITAR (that were far less specific) in the face of a First Amendment challenge. To begin with the regulations, the ITAR specifically excludes a substantial amount of information from the category of technical data. Of most pertinence, technical data does not include general scientific or mathematical principles commonly taught in universities, 22 C.F.R. Sec. 120.10(a)(5), and information that is in the public domain. _Id._ As noted above, information is in the public domain if it is published and generally available and accessible to the public through sales at newsstands and bookstores, subscriptions, second class mail, and libraries open to the public. 22 C.F.R. Sec. 120.11. The public domain also includes information published through unlimited distribution at a conference or seminar, and fundamental research in science at institutions of higher learning in the United States that is ordinarily published and broadly share in the scientific community. 22 C.F.R. Sec. 120.11(a)(6),(8). Clearly, then, there are numerous exceptions to information subject to export controls that, on the face of the ITAR, carve out multiple avenues of protected speech from regulation. C. The Technical Data Provisions Of The ITAR Do Not Operate To Regulate Scientific Publication or Academic Exchanges. ------------------------------------------------------ Plaintiff contends that the broad exemptions from the definition of technical data are "self-executing," -- that the government must determine and approve in advance whether a [end page 7] particular publication can be placed in the public domain. _See_ Compl. Para. 141, 156 (claiming information not already in the public domain can be placed there). This is not how the regulations are applied, nor a reasonable reading of the provisions at issue. In fact, the State, Department does not seek to control the various means by which information is placed in the public domain. Lowell Decl. Para. 22. The Department does not review scientific information to determine whether it may be offered for sale at newsstands and bookstores, through subscriptions, second-class mail, or made available at libraries, or distributed at a conference or seminar in the United States. _Id._ [begin block quote] These clear examples are included in the ITAR to enable individuals to determine for themselves whether particular information is subject to regulation as technical data. Indeed, individuals rarely -- if ever -- seek a determination from the Department as to whether information is in the public domain, and the regulations are not applied to establish a prepublication review requirement for the general publication of scientific information in the United States. [end block quote] _Id._ Similarly, the State Department does not try to substitute its judgment for that of a university or academic scholars as to whether certain ideas constitute general scientific of [typo in original] mathematical principles commonly taught in colleges and universities, 22 C.F.R. Sec. 120.10(a)(5) or fundamental research in science at institutions of higher learning in the United States. _Id._Sec. 121.11(a)(8). Lowell Decl. Para. 23. [begin block quote] Rather, the specific mention of these exemptions in the ITAR is intended as an assurance to the academic community as to the general non-applicability of the ITAR to a university setting -- and not for the purpose of establishing a role for the Department in regulating scientific publication, academic exchanges of information, or fundamental research in the United States. [end block quote] _Id._ Dr. Bernstein's assertion that all scientific speech about cryptology is excluded from the definition of what could be in the public domain, Compl. Para. 157, is belied by a wealth of academic exchanges and conferences that routinely occur in the field of cryptology. _See_ Declaration of Wiliam P. Crowell of the National Security Agency, Paras. 22-32 and Tabs 1 to [end page 8] 10. Included among these exhibits are materials from annual conferences on cryptology that took place in California. _See_ Tabs 4, 5, 6, 7 to Crowell Declaration. None of this public discourse was (or is) regulated by the government. For plaintiff to claim that all information regarding cryptology is excluded from what can be in public domain, or that he is precluded from publishing a scientific paper discussing the idea behind Snuffle and the algorithm he created, in the face of the robust academic exchanges that occur routinely in this field, is seriously in error. Quite clearly, the regulations are not applied in this manner. D. The Court Of Appeals In _Edler_ Sustained The Technical Data Provisions Of The ITAR Against A First Amendment Challenge ---------------------------------------------------------- Aside from the broad, facial exemptions for publicly available information, and the fact that the ITAR is not applied to regulate scientific publication and academic exchanges, the Court of Appeals has already provided a reasonable, narrow construction of these provisions in the _Elder_ case to which the State Department adheres. In _Edler_, a California company and its founder were convicted of exporting technical data concerning a Munitions List item without a license.(8) Plaintiff challenged the regulatory definition of exporting technical data on First Amendment grounds. An [typo in original] provision defining an "export of technical data" indicated that controls applied _whenever_ the information is to be exported by oral, visual, or documentary means, or disclosed to foreign nationals in briefings and symposia domestically and abroad. 22 C.F.R. Sec. 125.03 (1977) (Tab 1C to Lowell Declaration). While controls on technical data excluded information "if it is in published form" and subject to dissemination through newsstands, bookstores and libraries, the regulations also provided that the burden for obtaining appropriate government approval for the publication of technical data fell on the exporter. _Id._ Sec. 125.11(a)(1) n. 3). [typo in original] -- 8. Specifically at issue was the provision of technical assistance and data related to missile technology to a French company that developed missile systems. 579 F.2d at 518. [end page 9] The court in _Edler_ observed that "an expansive interpretation of technical data relating to items on the Munitions List could seriously impede scientific research and publishing and the international scientific exchange." 579 F.2d at 519. But the court undertook a construction of the statute and regulations to preserve their constitutionality. _Id._ at 519. The court cited legislative history indicating that technical data would be subject to export controls only if it were "directly relevant to the production of a specified article on the Munitions List" and constituted "'defense information used for the purpose of making military sales.'" _Id._ at 521. The court concluded that the regulation "prohibits only the export of technical data significantly and directly related to specific articles on the Munitions List." _Id._ "The prohibition includes the provision of technical assistance for the foreign manufacture of articles that, if manufactured domestically, would be on the Munitions List." As construed, the court held that the technical data provisions did not interfere with constitutionally protected speech but, rather, [highlighted on copy of motion] "they control the conduct of assisting foreign enterprises to obtain military equipment and related technical expertise." [end highlightind] _Id._ So confined, "the licensing provisions of the Act are not an unconstitutional prior restraint on speech." _Id._(9) Thus, regulations that appeared much less protective of speech concern than the current provisions were upheld against a First Amendment challenge. In December 1984, the State Department indicated that its practice with respect to technical data was reflected in _Edler_,(10) and this is indeed the case. _See_ Lowell Decl. Para. 25. Consistent with _Edler_, the Department licenses the export of technical data in two general -- 9. In accordance with the foregoing, the State Department advised Dr. Bernstein that a license would be rewuired to export technical data if the objective or intent were to furnish technical assistance to a foreign person or enterprise in obtaining or developing cryptographic software. _See_ Tab 21 (Letter of June 29, 1995) and Tab 24 (Letter of July 25, 1996). Otherwise, the mere publication of his ideas concerning Snuffle, or teaching this theory in an academic setting, are not subject to prior restraint controls. 10. _See_ [italics] Revisions to International Traffic in Arms Regulation, Supplementary Information [end italics], 49 Fed. Reg. 47683 (Dec. 6, 1984) (Tab 1B). [end page 10] contexts, as explained in the Lowell Declaration. First, if such an export would constitute a "defense service," _see 22 C.F.R. Sec. 120.9(a)(1), -- that is, the actual provision of technical assistance and training by a U.S. person to a foreign person in _inter_alia_, the design, development, maintenance, or operation, or used [typo in original] of defense articles on the USML, a license is required. Lowell Decl. Para. 26. Second, a license to export technical data would be required where information "is directly related to a defense article and is intended to assist a foreign entity in obtaining, maintaining, repairing, or operating that article.[no end quotes in original] _Id._ As this indicates, a key element underlying controls on technical data is the specific conduct intended by the exporter. _Id._ If the exporter intends to provide a defense service, or technical data to assist a foreign entity in, _inter_alia_, obtaining or operating a defense article, a license would be required. This is fully consistent with he _Edler_ holding. Moreover, it is noteworthy that technical data for which export licenses are sought normally has not been placed in the public by the exporter. Lowell Decl. Para. 27. This is because the information sought to be exported is typically classified by the government, or legally controlled pursuant to a defense contract, or privileged and proprietary commercial information. _Id._ Most ['most' circled on copy of motion] requestors seeking to export technical data come to the State Department for a license because the information at issue is proprietary or classified, and because they seek to export it specifically in connection with the provision of a defense service or to assist a foreign entity in obtaining or maintaining a defense article. _Id._ Thus, the technical data/public domain provisions do not serve as a means for the State Department to regulate what can or cannot be published or discussed in academia. Rather, the regulations are targeted at controlling information which is _not_ generally disseminated publicly. The public domain provision, in contrast, serves to describe the type of information (and means of publishing it) which are not subject to licensing controls.(11) --- 11. This is not to say that any information that made publicly available is _per_se_ exempt [grammar error in original] from export controls on technical data in all circumstances. As the Court of Appeals has noted at least twice, if the intent in exporting technical data is to engage in the conduct of assisting foreign enterprises to obtain military equipment and related technical expertise, [end page 11] E. Since _Edler_ Was Decided, The ITAR Has Been Amended To Provide Further Exceptions That Protect First Amendment Interests. ---------------------------------------------------------- Finally, since _Edler_ was decided, the State Department has implemented a series of regulatory changes to the technical data provisions to address the facial First Amendment concerns.(12) The Department first proposed to amend the ITAR in December 1980 by inserting a new exemption from the definition of technical data "to make it clear that the regulation of the export of technical data does not interfere with the First Amendment rights of individuals."(13) In December 1984, the Department published final regulations making revisions to the ITAR in which it specifically noted that concern had been expressed that the ITAR could be read in an overbroad manner to encompass domestic changes of information in a purely academic setting.(14) The revisions amended the definition of technical data to specifically exclude "information concerning general scientific, mathematical or engineering principles." 49 Fed. Reg. at 47686 (amending then Sec. 120.21(c)) (Tab 1B). The revisions also established a distinct "public domain" provision in the ITAR based on prior exemptions from technical data controls. _Id._ at 47685 (establishing then Sec. 120.18). Importantly, the new provision deleted a prior footnote indicating that "the burden for --- controls on technical data are permissible even if the information is publicly available. _Edler_ 579 F.2d at 522; _see_also_United_States_v._posey_, 864 F.2d 1487, 1497-97 (9th Cir. 1989). 12. Indeed, the issue of whether the ITAR can be read to encompass academic exchanges of information is not a new one. In fact, much of what plaintiff claims today echoes a considerable debate that occurred in the early 1980's. Between 1978 and 1984, the Department of Justice, Office of Legal Counsel, provided three formal opinions with respect to the ITAR's regulation of the export of technical data, including one pertaining to cryptographic information. (The OLC Opinions are attached to the Declaration of Lee Tien filed by plaintiff in this action). 13. [italicized] Revision of International Traffic in Arms Regulations [end italics], Supplementary Information, 45 Fed. Reg. 83970, 83985 (Dec. 18, 1980) (proposed Sec. 125.11(a)(10)) (Tab 1A to Lowell Declaration). 14 _See_ [italicized] Revisions to International Traffic in Arms Regulations, Supplementary Information [end italics], 49 Fed. Reg. 47683 (dec. 6, 1984) (Tab 1B). [end page 12] obtaining appropriate U.S. Government approval for the publication [brackets in original] [of technical data] ... was on the person or company seeking publication." _See_ 22 C.F.R. Sec. 125.11(a)(1) n.3 (April 1, 1977).(15) Further revisions and exemptions to the technical data and public domain provisions have also been enacted since 1984. In October 1991, the technical data definition was amended again to exclude "baic marketing information on function or purpose or general system descriptions of defense articles." 56 Fed. Reg. 44548 (Oct. 28, 1991) (amending technical data definition at then-section 120.21) (Tab 1D to Lowell Declaration).(16) Also, in July 1993, the definition of public domain was expanded to include "through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States" or "through fundamental research in science and engineering at accreditied institutions of higher learning in the U.S. where the resulting information is ordinarily published and shared broadly in the scientific community." 58 Fed. Reg. at 39285 (amending Sec. 120.11).(17) These regulatory refinements underscore that the ITAR can readily be construed in a manner that does not impermissibly restrain First Amendment activities in the United States, such as general publication of scientific information and purely academic discourse. What --- 15. The amendment also revised the prior language that export controls did not apply to technical data "_if_ it is in published for," to the current wording which states that "[italicized] Public Domain [end italics] means information which _is_ published and which _is_ generally accessible and available to the public." 49 Fed. Reg. at 47685 (establishing then Sec. 120.18). 16. This amendment also refined the exception originally enacted in 1984 for "information concerning general scientific mathematical or engineering principles" by adding the phrase "commonly taught inacademia." 56 Fed. Reg. at 44548. 17. The 1993 amendments also changes the phrase "ommonly taught in academia: to "commonly taught in schools, colleges and universities." _See_ 58 Fed. Reg. 39285 (July 22, 1993) (amending Sec. 120.10(a)(5)). In addition, an exclusion for "information in the public domain as defined in Sec. 120.11" was inserted directly into the definition of "technical data" at Sec. 120.10(a)(5). Information in the public domain had always been excluded from technical data licensing controls under Sec 125.1(a). But the 1993 amendment mad this clearer by excluding such information from the technical data definition itself. [end page 13] is left of the prior restraint claim is whether the regulation of encryption _source_code_ constitutes an impermissible restraint of speech.(18) II. EXPORT CONTROLS ON ENCRYPTION SOFTWARE ARE NOT DIRECTED AT THE CONTENT OF SPEECH AND ARE NOT A PRIOR RESTRAINT. ---------------------------------------------------- Plaintiff also challenges the requirement that he obtain a license prior to the exportation of his Snuffle cryptographic source code software as an impermissible prior restraint on speech. _See_ Compl. Paras. 95, 97. There is no dispute that the State Department requires a license to export Snuffle (and other cryptographic software). The Court has also found that source code can be speech for First Amendment purposes. _Bernstein_, 922 F. Supp at 1439. The only issue is whether this licensing requirement is an impermissible restraint on speech. If export controls on source code do not impermissibly restrict the content of protected speech, they are not a prior restraint or otherwise in violation of the Fiorst Amendment. For this reason, defendants undertake a more traditional First Amendment analysis in connection with this claim.(19) --- 18. Plaintiff also claims that the commodity jurisdiction procedure and the registration requirements under the ITAR are a part of a system of prior restraint. The commodity jurisdiction procedure under the ITAR is not mandatory, but exists to provide guidance to the public, in response to their requests, as to whether or not a particular commodity is treated as a defense article or service subject to the export control jurisdiction of the Department of State under the ITAR. Licensing decisions are not made in the CJ process. The registration requirements under the ITAR, _see_ 22 C.F.R. Part 122, do not apply to persons whose pertinent business is [highlighted on copy] confined to the production of unclassified technical data. _Id._ Sec. 122.1(b)(2). Thus, if Dr. Bernstein merely seeks to publish a scientific paper that might contain technical data, he does not have to register. In addition, an individual seeking to publish an article is not requires to identify all possible recipients of the publication under 22 C.F.R. Sec. 123.9. This provision applies to the _re_-export of defense articles where a new end-user or end-use is sought for approval. [end highlighting] 19. Also, to avoid duplication, defendants address at this point plaintiff's "content-regulation" claim with respect to export controls on his source code. Compl. Paras. 165-170. [end page 14] A. Intermediate Scrutiny Applies In Assessing Controls On Cryptographic Software. ------------------------------------------------------ A threshold question in resolving whether speech is impermissibly regulated is what standard of review applies -- _i.e._, "strict scrutiny" or an intermediate standard of review. _Id._ at 1437. That issue turns on how and why the speech at issue is being regulated. A law that restricts First Amendment rights on the basis of the content of the speech must generally be subjected to strict scrutiny. _Turner_Broadcasting_System_,_Inc._,_v._FCC_, 114 S.Ct. 2445, 2459 (1994). In contrast, intermediate review generally applies where the regulation at issue is "content-neutral." _Ward_v._Rock_Against_Racism_, 491 U.S. 781, 791 (1989). "The principal inquiry in determining content neutrality, in speech cases generally ... is whether the government has adopted a regulation of speech because of disagreement with the message it conveys. _Ward_, 491 U.S. at 791 (_citing_Clark_v._Community_for_Creative_Non-Violence_, 468 U.S. 288, 295 (1984)) ("_CCNV_") (emphasis added); _Turner_, 114 S.Ct. at 2459. "The government's _purpose_ is the controlling consideration." _Ward)_, 491 U.S. at 791 (citation omitted) (emohasis added). "A regulation that serves purposes unrelated to the content of expression is deemed neutral, even if it has an incidental effect on some speakers or messages but not others." _Id._ [begin block quote] Government regulation of expressive activity is content-neutral so long as it is "[italicized] justified [end italics] without reference to the content of regulated speech." [end block quote] _Id._ (_quoting_CCNV_, supra, at 293) (original emphasis). Whether or not a statute or regulation is content-neutral may be discerned from an examination of the plain language of the statute or regulation itself, or from a finding that the regulations' "manifest purpose" is to regulate speech because of the message it conveys. _Turener_, supra, at 2461. "As a general rule, laws that by their terms distinguish favored [end page 15] speech from disfavored speech on the basis of their ideas or views expressed are content based." _Id._ at 2459.(20) Thus, unless the plain language of the ITAR specifically regulates speech on the basis of the content of ideas expressed, or unless it can be shown that the government's purpose in licensing the export of cryptographic source code is to control the content of ideas, the regulation is content-neutral and must be reviewed under the intermediate standard of review. Here it is readily shown that the government does not regulate source code on the basis of the content of the ideas or theories it may reflect. _See_Karn_v._Department_of_State_, 925 F.Supp. 1, 10 (D.D.C. 1996) (appeal pending) (export controls on cryptographic source code are content-neutral and subject to intermediate scrutiny). Indeed, in contrast to other cases applying intermediate scrutiny, which involved the direct regulation [word omission in original] First Amendment media, speech activities, or symbolic conduct,(21) the controls at issue here are entirely unrelated to any communicative value that export of the software might have to plaintiff or any foreign recipient. 1. The ITAR Does Not Regulate Cryptographic Source Code Based On The Content Of Ideas. ---------------------------------------------------------- The plain language of the regulations at issue indicates that cryptographic source code is not regulated for export on the basis of the content of any "speech" such an export might --- 20. For example, a law regulating whether individuals may exercise their free speech rights near a polling, that "depends entirely on whether the speech is related to a political campaign," is a content-based regulation. _Burson_v._Freeman_, 504 U.S. 191, 197 (1992). _See_also_Boos_v._Barry_, 485 U.S. 312, 318-19 (1988) (plurality opinion) (municipal ordinance that regulates whether individuals may picket in front of a foreign embassy that "depends entirely upon whether their picket signs are critical of the foreign government or not" is content-based). "By contrast, laws that confer benefits or impose burdens on speech without reference to the ideas or views expressed are in most instances content-neutral." _Turner_, supra, at 2459; _see_Members_of_the_City_Council_of_Los_Angeles_ _v._Taxpayers_for_Vincent_,466 U.S. 789, 810 (1984) (ordinance prohibiting the posting of signs on public propertry is "neutral -- indeed it is silent -- concerning any speaker's point of view"). 21. _see_e.g._Turner_ (regulation of cable television); _Ward_ (playing music in a park); _CCNV_ (demonstrating on behalf of the homeless in a park); _Taxpayers_for_Vincent_ (picketing on public property); _O'Brien) (burning draft cards to protest Vietnam War). [end page 16] entail. Category XIII(b)(1) of USML lists as defense article "Information Security Systems and equipment, cryptographic devices, software, and componente designed or modified therefor [typo in original],including: [begin block quote] (1) Cryptographic (including key management) systems, equipment, assemblies, modules, integrated circuits, components or software _with_the_capability_of_maintaining_secrecy_or_ _confidentiality__of_information_ or information systems, except cryptographic equipment and software [as described under Category XIII(b)]." [end block quote] 22 C.F.R.Sec. 121.1 XII(b)(1). Export controls on cryptographic software are, therefore, expressly linked to the capability of the product to maintain the secrecy of communications -- _not_ any communicative values of such a product or its export. Moreover, Category XIII(b)(1) differentiates other cryptographic products and software that are excluded from USML controls on the basis of their capabilities, not the content of scientific ideas. For example, products and software limited to performing "data authentication" -- which is intended to ensure that no alteration of a text has taken place in its transmission -- are not subject to Category XII(b)(1). _See 22 C.F.R. Sec. 121.1, XIII(b)(1)(vi). Another cryptographic product not regulated under the ITAR is an "access control" product, which is limited to protecting information from unauthorized users, such as sopftware which encrypts computer passwords. _See_ 22 C.F.R.Sec. 121.1, XIII(b)(1)(v). In addition, cryptographic products, including software, limited to use in machines for banking or money transactions, and restricted to use only in such transactions, are not controlled by the USML; for example, automatic teller machines. _See_ 22 C.F.R. Sec. 121.1, XIII(b)(1)(ii). This demonstrates further that controls on cryptographic products and software are directed at their capabilities, and not at the content of whatever speech or theory or other expression is reflected in the software or intended by its export. 2. The Government's Purpose In Licensing The Export Of Cryptographic Source Code Is Not Related To The Content Of Speech. ------------------------------------------------------------------ Beyond the terms of the regulatory provision at issue, the _purpose_ of export controls on encryption software is not to stifle or control scientific expression, or to indicate favor or [end page 17] disfavor with a particular scientific theory. The purpose, in simple terms, is to control the unlimited world-wide distribution of a product that can function to encrypt data, and therefore exposes to harm the government's national security and foreign policy interests in gathering intelligence abroad.(22) The intermediate standard applies even assuming the Court's conclusion that source code can be speech for First Amendment purposes, and even assuming that plaintiff desires to export his software because of some communicative purpose. The intermediate standard of review must be applied nonetheless because the purpose of regulation is not to regulate the content of that speech. Whatever ideas are implicit in encryption source code, it is controlled to limit distribution of a commodity that can function to maintain the secrecy of foreign communications and thereby interfere with U.S. intelligence collection efforts. For the foregoing reasons, the regulation at issue is content-neutral, and intermediate scrutinty applies. B. Under Intermediate Scrutiny, Regulations of Cryptographic Source Code Does Not Abridge First Amendment Freedoms. --------------------------------------------------------- The intermediate standard is well established. A content-neutral regulation will be sustained if: (1) it is within the constitutional power of the Government; (ii) it furthers an important or substantial government interest; (iii) the governmental interest is unrelated to the suppression of free expression; and (iv) the incidental restriction on alleged First Amendment freedoms is no greater than is essential to the furtherance of that interest. _Turner_, 114 S.Ct at 2469 (citing _United_States_v._O'Brien_, 391 U.S. 367, 377 (1968); _see_also_CCNV_, 468 U.S. at 294. --- 22 _See_Karn_, 925 F.Supp. at 10 (the government is not regulating the export of source code because of the expressive content of the code, but in the belilef that the combination of encryption source code in machine readable media will make it easier for foreign intelligence sources to encode their communications). [end page 18] 1. The Government Has The Constitutional Power To Control The Export of Encryption Software And Its Interests In Doing So Are Substantial. ---------------------------------------------------------- The first two prongs of the standard test are readily met here. The regulation of the export of defense articles is squarely within the powers of Congress and the President to provide for the common defense and regulate international affairs and trade. U.S. Const., Art. I, Sec. 8; Art II, Sec. 2. Moreover, the governmental interest at stake with respect to the export of cryptigraphic software -- to protect critical foreign intelligence-gathering functions -- is undoubtedly a substantial one. Throughout history, governments of all nations have relied on intelligence information to cope with wars and other international crises, For example, the ability of the United States and its allies in World War II to break German "ENIGMA" and Japanese "PURPLE" coded communications of the axis forces was critical in shortening the war and saving lives.(23) When U.S. armed forces are deployed, gathering intelligence information on the activities of hostile forces is critical to ensuring the effective accomplishment of their mission with minimal loss of life. The National Security Agency's "signals intelligence" mission is conducted through sophisticated collection technologies that allow NSA to obtain information from foreign electromagnetic signals. Crowell Decl. Para. 4. Based on the information obtained, NSA provides reports on a rapid-response basis to national policymakers, including military commanders, reports that are essential to national security and the conduct of the foreign affairs of the United States. _Id._ The use of encryption by foreign intelligence targets to conceal their communications can have a debilitating effect on NSA's ability to collect and report such critical foreign intelligence. _Id._ Accordingly, there should be little question that the underlying policy interest at stake in controlling the export of cryptographic products and --- 23 _See_,_e.g._, [italicized] The Code Breakers: The Story of Secret Writing, [end italics] by David Kahn (MacMillan Publishing Inc. 1967). [end page 19] software is of substantial significance. It is, moreover, the type of interest that courts have held merit greater deference. "The question whether a particular item should have been placed on the Munitions List possesses nearly every trait that the Supreme Court has enumerated [that] [brackets in original] traditionally renders a question 'political.'" _United_States_v._Martinez_, 904 F.2d 601, 602 (11th Cir. 1990), _Id._ _Accord_United_States_v._Helmy_, 712 F.Supp. 1423, 1428-30 (E.D> Cal. 1989). [begin block quote] Neither the courts nor the parties are privy to reports of the intelligence services on which this decision, or decisions like it, may have been based .... Questions concerning what perils our nation might face at some future time and how best to guard against those perils "are delicate, complex, and involve large elements of prophecy. They are and should be undertaken only by those directly responsible to the people whose welfare they advance or imperil ...." [end block quote] _Martinez_, 904 F.2d at 602 (quoting _Chicago_&_Southern_Air_Lines_[_v._Waterman_SS._Corp._], 333 U.S. 103, 111 (1948)). _See_also_karn_, 925 F.Supp. at 11 (decision to control source code is a foreign policy judgment not subject to judicial scrutiny). The Court of Appeals for the Ninth Circuit has recognized the broad deference due on export policy matters. In _United_States_v._Spawr_Optical_Research_,_Inc._, 864 F.2d 1467, 1473 (9th Cir. 1988), _cert._denied_, 493 U.S. 809 (1989), the court held the policy basis for designating a commodity as subject to export copntrols was "beyond dispute" and not a triable issue of fact, since "the export of certain commodities may have a significant impact on United States' foreign policy and national security." Similarly, in _United_States_v._Mandel_, 914 F.2d 1215 (9th Cir. 1990), the court held that whether export controls must be placed on a particular commodity "are quintessentially matters of policy entrusted by the Constitution to the Congress and the President, for which there are no meaningful standards of judicial review." _Id._ at 1223 (citations omitted). Indeed, the court barred discovery into the basis for controlling a commodity, because "whether the export of a given commodity would make a significant contribution to the military potential of other countries" is a "matter[] [bracket in original] of policy [end page 20] entrusted by the Constitution to the Congress and the President ...." _Id._.(24) Plaintiff himself has indicated that he is "not challenging the wisdom" of policy by which cryptographic products and software are designated as defense articles.(25) Thus, while review may proceed as to whether the content of speech is being restricted, the policy interest underlying the export controls at issue cannot be second-guessed. 2. Export Controls on Encryption Software Are Unrelated to the Suppression of Speech. ----------------------------------------------------------- The next aspect of teh review standard -- whether the regulation at issue is unrelated to the suppression of speech -- is largely the same inquiry for determining whether intermediate review applies at all, _i.e._, whether the regulation is content-neutral. As indicated above, the regulations, on their face, do not purport to restrict the content of speech, but control for export cryptographic products and software that can function to maintain the secrecy of information. Moreover, as the government has explained, export controls are not imposed on source code to regulate scientific ideas or theories. Source code may indeed have speech or communicative value, as the Court has ruled. _Bernstein_, 922 F.Supp. at 1435-36, 1439. The theory behind Snuffle may inform the intellect of someone who understands cryptography. Studying or using the software may, for some, be an intellectual or academic exercise. But in the unique context of source code, the "information" at issue is also a commodity that _itself_ can be made to function. It cannot be reasonably controverted that source code, such as Snufflwe, also has a practical function to actually encrypt information on a computer. Source code, is, after all, a _computer_program_, a precise set of instructions to a computer that, when compiled, enables the computer to perform cryptographic functions. Crowell Decl. Para 19. Indeed, Dr. --- 24 _Accord_United_States_v._Moller-Butcher_, 560 F. Supp 550, 553-54 (D. Mass. 1983) ("[t]he power to classify goods on the CCL -- and to restrict them for export on national security grounds -- can (and should) be turned over to the executive branch, as it has the dominant role in conducting foreign policy"). 25. _See_ Plaintiff's Opposition to Motion to Dismiss at 30, 35, 38. [end page 21] Bernstein himself capably describes this function in his correspondence to the State Department. _See_ Tabs 3 and 16 to Lowell Declaration. The Snuffle encryption system allows for the exchange of encrypted text between two people "who have previously exchanged keys" that would enable them to read the message. Tab 3 to Lowell Declaration. Snuffle "can be used for various applications requiring private key cryptography, including the example above of interactive text exchange." _Id._ Dr. Bernstein states that his system could work with "zero-delay," meaning that "Snuffle can be used for interactive conversations: each character typed by one person can be encrypted, sent top the other person, and decrypted by the other person immediately." _Id._ It is for this reason, not any ideas that Dr. Bernstein seeks to convey, that Snuffle and other source code is controlled for export. While encryption source code may convey ideas as other information can, it is not _merely_ a conduit of information that explains how cryptography works, or describes scientific ideas or information related to cryptography. Crowell Decl. Para 19. Rather, source code is an item that is essential to encrypting information on a computer. This takes the matter beyond speech that has a high utility value, _Bernstein_, 922 F.Supp. at 1435-36. such as manuals on how to build a bomb, or a "blueprint" diagramming how a plane is built, or even the recipe for cooking a particular dish. Information describing how to make something function is distinct from the item itself. Obviously, the blueprint for a plane cannot fly, and the manual on how to build a bomb cannot detonate. The plane and bomb are the defense articles, and the blueprint and manual are technical data explaining how to make it fly or explode. Similarly, with the recipe for a cake, one still needs flour, water, sugar, and eggs to make the cake. If one types a blueprint or recipe into a computer, the result is text that can be read to inform. In the context of cryptographic source code, however, what is arguably informative also has functionality: a commodity that may convey information is also a commodity that itself can be made to function. Through computer programming and compiling, the plaintext of a message can actually be passed through a cryptographic algorithm, allowing information [end page 22] to be encrypted. Thus, when source code is entered into a computer, one can do far more than read it and learn from it -- one can _use_it to perform a cryptographic function. In contrast, no amount of computer programming will transform the text of a manual for a bomb into anything that can actually function. The point is that source code, while informative to some, does more than simply describe how to "build" an item that functions -- it is itself a commodity that can be made to function. Finally, it bears noting that, in relying on the content-neutral standard of review, defendants are not arguing that "Snuffle is conduct." _Bernstein_, 922 F.Supp at 1436-37. Snuffle is source code, which may reflect certain ideas, and can also be compiled to encrypt information. The "conduct" that is at issue in this case is exporting this software item. To whatever extent this conduct implicates the communication of ideas, the regulation thereof is unrelated to restricting the content of ideas or scientific theory that Snuffle embodies, or even any statement plaintiff wishes to make, scientific or political, by exporting this product. This is why intermediate scrutiny applies, and why export controls on plaintiff's source code are unrelated to the suppression of speech. 3. Export Controls On Encryption Software Are Narrowly Tailored. ------------------------------------------------------------- The final aspect of evaluating a content-neutral regulation is whether any incidental restriction on First Amendment freedoms are no greater than is essential to the furtherance of the state interest. To satisfy this standard, a regulation "need not be the least restrictive or least intrusive means of doing so." _Ward_v._Rock_Against_Racism_, 491 U.S. at 798. "Rather, the requirement of narrow tailoring is satisfied 'so long as the ... regulation promotes a substantial government interest that would be achieved less effectively absent the regulation.'" _Id._ at 799 (_quoting_United_States_v._Albertini_, 472 U.S. 675, 689 (1985)). In _CCNV_, the court looked to whether "the parks would be more exposed to harm without the sleeping prohibition than with it" and, if so, "the ban is safe from invalidation under the First Amendment ...." 468 U.S. at 297. Regulations are not to be held invalid under this [end page 23] standard "simply because there is some imaginable alternative that might be less burdensome on speech." _Albertini_, 472 U.S. at 675. Inclusion of cryptographic software on the USML meets this standard as well. Such software is regulated in furtherance of a substantial national security interest to protect the United States' intelligence-gathering capabilities, which provide essential information to national security policy-makers and military commanders. In the absence of export licensing controls on cryptographic products and software, highly significant technology would be available in greater amounts and quality -- without regard to its end-use or end-user. The government's interest in gathering intelligence abroad and breaking encrypted foreign communications would surely be "more exposed to harm" absent export licensing, _CCNV_, 468 U.S. at 297, since there would be less control over which products are being exported, to where, and to whom. At the same time, however, controls on the export of cryptographic software do not preclude individuals from otherwise publishing or discussing scientific ideas related to cryptography and cryptographic algorithms. As noted above, abroad academic discourse exists concerning cryptologic theories. _See_ Tabs 1 to 10 to Crowell Declaration. Plaintiff himself is not precluded from publishing an article or teaching a class regarding the theory of his software. Indeed, the government has already indicated that this paper on "The Snuffle Encryption System" (DJBCJF-2) is not subject to the ITAR. For these reasons, the regulation of the plaintiff's source code would not have "a substantial deleterious effect," _Ward_, 491 U.S. at 801, on the ability of persons to disseminate information about cryptography, and would "leave open ample alternative channels of communication." _Id._ at 802. Also, as noted above, even with respect to cryptographic software, the scope of ITAR controls is limited. Under Category XIII(b), encryption products that do not function to maintain the secrecy and confidentiality of data are not encompassed by Category XIII(b). [redundant sentence structure in original] This includes products and software that are limited to a data authentication or access control function, or use in secure banking transactions. _See_ 22 C.F.R. Sec. 121.1 XII- [end page 24] I(b)(1)(ii),(v),(vi). In addition, products that do maintain data confidentiality, but satisfy specific mass market and encryption criteria, can also be transferred to the Commerce Department. _See_ 22 C.F.R. Sec. 121.1, XIII(b)(1)(ix) note and Tab 3 to Lowell Declaration.(26) This further demonstrates that export controls under Category XIII(b) are focused on a specific set of encryption products that function to maintain secrecy. For this reason as well, control on the export of encryption software "'responds precisely to the substantive problems which legitimately concern the [Government] [brackets in original].'" _CCNV_, 468 U.S. at 297 (_quoting_Taxpayers_for_Vincent_, supra, 466 U.S. at 810). The final prong of the intermediate standard of review is therefore satisfied. Export controls on cryptographic source code survive intermediate scrutiny, and do not restrain speech in violation of the First Amendment.(27) III. THE ITAR IS NOT OVERBROAD IN ITS REGULATION OF TECHNICAL DATA OR CRYPTOGRAPHIC SOFTWARE. ------------------------------------------------------------- A. Facial Challenges Are An Exception to the Traditional Rule of Constitutional Adjudication. ------------------------------------------------------------- Plaintiff next makes a series of claims that provisions of the ITAR concerning technical data and cryptographic software are overbroad in violation of the First Amendment. This is a facial challenge through which plaintiff seeks a ruling invalidating the apllicable regulations "_in_toto_" -- _i.e._, on the ground that they are "incapable of any valid application" --- 26. Mass market software is computer software with encryption capabilities, that is available to the public via sales from stock at retail selling points, and by means of over-the-counter, mail, or telephone transactions. The criteria for expedited processing for transfer to the jurisdiction of the Commerce Department includes whether the software utilizes a particular cryptographic algorithm (called RC4 and/or RC2) with a key space of 40 bits. _See_ Tab 20 to Lowell Declaration. 27. While defendants do not believe the law supports application of the strict scrutiny standard here, even under this standard the governmental interest in controlling the export of encryption software is compelling. In addition, given the exclusions from and purpose for export controls on technical data and cryptographic software described above, the regulations are drawn in the least restrictive means as well and, therefore, satisfy the strict scrutiny standard. [end page 25] to any other person. _Hoffman_Estates_v._Flipside_,_Hoffman_Estates_, 455 U.S. 489, 494 n.3 (1981). It is precisely because such a claim asks the Court to void a provision of law on its face -- regardless of how it has been applied in the particular case before the court -- that facial challenges are disfavored. The traditional rule is that a person to whom a statute may constitutionally be applied "may not challenge that statute on the ground that it may conceivably be applied unconstitutionally to tothers in situations not before the Court." _New_York_v._Ferber_, 458 U.S. 747, 767 (1981) (citations omitted). This rule reflects "two cardinal [constitutional] principles" of standing: the personal nature of constitutional rights, ... and prudential limitations on constitutional adjudication." _Id._ (citations omitted).(28) An exception to the traditional doctrine of standing in the First Amendment context is the "overbreadth" doctrine, through which "an individual whose _own_speech_ or expressive conduct _may_be_validly_prohibited_ is permitted to challenge a statute on its face because it threatens others not before the court..." _Brockett_v._Spokane_Arcades,_Inc._, 472 U.S. 491, 503 (1984); _see_also_Broadrick_v._Oklahoma_, 413 U.S. 601 (1973). As indicated above, the overbreadth doctrine does not apply where the parties challenging the statute are "those who desire to engage in protected speech that the overbroad statute purports to punish" since, in such a circumstance, there is "no want of a proper party to challenge the statute, no concern that an attack on the statute will be unduly delayed or protected speech discouraged." _Brockett_, 472 U.S. at 504. Accordingly, there must be a "significant difference" between the claims of the plaintiff, and those of third parties not before the court, in order for the overbreadth doctrine to apply. _Taxpayers_for_Vincent._,466 U.S. at 802-803. If the challenged statute or --- 28. In general, a court has jurisdiction to declare a statute or regulation void only "as it is called upon to adjudge the legal rights of litigants in actual controversies.'" _Ferber_, supra, at 767-8 n. 20 (citation omitted). By focusing on the factual situation before it, the court faces "'flesh-and-blood' legal problems with data 'relevant and adequate to an informed judgment.'" _Id._ at 768. [end page 26] regulation applies to the plaintiff's interests in the same manner as absent third parties, the challenge must proceed only as an "as applied" claim.(29) _See_also_Renne_v._geary_, 501 U.S. 312, 324 (1990) (whenever possible constitutional claim should be considered only in an as-applied context and should only be invalidated as applied to the particular facts). Based on this foregoing authority, it is questionable whether plaintiff has a valid overbreadth claim.(30) Dr. Bernstein is not asserting that the ITAR may properly restrict his rights to free speech, and seeking only to vindicate the rights of others whose speech might be impermissibly impaired. Quite the contrary, he is seeking to vindicate his own rights. He expressly claims, on various grounds, that the ITAR, "as applied," restricts his right to publish his own scientific information, as well as to export Snuffle. Compl. Para. 3. Moreover, plaintiff seeks to vindicate the same interests of "similarly situated" third parties not before the Court. _See_,e.g._, Cmpl. Paras. 36, 159. Therefore, the proper approach is to assess his First Amendment challenge only insofar as the regulations have been applied to him, but not as to all conceivable applications.(31) As demonstrated above, the ITAR has not been applied to the plaintiff to restrict his right to publish a scientific paper. The only administrative --- 29 _See_Taxpayers_for_Vincent_, supra, at 802-803 (overbreadth doctrine did not apply where challenge to ordinance prohibiting posting signs on public property would potentially abridge the rights of plaintiff in the same manner as third parties not before the court). _See_also_Secretary_of_State_of_Maryland_v._J.H._Munson_, 467 U.S. 947, 956-58 (1983) (overbreadth challenge allowed as to statute restricting First Amendment rights of charitable organization to solicit funds where the plaintiff was not a charitable organization and "where there might not be a possibilty that the challenged statute could restrict [plaintiff's] own First Amendment rights"). 30. Although the Court found that plaintiff had a "colorable" overbreadth claim, _Bernstein_, 922 F.Supp at 1438-39, the jurisdictional issue of standing that can be raised at any point in the proceedings. [incomplete sentence in original] 31. Where plaintiff challenges a regulation as applied to his interests, and other aspects of regulations that solely pertain to third party interests that the plaintiff does not share, both claims may proceed. _See_Board_of_Trustees_of_State_University_of_New_York_v._Fox_, 492 U.S. 469 (1989) (students seek to vindicate their own rights, as well as third party commercial interests, in challenging school regulation barring use of dormitories to demonstrate commercial products). [end of page 27] action at issue are commodity jurisdiction determinations that a license is required to export his source code -- an action which as shown does not impermissibly regulate speech. B. The Challenged Provisions Of The ITAR Are Not Substantially Overbroad. ----------------------------------------------------------- Assuming, _arguendo_, the Court considers plaintiff's facial overbreadth challenge, it is without merit. Even where a plaintiff is permitted to raise the rights of third parties, he must demonstrate that the statute or regulations are _substantially_ overbroad. "Because of the wide-ranging effect of striking down a statute on its face at the request of one whose own conduct may be punished despite the First Amendment, we have recognized that the overbreadth is "strong medicine" and have employed it with hesitation, and then "only as a last resort." _Ferber_, 747 U.S. at 769 (quoting _Broadrick_, 413 U.S. at 613). For this reason, the Court is required to find that the alleged "overbreadth of the statute must not only be real, but substantial as well, judged in relation to the statute's plainly legitimate sweep." _Id._ (quoting _Broadrick_, supra, at 615).(32) _See_also_United_States_v._Stansell_, 847 F.2d 609, 612-13 (9th Cir. 1988). As with all constitutional challenges, overbreadth should not be found where a limiting construction of the statute or regulation at issue is possible. _Stansell_, 847 F.2d at 613; _Broadrick_, 413 U.S. at 613.(33) Plaintiff "must demonstrate from the text of the [regulations] [brackets in original] and from actual fact that a substantial number of instances exist" in which the ITAR provisions he challenges "cannot be applied constitutionally." _New_York_State_Club_Ass'n_v._New_York_City_, 487 U.S. 1, 11-12 (1987). Moreover, as the Court has already observed, "[m]erely being able to --- 32. This standard applies not only where speech-related conduct is at issue, but pure speech as well. _Ferber_, 458 U.S. at 771-72; _Brockett_, 472 U.S. at 503 n. 12. Thus, the substantial overbreadth standard applies to plaintiff's source code at issue in this case, notwithstanding that the Court has determined that source code is speech for First Amendment purposes. _See_Bernstein_, 922 F. Supp. at 1248-39. [*those* numbers in original] 33. _See_also_Outdoor_Systems_,_Inc._v._City_of_Mesa_, 997 F. 2d 604, 611 (9th Cir. 1993) (courts have a "duty to interpret a statute, if fairly possible, in a manner that renders it constitutionally valid"). [end page 28] conceive of "some impermissible applications of a statute is insufficient.'" _Bernstein_, 922 F. Supp. at 1438 (quoting _Taxpayers_for_Vincent_, 466 U.S. at 800); _see_ also _Ferber_, supra, at 772; _Broadrick_, supra, at 630. Plaintiff challenges as overbroad provisions of the ITAR concerning both technical data and cryptographic software, and the two categories will be considered seperately. 1. The Technical Data Provisions Challenged Are Not Substantially Overbroad. ---------------------------------------- Echoing his prior restraint allegations, plaintiff again alleges that the defintion of "export" under the ITAR is overbroad on the ground that it prevents him from publishing a scientific paper, algorithm, or computer program, Compl. Para 152, or that it "prevents plaintiff from discussing or revealing his ideas in any public forum in the United States" since they might be disclosed to a foreign person. _Id._ Para. 153. He also claims the "public domain" exception is "overbroad" on the ground that information not already in the public domain cannot be published. _Id._ Para. 141. Finally, he claims that the defendants have applied the ITAR in so overbroad a manner that "all speech about cryptography" is excluded from the definition of public domain. _Id._ Para. 157. (34) Most of these claims have been addressed above. Plaintiff's "overbreadth" theory is based on an out-of-context assessment of the regulations. While a single definition, read in isolation, might seem overbroad on its face, the regulations must be read as a whole in order to discern whether they might have a substantial number of impermissible applications. While the definition of "export" does include the disclosure of technical data to a foreign person in the United States, 22 C.F.R. Sec. 120.17(a)(4), ther are multiple exemptions to the definition of technical data which limit the reach and the meaning of such an export. For purposes of a First Amendment overbreadth analysis, the most important exemptions are those where information available publicly falls outside the definition of --- 34. Plaintiff also claims that the regulation of technical data exceeds statutory authority under the AECA. Compl. Para. 155. This claim is discussed _infra_ in connection with plaintiff's APA claims. [end page 29] technical data. (35) This includes commonly taught mathematical and scientific principles, marketing information, and other information broadly in the public domain through newsstands, bookstores and libraries, information released at symposia, and fundamental scientific research. These exemptions demonstrate that the export definition is not overbroad on its face, and does not seek to regulate the mere publication of ideas. Moreover, the Court of Appeals in _Elder_ expressly upheld an earlier version of the ITAR technical data regulations that contained far fewer express exemptions. There, the court recognized that there clearly is a substantial number of permissible applications for the technical data provisions -- namely, to "control the conduct of assisting foreign enterprises to obtain military equipment and related technical expertise." 579 F.2d at 521. This is how the State Department continues to apply the regulations. Lowell Decl. Paras. 25-26. Particularly given the greater exemptions for general publication and scientific exchange, the ITAR today is even less susceptible to an overbreadth challenge, and plaintiff's claims should be rejected. 2. The Encryption Software Provisions Challenged Are Not Substantially Overbroad. ----------------------------------------------------- Plaintiff's also claims [typo in original] that the ITAR provisions concerning cryptographic software are overbroad on the grounds that source code with the capability to maintain secrecy or confidentiality may not have a "military application." Compl. Paras. 150, 151, 158. He also claims the definition of software is overbroad in that it might prevent the publication of algorithms. Compl. Para. 160. Again, these claims are without merit. First, there can be little doubt that cryptographic products and software have a military and intelligence application. As both the State Department and NSA make plain, breaking foreign encryption capabilities -- including in a military setting on battlefields -- is of critical national security significance. _See_ Crowell Decl. Paras. 4,5; Lowell Decl. Para. 4. Moreover, the ITAR limits the type of cryptographic products and software subject to export controls to those that maintain data confidentiality. The regulations is not overbroad --- 35. Several other exemptions are set forth at 22 C.F.R. Sec. 125.4(d). [end page 30] fundamentally because it does not regulate the content of speech. Beyond this, the ITAR does not control products for data authentication, access control, and banking transactions. In addition, through the expidited processing of mass-market software products, some products that _do_ maintain confidentiality are nonetheless transferred to the jurisdiction of the Comerce Department if specific criteria are met. _See_ Tab 20 to Lowell Declaration. Hence, the regulations define and limit the types of products subject to export controls and are not overbroad in regulating software that might have communicative value. Plaintiff's claim that the defintion of software is vague or overbroad is also without merit. Compl. Para. 142, 159. It is clear that the government does not regulate the mere publication or discussion of algorithms, _see_ Tabs 1 to 10 to the Crowell Declaration, but, rather, controls the export of source code that implements an algorithm to encrypt information on a computer. Indeed, in the mathematical field of cryptology, it is common practice that cryptographic algorithms are widely published and discussed so that their capabilities may be evaluated by peers in the field. Crowell Decl. Para. 22. One of the more significant encryption algorithms -- the Data Encryption Algorithm -- was published by the government in 1977. _See_ Federal Information Processing Standards Publication, FIPS PUB 46 at 659 (January 15, 1977). It is not enough "that one can conceive of some impermissible applications of statute"; rather, "there must be a _realistic_danger_ that the statute itself will significantly compromise recognized First Amendment protections of parties not before the Court for it to be facially challenged on overbreadth grounds." _Taxpayer_for_Vincent_, 466 U.S. at 800-01 (emphasis added). There is no realistic danger here of an impermissible application of the definition of software, since as applied, it does not prohibit the mere publication or discussion of algorithms. For this reason, plaintiff's overbreadth challenge with respect to cryptographic software should be rejected as well. (36) --- 36. Finally, plaintiff's claim that the registration requirements of the ITAR, 22 C.F.R. Sec. 122.1, are overboroad on their face is also meritless. Compl. Para. 160. Under this provision, a [end page 31] IV. PLAINTIFF'S FIRST AMENDMENT VAGUENESS CLAIMS ARE WITHOUT MERIT. --------------------------------------------------------------- Plaintiff's seperate claims against essentially the same regulatory provisions as impermissibly vague ubder the First Amendment, Compl. Paras. 134-47, are without merit as well. The gravamen of a void-for-vagueness claim is a due process concern that the statute or regulation at issue "provided fair notice" that the "contemplated conduct fell within the legitimate scope of the prohibition" at issue. _United_States_v._Thomas_, 864 F.2d 188, 194 (D.C. Cir. 1988). _See_Grayned_v._City_of_Rockford_, 408 U.S. 104, 108 (1972). (37) Even in a First Amendment context, the Court must look to whether a statute or regulation defines an offense "with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement." _Kolender_v._Lawson_, 461 U.S. 352, 357 (1982). (38) Also, courts are mindful that statutes or regulations "cannot, in reawson, define proscribed behavior exhaustively or with --- person who engages in the business of manufacturing or exporting defense articles must register with the State Department. But several exceptions to the registration requirement are expressly noted in the regulation, including for individuals whose pertinent business activity is confined to the production of technical data, or who fabricate defense articles for experimental or scientific purposes. 22 C.F.R. Sec. 122.1(a)(2) and (4). On its face, the provision does not require those who seek to publish an article or teach a class to register with the State Department -- only those who export defense articles. (37) Where First Amendment interests are implicated, a greater degree of specificity of the statute or regulation is required. _See_,_e.g._,_Bullfrog_Films,_Inc.,_v._Wick_, 847 F.2d 502, 512-13 (9th Cir. 1988); _Grayned_, 408 U.S. at 109, _Buckley_v._Valeo_, 424 U.S. 1, 77 (1975). (38) _See_also_Stansell_, 847 F.2d at 615-16 (_Kolender_ standard applies in assessing First Amendment vagueness claim); _Schwartzmiller_v._Gardner_, 752 F.2d 1341, 1346-47 (9th Cir. 1984) (under _Kolender_, review of facial vagueness claim under the First Amendment "becomes the functional equivalent of an overbreadth analysis"). [end page 32] consummate precision." _Thomas_, 864 F. 2d at 195. Rather, the test is whether the regulations at issue are _reasonably_ clear. _Id._ (39) A. The Technical Data Provisions Challenged Are Not Impermissibly Vague. -------------------------------------------------------------- Again challenging the tachnical data/public domain provisions, plaintiff claims that whether something "is published" and "is generally accessible to the public" is something a reasonable person of ordinary intelligence could not understand. Compl. Para. 141. This claim is not credible. On the contrary, the challenged provisions list at least 12 specific examples of information excluded from the definition -- several of which are precise ("newsstand" "bookstores" "libraries" "second-class mail") and others of which are reawsonably clear (commonly taught principles in colleges and universities, trade shows and symposia, and fundamental research at institutions of higher learning). Particuarly where these provisions set forth _exemptions_ to the regulations -- _i.e._, a description of activities that are _not_ subject to criminal penalties, _see_ Lowell Decl. Paras. 22-23, a facial vagueness challenge is meritless. Moreover, there is strong evidence that it is _no_ reasonable to read the ITAR as requiring that permission be sought before publishing academic research. Many academics in Dr. Bernstein's field freely publish scientific information on cryptographic theories and algorithms, and attend symposia. _See_ Tabs 1 to 10 of Crowell Declaration. As Director Lowell also notes, very few individuals request licenses to export information that is already published. Lowell Decl. Para. 22. Rather, most applicants to the State Department seek to export technical data related to a munition that is not publicly available. _Id._ Para. 27. "For a claim of facial vagueness to survive, the deterrent effect of the statute on protected expression must be 'real and substantial' and not easily narrowed by a court." _Bernstein_, 922 F. Supp. at 1439 (quoting _Young_v._American Mini-Theaters,_Inc._, 427 U.S. 50, 60 (1975). As with the overbreadth claim, the Court can readily concluded [typo in original] that the numerous exemptions to the --- 39. _See_Grayned_, 498 U.S. at 110 (ordinance at issue was "marked by flexibility and reasonable breadth, rather than meticulous specificity" but it was "clear what the ordinance as a whole prohibits"). [end page 33] technical data provisions provide a reasonable person notice of the kinds of speech activities that are not subject to prior licensing controls. B. The Encryption Software Provisions Challenged Are Not Impermissibly Vague. ----------------------------------------------------- Plaintiff next claims that the ITAR provisions concerning cryptographic software are vague on the ground that the definition of technical data does not include software, Compl. Para. 139; that the definition of cryptographic software "with the capability of maintaining secrecy or confidentiality" cannot be understood by a reasonable person, Compl. Para. 136; and that the regulatory distinction between "encryption" and "authentication" is also vague. Compl. Para. 140. Again, these claims lack merit. First, plaintiff mis-reads the regulations. The definition of technical data _does_ include some software, _see_ 22 C.F.R. Sec. 121.10(a)(4), but excludes cryptographic software. _See_ 22 C.F.R. Sec. 121.8(f). While plaintiff may believe that cryptographic software _should_ be treated as technical data -- the regulations themselves are clear: cryptographic software is a defense article. 22 C.F.R. Sec. 121.1, XIII(b)(1). It is specifically excluded from the technical data provisions under Sec. 121.8(f) (excluding software under Category XIII(b) from the technical data license application process). There is no issue of regulatory vagueness with respect to whether cryptographic software is treated as technical data. Moreover, the definition of cryptographic software as that capable of "maintaining the secrecy or confidentiality of information" also is not vague on its face. Indeed, this definition is likely understandable to someone generally unfamiliar with the science of cryptography -- since the common sense meaning of encryption is to keep something a secret. Moreover, the definition is certainly very understandable to plaintiff, who himself described the Snuffle encryption system as software that can be used to exchange encrypted text between two people "who have previously exchanged keys" that would enable them to read the message. Tab 3 to Lowell Declaration. This system could work with "zero-delay," meaning that "Snuffle can be used for interactive conversations: each character typed by one person can be encrypted, sent to the other person, and decrypted immediately." _Id._ [end page 34] Dr. Bernstein seems to understand what maintaining confidentiality means, since that is the purpose of his software. Finally, the distinction between encryption software and data authentication is also not vague. The regulations describe both with reasonably [typo in original] specificity -- encryption (capable of maintaining secrecy) and data authentication (intended to ensure no alteration of text has taken place). 22 C.F.R. Sec. 121.1, XIII(b)(1) and (vi). V. PLAINTIFF'S CLAIMS UNDER THE ADMINISTRATIVE PROCEDURE ACT ARE WITHOUT MERIT. --------------------------------------------------------------------- Plaintiff tags onto his constitutional claims a list of claims under the Administrative Procedure Act which likewise lack merit. The central APA claim is that the State Department applies the ITAR in excess of statutory authority by, inter alia, regulating cryptographic software even though it has civilian uses; defining the terms "export" and "technical data" too broadly; requiring plaintiff to register; and delegating statutory authority to the NSA. Compl. Para. 192. These claims should not give the Court much pause. A. Plaintiff's Claim That The State Department Has Exceeded Statutory Authority Is Without Merit. -------------------------------------------------------- The Arms Export Control Act broadly grants the President authority to designate defense articles and defense services "[i]n furtherance of world peace and the security and foreign policy of the United States..." 22 U.S.C. Sec. 2778(a)(1). The statutory standard exudes deference to the President and his designees in the Executive branch. As the Ninth Circuit held with respect to a predecessor statute,(40) "[t]he purposes of the provision were to be accomplished not by a detailed statutory scheme but by a grant of authority to the President to "control" the exportation of listed munitions." United States v. Gurrola-Garcia, 547 F.2d 1075, 1078 (9th Cir. 1976). In so doing, the Congress "relied primarily on the President's traditional dominance in and responsibility for foreign affairs." Id. This is the statutory standard against which the regulatory actions of the State Department must be measured. _________________________ 40. Mutual Security Act of 1954, 22 U.S.C. Sec. 1934. 1. Defense Articles: With respect to designating defense articles such as cryptographic software, the AECA expressly precludes judicial review of this determination, 22 U.S.C. Sec. 2778(c), and the courts, including the Ninth Circuit, has consistently held that the decision to designate a particular commodity as subject to export controls is also non-justiciable. See Spawr Optical, Mandel, Helmy, Martinez, supra. Thus, there is no valid statutory claim that the designation of cryptographic products exceeded statutory authority, since the statue vests this discretion in the President and his designees to designate defense articles. See Karn, 925 F.Supp. at 6 ("[d]etermining whether an item is covered by the munitions list is critical to the President's ability to designate and control the export of those items which the Executive Branch considers to be defense articles). Moreover, any claim that statutory authority has been exceeded because cryptographic software has civilian uses likewise fails. Under either the AECA or the Export Administration Act, 50 U.S.C. App. Sec. 2401 et seq., the designation of a commodity subject to export controls is not reviewable or justiciable, and the court would have no standard or jurisdiction to decide the merits of whether an item should be controlled on the USML or on the Commerce Control List. See Spawr Optical, supra. Even if the Court could assess the matter, cryptographic software unquestionable has long-standing military and intelligence significance, and control of cryptographic products and software as defense articles easily fits within the AECA scheme.(41) 2. Technical Data: With respect to technical data, courts have long recognized that the AECA also grants the President and his designees authority to regulate information related to munitions. See United States v. Van Hee, 531 F.2d 352, 355-56 (6th Cir. 1976) (Under prior Sec. 1934, Congress subjected technical data to same controls as arms "doubtless...in recognition of the fact that world peace and American security and foreign policy could by [typo in original] _________________________ 41. To the extent plaintiff claims the AECA does not authorize the regulation under the ITAR of speech implicit in source code, that is properly addressed above as a First Amendment claim. The fact that source code was designated as a defense article under the AECA, by itself, is non-justiciable. threatened by the exportation of such data without the necessity of actually sending arms or implements abroad"). The court in Edler also recognized that control over technical data was extended under the provisions of the AECA governing defense services. 579 F.2d at 521. It construed such requirements to concern information directly related to munitions, and found them justified to control the conduct of assisting foreign enterprises in obtaining military equipment and technical expertise. Id.(42) As detailed above, the definition of technical data and public domain, with their numerous exemptions, demonstrate that the regulations are narrowly tailored to conform with the statutory purpose upheld by the Court in Edler. 3. Registration: The ITAR's requirements that those who engage in the business of exporting defense articles and services register with the government, 22 C.F.R. Sec. 122.1, are in accord with an express provision of the AECA. 22 U.S.C. Sec. 2778(b). The Department previously advised plaintiff, by letter dated July 7, 1993 that, "based on information he had provided to us, it appears that he should register." Tab 13 to Lowell Declaration. This was in response to a letter from Dr. Bernstein dated, June 30, 1993, in which he indicated that he intended to export Snuffle 5.0, a commodity he acknowledged was covered by Category XIII(b)(1) of the USML. Tab 12 to Lowell Declaration. The registration requirement itself was never actually applied to Dr. Bernstein, since he did not seek to export Snuffle after the CJ determinations. The regulations contain specific exemptions, including for those who only fabricate defense articles for experimental or scientific purposes, and for those whose pertinent business activity is confined to the production of technical data. Id. Sec. 122.1(b)(4)). Hence, there is no basis to find the agency exceeded statutory authority as applied in this case. 4. Delegation to NSA: Plaintiff's claim concerning an impermissible delegation to NSA is specious. The State Department is required by Executive Order to obtain the concurrence of the Defense Department in the designation of defense articles and services. _________________________ 42. See also U.S. v. Posey, supra, 864 F.2d at 1496 (following Edler in upholding statutory controls on technical data). E.O. 11958, Sec. 1(1)(1), 42 Fed. Reg. 4311 (Jan. 18, 1977) (reprinted after 22 U.S.C. Sec. 2751). The ITAR requires this as well, 22 C.F.R. Sec. 120.2, and nothing in the AECA precludes the President from requiring such consultations. The final authority to make CJ determinations lies with the Secretary of State and his designees in the State Department, and there is clearly no statutory bar on consultations with other agencies. B. Plaintiff's Other APA Claims Are Meritless. Plaintiff also claims that defendants actions at issue here were "arbitrary and capricious." Compl. Para. 189. The only actual administrative actions take [typo in original] were determinations that plaintiff's Snuffle software is a designated defense article under Category XIII(b)(1) of the USML. While constitutional claims are reviewable, a statutory claim challenging the merits of this determination is precluded from judicial review under the AECA, 22 U.S.C. Sec. 2778(c), and therefore the APA. 5 U.S.C. Sec. 701(a)1) (judicial review under the APA precluded to the extent precluded by statute). Second, defendants did not unreasonably delay agency action on plaintiff's first appeal. Compl. Paras. 186-188. No record of this appeal has been found and, thus, there was no deliberate delay by the government. Moreover, such a claim is particularly baseless where the government did taken [typo in original] action on a subsequent CJ request concerning the same software product. Finally, plaintiff's claim under the Freedom of Information Act "publication" requirement, 5 U.S.C Sec. 551(a), that the State Department has not published procedures concerning the commodity jurisdiction process, Compl. Para. 194, is also wrong. The CJ process is described in the ITAR. 22 C.F.R. Sec. 120.4. Moreover, the FOIA provision applies only to "substantive rules of general applicability" that concern clarifications of existing laws or regulations, not mere procedural matters. 5 U.S.C. Sec. 552(a)(1)(D). In addition, there can be no violation here if a party has actual notice of the rule. Id. Here, plaintiff had notice enough to apply for two CJ determinations. Also, the State Department regularly publishes newsletters setting forth information on the CJ procedures. See Tab 2 to Lowell Declaration. CONCLUSION For the foregoing reasons, defendants' motion for summary judgment should be granted. Respectfully Submitted, FRANK W. HUNGER Assistant Attorney General MICHAEL J. YAMAGUCHI United States Attorney MARY BETH UITTI Assistant United States Attorney 450 Golden Gate Avenue San Francisco, California 94102 Telephone: (415) 436-7198 VINCENT M. GARVEY ANTHONY J. COPPOLINO Department of Justice Civil Division, Room 1084 901 E Street, N.W. Washington, D.C. 20530 Tel. (Voice): (202) 514-4782 (FAX): (202) 616-8470 or 616-8460 Attorneys for the Defendants CERTIFICATION OF SERVICE I hereby certify that on this the 26th day of July 1996, a copy of the foregoing memorandum of points and authorities in support of defendants' motion for summary judgment was served, via overnight express mail, on: Cindy A. Cohn McGLASHAN & SARRAIL 177 Bovet Road, Sixth Floor San Mateo, California 94402 ANTHONY J. COPPOLINO